twrecked / hass-aarlo

Asynchronous Arlo Component for Home Assistant
GNU Lesser General Public License v3.0
390 stars 78 forks source link

Two Factor Auth - 2FA #177

Open jaburgeson opened 4 years ago

jaburgeson commented 4 years ago

Apologies if this is in the documentation anywhere, but is there a way to implement 2FA?

I have a feeling with Arlo's implementation, this may be a tad difficult, but it looks like it may be required in the next few months.

twrecked commented 4 years ago

Yeah. I have to look into this but my initial thought is it it will make life difficult. Aarlo logs back into web interface as and when needed so it's going to be complicated getting the second piece of authentication.

jaburgeson commented 4 years ago

Yeah, everytime I login using Web my account not dedicated to Hass.io...it requires a one time use passcode from the phone.

On mobile devices, i'm guessing it uses a certificate or a long auth token for approved devices, but there doesn't appear to be a way to do this on the website.

twrecked commented 4 years ago

I have a prototype running - it let my two factor account work. I'm going to tighten the coding up and I'll try and get something out later this week.

jaburgeson commented 4 years ago

Amazing work...Thanks! Can’t wait to test it out.

twrecked commented 4 years ago

If you want to test the CLI version you can try the following:

This installs it.

$ cd ~/tmp
$ virtualenv -p /usr/bin/python3.6 test
$ source test/bin/activate
(test)$ pip install git+https://github.com/twrecked/pyaarlo

Copy this source into your current directory, call it example.py:

#!/usr/bin/env python
#

import os
import sys
import time
import logging
import pyaarlo

USERNAME = os.environ.get('ARLO_USERNAME','test.login@gmail.com')
PASSWORD = os.environ.get('ARLO_PASSWORD','test-password')

# Turn on debugging
logging.basicConfig(level=logging.DEBUG)
_LOGGER = logging.getLogger('pyaarlo')

def camera_update_state(device, attr, value):
    _LOGGER.debug('callback:' + device.name + ':' + attr + ':' + str(value)[:80])

# Login. If 2FA is needed then choose to send code via SMS and enter it
# directly on the console
ar = pyaarlo.PyArlo( username=USERNAME,password=PASSWORD,
                        tfa_type='SMS',tfa_source='console',
                        storage_dir='aarlo',dump=True )
if not ar.is_connected:
    print('failed to connect')
    sys.exit(-1)

time.sleep( 300 )

Then run it:

(test)$ chmod +x example.py
(test)$ ARLO_USERNAME='your-email@gmail.com' ARLO_PASSWORD='your-password' ./example.py

It should stop and ask you for a code.

twrecked commented 4 years ago

https://github.com/twrecked/hass-aarlo/releases/tag/v0.6.89-beta.1

Getting late here so docs might have got a bit garbled...

jason0x43 commented 4 years ago

It would be a bit more effort, but 2FA setup would probably be easier (or at least more robust) through a config flow and/or options flow. Having the integration try to access email, as the README points out, is pretty fragile.

twrecked commented 4 years ago

I'll have a look at that. But how do you get the secondary code into the config flow?

edit: gotcha, you mean by manually typing it in. I think we can support that too. The backend has the options to ask for SMS, email and read a response from the console and IMAP.

jason0x43 commented 4 years ago

Yeah. When you initially setup the integration with a config flow, you'd give it a username and password through the UI, the integration would do the initial authentication, and then ask the user for a code they should receive by email, which they would also enter through the UI.

You could run through the same flow in an options flow for an existing install if the user ever needed to re-authenticate.

jlt24 commented 4 years ago

where do I put the imap info? The config below gives me this error: Invalid config for [aarlo]: [imap_host] is an invalid option for [aarlo]. Check: aarlo->aarlo->imap_host. (See /config/configuration.yaml, line 47).

aarlo: username: !secret arlo_username password: !secret arlo_password scan_interval: 1200 imap_host: 'blah.gmail.com' imap_username: 'blah@gmail.com' imap_password: 'blahblah'

twrecked commented 4 years ago

You needed to be on a beta build but they are going away - the naming was all wrong.

I'll be releasing 0.7.0-alpha this evening and it will have 2fa support. Although the options are now called

tfa_host: 'blah.gmail.com'
tfa_username: 'blah@gmail.com'
tfa_password: 'blahblah'

because I'm adding other mechanisms for getting the code.

twrecked commented 4 years ago

I just published 0.0.7-alpha if you want to give it a try.

jlt24 commented 4 years ago

I just published 0.0.7-alpha if you want to give it a try.

