Releases: nstefanelli/hassio-access-control
v1.3.1
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.3.1
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.3.1
v1.3.0
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.3.0
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.3.0
v1.2.6
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.6
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.6
v1.2.5
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.5
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.5
v1.2.4
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.4
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.4
v1.2.3
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.3
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.3
v1.2.2
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.2
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.2
v1.2.1
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.1
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.1
v1.2.0
See CHANGELOG.md for details.
Container images:
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.2.0
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.2.0
v1.1.0 — HA Ingress + SSO (breaking)
First HA Ingress release. Adds an admin-only sidebar entry to Home Assistant; access via the sidebar (or the add-on page's "Open Web UI" button) uses HA SSO — no separate password to manage.
Breaking change
- The direct http://<ha-host>:8080 endpoint is gone. All access goes through HA Ingress.
- If you had bookmarks pointing to the direct port, replace them with the HA sidebar entry.
What's new
- HA Ingress (ingress: true, ingress_port: 8080).
- SSO via HA auth (auth_api: true) — HA admins are signed in automatically; non-admin HA users get a 403.
- Admin-only sidebar (panel_admin: true, icon: mdi:door-closed-lock).
- Header-injection defense — X-Remote-User-* headers are only trusted when accompanied by a strictly-validated X-Ingress-Path. Other add-ons on the same Docker bridge can't forge admin status.
- Cookie Path scoping — session/CSRF cookies scoped to the per-session ingress URL so they never leak across add-ons or to HA's own pages.
- Frame-headers aware of access mode — X-Frame-Options: SAMEORIGIN + CSP frame-ancestors 'self' under ingress (so HA can render the iframe); DENY + 'none' otherwise.
- Middleware-ordering runtime guard — fails loudly at startup if a future middleware addition silently demotes the ingress middleware from outermost.
- New ingress.py module with 10 dedicated unit tests; 48 total tests passing.
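The header-trust, frame-header and cookie-path rules listed above can be sketched as follows. This is an added example, not code from the project's ingress.py: the function names are hypothetical, and the path pattern (/api/hassio_ingress/ followed by a URL-safe token of 16 to 128 characters) is an assumption, since the project's own validation rules are not shown on this page.

```python
import re

# Assumption: an ingress path is /api/hassio_ingress/<URL-safe token>.
INGRESS_PATH = re.compile(r"/api/hassio_ingress/[A-Za-z0-9_-]{16,128}")


def ingress_prefix(headers):
    """Return the validated ingress prefix, or None for direct access."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-ingress-path", "")
    # fullmatch rejects traversal, query strings and trailing junk.
    return value if INGRESS_PATH.fullmatch(value) else None


def trusted_identity(headers):
    """Return X-Remote-User-* headers only if X-Ingress-Path validates."""
    if ingress_prefix(headers) is None:
        return {}  # identity headers without a valid ingress path are dropped
    return {k.lower(): v for k, v in headers.items()
            if k.lower().startswith("x-remote-user-")}


def frame_headers(headers):
    """Allow same-origin framing under ingress, forbid framing otherwise."""
    if ingress_prefix(headers):
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def cookie_path(headers):
    """Cookie Path attribute: the per-session ingress URL, else the root."""
    prefix = ingress_prefix(headers)
    return prefix + "/" if prefix else "/"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    via_ingress = {"X-Ingress-Path": "/api/hassio_ingress/" + "a" * 32,
                   "X-Remote-User-Name": "alice"}
    forged = {"X-Remote-User-Name": "alice"}  # no X-Ingress-Path
    malformed = {"X-Ingress-Path": "/api/hassio_ingress/../x",
                 "X-Remote-User-Name": "alice"}
    for request in (via_ingress, forged, malformed):
        print(trusted_identity(request), frame_headers(request),
              cookie_path(request))
```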
Internal cleanups
- _redirect() helper now always prefixes absolute URLs with the active ingress prefix (69 call sites).
- 70 hardcoded /foo URLs across 12 templates converted to relative; <base href> set per request.
- window.__INGRESS_PREFIX__ exposed for JS fetch() and window.location calls.
- Logout link hidden under SSO.
- 5 direct templates.TemplateResponse call sites updated to inject ingress context.
Migration
- No DB schema migration.
- Existing admin_username row is reused. SSO sessions are logged with actor="ha:<HA-display-name>" so you can distinguish them from any legacy cookie sessions in the audit log.
Verified
- All CI jobs green (yamllint, hadolint, shellcheck, pytest, amd64 build, aarch64 build, build-complete aggregator).
- Local smoke-test (docker run + curl) confirmed admin/non-admin/forged-header/missing-header paths all behave correctly.
- 3 review rounds; final verdict: "Ship it."
Images
- ghcr.io/nstefanelli/hassio-access-control-amd64:1.1.0
- ghcr.io/nstefanelli/hassio-access-control-aarch64:1.1.0
See CHANGELOG.md for the full diff.