HEOS integration unable to play local mp3 files - authentication error persists

[weakspot]

The problem

I added HEOS integration for my HEOS speaker in order to play media files, preferably local files. I can sometimes play a TTS message via the speaker, but most times not. Local mp3 files do not play at all via the speaker (but do play if I use Web Browser as playback device).

In logs I can see my test attempt to play a local mp3 file (doorbell-1.mp3). Every attempt fails with an authentication error, eventually leading to ip ban. I had to disable IP banning temporarily now.

Even if I try to use TTS playback, the logs indicate that there is an authentication error for an attempt to play local mp3 file. See log entries below.

What version of Home Assistant Core has the issue?

core-2024.1.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

heos

Link to integration documentation on our website

https://www.home-assistant.io/integrations/heos

Diagnostics information

home-assistant_heos_2024-01-07T09-59-53.102Z.log

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Log details (WARNING)

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129 
Integration: HTTP (documentation, issues) 
First occurred: 11:04:05 (9 occurrences) 
Last logged: 11:59:45

Login attempt or request with invalid authentication from 192.168.74.1 (192.168.74.1). Requested URL: '/media/media/doorbell-1.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxM2Q5MDA0YjVhZmQ0ODRjOGU4MDJjYjQ2NGRmZjlkZSIsInBhdGgiOiIvbWVkaWEvbWVkaWEvZG9vcmJlbGwtMS5tcDMiLCJwYXJhbXMiOltdLCJpYXQiOjE3MDQ2MTU3MjksImV4cC'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 192.168.74.1 (192.168.74.1). Requested URL: '/media/local/doorbell-1.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxM2Q5MDA0YjVhZmQ0ODRjOGU4MDJjYjQ2NGRmZjlkZSIsInBhdGgiOiIvbWVkaWEvbG9jYWwvZG9vcmJlbGwtMS5tcDMiLCJwYXJhbXMiOltdLCJpYXQiOjE3MDQ2MTkwMzksImV4cC'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 192.168.74.1 (192.168.74.1). Requested URL: '/media/media/doorbell-1.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIyOGVkNDQ0N2ZlZDM0NjEwOWZiZDVhNmQwOWIxNDEwNCIsInBhdGgiOiIvbWVkaWEvbWVkaWEvZG9vcmJlbGwtMS5tcDMiLCJwYXJhbXMiOltdLCJpYXQiOjE3MDQ2MTU0MjIsImV4cC'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 192.168.74.1 (192.168.74.1). Requested URL: '/media/media/doorbell-1.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxM2Q5MDA0YjVhZmQ0ODRjOGU4MDJjYjQ2NGRmZjlkZSIsInBhdGgiOiIvbWVkaWEvbWVkaWEvZG9vcmJlbGwtMS5tcDMiLCJwYXJhbXMiOltdLCJpYXQiOjE3MDQ2MTU3MzIsImV4cC'. (AvegaMediaServer/2.0 Linux/2.6)

Additional information

Hi, forgot to mention that this issue: https://github.com/home-assistant/core/issues/100492 seems very much similar. I have restarted and rebooted HA, removed the file in question, removed and readded the speaker. Anything else that would help in troubleshooting?

A note: I run HA as a virtual machine on a proxmox server.

[home-assistant[bot]]

Hey there @andrewsayre, mind taking a look at this issue as it has been labeled with an integration (heos) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `heos` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign heos` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

_{^{(message by CodeOwnersMention)}}

---

heos documentation heos source _{^{(message by IssueLinks)}}

[weakspot]

Hi, forgot to mention that this issue: https://github.com/home-assistant/core/issues/100492 seems very much similar. I have restarted and rebooted HA, removed the file in question, removed and readded the speaker. Anything else that would help in troubleshooting?

A note: I run HA as a virtual machine on a proxmox server.

[WebSpider]

@weakspot can you see which firmware versions you run on your HEOS devices? I think they tightened down the devices as part of the recent app overhaul.

[weakspot]

@WebSpider here's the basic info from HEOS app on my speaker:

Model Name: HEOS 1 Name: omitted IP Address: 192.168.74.107 Revision: 3 Version: 3.1.232 Build: 1702025411 Module: 4.0 Release: Production Locale: en_EU Serial No.: ACLG9180832494 LAN: omitted WLAN: omitted Connection: Ethernet Control: UPnP

[Natanji]

I'm having the exact same issue with a Marantz Cinema 70s. HA is running on bare metal on Arch Linux, so this is not a virtualization problem. HEOS app for the device reports player version: 3.1.232 like @weakspot, additionally the Marantz itself has firmware version: 3400-9202-7032-1700 - DTS Version: 3.90.50.82

[Natanji]

Also, when I manually open the URL by combining my local HA adress+port with the path from the log file, I get 401-Unauthorized. So perhaps the issue isn't even related to HEOS, but the included authSig simply doesn't work. Like the URL is supposed to just return the MP3 no?