Got it working. I'm pretty new to the lovelace config so I haven't got the custom card working yet. But I was able to use the picture element card to see the camera's last recording and badges for the battery percentage.

I set up a separate gmail account for this but I don't see emails coming in there for the authentication? Am I wrong or shouldn't I see emails coming in from Arlo ?

Thanks for your help BTW

twrecked commented 4 years ago

You might not have 2FA authentication turned on. If your not seeing the emails but everything is working you're good to go.

2FA is not mandatory now but will be later in the year.

jaburgeson commented 4 years ago

Just wanted to add, that I have been running this for awhile now and it has been working great.

Thank you for the hard work on this!

texanman commented 4 years ago

Tried both version 0.7.0-alpha.4 and 0.6.19.1.

When adding the TFA options I am getting the following error:

Invalid config for [aarlo]: [tfa_host] is an invalid option for [aarlo].

twrecked commented 4 years ago

It definitely shouldn't work on 0.6.xxx, there is no support for TFA in there. But it should work for 0.7.xx, can you paste your config in here?

texanman commented 4 years ago

aarlo:
  username: myemail@email.com
  password: mypassword
  refresh_devices_every: 2
  stream_timeout: 120
  tfa_source='imap'
  tfa_type='email'
  tfa_host='imap.host.com'
  tfa_username='gmailacct'
  tfa_password='gmailpass'

alarm_control_panel:
  - platform: aarlo
    away_mode_name: Armed
    home_mode_name: Home

Tried it both ways by wrapping the tfa lines in and without ' marks

Just for giggles I went into the init python file and manually edited the lines specifying the variables for the tfa lines with the values from the config then removed them from the config file. From there it worked. Are the lines being called wrong?

twrecked commented 4 years ago

This is a documentation error, sorry. I must have left it in when I copied it from the pyaarlo docs, I'll update it now.

The = shouldn't be there, it should be:

aarlo:
  username: myemail@email.com
  password: mypassword
  refresh_devices_every: 2
  stream_timeout: 120
  tfa_source: imap
  tfa_type: email
  tfa_host: imap.host.com
  tfa_username: gmailacct
  tfa_password: gmailpass

edit: not sure about the quotes...

nicolap75 commented 4 years ago

When I check the configuration I receive the following error message: (Note: I just copied the sources, the aarlo folder in the "custom_component" folder)

aarlo: tfa_host: imap.gmail.com tfa_username: gmailuser tfa_password: gmailpass

These are the 3 lines that I added to the file configured.yaml for 2FA

Configuration invalid

Invalid config for [aarlo]: [tfa_host] is an invalid option for [aarlo]. Check: aarlo->aarlo->tfa_host. (See /config/configuration.yaml, line 132).

twrecked commented 4 years ago

@nicolap75 You config looks ok. Can you double check you installed it in the correction location and then check the version.

$ grep version custom_components/aarlo/__init__.py
__version__ = '0.7.0.beta.2'
nicolap75 commented 4 years ago

@nicolap75 You config looks ok. Can you double check you installed it in the correction location and then check the version.

$ grep version custom_components/aarlo/__init__.py
__version__ = '0.7.0.beta.2'

Hi, I confirm the version '0.7.0.beta.2'

twrecked commented 4 years ago

I assume you restarted after installing aarlo?

nicolap75 commented 4 years ago

I assume you restarted after installing aarlo?

absolutely yes, even more than once ;-)

twrecked commented 4 years ago

Sorry, I had to ask.

I just pasted your configuration in to my system and it worked fine so somehow it has to be picking up the wrong version of the code. I just don't include the version number in the debug which I should. I'll push a new version of the code with the version printed out as debug.

Mean while, one thing to try might be a re-install aarlo into custom_components. Start by removing the old version completely to make sure no python compilation files are hanging around.

nicolap75 commented 4 years ago

Sorry, I had to ask.

I just pasted your configuration in to my system and it worked fine so somehow it has to be picking up the wrong version of the code. I just don't include the version number in the debug which I should. I'll push a new version of the code with the version printed out as debug.

Mean while, one thing to try might be a re-install aarlo into custom_components. Start by removing the old version completely to make sure no python compilation files are hanging around.

