Custom Driver - adding security to external web calls ideas

driver

#1

I have a very simple driver that I am using to send email and text notifications via very simple Node/REST server running on a RPi.
Am interested in securing things a bit better now that HE is using HTTPS.

The first thing I want to do is make my calls using https. I assume (hope) this is fairly straightforward. Note: I can handle the Node end, not sure about the HE groovy side. Currently using a basic async post call..

The next thing maybe is some sort of token validation. Was thinking about having a simple token generated on the Node server side (via a command line utility on the terminal) that gets stored in a config file and the user simply enters it in the driver config settings in HE.

Is this an okay thing to do or should I consider something else like cert validation? I just want to dissuade casual hacking/hijacking of the Node server more than anything else..

Any thoughts would be appreciated..


#2

Currently thinking about having a "token"/string of alphanums set in the config file on the Node server and then periodically (once a month maybe) updating it - will have 2 config variables - currToken and oldToken, both will work but when a new token is generated the current one rolls over to oldToken. If the HE driver notices a difference it will automatically update the token in it's configuration.

This also means some sort of "light" polling on the driver side I guess to make sure the drivers token doesn't get out of sync with the server.

Is this a valid approach?