Potentially related issue: #69489

[GOinfo-Ltd]

I am experiencing the same issue.

What I can tell is that the JWT Token is cropped in the URL that the HEOS integration tries to open.

Login attempt or request with invalid authentication from 10.0.0.51 (10.0.0.51). Requested URL: '/media/local/Music/Muse/Absolution/03%2520-%2520Time%2520is%2520Running%2520Out.flac?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxMmIyMTNhMDExOTU0YjE5YjA0ZWExMTY2OTBjMmJiYyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvTXVzaWMvTXVzZS9BYn'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 10.0.0.51 (10.0.0.51). Requested URL: '/media/local/NAS_Media/Music/Aselin%2520Debison/Bigger%2520Than%2520Me/01%2520-%2520Life.flac?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxMmIyMTNhMDExOTU0YjE5YjA0ZWExMTY2OTBjMmJiYyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvTkFTX01lZ'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 10.0.0.51 (10.0.0.51). Requested URL: '/media/local/Music/StarGate.flac?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxMmIyMTNhMDExOTU0YjE5YjA0ZWExMTY2OTBjMmJiYyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvTXVzaWMvU3RhckdhdGUuZmxhYyIsInBhcmFtcyI6W10sImlhdCI6MTcwNzc1MjEwMiwiZX'. (AvegaMediaServer/2.0 Linux/2.6)
Login attempt or request with invalid authentication from 10.0.0.51 (10.0.0.51). Requested URL: '/media/local/Music/Coeur%2520de%2520Pirate/Coeur%2520de%2520Pirate/03%2520-%2520Fondu%2520au%2520noir.flac?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxMmIyMTNhMDExOTU0YjE5YjA0ZWExMTY2OTBjMmJiYyIsInBhdGgiOiIvbWVkaWEvbG9j'. (AvegaMediaServer/2.0 Linux/2.6)

If we take an example on one of those, the full URL the HEOS integration tries to open is the following: http://10.0.0.10:8123/media/local/Music/StarGate.flac?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxMmIyMTNhMDExOTU0YjE5YjA0ZWExMTY2OTBjMmJiYyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvTXVzaWMvU3RhckdhdGUuZmxhYyIsInBhcmFtcyI6W10sImlhdCI6MTcwNzc1MjEwMiwiZX

...which is exactly 255 characters long. This happens with every other media I try to open. The HEOS seems to have issues trying to open longer URLs.

If we take this example, here's the resulting decoded JWT Token :

As you can see, the "payload" is cropped and missing "exp" attribute, so the JSON is invalid and the authorization can't take place.

It would be great if we could completely disable this authentication for select IP addresses...

• bumping https://github.com/home-assistant/core/issues/69489 couldn't be done, so here we go.

[GOinfo-Ltd]

I also tried to allow my whole network in the trusted networks auth like the following, to no avail.

homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 10.0.0.0/24
    - type: homeassistant

The home-assistant webpage doesn't ask for a password after that anymore, but the authSig parameter is still appended to the media URL, which still fails with a 401.

EDIT: those errors happen with an NFS mount that is added through the Settings->System->Storage UI in home-assistant, but this will ring true for any kind of local media.

[iHaveAstream]

Hi, same problems with some Denon AVR-X4700H, latest availa le Firmware. I'm on HA 2024.2.1 on a VM in Proxmox. Used to work on older versions of HA. My NAS is mounted in HA as NFS share.

