home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Lovelace: Login attempt or request with invalid authentication #23055

Closed olbjan closed 2 years ago

olbjan commented 5 years ago

Home Assistant release with the issue:

0.91.0 - 0.91.2

Last working Home Assistant release (if known):

Operating environment (Hass.io/Docker/Windows/etc.):

Hass.io on HassOS on Pi and NUC

Component/platform:

Frontend

Description of problem: When adding a generic camera entity to a picture-elements card (say a floorplan) in lovelace, I get `Login attempt or request with invalid authentication from IP` about one in three or four times upon opening the Home Assistant site. This happens in the iOS companion app and in Safari, Firefox and Chrome on PC.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

elements:
  - entity: camera.living_room
    style:
      left: 28%
      top: 12%
    type: state-icon
image: /local/floorplan.jpg
title: Floorplan
type: picture-elements


Traceback (if applicable):

Additional information:

justinvoelker commented 5 years ago

Experiencing the same problem with some cameras from a ZoneMinder instance with the config below.

Home Assistant 0.92.0 running within Docker on a Raspberry Pi

zoneminder:
  - host: 192.168.***.***
    ssl: true
    username: !secret zoneminder_username
    password: !secret zoneminder_password
camera:
  - platform: zoneminder

Checking the device states shows the following. In this instance, indoor_01 is the camera throwing the error.

| Entity | State | Attributes |
|---|---|---|
| camera.indoor_01 | unavailable | friendly_name: indoor-01; entity_picture: /api/camera_proxy/camera.indoor_01?token=...; supported_features: 0 |
| camera.indoor_02 | idle | access_token: ...; friendly_name: indoor-02; entity_picture: /api/camera_proxy/camera.indoor_02?token=...; supported_features: 0 |

orson1282 commented 5 years ago

Same here with Zoneminder running Home Assistant 0.93.2 in Docker on Ubuntu 18.04 and Zoneminder on another server.

jjlawren commented 5 years ago

I've run HA through a proxy to see why this occurs. For some reason the picture-* cards will make requests to the camera even when it's just an icon on the card and not acting as a picture/stream:

Example HTTP call made when loading the view that contains one of the above cards:

GET /api/camera_proxy/camera.my_camera?token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 401

For some reason 1) the card requests data from the camera when it shouldn't and 2) this request fails with a 401 auth error somewhat consistently.

orson1282 commented 5 years ago

I think I found a solution for my issue. I added the use_x_forwarded_for and trusted_proxies variables to the http integration... as I'm using a proxy.

So it looks like this:

http:
  base_url: https://xxxxxxx.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.x.x

sreknob commented 5 years ago

Just chiming in here, having the same issue with my iPhone getting IP banned using beta companion app. Running in docker with trusted proxies and use_x_forwarded_for both on.

http:
    base_url: https://ha.xxxxxxx.com
    ip_ban_enabled: true
    login_attempts_threshold: 5
    use_x_forwarded_for: true
    trusted_proxies:
      - 172.17.0.0/16

Just looking at my config, I am using the docker ip address range given that's what I had to use before when using trusted networks. Would it make more sense to use my local subnet for proxies instead?

Santobert commented 5 years ago

Same here. Homeassistant runs in docker. I use a mjpeg camera and floorplans.

2019-09-09 06:01:13 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.208.1

192.168.208.1 is the docker host that proxies requests from IPv6. This error also occurs with IPv4. The traceback then contains the IP address of the requesting device.

The error only occurs when my Android device (Google Chrome) reloads the page.
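The reports above show the ban warning naming a proxy or Docker host address rather than the requesting device. The following is an added example, not code from this thread or from Home Assistant: a simplified model of how `use_x_forwarded_for`, `trusted_proxies` and `login_attempts_threshold` decide which address collects the failed requests. The addresses and traffic are constructed, and the resolution logic is an assumption that only approximates the real integration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network


def client_ip(peer, forwarded_for, use_x_forwarded_for=False, trusted_proxies=()):
    """Return the address a request is attributed to (simplified model)."""
    peer_ip = ip_address(peer)
    nets = [ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    # The header is only believed when the option is on AND the TCP peer is a
    # configured proxy; otherwise any client could forge X-Forwarded-For.
    if not (use_x_forwarded_for and forwarded_for and trusted(peer_ip)):
        return str(peer_ip)
    try:
        hops = [ip_address(h.strip()) for h in forwarded_for.split(",")]
    except ValueError:
        return str(peer_ip)  # malformed header: fall back to the peer
    # Walk from the nearest hop outwards and take the first untrusted one.
    for hop in reversed(hops):
        if not trusted(hop):
            return str(hop)
    return str(hops[0])


def banned_after(events, threshold, **http_cfg):
    """events: (peer, X-Forwarded-For or None, auth_ok). Returns banned IPs."""
    failures = Counter()
    banned = set()
    for peer, xff, auth_ok in events:
        if auth_ok:
            continue
        ip = client_ip(peer, xff, **http_cfg)
        failures[ip] += 1
        if failures[ip] >= threshold:
            banned.add(ip)
    return banned


# Constructed traffic: a reverse proxy on the Docker bridge forwards five
# failing camera requests from one phone and one good request from a laptop.
PROXY = "172.17.0.1"
EVENTS = [(PROXY, "192.168.1.50", False)] * 5 + [(PROXY, "192.168.1.60", True)]
# Constructed direct client that forges the header to shift blame.
SPOOF = [("203.0.113.9", "192.168.1.60", False)] * 5

if __name__ == "__main__":
    configs = [
        ("no forwarding", {}),
        ("proxy trusted", {"use_x_forwarded_for": True,
                           "trusted_proxies": ["172.17.0.0/16"]}),
        ("wrong network trusted", {"use_x_forwarded_for": True,
                                   "trusted_proxies": ["192.168.1.0/24"]}),
    ]
    for label, cfg in configs:
        print(label, sorted(banned_after(EVENTS, 5, **cfg)))
```

In this model, banning the proxy address locks out every client behind it, while a correctly trusted proxy confines the ban to the one device sending bad requests.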

danbowkley commented 4 years ago

Same here on 100.3, no proxy, HA in a venv on Ubuntu 18.04 with UniFi cameras as well as generic camera entities passing the rtmp feed from the UniFi NVR (so I can cast them). Have to ssh in, delete the ban file, and restart to get back in. The NVR and HA are running on the same machine.

davericher commented 4 years ago

+1 :/

yaba commented 4 years ago

+1

Legsmaniac commented 4 years ago

+1

raymondoooo commented 4 years ago

Same here. Been like this for a while. I had to disable IP Bans.

Legsmaniac commented 4 years ago

> Same here. Been like this for a while. I had to disable IP Bans.

How do you disable IP Bans please?

raymondoooo commented 4 years ago

Just remove the line from your yaml.

https://www.home-assistant.io/integrations/http

Legsmaniac commented 4 years ago

Um... I don't have any line in my yaml. Yet outside IPs are banned. I even tried adding ip_ban_enabled: false and still no luck. Something amiss somewhere.....

joaoasilva commented 4 years ago

I'm having exactly the same problem since the last version, can this be addressed? All my cameras stopped working with HA. Thanks

Mariusthvdb commented 4 years ago

ha 101.2 here Hassio on Rpi4, getting constant 192.168.1.1 login bans, while my config uses:

  auth_providers:
   - type: homeassistant
   - type: trusted_networks
     trusted_networks:
       - 127.0.0.1
       - 192.168.1.0/24


edit/update

It appeared that my long-lived access token got wiped during update, so one of my rest sensors tried to initialize but didn't get authenticated....

How that happened I don't know, but reinstalling an access token solved it.

Legsmaniac commented 4 years ago

Got my cameras working again by downgrading to 0.99.3. Wondering if it's got anything to do with the demise of JSON?

yaba commented 4 years ago

Mine is fixed, totally forgot that Node-RED was using legacy auth method. Warning message should include details about where the request is coming from.

joaoasilva commented 4 years ago

This is related to Lovelace, @yaba. Also, you didn't provide the steps to fix it, which doesn't help much.

yaba commented 4 years ago

@joaoasilva Sorry. I came to this thread because lovelace/HA was giving `Login attempt or request with invalid authentication from` every 2 seconds. Since I also have a camera entity like the top user, I tried to disable it and restart HA. Same problem. Disabled every camera and possible integrations that could be using legacy auth and the problem persisted. Later I remembered that Node-RED was using node-red-contrib-home-assistant instead of node-red-contrib-home-assistant-websocket, removed the old integration and installed the new one which supports tokens. Fixed.

Legsmaniac commented 4 years ago

No idea what Node Red is so pretty sure that's not my problem. Mine is still camera related though and is to do with my triggers calling via web requests.......

URL = http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password>

Method - POST

Content Type = Application/JSON

Body = { "entity_id" : "media_player.lounge_display" , "media_content_id" : "http://xxxxxxxx.noip.me:xxxxx/mjpg/Front/video.mjpg" , "media_content_type" : "image/jpg"}

API password is set and correct yet they still kept getting blocked. As I said above, wondering if it's anything to do with the demise of JSON on 0.100.x because of the Content Type = Application/JSON ?

Anyone? Any ideas?

Happy with 0.99.3 for now, works for me with no problems whatsoever.

tribut commented 4 years ago

Authenticating via ?api_password is no longer supported. This is mentioned prominently in the release notes:

https://www.home-assistant.io/blog/2019/10/30/release-101/#api-password-and-trusted-networks

You will have to switch to authentication tokens.

Legsmaniac commented 4 years ago

I did read that but it still works with version 0.99.3 yet it was supposed to have been deprecated long since?

So if I used tokens, how do I call it? I mean, instead of ?api_password what do I use?

tribut commented 4 years ago

Yes, it has long been marked as deprecated, but support for it was only removed in 0.101.

Using authentication tokens is described in the dev docs:

https://developers.home-assistant.io/docs/en/external_api_rest.html

It boils down to setting an HTTP header like this: `Authorization: Bearer ABCDEFG`.

Legsmaniac commented 4 years ago

Thank you. I'll give it a whirl in the morning.

Legsmaniac commented 4 years ago

Hmmmm. I'm obviously not doing something right. More help needed please?

So, instead of http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password> what should it be? I've tried things like http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?Authorization: Bearer <token> which doesn't work, tried without the ? replacing with a space, still no go. In fact, I must have tried about 20 different ways and now I'm getting into a muddle.
Sorry to be a pain. I'm useless.

Hypfer commented 4 years ago

@Legsmaniac The HTTP Header is not part of the URL

You need to set it somewhere else.

For CURL see https://curl.haxx.se/docs/manpage.html#-H

For Postman see https://learning.getpostman.com/docs/postman/sending-api-requests/requests/#headers
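The exchange above turns on where the token goes: in a request header, not in the URL. The following is an added example, not code from this thread or from Home Assistant, that builds the `play_media` call with an `Authorization: Bearer` header, renders it as it would appear on the wire, and flags the two URL mistakes seen in the thread. The host name, token and helper names are constructed placeholders.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, unquote, urlsplit


def build_service_call(base_url, token, domain, service, data):
    """Build POST /api/services/<domain>/<service> with the token in a header."""
    url = f"{base_url.rstrip('/')}/api/services/{domain}/{service}"
    return urllib.request.Request(
        url,
        data=json.dumps(data).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",  # header, never a query parameter
            "Content-Type": "application/json",
        },
    )


def render_http(req):
    """Show the request as HTTP/1.1 text: the URL path and headers are separate."""
    parts = urlsplit(req.full_url)
    lines = [f"{req.get_method()} {parts.path} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{name}: {value}" for name, value in req.header_items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req.data.decode("utf-8")


def url_problems(url):
    """Flag the two URL mistakes from the thread (useful when auditing webhooks)."""
    query = urlsplit(url).query
    problems = []
    if "api_password" in parse_qs(query, keep_blank_values=True):
        problems.append("api_password in query string")
    if "authorization" in unquote(query).lower():
        problems.append("Authorization header placed in URL")
    return problems


def send(req, timeout=10):
    """Send the request and return the status code; 401 means the token was rejected."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed placeholders: replace with your own host and long-lived token.
BASE_URL = "http://homeassistant.example:8123"
TOKEN = "CONSTRUCTED_TOKEN"
BODY = {
    "entity_id": "media_player.lounge_display",
    "media_content_id": "http://camera.example/mjpg/Front/video.mjpg",
    "media_content_type": "image/jpg",
}

if __name__ == "__main__":
    request = build_service_call(BASE_URL, TOKEN, "media_player", "play_media", BODY)
    print(render_http(request))  # inspect offline; call send(request) to use it
    print(url_problems(request.full_url + "?api_password=secret"))
```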

thegame3202 commented 4 years ago

Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.

crus1313 commented 4 years ago

> Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.

So removing stuff is the solution? You no longer use that camera now? I don't understand this fix. Please detail it more.

thegame3202 commented 4 years ago

> > Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.
>
> So removing stuff is the solution? You no longer use that camera now? I don't understand this fix. Please detail it more.

I removed the Lovelace card from my view tab. The camera itself is still an entity in HomeAssistant. As soon as I have the card on my Lovelace page, it randomly throws the invalid login error. Not sure what you need from me, but as someone who doesn't code - This was what I did to "resolve" the issue. Thanks!

Santobert commented 4 years ago

I did some research. Camera resources are available at:

http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>

I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.

The camera preview uses a different link, but the underlying mechanics are the same:

http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

thegame3202 commented 4 years ago

> I did some research. Camera resources are available at:
>
> http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>
>
> I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.
>
> The camera preview uses a different link, but the underlying mechanics are the same:
>
> http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

That would make total sense. It does seem to happen the most in Chrome for me.

Legsmaniac commented 4 years ago

> @Legsmaniac The HTTP Header is not part of the URL
>
> You need to set it somewhere else.
>
> For CURL see https://curl.haxx.se/docs/manpage.html#-H
>
> For Postman see https://learning.getpostman.com/docs/postman/sending-api-requests/requests/#headers

Thanks for reply but sorry, that went over my head. I've been tinkering and trying to understand it but still no go. If I created a Curl file, what do I call it? Where do I put it? How do I include it? So lost.

comittedcode commented 4 years ago

@Legsmaniac curl is a command-line program that can be used for making HTTP requests. If you are uncomfortable with the command line use Postman, it is really easy to use. Just remember to set the HTTP Authorization header.

Legsmaniac commented 4 years ago

> @Legsmaniac curl is a command-line program that can be used for making HTTP requests. If you are uncomfortable with the command line use Postman, it is really easy to use. Just remember to set the HTTP Authorization header.

Um.... Thank you for your reply but as I said above, even Postman went over my head. It might seem really easy to you but I honestly couldn't fathom it out. I was only able to get HA up and running because there are plenty step-by-step tutes out there, both in text and YouTube but sadly, there's no tute on how to slot in the call for Token API, particularly from BlueIris. If there was I'd be able to follow that. :-(

somar05 commented 4 years ago

> I did some research. Camera resources are available at:
>
> http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>
>
> I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.
>
> The camera preview uses a different link, but the underlying mechanics are the same:
>
> http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

I think the same. Same scenario with Chrome. I have checked the browser cache, and it keeps the old token, so probably there is something wrong when the lovelace card shows a camera entity. No idea if it's possible to force the cache update in Chrome with no manual intervention.

26tajeen commented 4 years ago

I think I've got this issue. See here if interested.

TheBurgundyBear commented 4 years ago

I've got the same problem. I'm using motionEye and I'm pointing my picture entities to streams running off the motionEye Home Assistant add-on. As soon as I click on "Overview," I get the "WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication"

26tajeen commented 4 years ago

yeah I've had to give up on the picture entity for now!

Legsmaniac commented 4 years ago

I managed to solve my problem by installing MQTT. For this I chose to use Mosquitto. Obviously there's some setting up to do with Mosquitto and MQTT but there's plenty of info available online for this. It's how I discovered it after all. This, and the following code, is not my own. Alas, I'm not that clever. I can't remember where I found it all now but basically, here's what I did.....

I added to configuration.yaml.....

mqtt:
  broker: 192.168.1.xxx
  port: xxxx
  client_id: <my client ID name>
  username: !secret <my MQTT Username>
  password:  !secret <my MQTT Password>

Also in configuration.yaml, I added a binary sensor for (for example) my door camera.....

binary_sensor:
  - platform: mqtt
    name: "Door Motion"
    state_topic: "blue_iris/binary_sensor/door_motion/state"
    payload_on: "ON"
    payload_off: "OFF"
    device_class: "motion"

In automation.yaml, I added.......

bi_door:
  sequence:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The above was my own choice preference to cast to both of my displays for 30 seconds only. Obviously, you can alter the code to your own preference.

Then in BlueIris, on the camera Settings, Alerts tab - Configure Web or MQTT Alert - I selected MQTT in the dropdown then typed

MQTT Topic: blue_iris/binary_sensor/door_motion/state
Post/Payload: ON

Now, whenever motion is detected on the door camera via BlueIris, up pops the live stream on both of my Google displays for 30 seconds then revert back to normal until next motion detection. And it's pretty quick too.

I've also followed the instructions to add Google Assistant to Home Assistant whereupon you can ask whichever display you want for whatever Blue Iris camera stream you want but I haven't quite managed to get that fully working as yet as I have a problem with my "Stream" component, something about my needing to add AV 6.1.2 to Python which I haven't managed to do as yet. I'm running my server (and Python) on Windows 10 and all suggestions on various forums say to ditch Windows and use Linux. Not very helpful when I want to continue using Windows. There seems to be very little help out there for Windows users and plenty for Hassio users on Linux.

However, I am able to use IFTTT now that I have MQTT installed and use that to call for cameras. For now.

Legsmaniac commented 4 years ago

As for the Picture Entity, that's easy.

Add to configuration.yaml.......

camera:
  - platform: mjpeg
    mjpeg_url: http://<BlueIris server address and Port>/mjpg/Front/video.mjpg
    name: Front

Add as many cameras as you like just by repeating the - platforms. Restart HA.

Then in Lovelace in your Picture Entity Card just select camera.front as your entity and you have a live stream right there in Lovelace.

gavinwoolley commented 4 years ago

@Legsmaniac I did exactly as you did. And I got stream working. But the stream was useless and slow. So I removed it.. Then I opted for a different approach. Make a home assistant script that runs the same services as your motion detection automation to push images to displays. Then expose that to Google assistant. So you can say, ok Google activate "alias name of your script"

You might be able to just make a script that triggers your motion automation. And call it that way via Google too

Legsmaniac commented 4 years ago

> @Legsmaniac I did exactly as you did. And I got stream working. But the stream was useless and slow. So I removed it..

Hmmmm, thanks for that confirmation. I read someone else said the same thing, that the stream was so behind because it has to be re-encoded via ffmpeg so I don't think I'll bother faffing around trying to get it working then.

And thanks for the script idea. Why didn't you think of that?! LOL I already have a script set up actually but never thought of linking it to Google. I'll certainly have to have a go with that. Cheers.

daxl10 commented 4 years ago

> I managed to solve my problem by installing MQTT. For this I chose to use Mosquitto. Obviously there's some setting up to do with Mosquitto and MQTT but there's plenty of info available online for this. It's how I discovered it after all. This, and the following code, is not my own. Alas, I'm not that clever. I can't remember where I found it all now but basically, here's what I did.....
>
> I added to configuration.yaml.....
>
> mqtt:
>   broker: 192.168.1.xxx
>   port: xxxx
>   client_id: <my client ID name>
>   username: !secret <my MQTT Username>
>   password:  !secret <my MQTT Password>
>
> Also in configuration.yaml, I added a binary sensor for (for example) my door camera.....
>
> binary_sensor:
>   - platform: mqtt
>     name: "Door Motion"
>     state_topic: "blue_iris/binary_sensor/door_motion/state"
>     payload_on: "ON"
>     payload_off: "OFF"
>     device_class: "motion"
>
> In automation.yaml, I added.......
>
> bi_door:
>   sequence:
>   - data:
>       entity_id: media_player.mini_display
>       media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
>       media_content_type: image/jpg
>     service: media_player.play_media
>   - alias: ''
>     data:
>       entity_id: media_player.lounge_display
>       media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
>       media_content_type: image/jpg
>     service: media_player.play_media
>   - delay: 00:00:30
>   - data:
>       entity_id: media_player.mini_display
>     service: media_player.turn_off
>   - data:
>       entity_id: media_player.lounge_display
>     service: media_player.turn_off
>
> The above was my own choice preference to cast to both of my displays for 30 seconds only. Obviously, you can alter the code to your own preference.
>
> Then in BlueIris, on the camera Settings, Alerts tab - Configure Web or MQTT Alert - I selected MQTT in the dropdown then typed
>
> MQTT Topic: blue_iris/binary_sensor/door_motion/state
> Post/Payload: ON
>
> Now, whenever motion is detected on the door camera via BlueIris, up pops the live stream on both of my Google displays for 30 seconds then revert back to normal until next motion detection. And it's pretty quick too.
>
> I've also followed the instructions to add Google Assistant to Home Assistant whereupon you can ask whichever display you want for whatever Blue Iris camera stream you want but I haven't quite managed to get that fully working as yet as I have a problem with my "Stream" component, something about my needing to add AV 6.1.2 to Python which I haven't managed to do as yet. I'm running my server (and Python) on Windows 10 and all suggestions on various forums say to ditch Windows and use Linux. Not very helpful when I want to continue using Windows. There seems to be very little help out there for Windows users and plenty for Hassio users on Linux.
>
> However, I am able to use IFTTT now that I have MQTT installed and use that to call for cameras. For now.

in your automation the "bi_door" what is this calling? I'm trying to do that same setup but can't see what this is linking to?

Legsmaniac commented 4 years ago

Good question!!! LOL I had to scratch my head over that one for a minute until I checked my automation.yaml file again. The correct script is......

- id: blueiris_cast_door
  alias: Blue Iris Cast Door
  trigger:
  - entity_id: binary_sensor.door_motion
    from: 'off'
    platform: state
    to: 'on'
  action:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.150:21010/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.150:21010/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The original script listed above was placed in Scripts.yaml actually, and was called for as bi_door for something else I was doing. Sorry about that. Hope this clears up any confusion.

daxl10 commented 4 years ago

@Legsmaniac Thanks that helped.

ascillato commented 4 years ago

If you have set a camera, check that the correct config has been set as described in https://www.home-assistant.io/integrations/generic_ip_camera/#image-from-http-only-camera

Remember to add the correct

verify_ssl: false

Legsmaniac commented 4 years ago

> Remember to add the correct
>
> verify_ssl: false

I had forgotten about that. Yet my cameras are indeed HTTP and Home Assistant is HTTPS. But still, I can see all my cameras no problem.

Legsmaniac commented 4 years ago

Thanks for that but I have tried that many times and sadly, it has never worked. I've searched for help no end of times on various forums on this subject and I discovered that I'm not alone in this matter. It seems that Trusted Networks doesn't work for a good many users. I also read that it's being (if not already has?) discontinued? Perhaps that's why?

Anyhow, I don't really need it anymore as my cameras are all working exactly how I want/need them to. So far. I do get a warning that the IP address of my router has accessed the network, only when I use Configurator, nothing else. Even so, Trusted Networks still doesn't stop that. Configurator works anyway so I just ignore it for now.

ttaidapos commented 4 years ago

Any solution to this? It's obviously not working as expected.