Skip to content

v1.1.0 — HA Ingress + SSO (breaking)

Choose a tag to compare

View all tags
@nstefanelli nstefanelli released this 23 May 15:07
· 18 commits to main since this release
v1.1.0
ba43d07
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

First HA Ingress release. Adds an admin-only sidebar entry to Home Assistant; access via the sidebar (or the add-on page's "Open Web UI" button) uses HA SSO — no separate password to manage.

Breaking change

  • The direct http://<ha-host>:8080 endpoint is gone. All access goes through HA Ingress.
  • If you had bookmarks pointing to the direct port, replace them with the HA sidebar entry.

What's new

  • HA Ingress (ingress: true, ingress_port: 8080).
  • SSO via HA auth (auth_api: true) — HA admins are signed in automatically; non-admin HA users get a 403.
  • Admin-only sidebar (panel_admin: true, icon: mdi:door-closed-lock).
  • Header-injection defenseX-Remote-User-* headers are only trusted when accompanied by a strictly-validated X-Ingress-Path. Other add-ons on the same Docker bridge can't forge admin status.
  • Cookie Path scoping — session/CSRF cookies scoped to the per-session ingress URL so they never leak across add-ons or to HA's own pages.
  • Frame-headers aware of access modeX-Frame-Options: SAMEORIGIN + CSP frame-ancestors 'self' under ingress (so HA can render the iframe); DENY + 'none' otherwise.
  • Middleware-ordering runtime guard — fails loudly at startup if a future middleware addition silently demotes the ingress middleware from outermost.
  • New ingress.py module with 10 dedicated unit tests; 48 total tests passing.

Internal cleanups

  • _redirect() helper now always prefixes absolute URLs with the active ingress prefix (69 call sites).
  • 70 hardcoded /foo URLs across 12 templates converted to relative; <base href> set per request.
  • window.__INGRESS_PREFIX__ exposed for JS fetch() and window.location calls.
  • Logout link hidden under SSO.
  • 5 direct templates.TemplateResponse call sites updated to inject ingress context.

Migration

  • No DB schema migration.
  • Existing admin_username row is reused. SSO sessions are logged with actor="ha:<HA-display-name>" so you can distinguish them from any legacy cookie sessions in the audit log.

Verified

  • All CI jobs green (yamllint, hadolint, shellcheck, pytest, amd64 build, aarch64 build, build-complete aggregator).
  • Local smoke-test (docker run + curl) confirmed admin/non-admin/forged-header/missing-header paths all behave correctly.
  • 3 review rounds; final verdict: "Ship it."

Images

  • ghcr.io/nstefanelli/hassio-access-control-amd64:1.1.0
  • ghcr.io/nstefanelli/hassio-access-control-aarch64:1.1.0

See CHANGELOG.md for the full diff.

Assets 2
Loading