It seems acceptable within reason:
- even though the TCP connection is not TLS protected you still have encryption of the physical layer provided by WPA2
- enabling TLS will be confusing to most users because you can't provide valid server certificates to each ESP32 device. Arguably this detracts from security because you're conditioning users to ignore invalid cert warnings (vs. ignoring "unencrypted connection" warnings ¯\_(ツ)_/¯ )
- traffic can't be sniffed easily, since you are the only connected party
- I assume you require physical interaction with the ESP device to activate the access point?
- corz's caveat applies only if you are using an unprotected WiFi network, but since you say you are changing the WiFi password I assume this is not the case
- technically you are mixing authentication and authorization which is generally considered problematic, and you may want to differentiate admins who can change the password and users of the device in future ...
Rationale: this is how most home routers handle this scenario, though they might require an additional administrative password.
I hope it's obvious that this advice is limited to devices requiring security from casual attackers and wouldn't apply to devices requiring e.g. HIPAA or PCI certification if only for the lack of differentiating authentication and authorization.
It's possible that even if only a single device can connect to the wifi, a previously connected device may be able to reuse some of the keying material, or compromise the ESP in any number of other ways. Also, allowing only a single device to connect definitely opens you to denial of service attacks, as well as certainly a number of further problems I'm not aware of.
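The point about separating authentication from authorization (a device password that both proves who you are and grants every privilege) can be illustrated concretely. The following is an added example, not code from the answer or comments above and not the original poster's firmware: a minimal command handler that keeps one credential per role, identifies the role from the presented password, and then checks that the role is allowed to run the requested command before acting. The command names, the role set and the PBKDF2 parameters are assumptions made for the example; the 8 to 63 printable ASCII rule for WPA2-PSK passphrases is the real constraint a "change WiFi password" command should enforce.

```python
import hashlib
import hmac
import os

# Role ordering: an admin may do anything a user may do, not vice versa.
ROLE_RANK = {"user": 1, "admin": 2}

# Each command names the least privileged role allowed to run it.
# The command names are made up for this example.
COMMAND_MIN_ROLE = {
    "toggle_relay": "user",
    "read_status": "user",
    "set_wifi_password": "admin",
    "set_admin_password": "admin",
}


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256. The iteration count is a placeholder chosen to keep
    # the example fast; real firmware would tune it to the device's CPU budget.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class DeviceAuth:
    """One salted hash per role, so a user password cannot unlock admin-only commands."""

    def __init__(self, admin_password: str, user_password: str):
        self._creds = {}
        for role, pw in (("admin", admin_password), ("user", user_password)):
            self.set_password(role, pw)

    def set_password(self, role: str, new_password: str) -> None:
        salt = os.urandom(16)
        self._creds[role] = (salt, _derive(new_password, salt))

    def authenticate(self, password: str):
        """Return the highest-ranked role whose password matches, or None."""
        matched = None
        # Always check every role so the response time does not depend on which
        # role (if any) matched; compare_digest avoids early-exit byte comparison.
        for role, (salt, stored) in self._creds.items():
            if hmac.compare_digest(_derive(password, salt), stored):
                if matched is None or ROLE_RANK[role] > ROLE_RANK[matched]:
                    matched = role
        return matched


def valid_wpa2_passphrase(p: str) -> bool:
    # WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
    return 8 <= len(p) <= 63 and all(32 <= ord(c) <= 126 for c in p)


def handle_command(auth: DeviceAuth, password: str, command: str, arg: str = None):
    """Authenticate, then authorize, then act. Returns (ok, message)."""
    role = auth.authenticate(password)
    if role is None:
        return False, "authentication failed"
    needed = COMMAND_MIN_ROLE.get(command)
    if needed is None:
        return False, f"unknown command {command!r}"
    if ROLE_RANK[role] < ROLE_RANK[needed]:
        return False, f"{role} may not run {command}"
    if command == "set_wifi_password":
        if not valid_wpa2_passphrase(arg or ""):
            return False, "WiFi passphrase must be 8-63 printable ASCII characters"
        # Real firmware would reconfigure the access point here.
        return True, "wifi passphrase updated"
    if command == "set_admin_password":
        if not arg:
            return False, "empty admin password"
        auth.set_password("admin", arg)
        return True, "admin password updated"
    return True, f"{command} done"


if __name__ == "__main__":
    # Constructed credentials for a stand-alone run.
    dev = DeviceAuth("admin-secret-example", "user-secret-example")
    print(handle_command(dev, "user-secret-example", "toggle_relay"))
    print(handle_command(dev, "user-secret-example", "set_wifi_password", "newpassword1"))
    print(handle_command(dev, "admin-secret-example", "set_wifi_password", "newpassword1"))
```

The handler keeps the two decisions separate: `authenticate` only answers "which role does this password belong to", and the rank check in `handle_command` only answers "is that role allowed to do this". Adding a third role, or letting a user change only their own password, then becomes a table edit rather than a rewrite of the password logic.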