Use of OctoPrint Trademark for Alexa Skill

I have been working on an Alexa skill that I plan to offer for free. This Alexa skill will have users log in and then map their IP address and API key to their profile. Alexa will then use this information to fire off API requests to their OctoPrint setup. I have not decided on a name for the skill yet, but would likely want to use the word OctoPrint in the name. The FAQ on the trademark page looks like I should be allowed to use it for a free app, but the following line makes me wary:
The OctoPrint brand name may not be used:
a) To give the false impression that a product or service is supported by or in any way associated with OctoPrint or Gina Häußge.

Any thoughts?

I guess you'd have to ask @foosel in a case like this.

I would also be suuuuper wary of anything that just lets you talk, and execute commands on a 3D printer. That seems like a hugely bad idea. Some "funny prankster" friend comes over and when you're not looking "Alexa, set printer to 5 million degrees".

Hell no. No way that should ever be a thing.

:laugh: This is me talking to my 3D printer for realz. It's better than you think. I wake up, I'm still groggy and drinking my coffee and I'm not even touching the printer or trying to open up OctoPrint. I just get things started while I'm waking up. When the print job is eventually finished, I can shut things down gracefully as well.

J.A.R.V.I.S.

What are my thoughts... @chrisp69581616? My thoughts are that this will be popular and that you'll be stuck with the Lambda invoice at the end of every month. The entire business model at Amazon really makes no sense to me: "developers please please write some Alexa skills so that people continue to buy these devices from us and please publish them oh and yeah... we're going to charge you when those skills become super-popular".

Thanks for the feedback, don’t enable the skill :wink:

As an established Alexa skill developer, AWS actually sends me promotional credits every month that my Alexa resources invoke charges. I have been able to develop on AWS for free for quite some time since they credit the account every month.

Good luck with that. I don't trust Amazon as much as you do. I'm also an established Alexa skill developer; I just don't publish so that the world can use my Lambda. They expect you to (eventually) monetize all this, presumably.

Since they routinely pay me, I have no reason not to trust them. Also, the lambda free tier is a wild limit. I would suggest publishing some to the public just for the perks alone, like I mentioned, I get a minimum of $100USD AWS credits a month, t shirts, and they are sending me a new echo show when they release next month.

I won't, and I hope you take at least some basic precautions to prevent accidental triggering. I laugh every time I see a streamer mention "ok google, blah blah" and the chat blows up with "omfg my phone is going crazy", yeah, no shit, don't enable voice control on anything ever that doesn't also offer voice training to only work with one particular voice. Especially if the thing it's controlling is capable of burning down your house.

But that's just me.
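An added example, not part of the original thread or of the skill's code: one way a skill backend could guard against the accidental or prank triggering raised above, by allowlisting intents, bounding temperature targets, and refusing to heat until Alexa reports the intent as confirmed. The intent names, slot names and temperature limits are assumptions made for illustration; `confirmationStatus` is the field Alexa sets on an intent when dialog confirmation is used.

```python
# Constructed limits in degrees C; real values depend on the printer hardware.
LIMITS_C = {"hotend": (0, 260), "bed": (0, 110)}
# Hypothetical intent names for an OctoPrint voice skill.
READ_ONLY = {"GetJobStatusIntent"}
HEATING = {"SetTemperatureIntent"}


def guard(intent):
    """Decide what to do with an Alexa-style intent dict.

    Returns (decision, detail), where decision is "allow", "confirm"
    (ask the user to confirm before acting) or "deny".
    """
    name = intent.get("name")
    if name in READ_ONLY:
        return "allow", "read-only"
    if name not in HEATING:
        return "deny", "intent not on the allowlist"
    slots = intent.get("slots", {})
    heater = (slots.get("heater", {}).get("value") or "").lower()
    raw = slots.get("degrees", {}).get("value")
    if heater not in LIMITS_C:
        return "deny", "unknown heater"
    try:
        target = int(raw)  # slot values arrive as strings
    except (TypeError, ValueError):
        return "deny", "temperature is not a whole number"
    low, high = LIMITS_C[heater]
    if not low <= target <= high:
        return "deny", f"{target} C is outside {low}-{high} C for {heater}"
    # Anything that heats needs an explicit spoken confirmation first.
    if intent.get("confirmationStatus") != "CONFIRMED":
        return "confirm", f"set {heater} to {target} C?"
    return "allow", f"set {heater} to {target} C"


def sample(name, heater=None, degrees=None, status="NONE"):
    """Build a constructed intent dict shaped like an Alexa IntentRequest intent."""
    return {"name": name, "confirmationStatus": status,
            "slots": {"heater": {"value": heater}, "degrees": {"value": degrees}}}


if __name__ == "__main__":
    for it in (sample("SetTemperatureIntent", "hotend", "5000000"),
               sample("SetTemperatureIntent", "hotend", "210"),
               sample("SetTemperatureIntent", "hotend", "210", "CONFIRMED")):
        print(guard(it))
```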

The basic advice which I would give is to turn off the shopping cart feature.

Me: "Computer, turn on the 3D printer"
Alexa: "Okay, I've ordered six cases of Mt. Dew, they should arrive by Thursday"

Alright, it's live: https://www.amazon.com/gp/product/B07PD2M5XY?ie=UTF8&ref-suffix=ss_rw

Congratulations, you managed to get this going.

If you don't mind me asking, how does the inbound Lambda control attempt make it to the printer?

So I have a custom website where users sign in and enter their IP address and API key. The Lambda is able to get this information for logged-in users based on the token in the Alexa request. Once both are validated, I simply fire off a REST call to the IP address provided in the profile. This assumes the user has their IP address for their printer publicly accessible. I am sure this is a solution many will not want to use because of that public IP requirement, but it is a solution.

Ouch. I was worried that you might say that.

Note that there are people who use bots to walk the entire Internet's IP space. They use tools like curl and netcat to quickly probe for open installations of software. There's even a website which will gather these and list the information publicly for others to see. I'm relatively certain that your own printer's IP address is now on that list.

The problem isn't that your own skill has limited ability to do harm. The problem is that users—by thinking that they'll gain something neat—will then open up their printer to the Internet. Once it's on the Internet then these are in two categories: 1) those with User Access and ForceLogin turned on and 2) those without.

or 3. Those without who learn quickly?

It would be worth me adding another disclaimer about the security in the Skill description even though I think OctoPrint does a great job warning when creating the first user. I know you and others here are wildly skeptical of the idea, there are people on reddit who hate it more, but this feedback is useful for me while trying to build a trustworthy app and I appreciate it.

I remember going through this whole process myself. I looked at all the angles, if you will.

It's not that I hate it. I could potentially love it (minus the publicly-available address). Robo 3D themselves spent a year trying to make this happen; they still have this as part of their included plugins and it still doesn't work. :laugh: Just remember that I love the concept so much that I built it myself as well.

I'd say that you need to put up a strong warning that anyone who considers this should have both User Access and ForcedLogin turned on with a new installation of OctoPrint which includes all this.

The trickier part later is then working up a proxy solution for this which removes that vulnerability. As they say, though, the devil is in the details.


This means you somewhere have a database that contains combinations of the public IPs of publicly reachable instances of OctoPrint and credentials for full access to them. The abuse potential of that is enormous. What have you done to prevent data theft? How is that secured? What about off site backups, are they encrypted? How? Who is liable in case of a data breach? Who besides you has access to this data? And - please don't take this personally - why should anyone trust you with this data?

Honestly, that scares the shit out of me. Having to expose the instance publicly is bad enough. Having some centralized datastore that maps out the instances and even includes the keys to the castle is a really bad idea, and I cannot stress this enough.


So the data is not stored in a traditional database; I am using Amazon Cognito and the attributes are associated with each user.

MFA for AWS Access to Cognito

They do not exist; if something were to happen to Cognito, all users would have to enter their info again.

The user who provided their API key to a website? This is probably not a great answer. I would have to do some research to see legally where this falls, but I suspect having a disclaimer about the risk of sharing API keys prevents me or my LLC from being legally prosecuted.

Nobody

They shouldn't.