Hi, it seems to work, sorry, I left the old folder renamed aarlo_old inside custom_components. Now I removed it and it seems to work.

I'm obsessed with backups, I never 100% trust the IT) ;-)

Now I have some problems with the Insert and Disconnect panel.

Isn't there a more effective way to stop the HA side login? This would allow me to do it on the official my arlo web page, otherwise it will throw me out after 3 seconds of logging in. Now I deliberately make an error in the login user in the secret file and reboot. After that Ha cannot authenticate and I can operate in the official web page with the right credentials.

Thank you very much for your support and sorry for any inconvenience. Good night (switzerland time zone)

twrecked commented 4 years ago

You have to create a dedicated account for aarlo, see here and make sure to give it admin access.

This is an Arlo restriction and there isn't much I can do about it.

nicolap75 commented 4 years ago

You have to create a dedicated account for aarlo, see here and make sure to give it admin access.

This is an Arlo restriction and there isn't much I can do about it.

Absolutely yes, I did do a dedicated account, but I had to log in with the account in my arlo to enable 2FA. ;-)

thx

rafuz commented 4 years ago

Just to report that I have setup 2FA with dedicated arlo account and gmail and it works. The messages I receive are in italian.

chavez7 commented 4 years ago

Just to report that I have setup 2FA with dedicated arlo account and gmail and it works. The messages I receive are in italian.

Mi potresti aiutare nella configurazione? a me le OTP arrivano via SMS non via mail. Non ho capito come si fa

twrecked commented 4 years ago

@chavez7 I was going to ask @rafuz if he could you but you got here first! Hope you get it working.

rafuz commented 4 years ago

I did nothing special. I turned off the integration in home assistant then I started the enrollment to 2FA on the HA Arlo account using the SMS only once. I put the configuration for gmail IMAP and then restarted AArlo. Everything has gone smoothly, I also see the emails with the OTP once every 90 minutes or so. The emails are in italian but AArlo parses them without problem.

chavez7 commented 4 years ago

I did nothing special. I turned off the integration in home assistant then I started the enrollment to 2FA on the HA Arlo account using the SMS only once. I put the configuration for gmail IMAP and then restarted AArlo. Everything has gone smoothly, I also see the emails with the OTP once every 90 minutes or so. The emails are in italian but AArlo parses them without problem.

I state my ignorance. Forgive me but I cannot understand what to do. Apart from that I don't see from the integration aarlo how to turn it off. Then where do I put the sms code? and how do i get it sent. qunado for example I did it on other devices such as tablets when I open the application I get sms and then enter the code and put it among the trusted devices. here how do you do it?

HumanSkunk commented 4 years ago

I have just tried to set it up too. I live in GB and when I log into the Arlo on the web 2FA defaults to SMS and won't send an Email unless you select it manually. Does this plugin automatically request an email 2FA verification to be sent? I cannot work out in any settings on the Arlo website or application how to make it work.

Gmail isn't my usual email provider so I set up a new account specific for this purpose, enabled 2FA on the gmail account and created an app password for the plugin and used that password as the 2fa password for the plugin.

This is the section I created in my configuration json

aarlo: username: {{Arlo email address for account}} password: {{Arlo access password}} refresh_devices_every: 2 stream_timeout: 120 tfa_source: imap tfa_type: email tfa_host: imap.host.com tfa_username: {{Arlo email address for account}} tfa_password: {{app password generated in gmail account settings}}

I get this error in the home assistant log files:

