Sometimes, maintaining a complex piece of code that relies on third parties for code dependencies, APIs or software support can come with some significant risks and disadvantages. Some of these can be mitigated while others must be either addressed or abandoned.

From the start, SwitchBoard was built with the intention of having the fewest number of dependencies as reasonably possible. The non-developer dependencies are limited to only three core packages. I intentionally peg these to very specific versions so I can have very granular control over their updates and make sure they work. This is more a product of my OCD - but with so few, it’s not much of a burden for a repository that I work on so often.

While npm packages are not a point of major pain, third party APIs sometimes are. One example is the now intermittent Stocks API. It’s fed from a YQL query that comes from Yahoo Finance. One day, the feed started acting erratic. I narrowed it down a bit to clearly be tied to some caching issues. If the feed has interruption, you could simply append an additional stock and it would work again…for a while. At the time, I worked at Yahoo, so I had the luxury of contacting the team responsible for the API. Since the API itself was not official, they were unable to offer any type of official support for it. So I’ve sort of let it rot. It does work on occasion and I still use it myself - with some minor success. Finding a working API is either not possible (licensing fees making it unable to scale for an open source project) or terribly hacky and brittle (parsing the HTML page for the values desired).

Devices themselves have the great luxury of being shipped in great numbers. My Samsung TV likely will not have any changes to it’s API. This means for as long as I own the TV, I should expect (to some reasonable degree) that I’ll be able to make use of it with SwitchBoard. However, Samsung took steps in later models to alter how they manage HTTP commands to be sent. And this (evidentially) includes some encryption. This still remains unaddressed. Not having physical access to the hardware makes development very difficult. While some people have volunteered to help, it’s a difficult thing to do, even with hands-on access. Admittedly, I’ve been stalling a bit in the hopes that someone can reveal additional information about how the new system works so that I can leverage their learnings.

And finally is Chrome. I love Chrome. It has a ton of great functionality, it’s very modern and a pleasure to work with. Mostly. The Chrome team has (rightfully) started adding a lot of security features surrounding trusted sites. One caveat to all this is that if you have a site that does not have SSL, some features will be disabled. But these rules of trusting a site do not appear to be uniformly applied. If you have no SSL, voice recognition will not work. If you have a self-signed certificate, it will. If you have no SSL, appcaching will work. If you have a self-signed certificate, it will not. Most people might ask why I don’t simply get a non-self-signed SSL certificate and be done with all this. Since SwitchBoard is meant to be run on an intranet, it - to my knowledge - cannot be served any SSL certificate from an authorized signing authority. Instead, you must rely on one that is not trusted - and either use it as an untrusted certificate or go to each machine and register that cert as being trusted.

Okay, so you go through the trouble to finally get your system to use a self-signed SSL certificate. You’ve gone to each machine on your network to register that cert so they know to trust it. But now SmartThings no longer reports state back to SwitchBoard. That’s because the associated SmartThings app uses sendHubCommand to send any state changes from the hub directly. This keeps your network safer by not having to punch a hole through your firewall in order to get his bidirectional communication. It’s also faster. It’s just a better experience, in general. But sendHubCommand, to my knowledge, is a very simple system and incapable of dealing with SSL. So once you’re using SSL, those state updates are no longer received. Bum out.