I'm just digging into the rest interface...  I want to have my Android phone initiate some home automation actions when it gets within 30 M of he house (using Tasker).

The Rest Interface for ISY is a bit more than what I've dealt with in the past, but as I'm starting to use it, it seems reasonable, but there seems to be a security issue that I'm surprised at.

As I worked through the interface, my first port of call was to make calls for information (like what nodes are configured).  This is pretty straight-forward - all you need to do is use the following REST request:  <IP Address>:<port>/rest/nodes.  All good, but I require credentials to access my ISY, so I would  need to use the user/pass to access the system - and I'd expect that this would be required for any access.

That said, I used the following query - http://<userid>:<password>@<ipaddress>:<port>/rest/nodes.  This worked great - I received a list of the nodes listed in ISY.  Next, I tried to use http://<userid>:<incorrect_password>@<ipaddress>:<port>/rest/nodes - I still received all the nodes listed in ISY.  Finally, I tried using http://<ipaddress>:<port>/rest/nodes - I still recieved all nodes from ISY.

I don't know if I'm using the rest interface properly (I've been able to get the node list, but have not been able to run a program as yet).  Since the UID/Pass doesn't seem to be working as I'd expect.   I'm not particularly concerned about the access of data from my system (it's not at ALL good that this data doesn't require a password to access, but I could live with that if I had to - in this case).  What I'm struggling with is validating the UID:Pass mathod for sending credentials and having a program execute when I can't use queries to validate that I'm doing things properly is driving me bat sh1t crazy.  Programs aren't executing, queries don't need credentials and I'm now lost! 

If you are doing this from a webbrowser, you only need to put credentials in once.  After that, the session does not require you repeat the credentials for further queries.

If you are doing this from outside your LAN, using http is wide open.  Your user/credentials will be wide open to anyone who wants to intercept your traffic.  This is easy pickin if you are on a public wifi.  You need to setup https on your ISY.

Didn't think about the fact that the browser would cache credentials.  I would not use http on the Interenet, was just doing it for trying out the interface.  

I should have considered caching - thanks for the repsonse!  

Now, I need to figure out how to trigger a program - last night, I did try to execute a command and it appeared to run 20 minutes later - quite odd.  Will be giving it another shot later tonight.

1 hour ago, SteveKlos said:

Didn't think about the fact that the browser would cache credentials.  I would not use http on the Interenet, was just doing it for trying out the interface.  

I should have considered caching - thanks for the repsonse!  

Now, I need to figure out how to trigger a program - last night, I did try to execute a command and it appeared to run 20 minutes later - quite odd.  Will be giving it another shot later tonight.

I prefer to do everything via State Variables for triggers. That way your ISY programs still have last say whether the program can run or not. The variables are easier to set up in a Rest I/F call.

@MWareman has created some good info about using tasker on the wiki, one of them is 

https://wiki.universal-devices.com/index.php?title=ISY-99i_Series_INSTEON:Networking:Tasker