Development app with ingress support for inspecting Supervisor ingress proxy headers and testing Home Assistant Core API calls. Provides a web UI with an ingress header inspector, API request builder, and quick action presets for common endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR introduces a new "API Explorer" development add-on for Home Assistant. It provides a web UI (served via ingress) to inspect Supervisor ingress proxy headers and interactively test Home Assistant Core REST API and WebSocket endpoints. The server is a lightweight aiohttp Python application running under s6-overlay.
Changes:
- Adds a new api_explorer/ add-on with its config.yaml, build.yaml, Dockerfile, README.md, and DOCS.md.
- Adds the Python aiohttp server (server.py) that serves the UI and proxies REST/WebSocket requests to Core via Supervisor.
- Adds the front-end single-page application (index.html) with an ingress header inspector, API request builder with custom headers, and a WebSocket console.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| api_explorer/config.yaml | Add-on manifest — missing stage: experimental, hard-codes ingress_port: 8099 |
| api_explorer/build.yaml | Build configuration — uses Python 3.13 Alpine base images |
| api_explorer/Dockerfile | Installs aiohttp and copies rootfs |
| api_explorer/rootfs/app/server.py | Core Python server — proxy logic, WebSocket forwarding, resource leaks present |
| api_explorer/rootfs/app/index.html | Full-page UI — custom headers collected but never forwarded |
| api_explorer/rootfs/etc/s6-overlay/s6-rc.d/api-explorer/run | s6 service run script |
| api_explorer/rootfs/etc/s6-overlay/s6-rc.d/api-explorer/finish | s6 service finish/exit-code script |
| api_explorer/rootfs/etc/s6-overlay/s6-rc.d/api-explorer/type | s6 service type (longrun) |
| api_explorer/rootfs/etc/s6-overlay/s6-rc.d/api-explorer/dependencies.d/base | s6 dependency marker |
| api_explorer/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/api-explorer | s6 user bundle contents marker |
| api_explorer/README.md | User-facing readme |
| api_explorer/DOCS.md | Extended documentation |
| async def ingress_headers(request: web.Request) -> web.Response: | ||
| """Return all incoming request headers as JSON.""" | ||
| headers = dict(request.headers) | ||
| return web.json_response(headers) |
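Review bot: headers = dict(request.headers) keeps only one value per header name, so a request that carries the same header on several lines (for example more than one X-Forwarded-For entry added along the proxy chain) is shown incompletely by an endpoint whose docstring promises all incoming headers. Consider returning a list of name/value pairs built from request.headers.items() instead of a dict, so the inspector shows exactly what arrived.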
The ingress_headers endpoint exposes all request headers (including Authorization, Cookie, and any X-Supervisor-* tokens) verbatim as a JSON response. While this is intentional for debugging ingress headers, any authenticated user who can reach the panel will see the raw SUPERVISOR_TOKEN bearer value if it happens to be forwarded as a header. Consider filtering or redacting sensitive headers (e.g., Authorization) before returning them.
The token is always filtered by Supervisor. Besides, the whole point of this app is to debug these types of things, so we should not redact it here.
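The redaction suggested in the review comment above, as an added example that is not part of this PR or the project's code: it masks secret header values but keeps a short SHA-256 fingerprint, so two requests can still be compared while debugging. The list of sensitive names, the function names and the sample headers are assumptions; with aiohttp the pairs can come from request.headers.items().

```python
import hashlib

# Assumed list, based on the headers the review comment names.
SENSITIVE_NAMES = {"authorization", "cookie"}
SENSITIVE_PREFIXES = ("x-supervisor-",)


def _fingerprint(value: str) -> str:
    """Short SHA-256 prefix; only meaningful protection for high-entropy secrets."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def redact_headers(pairs):
    """Mask secret values in an iterable of (name, value) header pairs.

    Pairs are used instead of a dict so that repeated header lines
    survive, which a header inspector needs to show.
    """
    out = []
    for name, value in pairs:
        lower = name.lower()
        if lower in SENSITIVE_NAMES or lower.startswith(SENSITIVE_PREFIXES):
            # The auth scheme ("Bearer", "Basic") is not secret, so keep it.
            scheme, sep, secret = value.partition(" ")
            if lower == "authorization" and sep:
                value = f"{scheme} <redacted sha256:{_fingerprint(secret)}>"
            else:
                value = f"<redacted sha256:{_fingerprint(value)}>"
        out.append((name, value))
    return out


# Constructed sample request headers (not captured from a real system).
SAMPLE = [
    ("X-Ingress-Path", "/api/hassio_ingress/EXAMPLE"),
    ("Authorization", "Bearer example-token-value"),
    ("Cookie", "ingress_session=example"),
    ("X-Forwarded-For", "192.0.2.10"),
    ("X-Forwarded-For", "198.51.100.7"),
]

if __name__ == "__main__":
    for name, value in redact_headers(SAMPLE):
        print(f"{name}: {value}")
```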
- Use dynamic ingress port (ingress_port: 0) instead of hard-coded 8099, read assigned port from environment via bashio in the run script
- Add stage: experimental to match repository convention
- Cache index.html at startup instead of reading from disk on every request
- Fix WebSocket proxy shutdown: use asyncio.wait with FIRST_COMPLETED to cancel the other direction when one side disconnects
- Forward custom headers from the browser to Core in the REST proxy
- Build header row inputs with createElement instead of innerHTML to avoid attribute injection edge cases
- Actually merge custom headers into fetch request (were collected but never sent)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>