home-assistant / core


Lovelace: Login attempt or request with invalid authentication #23055

Closed olbjan closed 2 years ago

olbjan commented 5 years ago

Home Assistant release with the issue:

0.91.0 - 0.91.2

Last working Home Assistant release (if known):

Operating environment (Hass.io/Docker/Windows/etc.):

Hass.io on HassOS on Pi and NUC

Component/platform:

Frontend

Description of problem: When adding a generic camera entity to a picture-elements card (say a floorplan) in lovelace, I get `Login attempt or request with invalid authentication from IP` about one in three or four times upon opening the Home Assistant site. This happens in the iOS companion app and in Safari, Firefox and Chrome on PC.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

elements:
  - entity: camera.living_room
    style:
      left: 28%
      top: 12%
    type: state-icon
image: /local/floorplan.jpg
title: Floorplan
type: picture-elements


Traceback (if applicable):

Additional information:

ascillato commented 4 years ago

This issue is the same as https://github.com/home-assistant/frontend/issues/3379

I had this issue also and I found a workaround to it.

My Issue and Tests:

My cameras' feeds froze every 5 minutes exactly when the cameras' tokens are refreshed, and most of the time, in that exact moment the error Login attempt or request with invalid authentication shows up in notification.

If I see the camera's feed from HADashboard or see the cameras from Motioneye, this doesn't happen ever. I have tested on several browsers and this exact same problem occurs (chrome on PC, chrome on android, fully kiosk on android, and others). On Chrome, if pressing F12, there is no error.

The config I use in my lovelace is:

   - type: picture-glance
     title: Patio
     camera_image: camera.patio
     entity: camera.patio
     camera_view: live
     aspect_ratio: 0%

If using F12 on Chrome, I see that the cameras' feeds are not receiving the updated token. As in the example of the following image, at start, the 3 cameras receive their token and they work fine, but after 5 minutes (in this case), only one camera receives it and that was the only one that continued working. The other 2 froze. After another 5 minutes, some of these cameras receive the new token and they restart the feed.


And when moving from one tab to another, I have the following with the Login attempt or request with invalid authentication issue:


When using HADashboard of APPDAEMON on Chrome and pressing F12, we can see the exact same transaction for camera's tokens and it happens every 5 minutes as expected with all cameras. The HA Dashboard uses Knockout.js for that and lovelace uses parts.ts

Why does parts.ts miss some calls for token renewals? When it misses one, it might call for the renewal after another 5 minutes. So the feed is not reliable on lovelace. Sometimes it works but after some time, some of the feeds freeze and we have to reload the page or wait for another 5 minutes for the new token renewal.

My Workaround:

As in my case, HADashboard works fine (the camera feed never freezes and there is no login error) but this error occurs on a camera feed in a picture-glance of lovelace, so I tried to use instead the camera feed but in a custom:button-card, and surprisingly it works fine. So, I have now a workaround to this issue.

          - type: 'custom:button-card'
            entity: camera.portero
            label: Portero
            show_name: false
            show_label: true
            show_icon: false        
            show_entity_picture: true
            show_live_stream: true
            size: 100%
            styles:          
              entity_picture:
                - position: absolute
                - top: 0%
                - margin: none
              card:             
                - margin: 0px 0px 0px 0px
                - padding: 0px 0px


With the custom:button-card the token is refreshed every 5 minutes as expected and the camera feed never freezes. Also, the Login attempt or request with invalid authentication issue is gone.

So, it seems that there is an issue for tokens but just in the default picture-glance card of lovelace.

I would like to help on finding the bug on picture-glance. What else can I test?

ttaidapos commented 4 years ago

I see this issue elsewhere as well. Below is a lovelace component that uses the camera integration to display a *.gif. I have automation that changes the file path to a location hass has access to. A few times a day I'll get the errors below. Note the IP address in question is my router. I've tried whitelisting and changing permissions a million times with no luck. It has gotten better since I chown homeassistant:homeassistant across all files/directories but I still get this 5-10 times a day depending how often we login to hass. We do have google authenticator enabled. This smells something to do with the token because as soon as I refresh a second later, it goes away and the image below in question displays properly. Hope this helps!

Lovelace Card

cards:
  - aspect_ratio: 35%
    camera_image: camera.mail_usps
    camera_view: live
    entity: sensor.mail_usps_mail
    name: Today's Mail
    type: picture-entity
  - entities:
      - entity: sensor.mail_usps_delivered
        icon: 'mdi:package-variant'
        name: USPS Packages Delivered
      - entity: sensor.mail_fedex_delivered
        icon: 'mdi:package-variant'
        name: FedEx Packages Delivered
      - entity: sensor.mail_usp_delivered
        icon: 'mdi:package-variant'
        name: UPS Packages Delivered
      - entity: sensor.mail_usps_delivering
        icon: 'mdi:package-variant-closed'
        name: USPS Packages in Transit
      - entity: sensor.mail_fedex_delivering
        icon: 'mdi:package-variant-closed'
        name: FedEx Packages in Transit
      - entity: sensor.mail_ups_delivering
        icon: 'mdi:package-variant-closed'
        name: UPS Packages in Transit
      - entity: sensor.mail_updated
        name: Mail Updated
    state_filter:
      - operator: '>'
        value: '0'
    type: entity-filter
title: Mail Today
type: 'custom:vertical-stack-in-card'

yaml

# Camera Platforms
camera:
  #Mail and Packages custom component
  - platform: local_file
    file_path: /home/homeassistant/.homeassistant/custom_components/mail_and_packages/mail_none.gif
    name: mail_usps

Error 1 of 2

Log Details (WARNING)
Logger: homeassistant.components.local_file.camera
Source: components/local_file/camera.py:92
Integration: local_file (documentation, issues)
First occurred: 2:25:29 PM (59 occurrences)
Last logged: 9:23:26 PM

Could not read camera mail_usps image from file: /home/homeassistant/.homeassistant/images/mail_and_packages/fc726191-7e18-434e-b16b-2996bd0d22e2.gif

Error 2 of 2

Log Details (WARNING)
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:74
Integration: http (documentation, issues)
First occurred: 5:02:32 PM (4 occurrences)
Last logged: 7:48:44 PM

Login attempt or request with invalid authentication from 192.168.50.1

mbaran5 commented 4 years ago

I am experiencing the same issue. I even tried the solution above by @ascillato but still repeatedly get invalid authentication notices when displaying a local file as a camera entity. The issue appears more often if I am coming through my reverse proxy but seems to appear either way.

Maco65 commented 4 years ago

I have the same issue with ESP32 CAM module. Running 0.111.1, HassOS 4.10, supervisor 227. Whenever the camera is on and I am viewing the picture, the Login problem appears once in a while (a few times per hour). ESP32 CAM yaml configuration:

  external_clock:
    pin: GPIO0
    frequency: 20MHz
  i2c_pins:
    sda: GPIO26
    scl: GPIO27
  data_pins: [GPIO5, GPIO18, GPIO19, GPIO21, GPIO36, GPIO39, GPIO34, GPIO35]
  vsync_pin: GPIO25
  href_pin: GPIO23
  pixel_clock_pin: GPIO22
  power_down_pin: GPIO32
  name: test_camera
  resolution: 800x600

mihail4anov commented 4 years ago

I had the problem Login attempt or request with invalid authentication. But the reason for this was that the camera had no authentication, and the camera.yaml config had authentication: basic. Now both (camera and config) have basic authentication and the error is almost gone. (It has become very rare.)

fermulator commented 4 years ago

I had this as a "one off" I guess, while editing an automation, the save button wasn't working, and I was getting this same error message every time I clicked "Save". This caused me to lose my work. After a full HA restart, things worked fine again :/ 0.109.6

barrymossel commented 4 years ago

Getting the login error message when opening HA in app or browser on a view with cameras in picture-glance card. Only happens when tab/app is out of sight (not closed I believe) for a set amount of time (5mins?). Happens for Android, iOS and Windows (all browsers).

Please let me know if I have to test something...

entropie commented 3 years ago

edit: Nevermind

Maco65 commented 3 years ago

I am getting this error once in a while but at this point my ESP32-CAM module is not used so it must be related to another reason. Most often I get it when I use the mobile app from a phone connected to different networks.

barrymossel commented 3 years ago

Anyone looking into this?

alphasixtyfive commented 3 years ago

I keep getting those warnings and I even had to disable banning.

Maco65 commented 3 years ago

@alphasixtyfive - can you confirm that this happens when you are logging in at the same time from mobile and several tabs on PC?

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

Santobert commented 3 years ago

Still relevant

Maco65 commented 3 years ago

Relevant. I suspect it may have something to do with several WiFi's with the same name. I am using WiFi extension coverage with additional 2 Access Points. Main router and those 2 APs are running Fresh Tomato OS and APs are configured with the same SSID name. It may be that once my phone or laptop are switching to another AP then some lower level identifiers are changed and Home Assistant is detecting this reporting error ? Here is the latest case (I have 1-2 per week) with detailed log:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:116
Integration: HTTP (documentation, issues)
First occurred: 23 March 2021, 11:38:05 (7 occurrences)
Last logged: 11:36:08
* Login attempt or request with invalid authentication from MS-Carbon.dom (192.168.1.237). (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0)
* Login attempt or request with invalid authentication from MS7.dom (192.168.1.210). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.3 (io.robbie.HomeAssistant; build:2021.77; iOS 14.4.0) Mobile/HomeAssistant, like Safari)
* Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.3 (io.robbie.HomeAssistant; build:2021.77; iOS 14.4.0) Mobile/HomeAssistant, like Safari)
* Login attempt or request with invalid authentication from MS7.dom (192.168.1.210). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.3 (io.robbie.HomeAssistant; build:2021.77; iOS 14.4.2) Mobile/HomeAssistant, like Safari)
* Login attempt or request with invalid authentication from MS-Carbon.dom (192.168.1.237). (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0)

EDITED: And yes, I also have live camera view.
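For triaging warnings like the ones quoted above, here is an added example (not part of the original comments and not Home Assistant code) that parses both `http.ban` message forms seen in this thread and groups the failures per source address. The threshold value of 5 and the sample log are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Matches both forms quoted in this thread: "from HOST (IP). (User-Agent)"
# and the older bare "from IP".
LINE_RE = re.compile(
    r"Login attempt or request with invalid authentication from "
    r"(?:(?P<host>\S+) \((?P<ip>[0-9A-Fa-f:.]+)\)\.(?: \((?P<ua>.*)\))?"
    r"|(?P<bare_ip>[0-9A-Fa-f:.]+))\s*$"
)

IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.3 "
             "(io.robbie.HomeAssistant; build:2021.77; iOS 14.4.0) "
             "Mobile/HomeAssistant, like Safari")
FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) "
              "Gecko/20100101 Firefox/86.0")
PREFIX = "* Login attempt or request with invalid authentication from "

# Constructed sample: hosts, addresses and user agents come from the log
# excerpts in this thread; the number of repetitions is made up.
SAMPLE_LOG = "\n".join(
    [
        f"{PREFIX}MS-Carbon.dom (192.168.1.237). ({FIREFOX_UA})",
        f"{PREFIX}MS7.dom (192.168.1.210). ({IPHONE_UA})",
        f"{PREFIX}localhost (127.0.0.1). ({IPHONE_UA})",
        f"{PREFIX}MS7.dom (192.168.1.210). ({IPHONE_UA})",
        f"{PREFIX}MS-Carbon.dom (192.168.1.237). ({FIREFOX_UA})",
    ]
    + [PREFIX[2:] + "192.168.50.1"] * 5
)


def parse_line(line):
    """Return host, ip and user agent for one warning, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip") or m.group("bare_ip"))
    except ValueError:
        return None
    return {"host": m.group("host"), "ip": addr, "ua": m.group("ua") or ""}


def source_kind(addr):
    """Classify where the request appeared to come from."""
    if addr.is_loopback:
        return "loopback"  # seen via something running on the same host
    if addr.is_private:
        return "private"   # LAN client, or a router/proxy fronting clients
    return "public"


def client_kind(ua):
    """Coarse client label; the User-Agent is client-supplied, so a hint only."""
    if "Home Assistant/" in ua:
        return "companion-app"
    if ua.startswith("Mozilla/"):
        return "browser"
    return "unknown"


def triage(log_text, threshold=5):
    """Count failures per source IP and flag sources at or over the threshold.

    threshold is a sample value (assumption), standing in for the number of
    failed attempts after which the instance bans an address.
    """
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats.setdefault(
            str(rec["ip"]),
            {"count": 0, "kind": source_kind(rec["ip"]), "clients": set()},
        )
        entry["count"] += 1
        entry["clients"].add(client_kind(rec["ua"]))
    for entry in stats.values():
        entry["reaches_threshold"] = entry["count"] >= threshold
    return stats


if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LOG).items()):
        print(ip, entry)
```

A loopback or router address that reaches the threshold is the case to look at first, because a ban on it applies to every client behind that address.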

alphasixtyfive commented 3 years ago

This is still happening a few times a day and I'm sure it is linked to camera entities.

barrymossel commented 3 years ago

It only happens when a view with live camera is open. So yes, definitely linked to camera entities.


ascillato commented 3 years ago

Yes, this issue is on the picture glance card. Please, check my comment for a workaround. With this workaround I have never had this issue again. https://github.com/home-assistant/core/issues/23055#issuecomment-620309182

barrymossel commented 3 years ago

Yes, this issue is on the picture glance card. Please, check my comment for a workaround. With this workaround I have never had this issue again. #23055 (comment)

Great if that works. Will I be able to add entities in there like in the picture-glance?


ascillato commented 3 years ago

Yes, you can. Please check the documentation of button-card

barrymossel commented 3 years ago

Yes, you can. Please check the documentation of button-card

Been checking it for an hour. Can't seem to find anything on states from other entities. Just of the main entity. Might be able with templates, but would not know how.

entropie commented 3 years ago

Yes, this issue is on the picture glance card.

I actually don't use picture-glance. I embed via picture-entity

type: picture-entity
camera_image: camera.hallway
camera_view: live
entity: camera.hallway
aspect_ratio: 50%
show_name: false
show_state: false
style: |
  ha-card {
  opacity: .5
    }

Also, I was trying to get the cause for the error multiple times. I just can't reproduce it. I think I actually removed all the picture elements from my dashboards and still got the error but not when I wait for it.

I get like 3-10 errors a day. I have almost all the time a sticky HA tab open when my PC is running (10+ hours a day). There are two companion apps accessing the HA instance. I'm almost sure I've seen these errors popping up since I use the android companion app.

We need to find a way to reproduce it. Maybe we should collect potential reasons for the cause.

I use:

I'm almost certain it happens when I first (re)load the companion on the mobile.

Legsmaniac commented 3 years ago

I had totally forgotten about this. I never did get to the bottom of this authenticity myself but since it only caused error messages to appear in the logs, I just had to ignore it because I never could sort it, no matter what I tried. As I posted way back in November 2019 I downgraded and stayed there for a while in order to keep my cameras working.

I can't remember when or what version I upgraded to but I did eventually upgrade and discovered my cameras were working once again with no error logs. I just assumed it was fixed. The only problem I was getting was an error regarding authenticity when I used File Editor. Again, since it was only a warning and File Editor actually did work, I just ignored it. It's not as if I used File Editor very often anymore anyway.

However, because this reawoken chat came up in my inbox, I checked to see what it was about out of interest and it reminded me I still had the File Editor access authenticity error - or so I thought I did. I just tried it and - no error! Again, I haven't done anything except to upgrade over time as and when new releases came out and I can only assume somewhere along the line, it's fixed itself.

I don't nor have ever used Picture Glance either, only Picture Entity so I decided to check in Developer Tools to see what was different with my Camera Entity settings and was surprised to see they appear to have set themselves up with Access Tokens, something I had always been trying to do myself but failed miserably, each camera entity had been assigned its own token, one for each of the 12 cameras I have set up on HA. Looking in my Profile under Refresh Tokens, I can see they were all created 22 weeks ago. Whether they were newly created 22 weeks ago or whether they were refreshed 22 weeks ago, I have no idea.

All I know is, it seems to have set itself up and done by itself what I've tried to do for months and months. I'm just happy it's working. No auth errors whatsoever. Sorry I can't help advise anyone further on this as I don't really have a great working knowledge on how this all works but maybe this post might trigger some idea or another with someone? I'll help with any questions of my setup if I can, if it would help but just remember that I didn't actually "do" anything except auto updates/upgrades.

The only other thing I can say is when I first reported my problems back in the end of 2019, I had HA running on Windows 10 with Python 37 installed. Then last year when I read that Python 37 support was going to be discontinued in HA and that I should upgrade to Python 38, I remember pulling my hair out trying to get it upgraded to P38. In the end I decided to run HA Linux version on VMWare on the same Windows 10 machine I used as a server PC. It was either that or consider running it on RPi and I hate RPi. It's been a LOT better since I did and much more fully automated with more features too. More features than I can throw a stick at, more features than I'll ever use or understand! LOL What matters is it's doing what I want it for, running my painstakingly set up automations every day without fail.

Maco65 commented 3 years ago

Yes, this issue is on the picture glance card. Please, check my comment for a workaround. With this workaround I have never had this issue again. #23055 (comment)

Thank you, it seems I have missed this info... Now I have removed my picture-glance cards and replaced them with custom: button-card as directed. At this point all works fine. Will see if I have those errors any more.

@barrymossel - I have the same challenge and I could not find the way to make those in custom: button-card. So, what I did, I have created a horizontal-stack card with all my "icons/buttons" as buttons in one row. This card is just below the camera picture so it "almost" looks the same and it does the job for me. I am thinking of creating a vertical-stack card with the camera picture in the first row and a horizontal-stack with buttons in the second row. But this should probably be a separate topic.

entropie commented 3 years ago

I unchecked "Automatically close connection" on profile page yesterday. Since then I got no notification. Trying for longer.

Edit: running for 48 hours without notif. Someone care to confirm?

Edit2: got a single auth error today, SO accessed HA instance via android companion. Turned her setting off as well.

I'm pretty sure it's at least related if not the main reason.

Strangehadron commented 3 years ago

Same for me since I've configured an esp32 cam and put in a live picture glance card. I have the login failed error when I open my mac app or my iphone app.

I'm also using Duckdns and nginx ssl as a reverse proxy to access HA outside of home and with the local address when I'm home but the login error has started since I've had the live camera view.

Maco65 commented 3 years ago

I unchecked "Automatically close connection" on profile page yesterday. Since then I got no notification. Trying for longer.

Will try this as well.

Maco65 commented 3 years ago

Unfortunately unchecked "Automatically close connection" does not seem to solve the issue. Since I have done it I had Login attempt or request with invalid authentication from ... error 5 times over the period of 2 days. :(

TheLastProject commented 3 years ago

I just got myself banned from my own instance again too because of a picture element that is filled over MQTT that is sometimes unavailable or whatever. Seems to be this issue.


alphasixtyfive commented 3 years ago

It just keeps happening over and over again.

Maco65 commented 3 years ago

I keep getting those errors even after I have removed my picture-glance card and replaced it with custom: button-card as directed by @barrymossel. Yesterday, the message appeared 3 times and in my view it is connected with the fact that I am checking my camera from phone, which frequently disconnects from home WiFi to cellular network and also in home between 3 routers (main + 2 WiFi extensions - same BSS ID)

AndreCox commented 3 years ago

Yes, looks like this issue happens with a camera card on two or more wifi networks with the same name. For me, I have an Omada mesh network and I use the deebot smart vacuum Ozmo T8 with a custom vacuum card; this caused the issue.

AndreCox commented 3 years ago

I just got myself banned from my own instance again too because of a picture element that is filled over MQTT that is sometimes unavailable or whatever. Seems to be this issue.


Do you have multiple wifi networks with the same BSSID? Then we can conclude that it has something to do with the multiple networks and camera component

ttaidapos commented 3 years ago

I have 2ghz and 5ghz with the same name as it is the default you can't change. Router switches clients based on compatibility and distance from nearest access point.

AndreCox commented 3 years ago

You wouldn't happen to be using nginx proxy, would you?

AndreCox commented 3 years ago

Also are you using nat loopback on your router?

ttaidapos commented 3 years ago

No to both. I can also confirm all my clients using hass are on 5ghz and not mixed. I do however have my PC on 24/7 with a chrome browser window open always with hass.

AndreCox commented 3 years ago

No to both. I can also confirm all my clients using hass are on 5ghz and not mixed. I do however have my PC on 24/7 with a chrome browser window open always with hass.

Ok so I guess we can rule out nginx and multiple BSSIDs. Would I be correct to assume that you are using some kind of camera card in home assistant such as a smart vacuum with camera or another kind of camera card?

ttaidapos commented 3 years ago

Using HACS mail and packages integration. It creates a generic camera I believe. Also I'm using several nest and blink cameras, Dyson fans, and vacuums in cards.

alphasixtyfive commented 3 years ago

No to both. I can also confirm all my clients using hass are on 5ghz and not mixed. I do however have my PC on 24/7 with a chrome browser window open always with hass.

Ok so I guess we can rule out nginx and multiple BSSIDs. Would I be correct to assume that you are using some kind of camera card in home assistant such as a smart vacuum with camera or another kind of camera card?

I currently only have picture entity cards for 16 cameras. I've also noticed that those cameras fail to load in iOS app from time to time and I'm forced to reload the page for them to appear.

AndreCox commented 3 years ago

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

ttaidapos commented 3 years ago

No to both. I can also confirm all my clients using hass are on 5ghz and not mixed. I do however have my PC on 24/7 with a chrome browser window open always with hass.

Ok so I guess we can rule out nginx and multiple BSSIDs. Would I be correct to assume that you are using some kind of camera card in home assistant such as a smart vacuum with camera or another kind of camera card?

I currently only have picture entity cards for 16 cameras. I've also noticed that those cameras fail to load in iOS app from time to time and I'm forced to reload the page for them to appear.

I get this exactly on Android Hass app and Chrome (regardless of OS). Need to refresh to get the cards rendered.

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

I do get the failed login attempts. If I dismiss it on time, I don't get my router's IP banned which is great. Otherwise I have to clear the ban list and reboot hass.

Here's a sample of the cards I'm using.

alphasixtyfive commented 3 years ago

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

Yes, I do and they actually appear exactly when picture entity fails to load camera stream.

AndreCox commented 3 years ago

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

Yes, I do and they actually appear exactly when picture entity fails to load camera stream.

I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience?
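The stale-token hypothesis raised in this thread can be made concrete with a simplified model. This is an added example, not part of the original comments and not Home Assistant's code: the two-token acceptance window, the ban threshold of 5, the 401/403 status codes and the `Instance` and `resume_background_tab` names are assumptions; only the 5-minute refresh interval comes from the observations above.

```python
import secrets
from collections import deque

TOKEN_INTERVAL = 300  # seconds; the thread reports a token refresh every 5 minutes
ACCEPTED_TOKENS = 2   # assumption: the current and the previous token are accepted
BAN_THRESHOLD = 5     # assumption: failed requests from one IP before it is banned


class Instance:
    """Toy server: per-camera rotating tokens plus a per-IP failure counter."""

    def __init__(self, cameras):
        self.tokens = {
            c: deque([secrets.token_hex(8)], maxlen=ACCEPTED_TOKENS)
            for c in cameras
        }
        self.failed = {}
        self.banned = set()

    def rotate(self):
        """Issue a new token per camera; the oldest one drops out of the window."""
        for window in self.tokens.values():
            window.append(secrets.token_hex(8))

    def current_token(self, camera):
        return self.tokens[camera][-1]

    def camera_request(self, ip, camera, token):
        """Return an HTTP-like status and count rejected tokens as failed logins."""
        if ip in self.banned:
            return 403
        if token in self.tokens[camera]:
            return 200
        self.failed[ip] = self.failed.get(ip, 0) + 1
        if self.failed[ip] >= BAN_THRESHOLD:
            self.banned.add(ip)
        return 401


def resume_background_tab(n_cameras, seconds_in_background, ip="192.0.2.10"):
    """Model a dashboard tab that missed token updates while in the background.

    Each camera card keeps the token it had when the tab was hidden and sends
    one image request with it on resume. The IP is a constructed value.
    Returns the list of statuses and whether the IP ended up banned.
    """
    cameras = [f"camera.cam{i}" for i in range(n_cameras)]
    server = Instance(cameras)
    held = {c: server.current_token(c) for c in cameras}
    for _ in range(seconds_in_background // TOKEN_INTERVAL):
        server.rotate()
    statuses = [server.camera_request(ip, c, held[c]) for c in cameras]
    return statuses, ip in server.banned


if __name__ == "__main__":
    for cams, secs in [(16, 300), (3, 900), (16, 900)]:
        statuses, banned = resume_background_tab(cams, secs)
        print(cams, "cameras,", secs, "s hidden:", statuses, "banned:", banned)
```

Under these assumptions a single resume of a 16-camera dashboard is enough to reach the ban threshold, while a tab hidden for only one interval still holds an accepted token.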

ttaidapos commented 3 years ago

I keep an eye on those suckers regularly. I did have one that hasn't been used for a bit that I just killed. I'll report back...

Home habits...

Update Fairly certain this has to do with Google Chrome and having the session open. It seems that once you change tabs after a certain amount of time, it doesn't like the token for some reason and triggers the issue. Dismissing the error in hass and refreshing the page is a good workaround but if gone unnoticed, that's when my router gets banned. Not sure if others can test this theory as well.

I presume the android app deals w/the token the same way so similar experience there.

alphasixtyfive commented 3 years ago

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

Yes, I do and they actually appear exactly when picture entity fails to load camera stream.

I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience?

I strongly believe this is exactly the case.

alphasixtyfive commented 3 years ago

I keep an eye on those suckers regularly. I did have one that hasn't been used for a bit that I just killed. I'll report back...

Home habits...

  • Phones: Primarily used using the official app on Android
  • Tablets: There's one mounted on our wall that we use regularly, also uses the official android app
  • Browser: I typically have hass open using Chrome throughout the day

Update Fairly certain this has to do with Google Chrome and having the session open. It seems that once you change tabs after a certain amount of time, it doesn't like the token for some reason and triggers the issue. Dismissing the error in hass and refreshing the page is a good workaround but if gone unnoticed, that's when my router gets banned. Not sure if others can test this theory as well.

I presume the android app deals w/the token the same way so similar experience there.

Same thing happens with Safari and iOS app which is basically a Safari's webView.

AndreCox commented 3 years ago

I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.

ttaidapos commented 3 years ago

I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.

I agree 100% and I know many people have from random postings. I noticed this behavior a long time ago and issues I had opened were closed. I just couldn't articulate the problem and provide the right logs. Hopefully this round of energy translates to acknowledgement and future remediation!

Codelica commented 3 years ago

Do you have a failed login attempt though? If not, you're probably suffering from another issue.

Yes, I do and they actually appear exactly when picture entity fails to load camera stream.

I have a feeling that this might be token related, maybe using outdated tokens to authenticate camera entities as this problem only seems to happen when switching back to a previously opened mobile app or browser window and not when it is refreshed. Has this been your experience?

I strongly believe this is exactly the case.

@ascillato documented this behavior a while back, both here and in this frontend thread.