home-assistant / iOS

:iphone: Home Assistant for Apple platforms
https://companion.home-assistant.io

Invalid Authentication #1871

Open PierreScerri opened 2 years ago

PierreScerri commented 2 years ago

The problem

When I open the companion app on my iPhone, I sometimes get a 'Login attempt or request with invalid authentication from...' error (see log below), which forces me to go through the onboarding sequence in the app (as if I had just installed the app).

What version of Home Assistant Core has the issue?

2021.9.7

What was the last working version of Home Assistant Core?

unknown

What type of installation are you running?

Home Assistant OS

Integration causing the issue

http

Link to integration documentation on our website

https://www.home-assistant.io/integrations/http

Example YAML snippet

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

Anything in the logs that might be useful for us?

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:124
Integration: HTTP (documentation, issues)
First occurred: 8:08:39 AM (1 occurrences)
Last logged: 8:08:39 AM

Login attempt or request with invalid authentication from fe80::8af:a02c:71c5:1f7e (fe80::8af:a02c:71c5:1f7e). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)

Additional information

No response

probot-home-assistant[bot] commented 2 years ago

http documentation http source (message by IssueLinks)

probot-home-assistant[bot] commented 2 years ago

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks! (message by CodeOwnersMention)

zacwest commented 2 years ago

The User-Agent here for the invalid token is the frontend (we stuff the "Safari" word in there only for that case) -- makes me think this is likely a case where cameras in the frontend are triggering it.

PierreScerri commented 2 years ago

When it happens I can access HA via Safari and Chrome using either http://homeassistant.local:8123 (on wifi) or https://mydomain.duckdns.org (on 4G) without problems. It is the companion app on the iPhone that is triggering this behaviour.

I do not have any cameras.

zacwest commented 2 years ago

I'm not saying the app isn't the source; what I am saying the particular part of the app provoking this error is the frontend, which I can tell from the User-Agent. The way authentication works in the app for the frontend is slightly different than in other browsers on iOS.

lordmortis commented 2 years ago

I’m getting this as well, since upgrading to iOS 15 (not sure if that’s spurious). I’m running 2021.8.3 and didn’t change Home Assistant versions, and it started happening.

lordmortis commented 2 years ago

iOS 15 is spurious; my partner got this error this morning and she’s still on 14.

PierreScerri commented 2 years ago

So how do we resolve this issue, which has only recently started manifesting itself?

This morning I launched the app on my iPhone and it was not logged in. I went through all the steps to login.

I left the house and when I came back home it was logged out again.

lordmortis commented 2 years ago

Yeah, what kind of logging do you need?

zacwest commented 2 years ago

Login with a username and password and not local network auth. You can verify the log out reason in App Configuration > Debugging > Event Log.

lordmortis commented 2 years ago

Okay, so I’m seeing a "Webhook failed with status code 403" and then a "Refresh token is invalid, showing onboarding" in the same second. Then another webhook failed. And many webhook failures after that.

The "refresh token is invalid" entry has the following extra detail:

{
  "error" : "serverError(statusCode: 403, errorCode: nil, error: Optional(\"403: Forbidden\"))"
}

Checking my hass.io logs now.

lordmortis commented 2 years ago

This seems related:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:124
Integration: HTTP (documentation, issues)
First occurred: September 22, 2021, 11:29:36 (34 occurrences)
Last logged: 19:21:06

Login attempt or request with invalid authentication from a172-225-156-61.deploy.static.akamaitechnologies.com (172.225.156.61). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 104.28.28.14 (104.28.28.14). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from rev-proxy (172.16.235.60). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from a172-225-156-19.deploy.static.akamaitechnologies.com (172.225.156.19). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 172.16.236.206 (172.16.236.206). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Mobile/HomeAssistant, like Safari)

(I’m using apple’s new vpn stuff, so I’m guessing that’s why the request is coming in from that host?)

zacwest commented 2 years ago

That does sound like Apple's proxy stuff, yup. It comes through a list of effectively CDN providers, so Akamai being one of them makes sense. The other I'm aware of is Cloudflare.

I think the following are:

(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)

These are all Safari.app, not the Home Assistant app.

(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)
(Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Mobile/HomeAssistant, like Safari)

This is the Home Assistant app's frontend. Two different devices (one on iOS 15, one on iOS 14).


Best I can tell, the 403 error with that description (just "403: Forbidden") happens in the following situations:

Depending on your login method, the reasons for it differ, but if you're using trusted_networks, being off the trusted network will definitely do it. If the app doesn't immediately give up in this scenario, it'll fill your logs with invalid login attempts and (for most people) get itself banned, as the trusted_networks flow was changed at the beginning of 2021 to reject auth attempts outside those trusted networks.

lordmortis commented 2 years ago

where is this trusted_networks setting?

zacwest commented 2 years ago

How do you log into your Home Assistant, when you get logged out? Do you pick a username out of a dropdown list, or do you enter a username/password? If it's the former, it'll be the trusted_networks in configuration.yaml somewhere.

PierreScerri commented 2 years ago

I login via username/password.

lordmortis commented 2 years ago

Same here, I’ve always used a username/password.

zacwest commented 2 years ago

Do either of you have http bans set up? The frontend can errantly use an old token which will cause the invalid auth log, which can then cause the app to see itself as banned and log out.

PierreScerri commented 2 years ago

I have this in configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

After my post of 3 days ago, I logged out of every browser/app on every device and removed all the refresh tokens from HA. The error has not come up again - for now.

lordmortis commented 2 years ago

So this is 100% connected to ip_ban being enabled for me. I suspect it's not directly related to the iOS app, but rather something else going on. I might dig into it over my Christmas holidays. From my perspective this can be closed.

ultimate-tester commented 2 years ago

Just wanted to share my experience. I am experiencing the same behavior (spontaneous logout) which especially triggers if I switch from WiFi to 4G (yet not all the time). I have IP banning disabled and am using Cloudflare but with Proxy off (I just use it as a simple DNS and my own SSL certificate). Furthermore, I have the same internal and external url. My router makes sure that my external ip loops back to my internal network.

In the logs I just see: Login attempt or request with invalid authentication from xxxxxx

EDIT: Tried setting up Google Assistant today. It appears to be triggering the same errors: Login attempt or request with invalid authentication from rate-limited-proxy-108-177-64-32.google.com (108.177.64.32). (OpenAuth)

I therefore think this issue is not related to iOS but is just triggered more often on iOS compared to Android (or desktop for that matter) due to some unknown reason. (please keep in mind I have IP banning disabled)

EDIT2: I have just tried to set up a reverse proxy in front of Home Assistant. Strangely enough, now the problem does not appear anymore. I can use either WiFi or 4G and it works fine. The error as described in the first EDIT still appears though; Google Home cannot log in. Maybe this finding brings us closer to the issue.

lowrisk75 commented 2 years ago

Same issue here. I'm using Cloudflare for Teams for DNS filtering (although the Home Assistant is on the IoT VLAN, which uses normal Cloudflare / malware DNS without filtering).

Client side (iOS 15.3) I can see that some domains are blocked, so that might

My domain is also using Cloudflare, and I have very restrictive firewall settings (I just removed Cloudflare Access for troubleshooting) -- I removed most of the user agents in the firewall rules, although in my deny rules I still have some:

user agent does not contain " Home Assistant/2", "Mozilla/5.0 (iPhone; CPU iPhone OS 1", "Mozilla/5.0 (Macintosh; Intel Mac OS X"

Here is my HTTP setup:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12
    - 172.30.33.0/24
    - 172.30.0.0/16
    - 10.0.30.0/30
    # - 192.168.1.0/24
    - 10.0.0.200      # Add the IP address of the proxy server ##CloudFlare
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22

I have very random results; at one stage I was getting an IP ban every few minutes on different Cloudflare IPs.

In my case I'm using NPM, but honestly I'm not too sure about the config template.

Also, I'm probably doing something wrong, but when I'm using trusted users, I'm booting into safe mode:

  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 172.16.0.1/24
      trusted_users:
        172.16.0.199:
          - ###############
      allow_bypass_login: true
    - type: homeassistant

More details and a screenshot on the community post here: https://community.home-assistant.io/t/daily-log-off-and-issues-with-ios-companion-app/371681

zacwest commented 2 years ago

If you use a trusted network/user and leave the trusted network, you will be signed out; log in with a username/password instead.

For the rest, it would be useful to see if the app is logging the underlying error in its event log. Go to App Configuration > Debugging > Event Log; when logging out it'll put the reason there. You can tap in for more details.

It is also worth seeing if you can grab the access/error logs from your proxy/cloudflare. Any 403 in the middle (which it may be doing) will log you out.

ultimate-tester commented 2 years ago

> If you use a trusted network/user and leave the trusted network, you will be signed out; log in with a username/password instead.
>
> For the rest, it would be useful to see if the app is logging the underlying error in its event log. Go to App Configuration > Debugging > Event Log; when logging out it'll put the reason there. You can tap in for more details.
>
> It is also worth seeing if you can grab the access/error logs from your proxy/cloudflare. Any 403 in the middle (which it may be doing) will log you out.

Thanks for replying. So for my case Cloudflare's features have been disabled; I just use the DNS. Therefore I won't have any logs on Cloudflare, which makes troubleshooting easier I think.

This is the log message I found:

{ "error" : "serverError(statusCode: 403, errorCode: Optional(\"access_denied\"), error: Optional(\"User cannot authenticate remotely\"))" }

Based on the below image you can see I'm getting this quite often making home assistant completely untrustworthy when I leave the house: image

Is there a way to disable the trusted network stuff? I'd like to be able to easily access my home assistant from anywhere in the world.

zacwest commented 2 years ago

Choose the username & password login method rather than trusted user when signing in. It will be a link at the bottom.

ultimate-tester commented 2 years ago

> Choose the username & password login method rather than trusted user when signing in. It will be a link at the bottom.

I think you misunderstand. I have never set up anything related to trusted users or trusted networks, and I have always logged in using a username + password combination and never before with anything else. My configuration is very plain if you look at my "homeassistant" and "http" sections of the config:

homeassistant:
  external_url: "<REDACTED>"
  auth_providers:
    - type: homeassistant
http:
  ssl_certificate: <REDACTED>
  ssl_key: <REDACTED>
  ip_ban_enabled: false

I have, compared to when I made my previous post, removed the reverse proxy setup again as it seems to have been a fluke to say that it works better with the proxy. My first post about reporting the issue was also without a reverse proxy setup, so the issue exists regardless.

zacwest commented 2 years ago

"User cannot authenticate remotely" appears to be an error message which exclusively exists for "local only" users, which was a new feature in 2021.11. See here for the toggle you'll need to turn off: https://www.home-assistant.io/blog/2021/12/11/release-202112/#users-that-can-only-log-in-from-the-local-network

ultimate-tester commented 2 years ago

"User cannot authenticate remotely" appears to be an error message which exclusively exists for "local only" users, which was a new feature in 2021.11. See here for the toggle you'll need to turn off: https://www.home-assistant.io/blog/2021/12/11/release-202112/#users-that-can-only-log-in-from-the-local-network

And there we go, that setting was enabled on my users! Disabling it and testing a few times back and forth shows it's working right now. Also my Google Assistant connected right away now. Thanks a lot, this seems to solve the problem completely for me.

Now, not to be an asshole, but this GitHub issue should then actually be exactly the opposite, as I was able to log in several times with this "local only" user even though I was on 4G (i.e. outside my local network). It seems that retrying the login a few times will bypass the local check. Though I'm not bothered by that.

Don-Swanson commented 2 years ago

Unfortunately I do not believe this is the resolution. I have the same exact errors in my logs, however my user did not have that setting enabled.

zacwest commented 2 years ago

This "login attempt or…" log is now additionally showing up I believe due to a workarounds for iOS 15's issues with the frontend becoming stale, there's a few different things occurring in this ticket.

sandschi commented 2 years ago

The same behaviour also occurs on my Galaxy A12 with Android 11; as soon as the connection changes there's a

Login attempt or request with invalid authentication from 77.119.170.XXX.wireless.dyn.drei.com (77.119.170.XXX). See the log for details.

In Chrome I can open the dashboards just fine, but the app needs a hard reset every time.

snhnic commented 2 years ago

So nobody has solved this? I get really tired of searching for the right solution. It's hell. Synology Docker. In my config:

homeassistant:
  customize: !include customize.yaml
  auth_providers:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:125
Integration: HTTP (documentation, issues)
First occurred: 12:47:22 (5 occurrences)
Last logged: 13:34:32

Login attempt or request with invalid authentication from 89.205.134.160 (89.205.134.160). (Home Assistant/2022.2 (io.robbie.HomeAssistant; build:2022.345; iOS 15.3.0) Alamofire/5.4.4)
Login attempt or request with invalid authentication from 192.168.1.217 (192.168.1.217). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.2 (io.robbie.HomeAssistant; build:2022.345; iOS 15.2.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from 192.168.1.120 (192.168.1.120). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.2 (io.robbie.HomeAssistant; build:2022.345; iOS 15.2.1) Mobile/HomeAssistant, like Safari)

supermarkert commented 2 years ago

So, I'm having the same issue and can't track it down, but I'm not using iOS. I am using Cloudflare and the NGINX Reverse Proxy add-on. I've been using it successfully for a while, with the trusted proxies setting. Using the same user account, I have no issues logging in from local, or from remote using the Android app or the web on my phone, or from a local PC. The problem is that recently, the one device (so far) which can't log in is my company laptop (which uses a VPN, so everything is external). Everything goes through an external URL I own, via Cloudflare. But something is causing logins from this device to be banned. I have not set up "ip_ban" rules. The extent of my config is:

http:
  use_x_forwarded_for:  true
  trusted_proxies:
    - 172.30.33.0/24     # <--Added after upgrade to 2021.7; obtained from my logs
    - 192.168.0.21       # <--added just in case, but doesn't seem to have made a difference

And the error I see when trying to login with my laptop is:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:125
Integration: HTTP (documentation, issues)
First occurred: 1:11:37 PM (6 occurrences)
Last logged: 1:15:37 PM

Login attempt or request with invalid authentication from 172.70.134.205 (172.70.134.205). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36)
Login attempt or request with invalid authentication from 172.70.135.104 (172.70.135.104). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36)
Login attempt or request with invalid authentication from 172.70.34.235 (172.70.34.235). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56)
Login attempt or request with invalid authentication from 162.158.78.95 (162.158.78.95). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56)
Login attempt or request with invalid authentication from 172.70.174.211 (172.70.174.211). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56)

All those IPs are Cloudflare. But again, I have no issue logging in using the same URL from other devices. I've even checked, and every potential firewall rule on Cloudflare seems to be disabled, although I'm not sure if it's related.

zacwest commented 2 years ago

Those logs indicate it is not related to the iOS/macOS app but is instead Chrome, so likely a configuration for your trusted proxies that you may need to find help on in the forums or core repo.

For others in iOS & macOS, I think I may have fixed some of the issues in the latest beta -- please give it a try.

ajobbins commented 2 years ago

Just moved from Android to an iPhone. Never had any issues on the Android with the companion app, but on the iPhone I’m getting logged out several times a day - i suspect after a change in network. Logs show the error “Refresh token is invalid, showing onboarding”.

Driving me crazy as logging in involves manually pulling my password from password manager (as the onboarding flow doesn’t seem to support the pw manager integration with iOS) and getting a 2FA code

zacwest commented 2 years ago

You are commenting on an unrelated issue. If this isn't sufficient please create a new one or a forum post.

Tap into that event log entry and it will include the reason for the token being invalidated. Very likely the status code returned was 4xx - if your reverse proxy, network config, or anything in the middle can send these status codes incorrectly the app will still trust it.

ScottG489 commented 2 years ago

I'm also encountering this problem with a user who is set up to only be able to log in locally. While turning that option off may fix the issue, shouldn't it not be necessary? I have that option purposely turned on.

toby-griffiths commented 1 year ago

I'm experiencing a similar issue. I regularly get logged out and have to re-authenticate.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:82
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/home-assistant/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: 14:37:14 (2 occurrences)
Last logged: 14:46:55

Login attempt or request with invalid authentication from 192.168.1.218 (192.168.1.218). Requested URL: '/auth/login_flow/{REDACTED}'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15)
Login attempt or request with invalid authentication from 192.168.1.193 (192.168.1.193). Requested URL: '/auth/login_flow/{REDACTED}'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1)

Is this the same issue, or should I raise a new ticket?

For info, we have several Wifi networks at home, all on the same subnet, so not sure if this is related. But I also seem to hop on to mobile data occasionally too.

Can I provide any more info on this?

toby-griffiths commented 1 year ago

So I've done some more digging into this, and it appears that both my local IP address and 127.0.0.1 are being banned regularly, meaning I lose any kind of access when away from home and am not able to get back in until I can log in with a separate machine on the local network to remove the IP bans.

Looking at the logs, it appears that the problem requests could be being made by my dashboard widgets…

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.617Z?filter_entity_id=sensor.[REDACTED_NAME]_s_room_humidity&end_time=2022-12-02T18:24:09.828Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.637Z?filter_entity_id=sensor.living_room_humidity&end_time=2022-12-02T18:24:09.841Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.619Z?filter_entity_id=sensor.bathroom_humidity&end_time=2022-12-02T18:24:09.840Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.699Z?filter_entity_id=sensor.co2_intensity&end_time=2022-12-02T18:24:09.809Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Banned IP 127.0.0.1 for too many login attempts

Every one of these requests looks like it's related to a sensor entity on my Home dashboard screen that is displaying a graph of the sensor history. Could this be the cause, somehow?

emirkmo commented 1 year ago

> So I've done some more digging into this, and it appears that both my local IP address and 127.0.0.1 are being banned regularly, meaning I lose any kind of access when away from home and am not able to get back in until I can log in with a separate machine on the local network to remove the IP bans.
>
> Looking at the logs, it appears that the problem requests could be being made by my dashboard widgets…
>
> Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.617Z?filter_entity_id=sensor.[REDACTED_NAME]_s_room_humidity&end_time=2022-12-02T18:24:09.828Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
> Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.637Z?filter_entity_id=sensor.living_room_humidity&end_time=2022-12-02T18:24:09.841Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
> Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.619Z?filter_entity_id=sensor.bathroom_humidity&end_time=2022-12-02T18:24:09.840Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
> Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.699Z?filter_entity_id=sensor.co2_intensity&end_time=2022-12-02T18:24:09.809Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
> Banned IP 127.0.0.1 for too many login attempts
>
> Every one of these requests looks like it's related to a sensor entity on my Home dashboard screen that is displaying a graph of the sensor history. Could this be the cause, somehow?

Very similar issue. I think it has to do with iOS or Mac OS X default privacy settings with IP. Works fine from Linux machine, never gets banned. But on my laptop the various browsers get timed out for 5 minutes or more. Would love to be able to customize the nginx fail to ban etc. from the dashboard.

toby-griffiths commented 1 year ago

Interestingly, after posting the above comment I uninstalled the iOS app from my iPhone and re-installed it, and so far, no ban. I also use the macOS client every day, so I don't think that's causing my issue.

emirkmo commented 1 year ago

I don't use the client on Mac; I use the browser to access it. I will try with the client and report back.

toby-griffiths commented 1 year ago

So almost a week's gone by and still no further issues, so it appears that re-installing the app has resolved my issue. Will update again if I have any further issues.

toby-griffiths commented 1 year ago

Looks like I spoke too soon. This is happening again now, and more often now. I’ve been out and about more over the holiday season, which could be the cause of the increased frequency of the problem, however.

This is extremely frustrating, and it means when I go away, I have no way of connecting back to Home Assistant until I return home.

My setup is using Home Assistant and the iOS companion app, logged in using username, password and notification style 2-factor authentication. I’m accessing remotely using the Nabu Casa subscription service.

The cause of the problem appears to be the ip banning of 127.0.0.1 (or my mobile phone IP when it happens at home) due to rejected credentials.

I’ve just tested at home by disabling my WiFi and refreshing my app home dashboard and this triggered the problem, so perhaps it’s being caused by a rapid IP address change?

Should this maybe also be reported on the core project with regards to how the IP address banning works, if not already? I’ll go take a look now.

zacwest commented 1 year ago

I'm fairly certain I've eliminated the app-side causes of invalid authentication calls, but it's possible timing issues can arise if a request with an expired token is retried or otherwise issued. However, the fact that it's coming through as 127.0.0.1 is an indication that you do not have your trusted proxies configured for your reverse proxies and so the 'cost' of all the invalid calls is going to be fairly universally applied. I suggest fixing that too.

The API calls you're listing in that core ticket aren't called by the frontend anymore, making me wonder if it's a custom card that's incorrectly retrying/reusing an access token that isn't valid anymore. Are you using any custom cards for graphs or whatnot?
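As an added illustration of the two points above (it is not Home Assistant's code), here is a simplified Python model of how an invalid-auth request is attributed to a client address and counted toward a ban: with the `ip_ban_enabled: true` / `login_attempts_threshold: 5` settings quoted in this thread, a handful of stale-token retries from one phone ban whatever address the ban layer sees, and when the reverse proxy is not listed in `trusted_proxies` that address is 127.0.0.1, so every client behind the proxy is locked out together. The right-to-left X-Forwarded-For walk, the dataclass names, the sample addresses and the user agent are assumptions constructed for the example.

```python
"""Simplified model of invalid-auth attribution and IP banning.

Added example for this thread, not Home Assistant's own implementation: the
X-Forwarded-For handling rule, names and sample data below are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Dict, List, Optional, Set, Union

IPAddr = Union[IPv4Address, IPv6Address]

# Constructed user agent in the shape of the companion-app frontend lines above.
APP_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) "
          "Home Assistant/2022.10.1 (io.robbie.HomeAssistant) Mobile/HomeAssistant, like Safari")


@dataclass
class HttpConfig:
    """Subset of the `http:` options quoted in this thread."""
    use_x_forwarded_for: bool = False
    trusted_proxies: List[str] = field(default_factory=list)
    ip_ban_enabled: bool = False
    login_attempts_threshold: int = -1  # -1: log failures but never ban


def is_trusted_proxy(ip: IPAddr, cfg: HttpConfig) -> bool:
    # strict=False accepts host-style entries such as "10.0.0.200" as /32 networks.
    return any(ip in ip_network(net, strict=False) for net in cfg.trusted_proxies)


def attribute_client_ip(cfg: HttpConfig, peer_ip: str, xff: Optional[str]) -> IPAddr:
    """Return the address the ban layer will blame for a request.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise the peer itself counts as the client. This is why a reverse proxy
    on the same host, left out of trusted_proxies, makes every request 127.0.0.1.
    """
    peer = ip_address(peer_ip)
    if not cfg.use_x_forwarded_for or not xff or not is_trusted_proxy(peer, cfg):
        return peer
    hops = [ip_address(h.strip()) for h in xff.split(",")]
    # Assumed rule: walk from the nearest hop outwards; the first hop that is
    # not one of our own proxies is treated as the real client.
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, cfg):
            return hop
    return hops[0]


@dataclass
class BanTracker:
    cfg: HttpConfig
    failures: Dict[IPAddr, int] = field(default_factory=dict)
    banned: Set[IPAddr] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def is_banned(self, ip: IPAddr) -> bool:
        return ip in self.banned

    def record_invalid_auth(self, peer_ip: str, xff: Optional[str], user_agent: str) -> IPAddr:
        """Log one 'invalid authentication' event and apply the ban threshold."""
        ip = attribute_client_ip(self.cfg, peer_ip, xff)
        self.log.append(
            f"Login attempt or request with invalid authentication from {ip} ({ip}). ({user_agent})"
        )
        if not self.cfg.ip_ban_enabled or self.cfg.login_attempts_threshold < 1:
            return ip
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.cfg.login_attempts_threshold and ip not in self.banned:
            self.banned.add(ip)
            self.log.append(f"Banned IP {ip} for too many login attempts")
        return ip


def simulate(trusted_proxies: List[str]) -> dict:
    """Five stale-token retries from one phone (192.168.1.193) arrive via a
    reverse proxy on the HA host (TCP peer 127.0.0.1); then an unrelated laptop
    (192.168.1.218) connects through the same proxy. All addresses constructed."""
    cfg = HttpConfig(use_x_forwarded_for=True, trusted_proxies=trusted_proxies,
                     ip_ban_enabled=True, login_attempts_threshold=5)
    tracker = BanTracker(cfg)
    for _ in range(5):
        tracker.record_invalid_auth("127.0.0.1", "192.168.1.193", APP_UA)
    laptop = attribute_client_ip(cfg, "127.0.0.1", "192.168.1.218")
    return {
        "banned": sorted(str(ip) for ip in tracker.banned),
        "laptop_locked_out": tracker.is_banned(laptop),
        "last_log_line": tracker.log[-1],
    }


if __name__ == "__main__":
    # Proxy not trusted: the ban lands on 127.0.0.1 and takes every client with it.
    print(simulate([]))
    # Proxy trusted: only the misbehaving phone is banned.
    print(simulate(["127.0.0.1"]))
```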

toby-griffiths commented 1 year ago

For reference, here are the problem log entries from the other ticket I raised, for clarity here…

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.617Z?filter_entity_id=sensor.[REDACTED_NAME]_s_room_humidity&end_time=2022-12-02T18:24:09.828Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.637Z?filter_entity_id=sensor.living_room_humidity&end_time=2022-12-02T18:24:09.841Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.619Z?filter_entity_id=sensor.bathroom_humidity&end_time=2022-12-02T18:24:09.840Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2022-12-02T18:15:37.699Z?filter_entity_id=sensor.co2_intensity&end_time=2022-12-02T18:24:09.809Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
Banned IP 127.0.0.1 for too many login attempts

@zacwest thanks for the tip on the API calls from the front end. I've searched the raw dashboard config for the sensor.living_room_humidity, which is one of the problem ones, and this is only displayed using the sensor card, so I can't find any use of a custom card as you suggest. Also, all my sensor graphs display the past 24 hours, even though the API calls suggest they're requesting approximately 9 mins of data.

I've checked all my cards, and the only ones I'm using are either the core ones or the Mushroom ones, and of the Mushroom ones I'm only using the light, climate & entity ones, and not for any of these entities.

I did set up an Areas dashboard a while back, with an area card for each area in my home, and these cards display the humidity for each room, if available, so perhaps this might be something to explore. The only fly in this suggestion is the request for the sensor.co2_intensity sensor, as this doesn't appear anywhere on any of the area cards as the temperature & humidity do.

Regarding the trusted proxies, should I have 127.0.0.1 included as a trusted proxy? The same config on the http integration page doesn't include 127.0.0.1, and I would have thought this would be a core kind of config, as I have a pretty standard HA setup with Nabu Casa remote access.

Here's my http config…

http:
  server_port: 443
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5
toby-griffiths commented 1 year ago

I've had a quick look through the Area card to see if I could see anything obvious, but it looks like it accesses the entity values via the EntityRegistryEntry array property (please excuse my terminology if it's not correct; my TypeScript is pretty poor), so I'm assuming this is, as @zacwest was suggesting, the "right way" of fetching the data.

I've also tried searching the home-assistant/frontend repo and found the fetchRecent() function, which looks like it could be performing the request, but it defers the actual call to callApi(), which in turn calls hassCallApi(), which ultimately calls fetchWithAuth() then fetchWithAuth(). Does this sound right? (Sorry for saying it how it is, if I've got it right. I'm just trying to understand so I can maybe help fix something.)

I've also just checked my log file for today's IP banning, as I wanted to check the timings of these failures, and interestingly, this set of entries includes an 'un-ban' from a successful login immediately after the ban, which I would question how that's possible, if the IP is banned… unless things running concurrently are causing issues…

2023-01-05 21:50:31.499 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2023-01-05T21:22:07.260Z?filter_entity_id=sensor.[REDACTED_NAME]_room_humidity&end_time=2023-01-05T21:32:22.531Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
2023-01-05 21:50:31.756 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2023-01-05T21:22:07.282Z?filter_entity_id=sensor.bathroom_humidity&end_time=2023-01-05T21:32:22.532Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
2023-01-05 21:50:31.780 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2023-01-05T21:22:07.260Z?filter_entity_id=sensor.[REDACTED_NAME]_room_temperature&end_time=2023-01-05T21:32:22.532Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
2023-01-05 21:50:31.799 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2023-01-05T21:22:07.290Z?filter_entity_id=sensor.living_room_humidity&end_time=2023-01-05T21:32:22.535Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
2023-01-05 21:50:31.821 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/history/period/2023-01-05T21:22:07.253Z?filter_entity_id=sensor.bedroom_temperature&end_time=2023-01-05T21:32:22.529Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 16.1.1) Mobile/HomeAssistant, like Safari)
2023-01-05 21:50:31.825 WARNING (MainThread) [homeassistant.components.http.ban] Banned IP 127.0.0.1 for too many login attempts
2023-01-05 21:50:32.861 DEBUG (MainThread) [homeassistant.components.http.ban] Login success, reset failed login attempts counter from 127.0.0.1

So it looks like all these requests are coming in at almost the same time. Is it possible that the refreshing of the token that happens at the top of fetchWithAuth() by multiple concurrent requests could be causing the issue?
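A small model of the failure mode suspected in this comment, written here as an added example rather than code from the frontend or the app: the server enforces one expiry while the client trusts the expires_in it was handed, so a burst of concurrent card requests inside that gap each count as a failed login and reach the ban threshold in one go. The 50 s skew, the burst of five cards, the refreshMargin and the singleFlight refresh are assumptions of the model; LOGIN_ATTEMPTS_THRESHOLD is the value from the http: config posted above.

```javascript
const LOGIN_ATTEMPTS_THRESHOLD = 5; // login_attempts_threshold from the http: config in this thread

class FakeServer { // simulated server: enforces token expiry on its own clock, bans after N failures
  constructor() { this.expiry = new Map(); this.failed = 0; this.banned = false; this.refreshCalls = 0; }
  // trueLifetime is what the server enforces; reportedLifetime is the expires_in the client is told.
  refresh(now, trueLifetime, reportedLifetime) {
    const token = `tok-${++this.refreshCalls}`;
    this.expiry.set(token, now + trueLifetime);
    return { access_token: token, expires_in: reportedLifetime };
  }
  request(now, token) {
    if (this.banned) return 'banned';
    const exp = this.expiry.get(token);
    if (exp === undefined || now >= exp) {
      if (++this.failed >= LOGIN_ATTEMPTS_THRESHOLD) this.banned = true;
      return 'invalid_auth';
    }
    this.failed = 0; // "Login success, reset failed login attempts counter"
    return 'ok';
  }
}

// Client-side token handling. refreshMargin: refresh this many seconds before the believed
// expiry. singleFlight: concurrent callers that find the token expired share one refresh.
class Client {
  constructor(server, opts) { Object.assign(this, { server, token: null, expiresAt: -Infinity }, opts); }
  doRefresh(now) {
    const r = this.server.refresh(now, this.trueLifetime, this.reportedLifetime);
    this.token = r.access_token;
    this.expiresAt = now + r.expires_in;
  }
  // n cards calling fetchWithAuth() at the same instant: all run the expiry check first.
  burst(now, n) {
    if (now >= this.expiresAt - this.refreshMargin) {
      for (let i = 0, k = this.singleFlight ? 1 : n; i < k; i++) this.doRefresh(now);
    }
    return Array.from({ length: n }, () => this.server.request(now, this.token));
  }
}

// Constructed scenario: token issued at t=0; the server enforces 1800 s but the client
// was told 1850 s. Five history-graph cards refresh at t=1820, inside that 50 s window.
function scenario(opts) {
  const server = new FakeServer();
  const client = new Client(server, { trueLifetime: 1800, reportedLifetime: 1850, ...opts });
  client.burst(0, 1); // first request right after login
  const results = client.burst(1820, 5);
  return { results, banned: server.banned, refreshCalls: server.refreshCalls };
}
const naive = scenario({ refreshMargin: 0, singleFlight: false });    // 5 x invalid_auth, then banned
const storm = scenario({ refreshMargin: 60, singleFlight: false });   // all ok, but 6 refresh calls
const hardened = scenario({ refreshMargin: 60, singleFlight: true }); // all ok, 2 refresh calls
```

The naive run reproduces the log shape above (five rejections within the same burst, then the ban); the storm run shows why a shared refresh matters even once the skew is covered.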

zacwest commented 1 year ago

The access tokens for the frontend when running in the app go through the app itself for authentication (hence why these issues are usually sent to this repo), so the Auth object there is this one: https://github.com/home-assistant/frontend/blob/7286aa7dc472236449ce9eb1a608ccd65e80f4e1/src/external_app/external_auth.ts#L69 and the app's response for that is created here: https://github.com/home-assistant/iOS/blob/96f35a51c476b194a775a002e9836006e7c1ae39/Sources/Shared/API/Authentication/TokenManager.swift#L91-L97. The only issue I can vaguely see is if the expires_in differs from expectations, or there's some kind of multi-threaded issue happening.

I'm not familiar enough with the frontend code to definitely pinpoint the issue, but it does sound like perhaps simultaneous access by that sensor card is causing it, and maybe only affecting the apps because of how the token refresh system works there.

toby-griffiths commented 1 year ago

Interestingly, my iPhone has just been banned again, and it's been banned twice…

192.168.1.193:
  banned_at: '2023-01-09T07:56:41.760167+00:00'

192.168.1.193:
  banned_at: '2023-01-09T07:56:41.773816+00:00'

I'm guessing this is just down to concurrent requests being banned at the same time?

toby-griffiths commented 1 year ago

Thanks @zacwest. I'm happy to see if I can spot how the Auth works; however, I'm not familiar with the language or file structure, so if anyone can point me in the right direction that would be great.