Edit: some error details from HA log

Logger: homeassistant.util.logging Source: util/logging.py:102 First occurred: 19:53:31 (2 occurrences) Last logged: 19:53:32

Exception in _heos_updated when dispatching 'heos_updated': () Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/components/heos/media_player.py", line 148, in _heos_updated await self.async_update_ha_state(True) File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 960, in async_update_ha_state self._async_write_ha_state() File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 1110, in _async_write_ha_state state, attr, capabilities, shadowed_attr = self.async_calculate_state() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 1047, in async_calculate_state state = self._stringify_state(available) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 995, in _stringify_state if (state := self.state) is None: ^^^^^^^^^^ File "/usr/src/homeassistant/homeassistant/components/heos/media_player.py", line 408, in state return PLAY_STATE_TO_STATE[self._player.state] ~~~~~~~^^^^^^^^^^^^^^^^^^^^ KeyError: 'unknown'

Logger: homeassistant.components.heos Source: components/heos/init.py:489 Integration: Denon HEOS (documentation, issues) First occurred: 19:53:30 (1 occurrences) Last logged: 19:53:30

Unable to update sources: User not logged in (8)

Logger: homeassistant.components.http.ban Source: components/http/ban.py:129 Integration: HTTP (documentation, issues) First occurred: 19:53:29 (1 occurrences) Last logged: 19:53:29

Login attempt or request with invalid authentication from 10.10.40.4 (10.10.40.4). Requested URL: '/media/local/nas_music/Neu/Temp/twitch_stream_arptryx-20240207_150020.wav?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJlMjU5OWU2ZGNiNDE0Mzg3ODQ4NzM0NjEwMTU5NmRkOSIsInBhdGgiOiIvbWVkaWEvbG9jYWwvbmFzX211c2ljL05ldS9UZW1wL3'. (AvegaMediaServer/2.0 Linux/2.6)

10.10.40.4 is my Denon AVR

[bobvandevijver]

Just hit this as well. Seems to be an issue with the authSig query parameter. Not only the token is incomplete, but it is also encoding the = character while it shouldn't.

I enabled debug logging on the component and found Home Assistant seems to be doing everything as it should:

2024-02-17 10:56:01.224 DEBUG (MainThread) [pyheos.connection] Command executed 'heos://browse/play_stream?sequence=49&pid=-1070890658&url=http://192.168.1.112:8123/media/local/BobV/538%2520Dance%2520Department/01%2520Carry%2520Me%2520Away.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1NTczZWY1ZmYxZjQ0NmU2YTJiMDQxMWE0MTAzODU1MyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvQm9iVi81MzggRGFuY2UgRGVwYXJ0bWVudC8wMSBDYXJyeSBNZSBBd2F5Lm1wMyIsInBhcmFtcyI6W10sImlhdCI6MTcwODE2Mzc2MSwiZXhwIjoxNzA4MjUwMTYxfQ.4pjhE5OKblzAoHaAPPhZ_-5pAZYsTammKI0Z-ouMUEQ': '{'command': 'browse/play_stream', 'result': 'success', 'message': 'sequence=49&pid=-1070890658&url=http://192.168.1.112:8123/media/local/BobV/538%2520Dance%2520Department/01%2520Carry%2520Me%2520Away.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1NTczZWY1ZmYxZjQ0NmU2YTJiMDQxMWE0MTAzODU1MyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvQm9iVi81MzggRGFuY2UgRGVwYXJ0bWVudC8wMSBDYXJyeSBNZSBBd2F5Lm1wMyIsInBhcmFtcyI6W10sImlhdCI6MTcwODE2Mzc2MSwiZXhwIjoxNzA4MjUwMTYxfQ.4pjhE5OKblzAoHaAPPhZ_-5pAZYsTammKI0Z-ouMUEQ'}'
2024-02-17 10:56:01.254 DEBUG (MainThread) [pyheos.connection] Event received for player {Woonkamer - AVC-X4800H (Denon AVC-X4800H)}: {'command': 'event/player_queue_changed', 'message': 'pid=-1070890658'}
2024-02-17 10:56:01.406 DEBUG (MainThread) [pyheos.connection] Command executed 'heos://player/get_now_playing_media?sequence=50&pid=-1070890658': '{'command': 'player/get_now_playing_media', 'result': 'success', 'message': 'sequence=50&pid=-1070890658'}'
2024-02-17 10:56:01.408 DEBUG (MainThread) [pyheos.connection] Event received for player {Woonkamer - AVC-X4800H (Denon AVC-X4800H)}: {'command': 'event/player_now_playing_changed', 'message': 'pid=-1070890658'}
2024-02-17 10:56:01.477 DEBUG (MainThread) [pyheos.connection] Event received for player {Woonkamer - AVC-X4800H (Denon AVC-X4800H)}: {'command': 'event/player_state_changed', 'message': 'pid=-1070890658&state=stop'}
2024-02-17 10:56:01.593 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from Woonkamer---AVC-X4800H.internal.bobvandevijver.nl (192.168.1.239). Requested URL: '/media/local/BobV/538%2520Dance%2520Department/01%2520Carry%2520Me%2520Away.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1NTczZWY1ZmYxZjQ0NmU2YTJiMDQxMWE0MTAzODU1MyIsInBhdGgiOiIvbWVkaWEvbG9jYWwvQm9iVi81MzggRGFuY2U'. (AvegaMediaServer/2.0 Linux/2.6)
2024-02-17 10:56:01.697 DEBUG (MainThread) [pyheos.connection] Event received for player {Woonkamer - AVC-X4800H (Denon AVC-X4800H)}: {'command': 'event/player_playback_error', 'message': 'pid=-1070890658&error=Unable to play media. Please try again later.'}
2024-02-17 10:56:01.711 DEBUG (MainThread) [pyheos.connection] Event received for player {Woonkamer - AVC-X4800H (Denon AVC-X4800H)}: {'command': 'event/player_state_changed', 'message': 'pid=-1070890658&state=stop'}

