Ingress addons alunched from sidebar return 401: Unauthorized

[mikosoft83]

The problem

When I try to launch any Ingress based addon from sidebar I get 401: Unathorized. This happened just randomly one day on all my devices (3 different computers, android and ios app, ipad app and also in private mode) and has been like that since (several days now). Restarting HA, HassOS or the whole Pi didn't help. The same behavior happens with File Editor, Node Red, ESPHome etc. When I try to launch WebUI directly from Addon page, it works fine.

Environment

• Home Assistant Core release with the issue: 0.114 and 0.155
• Last working Home Assistant Core release (if known): 0.114
• Operating environment (OS/Container/Supervised/Core): OS
• Integration causing this issue: ingress
• Link to integration documentation on our website:

Problem-relevant configuration.yaml

Traceback/Error logs

Additional information

[lovelylain]

Finally someone reported this problem. This seems to have nothing to do with the HA version. As long as the supervisor is version 236 and later, the sidebar ingress addons will report "401: Unauthorized". There is no problem if enter from "Open Web UI" of addon page.

IMAGE                                            NAMES
hassioaddons/node-red-amd64:7.2.0                addon_a0d7b954_nodered
homeassistant/amd64-addon-mosquitto:5.1          addon_core_mosquitto
homeassistant/qemux86-64-homeassistant:0.115.2   homeassistant
homeassistant/amd64-hassio-multicast:3           hassio_multicast
homeassistant/amd64-hassio-observer:3            hassio_observer
homeassistant/amd64-hassio-cli:26                hassio_cli
homeassistant/amd64-hassio-audio:17              hassio_audio
homeassistant/amd64-hassio-dns:9                 hassio_dns
homeassistant/amd64-hassio-supervisor:245        hassio_supervisor

[ludeeus]

The cookie handling changed a while back to be ready for the upcoming samesite requirements.
How are you accessing it? IP? mDNS? Home assistant cloud? Proxy? Tor? Does it matter?
What type and version of browsers?
Are anything logged to browser console?

[lovelylain]

The cookie is Name=ingress_session Path=/api/hassio_ingress/ SameSite=Strict, maybe it's the Path and SameSite property cause the problem.

[ludeeus]

They are both correct, now answer my questions.

[lovelylain]

ok, it's my browser dit not handle SameSite=Strict correctly, I switch to latest chrome and the problem gone.

[ludeeus]

@mikosoft83 Can you take a look at #7090 (comment)?
and/or check your browser version

[lovelylain]

But I think you guys are too radical. I tried a variety of browsers, including PC browsers and Android browsers. Only the latest version of chrome will not show 401: Unauthorized.

latest chrome:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

tried PC browsers:

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3775.400 QQBrowser/10.6.4208.400

tried Android browsers:

Mozilla/5.0 (Linux; U; Android 9; zh-cn; MI 6 Build/PKQ1.190118.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/11.4.17

Mozilla/5.0 (Linux; Android 9; MI 6 Build/PKQ1.190118.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/77.0.3865.120 MQQBrowser/6.2 TBS/045331 Mobile Safari/537.36 MMWEBID/5252 MicroMessenger/7.0.18.1740(0x2700123B) Process/tools WeChat/arm64 NetType/WIFI Language/zh_CN ABI/arm64

[mikosoft83]

@mikosoft83 Can you take a look at #7090 (comment)?
and/or check your browser version

Sorry for being a little late here but my computer is currently stowed away since the room it was in was remodeled.
The mobile apps started working by themselves.
I am using Vivaldi browser (chromium based). I checked and for some reason it stopped notifying me of updates so I forgot to update. After I updated it the Ingress stuff is now working. Thanks for your help, I wouldn't have noticed the browser was so out of date.

[ludeeus]

@lovelylain I have tested this with multiple browsers on desktop (Windows/Ubuntu/MacOS) and mobile (Android 9/iOS 13), none of which have any issues with connection.

[mikosoft83]

Well, sorry to reopen, but it happened again, out of the blue, without me updating anything. I think I was on sup 248, I updated Core after that, also Sup but it's the same, 401: Unauthorized.

[ludeeus]

My comment still stands #7090 (comment)

[mikosoft83]

I updated my browser and it works again. It was just a minor update.

@ludeeus do I need to religiously update my browser to prevent this from happening? It feels kinda silly.

[ludeeus]

Should not need to.
The browser should have the necessary support, or not, on a version that should not magically disappear 🤷

Closing this for now, if/when it happens again, please open a new issue and provide the details I asked for 👍

[Tyde]

I see this issue happening again in my firefox, but not on chrome.

The request parameters for Firefox are:

GET /api/hassio_ingress/Hg-0CXeijTkA-4E4a_okY-qCMbX4dkKN-eX4NoYE1Uc/ HTTP/1.1
Host: 192.168.178.44:8123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://192.168.178.44:8123/core_configurator
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

While on Chrome it sends the following:

GET /api/hassio_ingress/Hg-0CXeijTkA-4E4a_okY-qCMbX4dkKN-eX4NoYE1Uc/ HTTP/1.1
Host: 192.168.178.44:8123
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.178.44:8123/core_configurator
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ingress_session=#REDACTED#

So it seems like that Firefox is not sending a ingress_session cookie. I alse cleared all data for this site on Firefox but that did not help. Looking at the cookie-store for the site Firefox does indeed show a cookie called ingress_session, but it isn't part of the request header. Is this an issue with firefox?

[ludeeus]

Firefox does not send any cookies when their "Enhanced Tracking Protection" is set to Strict.
They have a warning in their settings:

about:preferences#privacy

[Tyde]

Yep thank you that was the issue

[felurx]

A note for those who don't want to lower their privacy settings (like me): You can just add an exception by clicking the shield next to the URL and toggling the switch off :)