Unable to authenticate since updating to B14

[johnwalk61]

`Logger: pyaarlo
Source: custom_components/aarlo/pyaarlo/init.py:165
Integration: aarlo (documentation, issues)
First occurred: 10:07:21 PM (20 occurrences)
Last logged: 10:11:24 PM

body-error=JSONDecodeError
authentication failed

and

Logger: custom_components.aarlo
Source: custom_components/aarlo/init.py:495
Integration: aarlo (documentation, issues)
First occurred: 10:07:24 PM (5 occurrences)
Last logged: 10:11:24 PM

unable to connect to Arlo: attempt=1,sleep=15,error=authentication failed
unable to connect to Arlo: attempt=2,sleep=30,error=authentication failed
unable to connect to Arlo: attempt=3,sleep=60,error=authentication failed
unable to connect to Arlo: attempt=4,sleep=120,error=authentication failed
unable to connect to Arlo: attempt=5,sleep=240,error=authentication failed

Using backend: sse but tried without specifying backend.

[johnwalk61]

Not getting my 2fa prompt on my phone. Tested on Arlo website and I get the 2fa prompt.
AArlo was working fine before the last update.

[johnwalk61]

I think this might be related to #760 as I exhibit the same Cloudflare issue error 1020. Tried changing the user_agent to linux but no change.

[twrecked]

You could try dropping back a version. Or it might clear up by itself.

What I think happened is you had some credentials saved and the code tried to use them and that locked you out. Normally it's temporary.

If you are good with a browser you can enable the developer tools and log in to the Arlo web client and trace the headers, see what the code is missing.

[johnwalk61]

Thanks Steve I did roll back but still the same issue. I will wait it out and see if it clears as a first step. Does AArlo keep trying in the background, meaning should I remove the integration for a while? Cheers John Walker

…

________________________________ From: Steve Herrell ***@***.***> Sent: Friday, June 9, 2023 8:48 AM To: twrecked/hass-aarlo ***@***.***> Cc: John Walker ***@***.***>; Author ***@***.***> Subject: Re: [twrecked/hass-aarlo] Unable to authenticate since updating to B14 (Issue #762) You could try dropping back a version. Or it might clear up by itself. What I think happened is you had some credentials saved and the code tried to use them and that locked you out. Normally it's temporary. If you are good with a browser you can enable the developer tools and log in to the Arlo web client and trace the headers, see what the code is missing. — Reply to this email directly, view it on GitHub<#762 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AENBD4UXKVB3UBVSYWJY64DXKMLSDANCNFSM6AAAAAAZAA6VUI>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[twrecked]

It's a pain eh.

And it's going to keep retrying with a back off up to 5 minutes. You should disable it for now.

I'll look at that code, maybe I'll get it to stop after 5 tries.

[johnwalk61]

Thanks for the excellent help and awesome integration.

[shupershuff]

Same issue here.

[johnwalk61]

I tried disabling it but for some reason it kept trying to connect every 5 mins I removed aarlo and will wait and put it back and test. Mine works in the app and web with no issues. Will report back if it starts working.

…

On Jun. 9, 2023, 11:27 AM -0400, shupershuff ***@***.***>, wrote: Same issue here. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[johnwalk61]

Waited 2 hours and readded the integration. Same problem. I'll leave it installed and see what happens.

[johnwalk61]

notification on boot is (after creating a new login)
This error originated from a custom integration.

Logger: custom_components.aarlo
Source: custom_components/aarlo/__init__.py:495
Integration: aarlo (documentation, issues)
First occurred: 3:07:03 PM (4 occurrences)
Last logged: 3:08:53 PM

unable to connect to Arlo: attempt=1,sleep=15,error=2fa startAuth failed
unable to connect to Arlo: attempt=2,sleep=30,error=2fa startAuth failed
unable to connect to Arlo: attempt=3,sleep=60,error=2fa startAuth failed
unable to connect to Arlo: attempt=4,sleep=120,error=2fa startAuth failed

[johnwalk61]

Now getting a different message in the logs (could this be an arlo issue?)

`This error originated from a custom integration.