The url needs to be encoded as it is part of the query command being send to HEOS, but it looks like HEOS doesn't decode the URL correctly. This is visible from that is requested by HEOS (being logged due to invalid authentication). It should have authSig=<key>, but instead it comes with authSig%3d<subkey> which obviously doesn't work. I also tried authSig%3d<key> in the browser, which doesn't work (as expected).

So, the %3D should have been a =, and only the first 255 characters of the URL are actually parsed by HEOS. 255 characters? Coincidence? I think not!

Unfortunate conclusion: the URLs Home Assistant generates to be able to securely share the media file outside Home Assistant are not supported by HEOS 😞

Edit: For my use case I solved it by using DLNA instead of a Home assistant music share, by adding minidlna to my music server.

[GOinfo-Ltd]

DLNA is a no-go for my own usecase so at the moment I'm stuck with the HEOS app or a third-party service.

After (not that much) digging, I found the API documentation for HEOS, and there is no mention of the character length of URLs anywhere in it.

https://assets.denon.com/documentmaster/us/heos_cli_protocolspecification-version_04062020.pdf

However, after very few testing, I can confirm that the URL is cutoff at 255 chars.

The long filename returns success but doesn't start playing. The HEOS app alerts me of "unable to play media, please try again later". The short filename plays straight away.

Does anyone on the HASS team this is a problem with a possible workaround or fix ? The only thing I'm thinking of would be to generate short URLs upon play.

Example : http://10.0.0.10:8123/shortUrl?guid=deadbeef-cafe-babe-1234-abcdef123456 that would internally redirect to http://10.0.0.10:8123/media/local/Music/file.flac?authSig%3Dasdfasdfasdflkajsdflkajsdf....

[GOinfo-Ltd]

I have just now opened a ticket on denon's website to ask if a firmware update was possible to increase that URL length limit. I have my doubts that this email will even be read, but you never know.

[GOinfo-Ltd]

Just got an answer from Denon.

Response By E-mail (Zuzana) (06/03/2024 17:00) Hi Nicolas,

Thank you for contacting Denon Customer Service. After careful review of your case I have contacted our specialists, and they confirmed that 255 is indeed current URL length limit and at the moment there are no plans to change that.

I am sorry of this inconvenience. If you have any other questions or need additional support, please feel free to reach out to us.

Kind regards, Zuzka

[GOinfo-Ltd]

I just tested to pass the long URL through TinyURL.

Turns out that works flawlessly and the device plays, despite the fact that tinyURL literally only does a 301 redirect to the long URL.

Why it works, no idea, but it does just that the device is capable of it !...

...any way to implement an url shortening service right on HASS?

[yutani42]

I recently bought a Denon Home 150 due many people recommending the excellent HA HEOS integration, but now I ran into the same issues described here. Even some(?) radio stations relayed from radio browser aren't working/producing the same error.

Quite a bummer :(

Luckily at least via Spotify integration I can cover most of my needs.

[tkgafs]

I've just run into this issue as well I'm running on a denon avr 2800 and just discovered the Heos integration exists, but unfortunately, like everyone else I cant use it because of this issue. I'll look into the dnla suggestion mentioned above but not sure if my music server will be able to do it

[GOinfo-Ltd]

https://github.com/music-assistant seems to work for my usecase. Give it a try if you wanna avoid DLNA as well.

Even allows youtube music. Integration is a little slow but hey, can't complain too much !