2020-10-10 14:44:37 ERROR (MainThread) [homeassistant.setup] Error during setup of component aarlo Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/setup.py", line 213, in _async_setup_component result = await task File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/config/custom_components/aarlo/init.py", line 234, in setup arlo = PyArlo(username=username, password=password, File "/config/custom_components/aarlo/pyaarlo/init.py", line 143, in init self._be = ArloBackEnd(self) File "/config/custom_components/aarlo/pyaarlo/backend.py", line 44, in init self._logged_in = self._login() File "/config/custom_components/aarlo/pyaarlo/backend.py", line 477, in _login if not self._auth(): File "/config/custom_components/aarlo/pyaarlo/backend.py", line 399, in _auth if not tfa.start(): File "/config/custom_components/aarlo/pyaarlo/tfa.py", line 49, in start self._imap = imaplib.IMAP4_SSL(self._arlo.cfg.tfa_host) File "/usr/local/lib/python3.8/imaplib.py", line 1297, in init IMAP4.init(self, host, port) File "/usr/local/lib/python3.8/imaplib.py", line 198, in init self.open(host, port) File "/usr/local/lib/python3.8/imaplib.py", line 1310, in open IMAP4.open(self, host, port) File "/usr/local/lib/python3.8/imaplib.py", line 303, in open self.sock = self._create_socket() File "/usr/local/lib/python3.8/imaplib.py", line 1300, in _create_socket sock = IMAP4._create_socket(self) File "/usr/local/lib/python3.8/imaplib.py", line 293, in _create_socket return socket.create_connection((host, self.port)) File "/usr/local/lib/python3.8/socket.py", line 787, in create_connection for res in getaddrinfo(host, port, 0, SOCK_STREAM): File "/usr/local/lib/python3.8/socket.py", line 918, in getaddrinfo for res in _socket.getaddrinfo(host, port, family, type, proto, flags): socket.gaierror: [Errno -2] Name does not resolve

twrecked commented 4 years ago

The plug will choose email if you set tfa_type: email, you don't have to set anything on the website. Arlo will automatically use the email you set for the account.

For the last issue, try tfa_host: imap.gmail.com.

HumanSkunk commented 4 years ago

The plug will choose email if you set tfa_type: email, you don't have to set anything on the website. Arlo will automatically use the email you set for the account.

For the last issue, try tfa_host: imap.gmail.com.

Im an idiot... I didnt realise the subtle difference in your response. 'gmail' being the key.

Google just blocked the request so I know its now working just need to sort out my google security access!

twrecked commented 4 years ago

@HumanSkunk You get that working?

HumanSkunk commented 4 years ago

@HumanSkunk You get that working?

Yes I did thanks. Set up what I had done originally and it all works fine.

sysrage commented 3 years ago

Is it possible to have this check both the Inbox and the Spam folder (in Gmail)? The emails randomly started going to my spam folder and I didn't notice until HA had tried to log in every minute for 300 attempts.

twrecked commented 3 years ago

That is possible, the only problem is not all IMAP servers use the same naming so I'd have to provide a mechanism to allow folders to be searched.

In the meantime I'd recommend creating a filter to never mark those as spam.

hongkiatsim commented 3 years ago

Hi, I have posted something in the forum, but thought of getting more info here as it looks to me like a isolated bug? I could be wrong though.

Had the component working fine until recently so pretty sure the rest of the configuration is correct. My HA installation has been on a separate installation from Debian since day 1.

Core: core-2021.8.6 Supervisor: supervisor-2021.06.8 Host: Debian GNU/Linux 11 (bullseye) Docker: 20.10.8

configuration.yaml

aarlo:
  username: myemail[@]gmail
  password: mypassword
  refresh_devices_every: 1
  stream_timeout: 60
  reconnect_every: 1
  save_session: false
  tfa_source: push
  tfa_type: PUSH
  #tfa_host: imap.gmail.com
  #tfa_username: myemail[@]gmail
  #tfa_password: myapppassword

camera:
  platform: aarlo

I have tried replacing the source to tfa_source: email and type to tfa_type: imap and then uncomment the account I used for email 2fa while ensuring the Arlo android app 2fa method is selected accordingly beforehand; i.e. when i used push, i select the target device as primary option and when i used imap, i have selected my email. Both method failed. Each time HA started, I’ll get a notification that it failed auth.

For email:

For app:

Either way, tried multiple time. I even went through uninstalling, rebooting HA core and supervisor, updated (had several updates on fhis component, supervisor and core). The problem only occurred when 2fa was turned on. Error details below - hopefully it gives some ideas as to where went wrong.

HA Notification

aarlo Component Setup

Error: authentication failed
If error persists you might need to change config and restart.

HA Log

This error originated from a custom integration.

