I set up a Raspberry Pi to communicate with balena.io. In the Balena dashboard, I activated the public URL for my device. The Raspberry Pi is running Node.js and listens on port 80 for a POST request. The Raspberry's only job is to open a door.
Now, whenever I tell the Raspberry Pi to open the door, I put { task: "open" } in the body of the request. It is very important that nobody other than me can open the door via sending this HTTPS request to the Raspberry Pi.
My first idea to protect the door from being opened is to include a username and password field in the request like so:
{
  task: "open",
  username: "Moritz",
  password: "1234"
}
However, some sources suggest that this approach might not be ideal as the login credentials may be leaked.
My question: If someone did not know the username and password, could this person not just take whatever was sent to the Raspberry and just send it again? Since I always send the same object { task: "open" }, this is how someone other than me could open the door, right? Or am I missing something here? Does HTTPS have protection in place to prevent something like this from happening?
How can the Raspberry Pi make sure the request to open the door was sent from my server and not someone else's computer?
I appreciate your help, thank you for your time.
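
Added example, not part of the original post: one way the Pi could check that a request came from the holder of a shared secret and refuse a resent copy, by signing the body together with a timestamp and a random nonce. The function names, the field layout, the 30-second window and the secret value are assumptions made for this sketch.

```javascript
// Added example, not from the original post. Secret handling, field names
// and the 30 s window are assumptions.
const { createHmac, randomBytes, timingSafeEqual } = require("crypto");

const MAX_SKEW_MS = 30_000; // assumed freshness window

// MAC over timestamp, nonce and body so none can be changed independently.
function mac(secret, body, timestamp, nonce) {
  return createHmac("sha256", secret).update(`${timestamp}.${nonce}.${body}`).digest();
}

// Sender (the server): attach a timestamp, a random nonce and the MAC.
function signRequest(secret, payload, now = Date.now()) {
  const body = JSON.stringify(payload);
  const nonce = randomBytes(16).toString("hex");
  const signature = mac(secret, body, now, nonce).toString("hex");
  return { body, timestamp: now, nonce, signature };
}

// Receiver (the Pi): returns a verify function that remembers recent nonces.
function createVerifier(secret) {
  const seen = new Map(); // nonce -> timestamp of the accepted request
  return function verify(req, now = Date.now()) {
    if (typeof req.body !== "string" || typeof req.signature !== "string" ||
        !/^[0-9a-f]{32}$/.test(req.nonce) || !Number.isSafeInteger(req.timestamp)) {
      return "malformed";
    }
    const expected = mac(secret, req.body, req.timestamp, req.nonce);
    const given = Buffer.from(req.signature, "hex");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
      return "bad-signature";
    }
    if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return "stale";
    // Forget nonces whose requests would be rejected as stale anyway.
    for (const [n, t] of seen) if (now - t > MAX_SKEW_MS) seen.delete(n);
    if (seen.has(req.nonce)) return "replay";
    seen.set(req.nonce, req.timestamp);
    return "ok";
  };
}

// Constructed demo: the same captured request is accepted once, then refused.
const demoSecret = "constructed-demo-secret";
const demoVerify = createVerifier(demoSecret);
const captured = signRequest(demoSecret, { task: "open" });
console.log(demoVerify(captured), demoVerify(captured)); // first accepted, second refused
```

The nonce store lives in memory here, so a restart of the Pi process forgets it; the timestamp window bounds how long a captured request stays usable in that case.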