feat: support HTTPS connections and SSL verification bypass #620

Merged: firstof9 merged 3 commits into main from support-https-and-ssl-bypass on Jun 16, 2026

@firstof9 commented Jun 16, 2026 (Owner)

Summary

Adds support for HTTPS connections to the OpenEVSE charger and introduces options to bypass SSL certificate validation for both HTTP requests and WebSocket connections.

Details

  • OpenEVSE Client: Updated constructor to accept optional ssl: bool = False and ssl_verify: bool = True parameters. Constructs self.url with the https scheme when ssl is True and http otherwise.
  • Request Processing: Updates _process_request_with_session in OpenEVSE and _firmware_check_with_session in CommandsMixin to pass ssl=False to aiohttp requests when using HTTPS with disabled SSL certificate validation.
  • WebSocket Listener: Updated OpenEVSEWebsocket constructor to receive ssl_verify and pass ssl=False to session.ws_connect when using a secure WebSocket (wss://) with validation bypassed.
  • Examples & Docs: Added a code demonstration to example_external_session.py and updated README.md to document the new ssl and ssl_verify parameters.

Testing

  • Added test_ssl_options in tests/test_client.py covering URL construction and ssl=False request kwarg passing.
  • Added test_websocket_ssl_options in tests/test_websocket.py covering secure WebSocket URI construction and parameter passing.
  • Ran test suite locally (all 423 tests passed).

Context

Enables connecting to OpenEVSE modules running secure local servers with self-signed SSL/TLS certificates, laying the groundwork for secure downstream integration in systems like Home Assistant.

Summary by CodeRabbit

  • New Features

    • OpenEVSE client now supports HTTPS configuration with adjustable SSL certificate verification settings.
  • Documentation

    • Added HTTPS/SSL configuration documentation and example demonstrating certificate verification control.
  • Tests

    • Added test coverage for SSL options and websocket SSL behavior.

coderabbitai Bot commented Jun 16, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@github-actions github-actions Bot added the feature New Features label Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
example_external_session.py (1)

52-73: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The shared root cause is insecure-first guidance for TLS verification. The PR introduces a useful bypass capability, but both the runnable example and docs currently present ssl_verify=False as a primary/default path, which can propagate MITM-prone usage patterns.

  • example_external_session.py#L52-L73: keep SSL-bypass as an explicit opt-in/troubleshooting example, and stop running it as the default __main__ entrypoint.
  • README.md#L54-L66: add a clear warning that ssl_verify=False disables certificate validation and show the secure (ssl_verify=True) path first.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@example_external_session.py` around lines 52 - 73, The code is currently
presenting insecure SSL verification bypass as the default example, which
promotes unsafe MITM-prone usage patterns. At example_external_session.py lines
52-73, remove or replace the `example_with_https_and_ssl_bypass()` function call
from the `if __name__ == "__main__":` block; either create a secure example
function (with `ssl_verify=True` as the default) as the primary entrypoint, or
make the SSL-bypass example an explicit opt-in (e.g., commented out or
accessible by a command-line flag). At README.md lines 54-66, add a prominent
security warning that `ssl_verify=False` disables certificate validation and
exposes the connection to MITM attacks, then reorder the documentation to show
the secure path (with `ssl_verify=True`) as the primary/recommended approach
before mentioning the bypass option for troubleshooting only.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openevsehttp/commands.py`:
- Around line 439-442: The `_firmware_check_with_session` method applies the
`ssl_verify` setting to GitHub API requests, which compromises security for
external trusted services. Since this method exclusively fetches from GitHub's
trusted API (https://api.github.com), which has valid CA-signed certificates,
the SSL bypass logic should not apply here. Remove the conditional check that
sets kwargs["ssl"] = False based on self.ssl_verify within this method, ensuring
GitHub API requests always use proper TLS certificate verification regardless of
the user's local device SSL settings.

📥 Commits

Reviewing files that changed from the base of the PR and between 15b5a2e and 4cc1405.

📒 Files selected for processing (7)
  • README.md
  • example_external_session.py
  • openevsehttp/client.py
  • openevsehttp/commands.py
  • openevsehttp/websocket.py
  • tests/test_client.py
  • tests/test_websocket.py

Comment thread openevsehttp/commands.py Outdated
@firstof9 (Owner, Author)

We have addressed the outside-diff review comments:

  • Reordered the main execution block in example_external_session.py to use the secure example_with_external_session() as the default runnable entry point.
  • Updated README.md to show the secure HTTPS configuration (ssl_verify=True by default) first and added a prominent warning alerting users about the security risks of bypassing certificate validation.
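
Added example (not code from this PR or the openevsehttp project): one way to keep the `ssl_verify=False` bypass scoped to the charger, so a request to any other host, such as the GitHub firmware lookup flagged in the inline review comment, always keeps certificate verification. The helper names, the `openevse.local` host and the URL paths are assumptions constructed for illustration; `ssl=False` is aiohttp's existing per-request switch.

```python
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}


def device_base_url(host: str, ssl: bool = False) -> str:
    """Base URL as the PR describes it: https when ssl is True, else http."""
    return f"{'https' if ssl else 'http'}://{host}"


def tls_request_kwargs(url: str, device_host: str, ssl_verify: bool = True) -> dict:
    """Extra kwargs for an aiohttp request or ws_connect call (hypothetical helper).

    {"ssl": False} comes back only when the caller disabled verification,
    the URL uses TLS, and the URL targets the configured charger. Every
    other destination gets {} and keeps aiohttp's default verified TLS.
    """
    if ssl_verify:
        return {}
    target = urlsplit(url)
    if target.scheme not in SECURE_SCHEMES:
        return {}  # plain http/ws: no certificate is involved
    # device_host may carry a port ("openevse.local:8443"); compare names only
    charger = urlsplit(f"//{device_host}").hostname
    if target.hostname is None or target.hostname != charger:
        return {}  # third-party host: never inherit the device bypass
    return {"ssl": False}


def demo() -> dict:
    """Constructed sample URLs; nothing is sent over the network."""
    host = "openevse.local"
    urls = [
        f"{device_base_url(host, ssl=True)}/status",
        f"wss://{host}/ws",
        "https://api.github.com/",
    ]
    return {u: tls_request_kwargs(u, host, ssl_verify=False) for u in urls}


if __name__ == "__main__":
    for url, kwargs in demo().items():
        print(url, kwargs)
```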

@firstof9 firstof9 merged commit 4b00ab1 into main Jun 16, 2026
13 checks passed
@firstof9 firstof9 deleted the support-https-and-ssl-bypass branch June 16, 2026 16:40