Logger: custom_components.aarlo
Source: custom_components/aarlo/init.py:449
Integration: Arlo Camera Support (documentation, issues)
First occurred: 2:02:43 PM (17 occurrences)
Last logged: 3:09:32 PM

unable to connect to Arlo: attempt=13,sleep=300,error=authentication failed
unable to connect to Arlo: attempt=14,sleep=300,error=authentication failed
unable to connect to Arlo: attempt=15,sleep=300,error=2fa finishAuth failed
unable to connect to Arlo: attempt=16,sleep=300,error=2fa finishAuth failed
unable to connect to Arlo: attempt=17,sleep=300,error=authentication failed

Syslog

Aug 13 05:09:28 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:09:28 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError#033[0m

Aug 13 05:09:29 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:09:29 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError#033[0m

Aug 13 05:09:31 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:09:31 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError#033[0m

Aug 13 05:09:32 rpi3-20210629 cab3816d3653[615]: #033[31m2021-08-13 15:09:32 ERROR (SyncWorker_4) [pyaarlo] authentication failed#033[0m

Aug 13 05:09:32 rpi3-20210629 cab3816d3653[615]: #033[31m2021-08-13 15:09:32 ERROR (SyncWorker_4) [custom_components.aarlo] unable to connect to Arlo: attempt=17,sleep=300,error=authentication failed#033[0m

Aug 13 05:14:37 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:37 WARNING (SyncWorker_4) [pyaarlo] error in new response={‘meta’: {‘code’: 400, ‘error’: 9233, ‘message’: ‘Authentication is not finished yet’}}#033[0m

Aug 13 05:14:37 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:37 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 1#033[0m

Aug 13 05:14:44 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:44 WARNING (SyncWorker_4) [pyaarlo] error in new response={‘meta’: {‘code’: 400, ‘error’: 9233, ‘message’: ‘Authentication is not finished yet’}}#033[0m

Aug 13 05:14:44 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:44 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 2#033[0m

Aug 13 05:14:50 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:50 WARNING (SyncWorker_4) [pyaarlo] error in new response={‘meta’: {‘code’: 400, ‘error’: 9233, ‘message’: ‘Authentication is not finished yet’}}#033[0m

Aug 13 05:14:50 rpi3-20210629 cab3816d3653[615]: #033[33m2021-08-13 15:14:50 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 3#033[0m

Aug 13 05:16:56 rpi3-20210629 cab3816d3653[615]: #033[31m2021-08-13 15:16:56 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [3841824080] Received invalid command: aarlo_library#033[0m

Aug 13 05:16:56 rpi3-20210629 cab3816d3653[615]: #033[31m2021-08-13 15:16:56 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [3841824080] Received invalid command: aarlo_library#033[0m

Thanks

twrecked commented 3 years ago

The problem here is the CloudflareChallengeFailure. It means we're not getting by Cloudfare's antibot check. I run into this problem occasionally and I don't know of a full fix yet. One thing to try is to force the check to use a specific IP address.

Try adding the following line to the host's /etc/hosts file.

104.18.30.98 ocapi-app.arlo.com
#104.18.31.98 ocapi-app.arlo.com

Try starting HA again, if this doesn't work move the # about and try again.

#104.18.30.98 ocapi-app.arlo.com
104.18.31.98 ocapi-app.arlo.com

And revert you aarlo config.

aarlo:
  ..
  tfa_source: imap
  tfa_type: email
hongkiatsim commented 3 years ago

@twrecked thanks for the prompt response. Really appreciate it.

Just to clarify - you meant CloudflareChallengeError or CloudflareChallengeFailure? Are they the same or it have different meaning?

Nevertheless, I had tried your suggestion but still received the same error. Maybe it is time to temporarily disable the plugin and hoping CloudFare will not see my IP as requiring the challenge.

twrecked commented 3 years ago

@hongkiatsim I meant CloudChallengeError sorry.

One more thing to try, use a different user agent:

aarlo:
  ...
  user_agent: linux

You can also try mac or firefox or ipad or iphone.

hongkiatsim commented 3 years ago

@twrecked I tried adding the user_agent as suggested, along with swapping the entry in host file.

The user agent I tried include those you have given and also lookup the actual user agent for Chrome, Firefox etc and tried various version. It just gives me the same error each time.

hongkiatsim commented 3 years ago

@twrecked - in my last ditch attempt, i decided to use Android as user agent and it works

psu1989 commented 3 years ago

mine was working fine for weeks and now: 2021-10-11 15:21:58 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [140639282623104] Received invalid command: aarlo_library

I am not getting any emails for 2FA and the google 2-step app password website says no activity. It seems HA is not making the call to arlo at all. I can see battery and signal strength but no camera feed. I can log in to MyArlo website without issue.