Legacy API password auth provider is not loading if http config file was in packages folder #16441

Closed
point-4ward opened this issue Sep 5, 2018 · 8 comments

point-4ward commented Sep 5, 2018

Home Assistant release with the issue: 77.3

Last working Home Assistant release (if known): Pre 77

Operating environment (Hass.io/Docker/Windows/etc.): Debian / Venv

Component/platform: Auth

Description of problem:

I have an API password set - I have removed the 'auth' bits from my configuration so it should be default as per the blog. Anything trying to use the old api password is causing an IP ban. Most recent example thus:

I have a bash script that runs when I sync my config to dropbox, the last line of which is

curl -X POST -H "x-ha-access: $1" $2

$1 = https://MY-HA-URL/api/events/done_sync
$2 = my legacy api password

What should happen is it fires an event called done_sync, which then triggers another automation.

I've just run it, and when the script completed I did not receive the event, but got this...


2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.auth] You need to use a bearer token to access /api/events/done_sync from MY-HOME-IP
2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from MY-HOME-IP
2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from MY-HOME-IP

So it knows it's on the legacy password, hence the first warning, but it is still not letting it through and has eaten up two of my three chances before an IP ban.

This is also happening with GPS logger and the iOS app, which I've had to disable because we were getting banned every 40 minutes.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

My whole config is in packages, which you can see on my github if you want, but basically I have removed the

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: legacy_api_password

auth:

...that we had pre 77 and the gpslogger/ios configuration is standard, and the api event call is as per my Description above.

Additional information:

Before the auth system became default and I had

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: legacy_api_password

auth:

in the config, this was working (albeit with countless warnings about bearer tokens!) and I didn't get locked out.

awarecan commented Sep 5, 2018

According to your log, the legacy_api_password auth provider didn't load. We log that message at info level if you enabled the legacy_api_password auth provider, warning if not.

Not sure if the package messed up the config processing function. As a quick fix, you can still keep your "pre 77" config, and maybe add in the trusted_networks provider if needed.

Please post your current core section and http section config in here, so that we can investigate the root cause.
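
An added example, not part of the original thread and not Home Assistant's own code: a log triage helper that applies the rule described in the comment above (bearer-token message at WARNING level means the legacy provider was not loaded) and counts ban-module failures per source against `login_attempts_threshold`. The function name `triage`, the report fields and the INFO-level sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the report, plus one constructed
# INFO-level line of the kind described for a loaded legacy provider.
SAMPLE_LOG = """\
2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.auth] You need to use a bearer token to access /api/events/done_sync from MY-HOME-IP
2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from MY-HOME-IP
2018-09-05 13:31:11 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from MY-HOME-IP
2018-09-05 13:40:02 INFO (MainThread) [homeassistant.components.http.auth] You need to use a bearer token to access /api/states from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \(\w+\) \[(?P<logger>[\w.]+)\] "
    r"(?P<msg>.*) from (?P<src>\S+)$"
)
AUTH_LOGGER = "homeassistant.components.http.auth"
BAN_LOGGER = "homeassistant.components.http.ban"


def triage(log_text, threshold=3):
    """Summarise per-source auth failures from Home Assistant log text."""
    report = defaultdict(lambda: {"failures": 0, "legacy_not_loaded": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth/ban line in the expected shape
        entry = report[m["src"]]
        if m["logger"] == BAN_LOGGER and "invalid authentication" in m["msg"]:
            # Each ban-module warning uses up one attempt before the IP ban.
            entry["failures"] += 1
        elif m["logger"] == AUTH_LOGGER and "bearer token" in m["msg"]:
            # WARNING: legacy_api_password provider not loaded; INFO: loaded.
            if m["level"] == "WARNING":
                entry["legacy_not_loaded"] = True
    for entry in report.values():
        entry["remaining"] = max(threshold - entry["failures"], 0)
    return dict(report)


if __name__ == "__main__":
    for src, entry in triage(SAMPLE_LOG).items():
        print(src, entry)
```

A source with `legacy_not_loaded` set and `remaining` close to zero is a client still sending the legacy password to an instance that no longer accepts it, which is the lockout pattern reported here.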

point-4ward commented Sep 5, 2018

No worries...

HTTP component

Interface package:

http:
  api_password: !secret api_password
  ip_ban_enabled: True
  login_attempts_threshold: 3
  ssl_certificate: !secret ssl_certificate
  ssl_key: !secret ssl_key
  base_url: !secret base_url

Cores:

configuration.yaml

homeassistant:
  name: Home Assistant - Node Zero

  latitude: !secret latitude
  longitude: !secret longitude
  elevation: !secret elevation

  time_zone: !secret time_zone
  unit_system: metric

  packages: !include_dir_named packages/

My occupancy package:

homeassistant:
  customize_glob:
    automation.*:
      custom_ui_state_card: state-card-custom-ui
      confirm_controls_show_lock: true

  customize:
    group.all_automations:
      custom_ui_state_card: state-card-custom-ui
      friendly_name: Automations
      icon: mdi:home-automation
      hidden: false
      hide_control: true
      confirm_controls_show_lock: true
      extra_badge:
        - entity_id: sensor.automation_on
        - entity_id: sensor.automation_all

    group.phone_trackers:
      custom_ui_state_card: state-card-custom-ui
      state_card_mode: badges

    sensor.home_status:
      icon: mdi:home-map-marker

    input_boolean.holiday_mode:
      custom_ui_state_card: state-card-custom-ui
      hide_control: true
      extra_badge:
        entity_id: input_boolean.holiday_mode

awarecan commented Sep 6, 2018

OK, I can reproduce your issue by moving the http section to a separate file under the packages folder.
To temporarily fix your problem, you can either move the http section to the configuration.yaml file, or put back the auth_provider section.

It is a problem, but we may not be able to fix that since we process auth_provider during the core section loading, which is earlier than the packages processing.

I will keep this issue open for now, I may revisit it when I have free time.

@awarecan awarecan changed the title Auth problems with legacy API password - getting locked out... Legacy API password auth provider is not loading if http config file was in packages folder Sep 6, 2018
@awarecan awarecan added the core label Sep 6, 2018
@point-4ward

No worries, thanks for looking into it 👍

@balloobbot

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@point-4ward

To be fair I think this was an edge case, I moved the http config back to configuration.yaml and it worked fine, and have since abolished all use of the api_password and moved the http configuration back to a package without issue.

@home-assistant home-assistant locked and limited conversation to collaborators Mar 2, 2019