Here are some thoughts on how this plugin's OAuth login might be attacked by a device at the same LAN. Let the user see what/how many tokens are active in their mi home app. And able to revoke them.