Lovelace: Login attempt or request with invalid authentication #23055

Open
olbjan opened this issue Apr 12, 2019 · 117 comments

@olbjan olbjan commented Apr 12, 2019

Home Assistant release with the issue:

0.91.0 - 0.91.2

Last working Home Assistant release (if known):

Operating environment (Hass.io/Docker/Windows/etc.):

Hass.io on HassOS on Pi and NUC

Component/platform:

Frontend

Description of problem:
When adding a generic camera entity to a picture-elements card (say a floorplan) in lovelace, I get `Login attempt or request with invalid authentication from IP` about one in three or four times upon opening the Home Assistant site.
This happens in the iOS companion app and in Safari, Firefox and Chrome on PC.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

elements:
  - entity: camera.living_room
    style:
      left: 28%
      top: 12%
    type: state-icon
image: /local/floorplan.jpg
title: Floorplan
type: picture-elements

Traceback (if applicable):


Additional information:

  • Removing the camera entity removes the problem
  • I tried a run with log level set to debug but there was nothing logged that did point me towards what caused this

@justinvoelker justinvoelker commented Apr 28, 2019

Experiencing the same problem with some cameras from a ZoneMinder instance with the config below.

Home Assistant 0.92.0 running within Docker on a Raspberry Pi

zoneminder:
  - host: 192.168.***.***
    ssl: true
    username: !secret zoneminder_username
    password: !secret zoneminder_password
camera:
  - platform: zoneminder

Checking the device states shows the following. In this instance, indoor_01 is the camera throwing the error.

| Entity | State | Attributes |
| --- | --- | --- |
| camera.indoor_01 | unavailable | friendly_name: indoor-01; entity_picture: /api/camera_proxy/camera.indoor_01?token=...; supported_features: 0 |
| camera.indoor_02 | idle | access_token: ...; friendly_name: indoor-02; entity_picture: /api/camera_proxy/camera.indoor_02?token=...; supported_features: 0 |

Contributor

@orson1282 orson1282 commented Jun 4, 2019

Same here with Zoneminder running Home Assistant 0.93.2 in Docker on Ubuntu 18.04 and Zoneminder on another server.

Contributor

@jjlawren jjlawren commented Jul 9, 2019

I've run HA through a proxy to see why this occurs. For some reason the picture-* cards will make requests to the camera even when it's just an icon on the card and not acting as a picture/stream:

Example HTTP call made when loading the view that contains one of the above cards:

GET /api/camera_proxy/camera.my_camera?token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 401

For some reason 1) the card requests data from the camera when it shouldn't and 2) this request fails with a 401 auth error somewhat consistently.

Contributor

@orson1282 orson1282 commented Sep 4, 2019

I think I found a solution for my issue. I added the use_x_forwarded_for and trusted_proxies variables to the http integration... as I'm using a proxy.

So it looks like this:

http:
  base_url: https://xxxxxxx.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.x.x


@sreknob sreknob commented Sep 7, 2019

Just chiming in here, having the same issue with my iPhone getting IP banned using beta companion app. Running in docker with trusted proxies and use_x_forwarded_for both on.

http:
    base_url: https://ha.xxxxxxx.com
    ip_ban_enabled: true
    login_attempts_threshold: 5
    use_x_forwarded_for: true
    trusted_proxies:
      - 172.17.0.0/16

Just looking at my config, I am using the docker ip address range given that's what I had to use before when using trusted networks. Would it make more sense to use my local subnet for proxies instead?

Member

@Santobert Santobert commented Sep 9, 2019

Same here. Homeassistant runs in docker. I use a mjpeg camera and floorplans.

2019-09-09 06:01:13 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.208.1

192.168.208.1 is the docker host that proxies requests from IPv6. This error also occurs with IPv4. The traceback then contains the IP address of the requesting device.

The error only occurs when my Android device (Google Chrome) reloads the page.


@danbowkley danbowkley commented Oct 28, 2019

Same here on 100.3, no proxy, HA in a venv on Ubuntu 18.04 with UniFi cameras as well as generic camera entities passing the rtmp feed from the UniFi NVR (so I can cast them). Have to ssh in, delete the ban file, and restart to get back in. The NVR and HA are running on the same machine.

@raymondoooo raymondoooo commented Nov 5, 2019

Same here. Been like this for a while. I had to disable IP Bans.


@Legsmaniac Legsmaniac commented Nov 5, 2019

> Same here. Been like this for a while. I had to disable IP Bans.

How do you disable IP Bans please?


@raymondoooo raymondoooo commented Nov 5, 2019

Just remove the line from your yaml.

https://www.home-assistant.io/integrations/http


@Legsmaniac Legsmaniac commented Nov 5, 2019

Um... I don't have any line in my yaml.
Yet outside IPs are banned.
I even tried adding ip_ban_enabled: false and still no luck.
Something amiss somewhere.....


@joaoasilva joaoasilva commented Nov 5, 2019

I'm having exactly the same problem since the last version, can this be addressed? All my cameras stopped working with HA.
Thanks

Contributor

@Mariusthvdb Mariusthvdb commented Nov 5, 2019

ha 101.2 here Hassio on Rpi4, getting constant 192.168.1.1 login bans, while my config uses:

  auth_providers:
   - type: homeassistant
   - type: trusted_networks
     trusted_networks:
       - 127.0.0.1
       - 192.168.1.0/24


edit/update

appeared that my long-lived-access-token got wiped during update, so one of my rest sensors tried to initialize but didn't get authenticated....

how that happened I don't know, but reinstalling an access-token solved it.


@Legsmaniac Legsmaniac commented Nov 5, 2019

Got my cameras working again by downgrading to 0.99.3
Wondering if it's got anything to do with the demise of JSON?


@yaba yaba commented Nov 6, 2019

Mine is fixed, totally forgot that Node-RED was using legacy auth method.
Warning message should include details about where the request is coming from.


@joaoasilva joaoasilva commented Nov 6, 2019

This is related with Lovelace @yaba. Also, you didn't provide the steps to fix it which doesn't help much.


@yaba yaba commented Nov 6, 2019

@joaoasilva Sorry. I came to this thread because lovelace/HA was giving Login attempt or request with invalid authentication from every 2 seconds.
Since I also have a camera entity like the top user, I've tried to disable it and restart HA. Same problem.
Disabled every camera and possible integrations that could be using legacy auth and problem persisted.
Later I've remembered that Node-RED was using node-red-contrib-home-assistant instead of node-red-contrib-home-assistant-websocket, removed the old integration and installed the new one which supports tokens. Fixed.
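
One way to triage these warnings, as an added example that is not from the thread or from Home Assistant: it groups the ban warnings by source IP and separates evenly spaced failures (like the every-2-seconds case above) from irregular ones. The log lines and IPs are constructed in the format of the warning quoted earlier; the default threshold of 5 mirrors the `login_attempts_threshold` posted above, and how Home Assistant itself counts attempts is not modeled.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, using the warning format quoted in this thread.
MSG = ("WARNING (MainThread) [homeassistant.components.http.ban] "
       "Login attempt or request with invalid authentication from")
EVENTS = [
    ("09:00:00", "192.0.2.10"), ("09:00:02", "192.0.2.10"),
    ("09:00:04", "192.0.2.10"), ("09:00:06", "192.0.2.10"),
    ("09:00:08", "192.0.2.10"), ("09:00:10", "192.0.2.10"),
    ("09:03:10", "192.0.2.20"), ("09:41:55", "192.0.2.20"),
    ("11:20:07", "192.0.2.20"),
]
SAMPLE_LOG = "\n".join(f"2019-11-06 {t} {MSG} {ip}" for t, ip in EVENTS)
SAMPLE_LOG += "\n2019-11-06 11:21:00 INFO (MainThread) [homeassistant.core] unrelated"

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*"
    r"\[homeassistant\.components\.http\.ban\] "
    r"Login attempt or request with invalid authentication from (\S+)"
)


def triage(log_text, threshold=5, jitter=1.0):
    """Summarise auth-failure warnings per source IP.

    'periodic' means the gaps between failures vary by at most `jitter`
    seconds (a client polling with a bad credential); 'sporadic' covers
    everything else (e.g. a browser tab reusing a stale token).
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            seen[m.group(2)].append(ts)

    report = {}
    for ip, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and statistics.pstdev(gaps) <= jitter
        report[ip] = {
            "failures": len(times),
            "at_threshold": len(times) >= threshold,  # caller-supplied limit
            "pattern": "periodic" if periodic else "sporadic",
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```
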


@Legsmaniac Legsmaniac commented Nov 6, 2019

No idea what Node Red is so pretty sure that's not my problem.
Mine is still camera related though and is to do with my triggers calling via web requests.......

URL = http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password>

Method - POST

Content Type = Application/JSON

Body = { "entity_id" : "media_player.lounge_display" , "media_content_id" : "http://xxxxxxxx.noip.me:xxxxx/mjpg/Front/video.mjpg" , "media_content_type" : "image/jpg"}

API password is set and correct yet they still kept getting blocked.
As I said above, wondering if it's anything to do with the demise of JSON on 0.100.x because of the Content Type = Application/JSON ?

Anyone? Any ideas?

Happy with 0.99.3 for now, works for me with no problems whatsoever.

Contributor

@tribut tribut commented Nov 6, 2019

Authenticating via ?api_password is no longer supported. This is mentioned prominently in the release notes:

https://www.home-assistant.io/blog/2019/10/30/release-101/#api-password-and-trusted-networks

You will have to switch to authentication tokens.


@Legsmaniac Legsmaniac commented Nov 6, 2019

I did read that but it still works with version 0.99.3 yet it was supposed to have been deprecated long since?

So if I used tokens, how do I call it? I mean, instead of ?api_password what do I use?

Contributor

@tribut tribut commented Nov 6, 2019

Yes, it has long been marked as deprecated, but support for it was only removed in 0.101.

Using authentication tokens is described in the dev docs:

https://developers.home-assistant.io/docs/en/external_api_rest.html

It boils down to setting an HTTP header like this: Authorization: Bearer ABCDEFG.


@Legsmaniac Legsmaniac commented Nov 7, 2019

Thank you.
I'll give it a whirl in the morning.


@Legsmaniac Legsmaniac commented Nov 7, 2019

Hmmmm. I'm obviously not doing something right. More help needed please?

So, instead of
http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password>
what should it be? I've tried things like
http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?Authorization: Bearer <token>
which doesn't work, tried without the ? replacing with a space, still no go. In fact, I must have tried about 20 different ways and now I'm getting into a muddle.
Sorry to be a pain. I'm useless.

Contributor

@Hypfer Hypfer commented Nov 8, 2019

@Legsmaniac The HTTP Header is not part of the URL

You need to set it somewhere else.

For CURL see https://curl.haxx.se/docs/manpage.html#-H
For Postman see https://learning.getpostman.com/docs/postman/sending-api-requests/requests/#headers
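
The difference between a credential in the URL and one in a request header, as an added example that is not part of the thread or of Home Assistant's code: a stub server on loopback (an assumption standing in for the API, accepting only a bearer header) receives the same POST three ways. The token, the stub and its 401 behaviour are constructed for illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "EXAMPLE-LONG-LIVED-TOKEN"  # constructed placeholder, not a real token
# Ignore any proxy environment variables so the demo stays on loopback.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class StubAPI(BaseHTTPRequestHandler):
    """Stand-in for the REST API: accepts only 'Authorization: Bearer <token>'."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain the JSON body
        ok = self.headers.get("Authorization") == f"Bearer {TOKEN}"
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def post(url, body, headers=None):
    """POST JSON and return the HTTP status code."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", **(headers or {})},
        method="POST",
    )
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    server = HTTPServer(("127.0.0.1", 0), StubAPI)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = (f"http://127.0.0.1:{server.server_port}"
            "/api/services/media_player/play_media")
    body = {"entity_id": "media_player.lounge_display"}
    try:
        return {
            # Credential in the query string: no Authorization header is sent.
            "query_string": post(f"{base}?api_password={TOKEN}", body),
            # Header text pasted into the URL is still only query text.
            "header_in_url": post(f"{base}?Authorization=Bearer%20{TOKEN}", body),
            # The token travels in a request header, separate from the URL.
            "bearer_header": post(base, body, {"Authorization": f"Bearer {TOKEN}"}),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Keeping the token out of the URL also keeps it out of proxy and access logs, which record the request line but not normally the headers.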


@AndreCox AndreCox commented Jun 28, 2021

Do you have a failed login attempt though, if not you're probably suffering from another issue.

Yes, I do and they actually appear exactly when picture entity fails to load camera stream.

I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience.


@ttaidapos ttaidapos commented Jun 29, 2021

I keep an eye on those suckers regularly. I did have one that hasn't been used for a bit that I just killed. I'll report back...

Home habits...

  • Phones: Primarily used using the official app on Android
  • Tablets: There's one mounted on our wall that we use regularly, also uses the official android app
  • Browser: I typically have hass open using Chrome throughout the day

Update
Fairly certain this has to do with Google Chrome and having the session open. It seems that once you change tabs after a certain amount of time, it doesn't like the token for some reason and triggers the issue. Dismissing the error in hass and refreshing the page is a good workaround but if gone unnoticed, that's when my router gets banned. Not sure if others can test this theory as well.

I presume the android app deals w/the token the same way so similar experience there.


@alphasixtyfive alphasixtyfive commented Jul 1, 2021

> Do you have a failed login attempt though, if not you're probably suffering from another issue.
>
> Yes, I do and they actually appear exactly when picture entity fails to load camera stream.
>
> I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience.

I strongly believe this is exactly the case.


@alphasixtyfive alphasixtyfive commented Jul 1, 2021

> I keep an eye on those suckers regularly. I did have one that hasn't been used for a bit that I just killed. I'll report back...
>
> Home habits...
>
>   • Phones: Primarily used using the official app on Android
>   • Tablets: There's one mounted on our wall that we use regularly, also uses the official android app
>   • Browser: I typically have hass open using Chrome throughout the day
>
> Update
> Fairly certain this has to do with Google Chrome and having the session open. It seems that once you change tabs after a certain amount of time, it doesn't like the token for some reason and triggers the issue. Dismissing the error in hass and refreshing the page is a good workaround but if gone unnoticed, that's when my router gets banned. Not sure if others can test this theory as well.
>
> I presume the android app deals w/the token the same way so similar experience there.

Same thing happens with Safari and iOS app which is basically a Safari's webView.


@AndreCox AndreCox commented Jul 1, 2021

I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.


@ttaidapos ttaidapos commented Jul 1, 2021

> I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.

I agree 100% and I know many people have from random postings. I noticed this behavior long time ago and issues I had opened were closed. I just couldn't articulate the problem and provide the right logs. Hopefully this around of energy translates to acknowledgement and future remediation!


@Codelica Codelica commented Jul 1, 2021

> Do you have a failed login attempt though, if not you're probably suffering from another issue.
>
> Yes, I do and they actually appear exactly when picture entity fails to load camera stream.
>
> I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience.
>
> I strongly believe this is exactly the case.

@ascillato documented this behavior a while back, both here and in this frontend thread.


@AndreCox AndreCox commented Jul 11, 2021

Hey there was a new HA update about 3 days ago and it looks like this issue may be fixed still need to test it some more though.


@AndreCox AndreCox commented Jul 11, 2021

> Hey there was a new HA update about 3 days ago and it looks like this issue may be fixed still need to test it some more though.

Nope after some more testing the issue showed up again after I re-added my camera card.

@alphasixtyfive alphasixtyfive commented Jul 12, 2021

I've noticed that not having live picture entity card may help.


@AndreCox AndreCox commented Sep 9, 2021

> I've noticed that not having live picture entity card may help.

Yes noticed that too also going to do some testing to see if it happens if I put the live picture entity on a different page in Lovelace. Hopefully this bug can be fixed because it's been driving me nuts.


@entropie entropie commented Sep 9, 2021

This bug is like 30 months old. Face it, nobody cares to fix unfortunately.

Contributor

@TheLastProject TheLastProject commented Sep 9, 2021

I personally haven't had any issues anymore since a lovelace-valetudo-map-card contributor replaced fetch with this._hass.fetchWithAuth in the Lovelace Valetudo Map Card here: https://github.com/TheLastProject/lovelace-valetudo-map-card/pull/93/files

So, the solution for the picture entity card may be similar.


@cmatte cmatte commented Dec 13, 2021

This issue has been occurring to me pretty much forever after I have setup cameras years ago, and the only "solution" has been to disable ip bans, which is, well, extremely un-wanted to be honest so I have never done it and got used to login via VPN, change the bans file, and reboot HA. Is anyone able to look at a resolution?

Available to troubleshoot if that helps.


@TeaRexJack TeaRexJack commented Jan 12, 2022

I had a lot of these failed login attempts messages because of camera streams in lovelace cards.
As a workaround I created a toggle helper called camera_feeds and use this helper in a conditional card before showing the camera feed. This creates a tiny delay which is enough to prevent the login attempt fail errors (at least in my case).
Maybe you could try it out?

Contributor

@FHeilmann FHeilmann commented Feb 3, 2022

@TeaRexJack would you mind elaborating on your solution? How did you implement it.


@TeaRexJack TeaRexJack commented Feb 4, 2022

> @TeaRexJack would you mind elaborating on your solution? How did you implement it.

On which part do you need more information?
First I created a toggle helper (input_boolean) which I named camera_feeds because I want to use it for all my cameras.
Then instead of directly using the picture entity lovelace card I used the Conditional Card which checks the state of the boolean.
If the state is on, the card will be shown.

My card would look like this:

type: conditional
conditions:
  - entity: input_boolean.camera_feeds
    state: 'on'
card:
  type: picture-entity
  camera_image: camera.camera1
  show_state: false
  show_name: false
  aspect_ratio: '1:1'
  entity: camera.camera1

I'm by no means a professional programmer but from reading online and in this topic my guess is that by doing it this way a connection to home assistant is forced to retrieve the state of the helper before the camera lovelace card can give the login attempt error.

Contributor

@FHeilmann FHeilmann commented Feb 4, 2022

Perfect, thank you!


@Maco65 Maco65 commented Feb 8, 2022

@TeaRexJack - thank you. Will try this "feature" on my card.

Even if this workaround is eliminating Login error I am thinking what can be done to fix this issue where the "root cause" is ?
This issue will soon have 3 years being open...


@entropie entropie commented Feb 9, 2022

@TeaRexJack's workaround is not working for me.


@Maco65 Maco65 commented Feb 9, 2022

I have added conditional card to my existing button card (with camera feed) and for a day it was OK but today error appeared again. :(
Will try with exactly the same cards as @TeaRexJack has used (picture-entity card) and will see...


@TeaRexJack TeaRexJack commented Mar 4, 2022

> I have added conditional card to my existing button card (with camera feed) and for a day it was OK but today error appeared again. :( Will try with exactly the same cards as @TeaRexJack has used (picture-entity card) and will see...

Did it work with the picture-entity card?

I noticed I got one login attempt error last week when I got my dashboard open in the home assistant app and the phone is on standby. Then I travelled and my phone switched wifi networks, I opened my app and I got the error.


@Maco65 Maco65 commented Mar 4, 2022

> I have added conditional card to my existing button card (with camera feed) and for a day it was OK but today error appeared again. :( Will try with exactly the same cards as @TeaRexJack has used (picture-entity card) and will see...

Unfortunately it seems that in my case neither of the above solutions works. I am still getting this error and I think it is related to the fact that I am viewing camera feed from my laptop and smartphone quite often at the same time.
