0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖

Yes, and I've been able to get the expiring token from the browser to work connecting to the ws on my test hass setup. However, asking for a new token using the refresh token

grant_type=refresh_token&
refresh_token=IJKLMNOPQRST

like http://testhass:8123/auth/authorize?grant_type=refresh_token&refresh_token=BLABLA
redirects me to the frontend http://testhass:8123/frontend_latest/authorize.html?grant_type=refresh_token&refresh_token=BLABLA instead of serving the json with the new token.

When you remove the password from the http section, the Legacy API password disappears.
In my opinion Home Assistant local login with trusted networks is something that should be implemented. When I try to connect to HA from my private network I should have the option to add my network as trusted and not have to log in with multifactor authentication. TOTP is great, but this option would be more useful in private networks.

I'm kind of frightened by how people perceive the added security as a bad thing only because it introduces minor inconveniences. Especially with regard to the numerous topics we had about people being hacked by unknowingly exposing their HASS to the web unsecured. 🤔

14 Likes

That's not how you get a new token. We follow the OAuth2 spec and we linked from the release notes to our API docs that explain how to get a new token.

For the POWER user who wants to have a long-lived access token, you can run this gist https://gist.github.com/awarecan/99df002485596a08fd42edc72f3a36b9

100% NO SUPPORT FOR THIS SCRIPT, THIS IS DRAGON KILLING SWORD

4 Likes
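The exchange the thread is pointing at, as an added example that is not code from the original posts or from the Home Assistant project: a refresh-token grant is a POST to the token endpoint with a form-encoded body, not a GET with the fields in the query string of `/auth/authorize` (which is the browser login page, hence the redirect to `authorize.html`). The same script shows how the resulting bearer token authenticates a plain HTTP POST, which is what the Tasker question further down needs. Assumptions, to be checked against the current auth API docs: the endpoint is `POST /auth/token`, it takes `grant_type`, `refresh_token` and `client_id` (the `client_id` must be the one the refresh token was issued to), and it answers with JSON containing `access_token`, `expires_in` and `token_type`. The hostname, tokens and JSON response below are constructed for the demo.

```python
"""Refresh a Home Assistant access token the OAuth2 way, then use it.

Added example, not the project's code. Endpoint paths and field names are
assumptions taken from the HA auth API docs; verify against the current docs.
"""
import io
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/token"  # assumed token endpoint (NOT /auth/authorize)


def build_refresh_request(base_url, refresh_token, client_id):
    """Build the refresh_token grant: POST, form-encoded body, nothing in the URL.

    Putting the refresh token in a query string (as in the thread) leaks it into
    proxy and server logs and hits the wrong endpoint anyway.
    """
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,  # must match the client the refresh token was issued to
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw):
    """Validate the token endpoint's JSON and return (access_token, expires_in)."""
    data = json.loads(raw)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response: %r" % (data,))
    return data["access_token"], int(data.get("expires_in", 0))


def refresh_access_token(base_url, refresh_token, client_id, opener=urllib.request.urlopen):
    """Perform the exchange. `opener` is injectable so this can be exercised offline."""
    req = build_refresh_request(base_url, refresh_token, client_id)
    with opener(req) as resp:
        return parse_token_response(resp.read())


def build_service_call(base_url, access_token, domain, service, service_data):
    """The Tasker-style HTTP POST: call a service, authenticated with the bearer token.

    Assumed REST path: /api/services/<domain>/<service>. The only auth material on
    the wire is the short-lived access token in the Authorization header.
    """
    return urllib.request.Request(
        "%s/api/services/%s/%s" % (base_url.rstrip("/"), domain, service),
        data=json.dumps(service_data).encode(),
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
        method="POST",
    )


class _FakeResponse(io.BytesIO):
    """Stand-in for urlopen's response so the demo runs without a server."""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()
        return False


def fake_opener(req):
    """Constructed reply mimicking the assumed token endpoint; not real HA output."""
    assert req.get_method() == "POST" and req.full_url.endswith(TOKEN_PATH)
    return _FakeResponse(json.dumps({
        "access_token": "ACCESS-EXAMPLE",
        "expires_in": 1800,
        "token_type": "Bearer",
    }).encode())


if __name__ == "__main__":
    base = "http://testhass:8123"  # constructed, same placeholder host as the thread
    token, ttl = refresh_access_token(base, "IJKLMNOPQRST", "http://testhass:8123/",
                                      opener=fake_opener)
    call = build_service_call(base, token, "light", "turn_on",
                              {"entity_id": "light.hallway"})
    print(token, ttl, call.full_url, call.headers["Authorization"])
```

With a real instance, drop `opener=fake_opener` and `urlopen` sends the request; refresh shortly before `expires_in` runs out and keep the refresh token itself out of URLs and logs, since it is the long-lived secret.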

A double-edged sword. Breaking functionality while still getting improved security is not my idea, especially since I segregated Home Assistant from my home network where Home Assistant is denied connectivity to the Internet.

No one will ever feel frightened once someone can help me migrate my code to Home Assistant's new auth system:

However, perceiving the added security as a bad thing is unfounded. If anyone exposes HASS to the Internet, whether it's secured via HTTPS or not, I do not sympathize with them.

I don't want to continue my debate about Home Assistant security. And I do apologize for sidetracking this thread. It is not my intention, but I need to bring up trusted networks, which is what I use.

And yes, I also use Tasker to activate a script when my phone rings.

I upgraded to 0.77, set up user and password, removed the legacy one from config, activated the TOTP authentication and I had time to switch to Lovelace. It's cool, fast and secure, but I very often use HTTP POST to send commands to HA from Tasker and now I can't understand how to authenticate those requests.

2 Likes

Great, so now I can log in from my laptop, but iPhone won't accept the legacy API which I use when travelling!!! Nice job NOT!

The number of open configurations that can be found with a few mouse clicks, and the number of “I've been hacked” threads would suggest that you are incorrect in your presuppositions.

3 Likes

Why shouldn't you be able to use your iPhone?

Well then put a sticky up informing people that security is no luxury. I don't leave my car unlocked in a public parking lot, that's common sense.
But when it's in the garage at home I leave it unlocked, for easy access.
And when I want to leave it unlocked I don't have to bust out the passenger window, weld shut the bonnet and stick the key in the exhaust pipe.

Relevant.

3 Likes

You'd be pretty annoyed if your car didn't come with locks to begin with though.

3 Likes

I'm not annoyed that Home Assistant did not include security out of the box. It's up to us to secure our Home Assistant installation. And if I were running Hass.io, I'd make sure to be diligent and look over the SMB configuration, but since I use Linux, I simply use SSH to get into the Home Assistant configuration. The only thing that I expose is my VPN and that's it. I have a certificate for my smartphone and I have already created a certificate authority on my server.

1 Like

There is a way to do this but it is not well documented and only developers are familiar with it. I think in the next release or two it will be addressed in an easier way. For now I am keeping the api_password for IFTTT, Tasker and other components that depend on it.

2 Likes

Yeah, because that's one of the deciding factors in buying a car.
At the risk of giving this car analogy even more stage time… imagine taking it in for service and when you get it back the only way to start the car is having to call the dealer for a pincode with no way of turning that off. I'd have questions.

3 Likes

But what is your problem then?

So to use @drbytes' car analogy, you'd rather buy a car with no locks on the doors and no need for a key for the ignition and sort those things out yourself later?

Obviously if you choose to secure your car differently then you can use “aftermarket” stuff, or you can just stick with what it comes with.

Same with homeassistant. If you don't want to use the Auth system, take it off. If you want to use something different, code it up.

Don't make it harder for everyone else just because you know best.

2 Likes

I really don't see where that would be the case with 0.77. Would you care to explain without a car analogy?

Please examine the code in my thread:

I want to get my code to work with the new authentication system going forward, even if trusted_networks no longer work.

I'm not making it harder for anyone in here and I do not know best.

If that new security feature was in response to lots of that model being stolen due to a previous security flaw that was becoming well known amongst the local car thieves, and was provided for free by the dealer, I'd be frickin' ecstatic.

Remind me of your address again? My new car isn't arriving until the end of October so I'll just borrow yours in the meantime. 😉