This is a wonderful feature, thanks for implementing it. I was wondering, though, about the security implications. Your recommendation for a picture URL is:
picture_url = https://yourserver/zm/index.php?view=image&eid=EVENTID&fid=alarm&width=600&username=admin&password=yourpassword
I realize that all paths are encrypted, but this still exposes a full Zoneminder login to someone. You can lock down the login somewhat, but they could still use it to view any of your recorded events.
I mitigated this somewhat, partially due to my unusual setup. I don't expose my Zoneminder interface to the wider Internet. I do have a VPS, however, that sports Let's Encrypt certificates. I use my VPS to proxy the picture request to a local proxy that finally makes the request to Zoneminder. The only information passed over the Internet is the event ID. It's a little Rube-Goldbergian, but it works. This still allows someone to view event snapshots, since the IDs are easily guessable.
Have you considered making the event ID information more opaque? Perhaps it could be a time-limited random cookie that gets mapped to the event ID. This would prevent event ID guessing.
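
The time-limited random token proposed in the post above, sketched as an added example (not part of the original post, and not ZoneMinder or event-server code). The class name, the `token` URL parameter and the proxy base URL are hypothetical; the proxy would call `resolve()` and then fetch the snapshot from ZoneMinder with credentials that never leave the local network.

```python
import hashlib
import secrets
import time


class EventTokenStore:
    """Maps unguessable, expiring tokens to event IDs (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested
        self._entries = {}  # sha256(token) -> (event_id, expires_at)

    @staticmethod
    def _key(token):
        # Store only a digest so a dump of the table does not reveal live tokens.
        return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()

    def issue(self, event_id):
        """Return a fresh 256-bit token for event_id, valid for ttl seconds."""
        self._purge()
        token = secrets.token_urlsafe(32)
        self._entries[self._key(token)] = (int(event_id), self.clock() + self.ttl)
        return token

    def resolve(self, token):
        """Return the event ID for a live token, or None if unknown or expired."""
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None  # guessed or never-issued value, e.g. a bare event ID
        event_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[key]
            return None
        return event_id

    def _purge(self):
        # Drop expired entries so the table does not grow without bound.
        now = self.clock()
        for key in [k for k, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[key]


def picture_url(base, token):
    # Constructed URL shape for the proxy; the "token" parameter is an assumption.
    return f"{base}?token={token}"
```

The notification then carries only `picture_url(...)` with the token, so neither the login nor the sequential event ID appears in the link.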