Would like to secure puck.js with a pin code but it fails

Hi
Would like to secure my puck from connection/writing attempts.
Not sure what others use - would like some input.
Was thinking of either using a PIN code if I wanted to do something like connect/write new code, or making it connectable only when the button is pressed.

Tried using this in the onInit function

function onInit() {
  NRF.setSecurity({display : 1, keyboard : 1, mitm : 1, passkey : '1234'});

but get this error

Running onInit()...
BLE Connected, queueing BLE restart for later
Uncaught Error: ERR 0x7 (INVALID_PARAM)
 at line 1 col 72
...mitm : 1, passkey : '1234'});
                              ^
in function called from system

Later I moved the NRF.setSecurity({display : 1, keyboard : 1, mitm : 1, passkey : '123456'});
into the main body of the code and added "56", as it requires 6 characted PIN code.
But I can still connect to it and it does not ask for the code

And worst part is that now I am not able to connect to it =( It connects and then instantly disconnects

just did a hard reset to get back to it. Removed the "keyboard" option
Now, while I was not able to push the code, I was still able to correct to it via nRF client and change its name

Hi! There are some options shown here that might help you: http://www.espruino.com/BLE+Security#passkey-pin-pairing

This should work fine to stop connections: NRF.setSecurity({passkey:"123456", mitm:1, display:1});

I was still able to correct to it via nRF client and change its name

I'm not quite sure what you mean here. I believe you may be able to connect to the Puck but you won't be able to actually do anything. 'Changing the name' may just be the name that appears in nRF Connect - so nothing on the actual device.

making it connectable only when the button is pressed.

This is probably safest. Also, if you're not advertising data all the time you can use less power and make it last longer. Again there are a few code examples on http://www.espruino.com/BLE+Security

nRF client shows writeable attributes and name is one of them. I do not know how nRF client connects to change the name (as pairing/bonding is asking for a pin code) without real pairing. But it does and it does it on a device- once changed I can see it changed when I connect from IDE as well as other devices

Wow, thanks! I'll look into getting that changed - issue filed here: https://github.com/espruino/Espruino/issues/2033

In Bluetooth LE each attribute has some security flags - whether it can be read/written by an insecure connection or not. The UART connection security flags are set so that you can't communicate without being in a secure connection (hence the need for a Pin) but it looks like you can change the name without that!