
HTTP control without password???

Posted: 17 May 2019, 10:28
by cdev
Hello
I'm new to the forum and started yesterday with a smart plug (same HW as Sonoff S20).
I flashed ESPEasy 2:
"ESP_Easy_mega-20190511_normal_core_241_ESP8266_1M"

Everything is okay and works fine. I've set up a password, and if I want to connect to the WebIF I have to enter user and password - fine.
But if I want to control the plug with commands "/control?......" I can control it without any password auth.

For my scenario I have to connect the plug directly to the Internet, and I think it's a bug and a little bit risky.


Also, that I can only set 1 IP or IP range is disappointing, because I would whitelist the local net and one IP address to connect from the Internet site.
At the moment the only solution is to allow all IP addresses - with working password protection it would be a little bit more safe. (And yes, I know it's plain text and only HTTP, which is not encrypted.)

Re: HTTP control without password???

Posted: 17 May 2019, 12:38
by grovkillen
Best option in my opinion is to control it over MQTT. That way you only have to exploit the MQTT broker to the Internet but that one you can HTTPS + Password protect. I'm not gonna show you how to exploit the unit directly to the internet because I don't think that's a good idea at all.

Re: HTTP control without password???

Posted: 17 May 2019, 15:21
by cdev
THX for your feedback, the problem is that I have only this one plug.
I have a complete working smart home setup based on another system, but at the moment I have a lot of trouble with my WiFi router and I need this plug only to break the power supply from the router to restart it remotely.
That's why I can't connect the plug to my existing smart home setup.
The plug is only connected to a backup Internet connection to restart my main router if needed.
I have a port forwarding to the plug directly, but on a higher random port - not 80 or some standard port.


Password protection for HTTP control would be nice, also HTTPS (but I understand that it is all limited by 1M flash and normally it's not needed in a home network).

P.S.: Is there a way to enable telnet to the device? Maybe I can install an SSL / SSH certificate and enable SSH by myself?

Re: HTTP control without password???

Posted: 05 Jan 2020, 11:25
by Rob Muller
If your backup connection is only to restart the router, why not set up controlled access on the backup connection router (login, VPN etc.) to connect to the plug?

Re: HTTP control without password???

Posted: 05 Jan 2020, 15:30
by TD-er
Some routers (e.g. Fritzbox ones) allow to set a password in HTTP port forwards.
If you know Apache, then it is just like a proxypath (and reverse) including a .htaccess with a password setup.
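
The reverse-proxy approach described in the post above, sketched as an Apache virtual host. This is an added example, not part of the original post or of ESPEasy's documentation; the host name, the plug's LAN address, and the certificate and password-file paths are placeholders to replace with your own.

```apache
# Added example: password-protected HTTPS front end for the plug's
# unauthenticated /control endpoint. All names and paths are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file and mod_authz_user.

<VirtualHost *:443>
    ServerName plug.example.org                       # placeholder host name

    # TLS, so the Basic-auth credentials are not sent in clear text
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/plug.example.org.pem     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/plug.example.org.key   # placeholder

    # Reverse proxy only; never act as an open forward proxy
    ProxyRequests Off

    # Default: nothing on this host is reachable
    <Location "/">
        Require all denied
    </Location>

    # Only /control is forwarded, and only after a successful login.
    # The query string (e.g. ?cmd=...) is passed through unchanged.
    <Location "/control">
        AuthType Basic
        AuthName "Smart plug control"
        # Create the file with: htpasswd -c /etc/apache2/plug.htpasswd <user>
        AuthUserFile /etc/apache2/plug.htpasswd        # placeholder path
        Require valid-user

        ProxyPass        "http://192.168.1.50/control"   # placeholder plug IP
        ProxyPassReverse "http://192.168.1.50/control"
    </Location>
</VirtualHost>

# The authentication directives sit in the virtual host rather than a
# .htaccess file because ProxyPass is not permitted in .htaccess context.
# With this in place, forward only port 443 of the proxy host from the
# Internet, remove the direct port forward to the plug, and set the plug's
# own allowed-IP setting to the proxy host's address.
```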

Re: HTTP control without password???

Posted: 05 Jan 2020, 15:39
by TD-er

Re: HTTP control without password???

Posted: 29 May 2020, 07:48
by Ath
Edit:
So I stepped into a spammer trap. :( Removed the reply.

Re: HTTP control without password???

Posted: 30 May 2020, 09:34
by TD-er
@Ath:
The same message, only with different URL, has been posted several times the last few days.
So I deleted the bot-generated message and IP-banned it.
But IP-ban is probably not going to work on bots, but it's all we've got.