An Open Letter to Google

Dear Google,

In 2014, around about the same time that you acquired Nest Labs, I bought and had installed a Nest Learning Thermostat to control our central heating and give us remote access. I think that it has been a great success, so much so that I have recently upgraded to the latest version that also allows our hot water to be controlled.

I then had an idea! What if I could see temperatures around the house and use that data to get better control over resources there? So I wrote a simple dashboard which I called The Weather Station. I’ve extended this over the years and now it not only includes temperature information but also energy usage and information on power generated by our solar panels.

Initially I used the Nest Labs API to get the information I wanted from the thermostat, which was nothing grand, just the current temperature and whether the heating was on. This API was simple but effective, didn’t require much work to get it up and running and worked well until…

Then you, Google, decided to unify your devices under the same API, which admittedly increased security through the introduction of OAuth but added greater complexity into the mix too. Eventually, I got it working and all seemed fine, but I noticed that after a while the connection between my app and the device was “lost”. I added more logging and found that this was happening exactly every seven days.

I did some digging and I discovered that others were reporting this issue too. I had initially assumed that it was an issue with my code and there would be a simple solution, but actually the underlying cause is that you, Google, are revoking the refresh token after seven days. There is, however, a way around this and that is to put your app into production mode. Great! I thought, but hold on, what’s this about having to verify the app and write a privacy policy and T&Cs? I can also avoid that by signing up to a paid Google Workspace account, it seems.

Basically, all this is set up for larger organisations and developers that are developing apps for the masses and not the hobbyist who just wants quick, simple access to their own devices for their own use. Why would I need to write a privacy policy for an app that only I am ever going to use? In fact, thanks to Cloudflare’s Zero Trust, I am literally the only person that can ever access the app.

Here’s my request, Google, a plea from other hobbyists such as myself. Please allow us access to our devices and stop revoking the refresh token weekly. By all means restrict it to only allow access to a single email address and revoke annually if you must, but for the love of god please stop the weekly revoke.

Yours,

Neil Thompson