Logger: pyaarlo
Source: custom_components/aarlo/pyaarlo/__init__.py:165
Integration: aarlo (documentation, issues)
First occurred: 4:13:40 PM (14 occurrences)
Last logged: 4:26:52 PM

error in new response={'meta': {'code': 400, 'error': 1193, 'message': 'Unknown error'}}
2fa startAuth failed`

[johnwalk61]

Installed today's update, still auth errors

[twrecked]

Can you turn on verbose debug and upload some traces? And can you post your config?

See here on how to do it.

[johnwalk61]

Config

aarlo:

backend: sse
refresh_devices_every: 2
verbose_debug: True

username: !secret arlo_username
password: !secret arlo_password
tfa_source: push
tfa_type: PUSH

[johnwalk61]

I'll send it when I get to a computer today. Hard from the phone

[pjrish]

I was also unable to login / authenticate with v15 - 2FA codes were not being initiated for some reason via the e-mail (imap) settings.

I reverted to v12 and everything works correctly.

[johnwalk61]

V12 fixed it for me too. Thanks man

…

On Jun. 11, 2023, 11:35 AM -0400, pjrish ***@***.***>, wrote: I was also unable to login / authenticate with v15 - 2FA codes were not being initiated for some reason via the e-mail (imap) settings. I reverted to v12 and everything works correctly. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[twrecked]

The IMAP codes weren't being sent because Cloudflare was intercepting and blocking your connections. As you can see from this diff nothing changed in the IMAP code. I just brought the headers up to date.

v0.7.4b12...v0.7.4b15

What is interesting is why? This Cloudflare stuff is really annoying... Can I ask roughly where you are located? Just country or continent would be fine. I'm still seeing the updated headers in my requests from the official webpage.

[terententen]

I will add that I've been unable to log in for weeks, possibly a month?, well before the b15 update. I thought I was going crazy because no one else here was reporting it and I figured I couldn't be the only one. Debug logs have a bunch of HTML essentially Cloudflare saying You do not have access to ocapi-app.arlo.com.</p><p>The site owner may have set restrictions that prevent you from accessing the site.</p> Thought maybe it was my IP but I finally had time to get a new lease and I'm still unable to sign in. Came back here and I'm kind of glad that I'm not alone on this one anymore.

Edit: I was just on v12 15 mins ago and it was broke. Updated to v15 and it's still broken. But it was definitely broken for me before v12.

Edit2: I'm located east coast US.

[pjrish]

Can I ask roughly where you are located?

I'm in the Southeast USA. I'll take a look at cloudflare, but I couldn't spot anything in the logs.

[johnwalk61]

I'm in Canada but using push not imap..when I reverted versions and restarted, I got the push notification.

…

On Jun. 11, 2023, 4:20 PM -0400, pjrish ***@***.***>, wrote: > Can I ask roughly where you are located? I'm in the Southeast USA. I'll take a look at cloudflare, but I couldn't spot anything in the logs. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[twrecked]

I'm in Canada as well. And I figure all of North America is the same for the cloud flare stuff so I don't know why I'm working and you're not.

And IMAP or PUSH, it doesn't matter, we need to get passed Cloud Flare to make either method happen.

[johnwalk61]

Yes it is strange. V12 is working perfectly but the newer one never manages to get past cloudflare. Very interesting that you're in CA also and yours works.

…

On Jun. 11, 2023, 4:46 PM -0400, Steve Herrell ***@***.***>, wrote: I'm in Canada as well. And I figure all of North America is the same for the cloud flare stuff so I don't know why I'm working and you're not. And IMAP or PUSH, it doesn't matter, we need to get passed Cloud Flare to make either method happen. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[sanded001]

Same issue. Denmark. V12 nor v15 works. Tfa just pending n trying.

[aliaghil]

I am also getting the same error. Based in Australia. Tried different versions of aarlo with no luck.

[nsleigh]

Getting similar problems here in the UK. I have noticed this in the logs "You do not have access to ocapi-app.arlo.com. The site owner may have set restrictions that prevent you from accessing the site."

Don't know if it is relevant but if I browse to https://ocapi-app.arlo.com from my PC I see the error too.

[SchottyOne]

Hello, I have similar problem since upgrade to b15 (one week ago) so i upgraded also HA in 2023.6 at about a same time so...
I tried to test with old b12 unfortunately.
With same information "You do not have access to ocapi-app.arlo.com. The site owner may have set restrictions that prevent you from accessing the site."

I'm in France (FR) and 2FA is used with email and gmail unique password.
Authentication with 2FA from Arlo web portal work fine.

• Retry to unsinstall and re install b15 => KO
• Retry to unsinstall and re install b14 = OK
• With b14 : 2FA authentication work fine.
• Upgrade to b15 : All work fine.

Finally, perhaps first issue was from Arlo side ?

From my side all is ok with this config :

`aarlo:
host: https://my.arlo.com
username: !secret arlo_username
password: !secret arlo_password
mode_api: auto

tfa_host: imap.gmail.com
tfa_username: !secret tfa_username
tfa_password: !secret tfa_password`

[Avatar1976]

Hi guys, twrecked always a big fan of your integration buddy but for Australia I found I wasn't getting my tfa auth after jumping up two versions.
Do I need to delete any session file etc when coming up from version 12? I jumped from 12 - > 13 - > 15 and had to come back to 12 before I could successfully auth (noted no 2fa emails on my outlook mailbox until rolling back to version 12).

[SchottyOne]

From my side i didn't need to delete any files. Just installed or rollbacked from HACS (by changing version numbers directly to override)

[nsleigh]

Getting similar problems here in the UK. I have noticed this in the logs "You do not have access to ocapi-app.arlo.com. The site owner may have set restrictions that prevent you from accessing the site."

Don't know if it is relevant but if I browse to https://ocapi-app.arlo.com from my PC I see the error too.

Rolling back to v0.7.4b12 fixed the issue for me.

[nsleigh]

Same here, upgrade to v0.7.4b15 and it works.

@aliaghil it is not in your post but in the github notification email I saw you had "host: https://my.arlo.com/" - I found some references on the Arlo community site recommend connecting to that URL. Do you use that setting.

@twrecked is it possible that when a new update to aarlo is released we all upgrade and that somehow triggers an alert on the cloudflare front end as we all connect in the same way or with a similar headers?

[SchottyOne]

@nsleigh I use this parameter (host: https://my.arlo.com) to work fine because (I don't know why) tfa source and tfa type don't match in my config.
I found this configuration in HACF but I don't know exactly where.

[riro-at]

v0.7.4b15 not works, roll back to V11 doesn't work for me either

[johnwalk61]

I just updated to b15 from b12 and now it is working. Didn't change anything in my configuration. Cheers John Walker

…

________________________________ From: riro-at ***@***.***> Sent: Tuesday, June 13, 2023 3:06 AM To: twrecked/hass-aarlo ***@***.***> Cc: John Walker ***@***.***>; Author ***@***.***> Subject: Re: [twrecked/hass-aarlo] Unable to authenticate since updating to B14 (Issue #762) v0.7.4b15 not works, roll back to V11 doesn't work for me either — Reply to this email directly, view it on GitHub<#762 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AENBD4URKQOQKBWUYEQMIO3XLAGPRANCNFSM6AAAAAAZAA6VUI>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[twrecked]

@nsleigh Maybe, I have no idea how cloud flare works. I just know it's annoying :)

[aliaghil]

@nsleigh
Hi Neil
Thank you for your reply. That time I had the problem, I tried with and without host option in my config with no luck.
I don't have "host: https://my.arlo.com/" in my config now. Anyway, it is working fine. still not sure why that happened,

[nsleigh]

@nsleigh Maybe, I have no idea how cloud flare works. I just know it's annoying :)

I know that you can setup rules to combat attacks, so am wondering if it sees lots of identical messages so sets up a block and then as they subside it releases the block. No idea how to go about proving that or fixing it!

[dfzamora]

been dealing with this issue for 2 days... and it wasn't until i found this site that i fixed it... i had to downgrade from b15 to b12 and immediately everything works... for information, i'm in NJ (US) and everything worked until the upgrade to b15.

[seanmccabe]

Same issue.

Upgrading to .b14 broke 2FA via the app.
Upgrading to .b15 still broken.
Downgrade to .b12 - 2FA via the app working again.

For reference in NZ.

[riro-at]

downgrade to .b11 - 2FA still not working
upgrading to .b15 again, 2FA via the app is working

[codypet]

V12 fixed it for me too. Thanks man
…
On Jun. 11, 2023, 11:35 AM -0400, pjrish @.>, wrote: I was also unable to login / authenticate with v15 - 2FA codes were not being initiated for some reason via the e-mail (imap) settings. I reverted to v12 and everything works correctly. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.>

Mine won't revert to b12. What is going on? I still can't get 2FA to come up. Even after removing the whole thing and reinstatlling. If I reinstall to .12, it'll download b15 instead.

[mcvicthor]

V12 fixed it for me too. Thanks man
…
On Jun. 11, 2023, 11:35 AM -0400, pjrish @.>, wrote: I was also unable to login / authenticate with v15 - 2FA codes were not being initiated for some reason via the e-mail (imap) settings. I reverted to v12 and everything works correctly. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: _@**.**_>

Mine won't revert to b12. What is going on? I still can't get 2FA to come up. Even after removing the whole thing and reinstatlling. If I reinstall to .12, it'll download b15 instead.

Download from here and upload custom_components/aarlo to HA:
https://github.com/twrecked/hass-aarlo/tree/1297acbfeb090da0d78244cd03dc4927eaaf8cf9

This got things working for me

[codypet]

Thank you. I'm back up and running

[shupershuff]

New Zealand here. Rolled back to b12 and for the first time in several months I received an Arlo MFA request on my phone. Still got some aarlo errors but these were different and around name resolution instead of auth. Updated again to B15, restarted (no MFA prompt but maybe because I just did one) and got the same error as I got in B12:

Error: general-error=gaierror
Traceback (most recent call last):
File "/config/custom_components/aarlo/pyaarlo/backend.py", line 497, in _mqtt_main
self._event_client.connect(self._arlo.cfg.mqtt_host, port=443, keepalive=60)
File "/usr/local/lib/python3.11/site-packages/paho/mqtt/client.py", line 914, in connect
return self.reconnect()
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/paho/mqtt/client.py", line 1044, in reconnect
sock = self._create_socket_connection()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/paho/mqtt/client.py", line 3685, in _create_socket_connection
return socket.create_connection(addr, timeout=self._connect_timeout, source_address=source)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/socket.py", line 827, in create_connection
for res in getaddrinfo(host, port, 0, SOCK_STREAM):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/socket.py", line 962, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name does not resolve

If error persists you might need to change config and restart.

[twrecked]

Arlo is doing something with mqtt, try setting your back end to sse.

[shupershuff]

Arlo is doing something with mqtt, try setting your back end to sse.

I'm not sure what this means sorry. I can't see any config options within Mosquitto Broker for 'sse'.

[twrecked]

https://github.com/twrecked/hass-aarlo#missing-events

You need to adjust the Arlo config in HA.

[shupershuff]

https://github.com/twrecked/hass-aarlo#missing-events

You need to adjust the Arlo config in HA.

That sorted it immediately.
Thanks mate, much appreciated.

Other folk here having issues, take note that this fix might work for you.

[djjoakim]

Tried every version of it, dosen't work for me.. I get this in the logs
I also have backend: sse

unable to connect to Arlo: attempt=1,sleep=15,error=authentication failed unable to connect to Arlo: attempt=2,sleep=30,error=authentication failed unable to connect to Arlo: attempt=3,sleep=60,error=authentication failed unable to connect to Arlo: attempt=4,sleep=120,error=authentication failed

[sological]

I possibly posted this in the wrong issue. Here it is again.
This is what I get in the debug log when failing to connect to arlo

Edit:
What I wanted to share is that Cloudflare asks me to enable cookies.
I don't know how to do that. Is there a setting somewhere or not possible at all?

<head>
<title>Attention Required! | Cloudflare</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->
<style>body{margin:0;padding:0}</style>


<!--[if gte IE 10]><!-->
<script>
  if (!navigator.cookieEnabled) {
    window.addEventListener('DOMContentLoaded', function () {
      var cookieEl = document.getElementById('cookie-alert');
      cookieEl.style.display = 'block';
    })
  }
</script>
<!--<![endif]-->


</head>
<body>
  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1 data-translate="block_headline">Sorry, you have been blocked</h1>
        <h2 class="cf-subheadline"><span data-translate="unable_to_access">You are unable to access</span> ocapi-app.arlo.com</h2>
      </div><!-- /.header -->

[HunterDG]

For anyone else still struggling with this issue, maybe this will help:

I think that for some reason, the 2FA prompt requested by HACS aarlo isn't delivered to the phone app if:

• the 2FA prompt hasn't recently been otherwise successfully delivered (e.g. via a login attempt from https://my.arlo.com )
• the phone app's notifications are turned off (even if I had the app open in the foreground waiting for a prompt)

Perhaps also important: I'm using a separate arlo account/email address for HACS aarlo (main account is configured to "grant access" to the secondary account) - and of course I was using this secondary account in all of the steps below.

Rationale:
Despite deleting the config/.aarlo/aarlo.pickle and session.pickle files, downgrading versions, trying mqtt_hostname_check: False config entry, etc, I was still stuck with NO 2FA prompt (I'm using app PUSH). I assumed I SHOULD be receiving the prompt because of course I had successfully received it when I originally set up HACS aarlo, so why would that have changed? After poking around with verbose debug/logger settings, I decided to start over from scratch.

I finally resolved this by:

1. uninstalling aarlo from HACS completely (and commenting out all the aarlo entries in configuration.yaml)
2. deleting the config/.aarlo folder
3. restarting Home Assistant
4. changing my 2FA method (via the arlo app) to an alternative, then back to PUSH
5. ENSURING I had arlo app notifications enabled in my PHONE'S settings (I had previously disabled them at the OS level)
6. logging in to https://my.arlo.com (via web browser using the same internet connection as Home Assistant) and accepting the PUSH 2FA prompt on my phone (which kicked me out of the phone app)
7. re-logging in to my phone's arlo app
8. re-installing latest version of aarlo from HACS (and un-commenting all the aarlo entries in configuration.yaml)
9. restarting Home Assistant again

I then finally received the 2FA PUSH prompt from aarlo's login attempt, accepted it, and all was good!

just for reference, here is all of my (working) aarlo config:

aarlo:
  username: !secret arlo_username
  password: !secret arlo_password
  tfa_source: push
  tfa_type: PUSH
  backend: sse
media_player:
  - platform: aarlo
camera:
  - platform: aarlo

[neilsleightholm-paxton]

I am not using push but seeing the same, in fact it was working fine and then I restarted without any upgrade and authentication failed. I then upgraded HA to 2023.7 and the auth still failed. Upgrading to B18 and still not working.

I tend to have this when a new release comes out then a few days later it is ok.

Does anyone know if you can retry aarlo auth without restarting all of HA?

[terententen]

I essentially gave up for the last 6 weeks. Saw some recent activity on here so figured I'd try HunterDG's stuff from above however that didn't work for me. This still has everything to do with Cloudflare blocking.

...
<h2 class="cf-subheadline"><span data-translate="unable_to_access">You are unable to access</span> ocapi-
app.arlo.com</h2>
...

I can access from my phone and from my web browser but just cannot through HA.

[riro-at]

it doesn't work again 😱
v0.7.4b18
/config/.aarlo/aarlo.pickle: 'utf-8' codec can't decode byte 0x80 in position 0: invalid start byte
please help

[HunterDG]

I essentially gave up for the last 6 weeks. Saw some recent activity on here so figured I'd try HunterDG's stuff from above however that didn't work for me. This still has everything to do with Cloudflare blocking.

...

<h2 class="cf-subheadline"><span data-translate="unable_to_access">You are unable to access</span> ocapi-

app.arlo.com</h2>

...

I can access from my phone and from my web browser but just cannot through HA.

I was also seeing the same thing, but couldn't rationalize how arlo/cloudflare was blocking only HA, but not my phone/laptop, while all 3 devices are using the same internet provider/IP address. I was also seeing 2FA failures in the HA logs, thus my decision to start over from scratch.

Wish I could help more though.

[koira]

using HA with aarlo from southern Thailand I can confirm same findings: downgrading to b12 made it all work again.

[rhino53150]

Commenting so I can get an update about the same issue.