Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecate http.api_password #21884

merged 4 commits into from Mar 11, 2019


Copy link

awarecan commented Mar 10, 2019

Breaking Changes

http.api_password config is deprecated, please add legacy_api_password auth provider if you still want to use api_password as authentication.

For example, if you have following configuration in previous release

# prior 0.90
   - type: homeassistant
   - type: legacy_api_password
  api_password: 12345678

You will get invalid configuration error in 0.90, because api_password config is required options for legacy_api_password auth provider now. You need to change your configuration.yaml to

# after 0.90
   - type: homeassistant
   - type: legacy_api_password
     api_password: 12345678

However, if you don't have auth_providers under your homeassistant configuration section, for example

# prior 0.90

  api_password: 12345678

We will give your more time to migrate your configuration, your HA system can still start up, we will load a legacy_api_password auth provider with api_password for you. However, you will receive a warning message to remind you change to the new configuration.

Please note, api_password authentication will eventually be removed, we advise user change to use one of other authentication methods.


This PR is one more step towards our goal to remove api_password entirely. Now, api_password no long lives in http component, all logic moved to legacy_api_password auth provider.

This PR does not change the way we do authentication, use api_password in query or header is still valid method, but we will print out INFO level log to remind user move away from those method. I am planning increase them to WARN level maybe in 0.91 release.

Detail changes

  • rewrote http auth middleware, better code structure, no function changes
  • deprecated http.api_password
  • removed hass.confg.api.api_password
  • removed password from hassio /homeassistant/options command's payload
  • add few AuthManager helper functions
  • some house clean up

Related issue (if applicable): fixes #

Pull request in with documentation (if applicable): home-assistant/

Example entry for configuration.yaml (if applicable):

   - type: homeassistant
   - type: legacy_api_password
      api_password: 12345678


  • The code change is tested and works locally.
  • Local tests pass with tox. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.

If user exposed functionality or configuration variables are added/changed:

If the code does not interact with devices:

  • Tests have been added to verify that the new code works.
Deprecated ApiConfig.api_password
GitHub Drafted PR would trigger CI after changed it to normal PR.
I have to commit a comment change to trigger it

@awarecan awarecan force-pushed the awarecan:deprecated-api-password branch from 3d4323a to a061f07 Mar 10, 2019

@@ -407,7 +407,7 @@ def get_template(self, latest):

no_auth = '1'
if hass.config.api.api_password and not request[KEY_AUTHENTICATED]:
if not request[KEY_AUTHENTICATED]:
# do not try to auto connect on load
no_auth = '0'

This comment has been minimized.

Copy link

balloob Mar 10, 2019


For a future PR, this is no longer used.

@awarecan awarecan changed the title Deprecated http.api_password Deprecate http.api_password Mar 10, 2019

@balloob balloob merged commit fe1840f into home-assistant:dev Mar 11, 2019

4 checks passed

Hound No violations found. Woof!
cla-bot Everyone involved has signed the CLA
continuous-integration/travis-ci/pr The Travis CI build passed
coverage/coveralls Coverage increased (+0.02%) to 92.737%

@wafflebot wafflebot bot removed the in progress label Mar 11, 2019

@awarecan awarecan deleted the awarecan:deprecated-api-password branch Mar 11, 2019

@awarecan awarecan referenced this pull request Mar 11, 2019


Use access_token instead api_password #15376

12 of 19 tasks complete

@alonalon alonalon referenced this pull request Mar 14, 2019


Remove http.api_password #19

@balloob balloob referenced this pull request Mar 20, 2019


0.90.0 #22216

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.