Enable auth by default 🙈 #16107
Sounds not right. To allow users to log in without entering password, you can use the trusted networks auth provider. Example configuration for trusted networks auth provider:
My bad, that didn't sound right. I am going to add some docs. Will add the config example there.
Another thought, if the user doesn't set api_password, we should either not load the legacy_api_password auth provider, or let it fail quietly.
@awarecan good point, I will open a PR.
Not loading, with an error, is better. Failing is a bit hard for Docker users.
I have a better idea, cooking up a PR :)
Legacy API password provider will now abort any login flow if API password has not been set: #16127
So the new user will see two auth providers, and the legacy one is broken out-of-box?
They will see an abort message saying that it won't work because there is no HTTP password. They already created an owner via onboarding, so they can log in with that.
Why we need |
I think we should auto load legacy_api_password depending on whether http.api_password exists
I like that idea.
Updated.
@@ -87,9 +87,11 @@ def from_config_dict(config: Dict[str, Any], | |||
log_no_color) | |||
|
|||
core_config = config.get(core.DOMAIN, {}) | |||
has_api_password = bool((config.get('http') or {}).get('api_password')) |
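Review bot: On the added `has_api_password` line, `bool(...)` makes an empty-string `api_password` count as unset, and the `or {}` guard only covers a missing or `None` `http` value; a truthy non-mapping value would still fail at `.get`. Since the discussion says this flag decides whether legacy_api_password is loaded by default, a one-line comment stating both behaviours would help. Also consider named constants instead of the literals 'http' and 'api_password', as the preceding line does with `core.DOMAIN`.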
If a user has just `http:` in their config, the key exists but is `None`. The `or` solves both if key does not exist or when it's `None`.
Pascal, you were right, we should avoid getting people to configure auth themselves. The default settings should suffice. This is a good solution.
* Enable auth by default
* Only default legacy_api_password if api_password set
* Tweak bool check
* typing
Description:
This enabled the new authentication system by default. This will enable both the Home Assistant local auth provider and the Legacy API password auth provider. New users will be routed via an onboarding flow on initial boot to create a new user. This new user will be owner and is able to add more users.
Breaking change: It is no longer possible to use Home Assistant without authentication. To allow users to log in without entering a username or password, you can configure the trusted networks auth provider. If you were using another application to provide authentication, like NGINX, configure it to set the header `x-ha-access: <API PASSWORD>` on each request. In the future, this header will be replaced with a header containing a long lived access token (#15195). (I don't use these platforms like NGINX, would be nice if people would contribute config examples)
Related issue (if applicable): #15703
Checklist:
tox. Your PR cannot be merged unless tests pass
If the code does not interact with devices: