Closed peledzius closed 2 years ago
Thanks for the report. Is it definitely image related, i.e. does it certainly stop when you went back to the old fashioned way of fetching images? We've had this problem before with JSMPEG live provider.
Does it certainly stop when you went back to the old fashioned way of fetching images?
Yeah, completely stopped.
@peledzius
With your configuration the image view was caching your camera image for 5 seconds, if during that time the Home Assistant state updated (which is typically very frequent), the image would be re-rendered with the same URL. As the security token on camera images is updated every 5 minutes, this creates a window in which the wrong token could be used.
The attached PR will eject the cached value if the HA attributes for the camera changes, so I hope it will address your issue.
With #400 I still get failed attempt logins, both for desktop and mobile. In Firefox I get them when I return back to tab with HA which was inactive for a while. In iOS HA app I keep getting them after bringing app to foreground which was inactive for a while, or when the screen was locked with HA in foreground and unlocked after some time.
OK -- let me re-use your exact http.ip_ban* configuration and see if I can reproduce. All cases sound like they involve the browser being in the background rather than the foreground, so perhaps the browser is re-fetching the same content... (which has since expired).
@peledzius
In Firefox I get them when I return back to tab with HA which was inactive for a while.
Roughly how long is "a while" in the above? I am failing to reproduce this (don't have access to iOS devices, so your Firefox case is the one I'm trying to reproduce), precise steps if you have them most welcome!
Roughly how long is "a while" in the above?
It's hard to tell. Maybe more than 15 minutes. When I go back, page refreshes and failed attempt login notification appears.
I am failing to reproduce this (don't have access to iOS devices
I was able to reproduce in Samsung tablet with Android 11. Kept app in background and switched back after about 10 minutes, received failed login attempt notification.
so your Firefox case is the one I'm trying to reproduce), precise steps if you have them most welcome!
Possible steps to reproduce:
Also, I received failed attempt login on HA instance restart that I described in my first post.
OK -- made it happen once! Now let's see if I can make it not happen...
@peledzius Try #434?
Thanks, testing right now.
Looks good for iOS and Firefox, but just got banned after HA restart.
Dang. In what browser?
Just tried again - banned. It's in Firefox with 4 tabs open while doing HA restart.
@peledzius Yeah, looks like Firefox was doing something different to Chrome (where I was testing). After being hidden, when the browser re-shows the image, Firefox seems to be re-fetching it from scratch vs a cached version. This re-fetch is using the old security token.
Solution is to set the image to anything OTHER THAN the camera when the tab is hidden -- then restore it when the tab is visible again. I updated #434 to set the image src to the stock Frigate image when the tab is hidden, so you'll probably notice a brief period when you revisit the tab when the image is the Frigate logo rather than the camera. But, at least in my testing, there are no unauthorized requests (http 401).
Here's how I tested, trying to replicate what you were doing:
Mind trying again? If you still have issues, very precise reproduction information appreciated. Thank you!
@dermotduffy Thank you for the effort.
I was still able to reproduce this issue with updated #434 in Firefox and Chromium. Here is the video for reproduction, it should explain better than my words:
(At the beginning of video I was switching between tabs)
Reproduce steps:
Worth to mention that one time I was banned instantly without switching to 2nd tab, and one time I was receiving failed login attempts every 5 seconds - card was using old and new token to refresh image, which I found out in Web Developers tools. I guess card used at the same time two loops to refresh image, but I don't know what I did to make it happen. (Both issues occurred after HA restart)
Used card config:
type: custom:frigate-card
cameras:
  - camera_entity: camera.living_room_frigate
    live_provider: ha
    title: Living room
view:
  camera_select: live
  default: image
  timeout_seconds: 0
menu:
  mode: above
image:
  refresh_seconds: 5
  mode: camera
Wow, this is persistent.
Try #434 again? Now I also reject if the HA instance is not connected. Without this new fix I can reproduce your problem (as in your video), but with this new fix I cannot. Tested in both Firefox & Chrome.
[I think this wasn't happening in my prior tests because I wasn't looking at the dashboard during the restart]
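The three defenses described in this thread (ejecting the cached image URL when the camera's attributes change, showing a non-camera image while the tab is hidden, and refusing to fetch while HA is disconnected), combined in one place. This is an added example, not the Frigate card's code and not part of any comment; the class, the placeholder path and the `access_token` / `entity_picture` attribute shape are assumptions.

```javascript
// Added example; not the Frigate card's implementation. All names are hypothetical.
const PLACEHOLDER_SRC = "/static/placeholder.svg"; // hypothetical non-camera image

class CameraImageSource {
  constructor(cacheSeconds) {
    this.cacheMs = cacheSeconds * 1000;
    this.cached = null; // { token, src, at }
  }

  // Returns the URL the <img> element should use right now.
  resolve({ visible, connected, entity, now }) {
    const { access_token: token, entity_picture: picture } = entity ? entity.attributes : {};
    // Hidden tab, disconnected HA or missing token: drop the cache and show a
    // non-camera image so a later re-fetch cannot replay an expired token.
    if (!visible || !connected || !token || !picture) {
      this.cached = null;
      return PLACEHOLDER_SRC;
    }
    const c = this.cached;
    // Reuse the cached URL only while the token it was built with is still current.
    if (c && c.token === token && now - c.at < this.cacheMs) return c.src;
    const src = `${picture}&t=${now}`; // cache-buster; picture already carries ?token=
    this.cached = { token, src, at: now };
    return src;
  }
}

// Constructed entity state, shaped like an HA camera entity (assumed attributes).
function cameraState(token) {
  return { attributes: {
    access_token: token,
    entity_picture: `/api/camera_proxy/camera.living_room_frigate?token=${token}`,
  } };
}

// Replays a constructed timeline and returns the src chosen at each step.
function replay() {
  const source = new CameraImageSource(5);
  const up = { visible: true, connected: true };
  return [
    source.resolve({ ...up, entity: cameraState("tokA"), now: 0 }),
    source.resolve({ ...up, entity: cameraState("tokA"), now: 2000 }), // cache hit
    source.resolve({ ...up, entity: cameraState("tokB"), now: 3000 }), // token rotated
    source.resolve({ ...up, visible: false, entity: cameraState("tokB"), now: 4000 }),
    source.resolve({ ...up, connected: false, entity: cameraState("tokB"), now: 5000 }),
    source.resolve({ ...up, entity: cameraState("tokC"), now: 6000 }), // back after restart
  ];
}
```

In a real page the `visible` flag would come from `document.visibilityState`, and the returned value would be assigned to the image element's `src` on every state update.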
I tested #434 again and thought that was it, but after 2 more HA restarts it happened again :(
EDIT: Hmn.. Interesting. I think something broke, because now it's happening when I switch between tabs.
EDIT 2: And it stopped. I don't know why. Trying to investigate.
EDIT 3:
@dermotduffy Well, I think it was that rare situation when card was trying to fetch image with old token, but also fetching image with new one at the same time.
Anyway, I guess we can close this, because problem in the video is solved and I can't reproduce this rare behaviour (maybe it was perfect timing?).
Thank you again!
@peledzius HA is extremely fragile in this regard, a single rogue request causes this to happen. It's a bit like plugging a dam, so there absolutely could be other ways this could happen that we'll need to defend against.
However, I guess we'll take the win for now and we can re-open if we find a specific way to reproduce the issue. Thank you again, for all the testing.
Requests with invalid authentication came back. Happening casually for past 3-4 days. I noticed them in Chrome, Firefox, iOS. Just didn't find a way to reproduce yet.
This is such a fragile area in HA. Are you sure it's 3-4 days and not related to the image PR you tested today?
Are you sure it's 3-4 days and not related to the image PR you tested today?
Yes, it was before.
Anyway, I didn't notice them for past few days.
Checklist:
Release with the issue: main
Last working release (if known):
Browser and Operating System:
Firefox 97.0, Ubuntu 20.04 HA Companion 2022.2, iOS 15.3.1
Description of problem:
There was a PR #372 which allows to use image from HA camera entity. I really like this because now I don't need to use reverse proxy -> Frigate for fetching snapshots, and with frequently changing token it's more secure than fixed URL.
After testing this PR functionality with multiple Frigate cards in one view, I encountered issue where HA bans my IP. I already got banned like 3 times in 2 days from Home Assistant with http.ip_ban_enabled: true and http.login_attempts_threshold: 15 in HA main configuration.
It seems like when camera token changes, Frigate card will try reuse old token which will cause failed login attempts. It's happening occasionally so I couldn't find a pattern, but failed attempts occurs in both Web browser and HA Companion App.
Also, I investigated that sometimes if you restart your Home Assistant instance and keep Browser tab/tabs open with Frigate card, it will try to refresh image with old camera token. In Network tab of Browser Developers tools there will be at least one request (sometimes more) with 404 Not Found status code and 401 Unauthorized (which cause failed login attempt). After HA is fully started it will start to use correct token again.
For now I switched back to my old image retrieving solution.
Javascript errors shown in the web inspector (if applicable):
Additional information:
Used image block in configuration: