dermotduffy / frigate-hass-card

A Lovelace card for Frigate in Home Assistant
MIT License

Card reuses old camera token, generates failed login attempts #398

Closed peledzius closed 2 years ago

peledzius commented 2 years ago

Checklist:

Release with the issue: main

Last working release (if known):

Browser and Operating System:

Firefox 97.0, Ubuntu 20.04 HA Companion 2022.2, iOS 15.3.1

Description of problem:

There was a PR #372 which allows using the image from the HA camera entity. I really like this because now I don't need to use a reverse proxy -> Frigate for fetching snapshots, and with a frequently changing token it's more secure than a fixed URL.

After testing this PR's functionality with multiple Frigate cards in one view, I encountered an issue where HA bans my IP. I already got banned like 3 times in 2 days from Home Assistant with http.ip_ban_enabled: true and http.login_attempts_threshold: 15 in the HA main configuration.

It seems like when the camera token changes, the Frigate card will try to reuse the old token, which causes failed login attempts. It's happening occasionally so I couldn't find a pattern, but failed attempts occur in both the web browser and the HA Companion app.

Also, I found that sometimes if you restart your Home Assistant instance and keep browser tab/tabs open with the Frigate card, it will try to refresh the image with the old camera token. In the Network tab of the browser developer tools there will be at least one request (sometimes more) with a 404 Not Found status code and a 401 Unauthorized (which causes a failed login attempt). After HA is fully started it will start to use the correct token again.

For now I switched back to my old image retrieving solution.

Javascript errors shown in the web inspector (if applicable):

Additional information:

Used image block in configuration:

```yaml
image:
  mode: camera
  refresh_seconds: 5
```

dermotduffy commented 2 years ago

Thanks for the report. Is it definitely image related, i.e. does it certainly stop when you go back to the old-fashioned way of fetching images? We've had this problem before with the JSMPEG live provider.

peledzius commented 2 years ago

Does it certainly stop when you went back to the old fashioned way of fetching images?

Yeah, completely stopped.

dermotduffy commented 2 years ago

@peledzius

With your configuration the image view was caching your camera image for 5 seconds; if during that time the Home Assistant state updated (which is typically very frequent), the image would be re-rendered with the same URL. As the security token on camera images is updated every 5 minutes, this creates a window in which the wrong token could be used.

The attached PR will eject the cached value if the HA attributes for the camera change, so I hope it will address your issue.

peledzius commented 2 years ago

With #400 I still get failed login attempts, both for desktop and mobile. In Firefox I get them when I return to the tab with HA which was inactive for a while. In the iOS HA app I keep getting them after bringing the app to the foreground when it was inactive for a while, or when the screen was locked with HA in the foreground and unlocked after some time.

dermotduffy commented 2 years ago

OK -- let me re-use your exact http.ip_ban* configuration and see if I can reproduce. All cases sound like they involve the browser being in the background rather than the foreground, so perhaps the browser is re-fetching the same content... (which has since expired).

dermotduffy commented 2 years ago

@peledzius

In Firefox I get them when I return back to tab with HA which was inactive for a while.

Roughly how long is "a while" in the above? I am failing to reproduce this (don't have access to iOS devices, so your Firefox case is the one I'm trying to reproduce), precise steps if you have them most welcome!

peledzius commented 2 years ago

Roughly how long is "a while" in the above?

It's hard to tell. Maybe more than 15 minutes. When I go back, page refreshes and failed attempt login notification appears.

I am failing to reproduce this (don't have access to iOS devices

I was able to reproduce on a Samsung tablet with Android 11. Kept the app in the background and switched back after about 10 minutes, received a failed login attempt notification.

so your Firefox case is the one I'm trying to reproduce), precise steps if you have them most welcome!

Possible steps to reproduce:

  1. Open 3 new tabs with HA and the Frigate card visible in a Lovelace view.
  2. Switch to other tab/tabs (not with HA).
  3. Wait for 15-20 minutes (you can keep doing your things in other tabs).
  4. Switch back to one of the tabs with HA.
  5. The page should refresh and you will receive a failed login attempt.

Also, I received a failed login attempt on HA instance restart, as I described in my first post.

dermotduffy commented 2 years ago

OK -- made it happen once! Now let's see if I can make it not happen...

dermotduffy commented 2 years ago

@peledzius Try #434?

peledzius commented 2 years ago

Thanks, testing right now.

peledzius commented 2 years ago

Looks good for iOS and Firefox, but just got banned after HA restart.

dermotduffy commented 2 years ago

Dang. In what browser?

peledzius commented 2 years ago

Just tried again - banned. It's in Firefox with 4 tabs open while doing HA restart.

dermotduffy commented 2 years ago

@peledzius Yeah, looks like Firefox was doing something different from Chrome (where I was testing). After being hidden, when the browser re-shows the image, Firefox seems to be re-fetching it from scratch vs a cached version. This re-fetch is using the old security token.

Solution is to set the image to anything OTHER THAN the camera when the tab is hidden -- then restore it when the tab is visible again. I updated #434 to set the image src to the stock Frigate image when the tab is hidden, so you'll probably notice a brief period when you revisit the tab when the image is the Frigate logo rather than the camera. But, at least in my testing, there are no unauthorized requests (http 401).

Here's how I tested, trying to replicate what you were doing:

Mind trying again? If you still have issues, very precise reproduction information appreciated. Thank you!

peledzius commented 2 years ago

@dermotduffy Thank you for the effort.

I was still able to reproduce this issue with the updated #434 in Firefox and Chromium. Here's the video for reproduction, it should explain better than my words:

https://user-images.githubusercontent.com/24360494/156902684-47af0478-fc1a-4ef0-895f-b5314fc4fa92.mov

(At the beginning of the video I was switching between tabs)

Reproduce steps:

Worth mentioning that one time I was banned instantly without switching to the 2nd tab, and one time I was receiving failed login attempts every 5 seconds - the card was using the old and new token to refresh the image, which I found out in the web developer tools. I guess the card used two loops at the same time to refresh the image, but I don't know what I did to make it happen. (Both issues occurred after HA restart)

Used card config:

```yaml
type: custom:frigate-card
cameras:
  - camera_entity: camera.living_room_frigate
    live_provider: ha
    title: Living room
view:
  camera_select: live
  default: image
  timeout_seconds: 0
menu:
  mode: above
image:
  refresh_seconds: 5
  mode: camera
```

dermotduffy commented 2 years ago

Wow, this is persistent.

Try #434 again? Now I also reject if the HA instance is not connected. Without this new fix I can reproduce your problem (as in your video), but with this new fix I cannot. Tested in both Firefox & Chrome.

[I think this wasn't happening in my prior tests because I wasn't looking at the dashboard during the restart]
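The three defensive rules worked out over this thread (eject the cached URL when the camera's HA attributes change, never render a camera URL while the tab is hidden, and never render one while HA is disconnected) as a small added example. This is not the card's own code: the placeholder path, the cache-buster parameter, and the shape of the camera attributes are assumptions.

```javascript
// Added example, not frigate-hass-card's code: a src resolver that applies
// the fixes discussed in this issue so a rotated camera token is never replayed.
const PLACEHOLDER_SRC = "/frigate-logo.svg"; // assumed stand-in for the stock image

function createImageSrcResolver(refreshSeconds) {
  let cache = null; // { src, token, fetchedAt } of the last rendered camera URL

  // state: { now (ms), connected, visible, cameraAttributes: { entity_picture, access_token } }
  return function resolve(state) {
    const { now, connected, visible, cameraAttributes } = state;
    // Hidden tab or disconnected HA: emit no camera URL at all, so a browser
    // re-fetch on re-show cannot hit /api with a token that expired meanwhile.
    if (!connected || !visible || !cameraAttributes) {
      cache = null;
      return PLACEHOLDER_SRC;
    }
    const { entity_picture: picture, access_token: token } = cameraAttributes;
    if (!picture || !token) {
      cache = null;
      return PLACEHOLDER_SRC;
    }
    // Cache hit only while the refresh window is open AND the token is unchanged;
    // a token change (new HA attributes) ejects the cached URL immediately.
    const fresh = cache !== null && now - cache.fetchedAt < refreshSeconds * 1000;
    if (fresh && cache.token === token) {
      return cache.src;
    }
    // New fetch: append a cache-buster (assumed parameter name) so the browser reloads.
    const sep = picture.includes("?") ? "&" : "?";
    cache = { src: `${picture}${sep}t=${now}`, token, fetchedAt: now };
    return cache.src;
  };
}

// Constructed sample attributes in the shape HA exposes for a camera entity (assumption).
function sampleCamera(token) {
  return {
    entity_picture: `/api/camera_proxy/camera.living_room?token=${token}`,
    access_token: token,
  };
}
```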

peledzius commented 2 years ago

I tested #434 again and thought that was it, but after 2 more HA restarts it happened again :(

EDIT: Hmn.. Interesting. I think something broke, because now it's happening when I switch between tabs.

EDIT 2: And it stopped. I don't know why. Trying to investigate.

EDIT 3:

@dermotduffy Well, I think it was that rare situation when card was trying to fetch image with old token, but also fetching image with new one at the same time.

Anyway, I guess we can close this, because the problem in the video is solved and I can't reproduce this rare behaviour (maybe it was perfect timing?).

Thank you again!

dermotduffy commented 2 years ago

@peledzius HA is extremely fragile in this regard: a single rogue request causes this to happen. It's a bit like plugging a dam, so there absolutely could be other ways this could happen that we'll need to defend against.

However, I guess we'll take the win for now and we can re-open if we find a specific way to reproduce the issue. Thank you again, for all the testing.

peledzius commented 1 year ago

Requests with invalid authentication came back. Happening casually for the past 3-4 days. I noticed them in Chrome, Firefox, iOS. Just didn't find a way to reproduce yet.

dermotduffy commented 1 year ago

This is such a fragile area in HA. Are you sure it's 3-4 days and not related to the image PR you tested today?

peledzius commented 1 year ago

Are you sure it's 3-4 days and not related to the image PR you tested today?

Yes, it was before.

Anyway, I didn't notice them for the past few days.