0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖


#202

I’m not sure the number of persons at home has to imply the number of accounts.

We are 5.
Kid would share an account. Parents another. I wish, based on the auth, that the interface would change.
An admin account for all access, including maintenance.
And maybe a guest account so that when I have family at home, they can set things in an obvious way.

And maybe some other 5 members family will like a one account setup.


#203

You keep mentioning cookies but we don’t use cookies to store auth :man_shrugging: we use local storage. But yeah, if you keep clearing all your browser settings, it’s up to yourself to deal with that.

We don’t automatically select a user with trusted networks because it means a malicious website can link to your authorize page, it will automatically pick your user and then redirect back to malicious website with a refresh token.


#204
homeassistant:
  name: Maison
  latitude: !secret ha_latitude
  longitude: !secret ha_longitude
  elevation: 0
  unit_system: metric
  time_zone: Europe/Paris
  customize: !include config/customize.yaml

  auth_providers:
    - type: trusted_networks

http:
  trusted_networks:
    - 127.0.0.1
    - 192.168.2.0/26

I connect with Firefox, I keep cookies in the standard interface but I use “cookie autodelete”, my server is not in the white list.
If I don’t use the network trusted auth, it even asks for a password everytime I restart the browser. Linux, W10 or mobile browser.


#205

You are probably right, unfortunately there is no option in Firefox 62 to differ cookies from local storage. The appropriate setting (“Privacy & Security”) reads “Accept cookies and website-data (recommended)” and “Keep, until Firefox is closed”

I somebody know’s a more fine-grained setting, please let me know.


#206

Looks similar to mine, but I am not at home currently and (as I am obviously unfamiliar with security) my HA installation is not exposed to the internet. Will check as soon as possible.


#207

Is it safe to assume the new Auth system will one day allow HASS to know if an external(outside hass) source or unknown source changed a state? For example if someone turned on a light via a switch on the wall vs an automation or UI doing so?

A system to see who did what would be awesome.


#208

Yes. This is why we did the migration a couple of releases ago. We just need to update the logbook to give insight into this information.


#209

Ah that makes sense why we have different behavior then !
Cookies Autodelete handles the local storage too, using the same whitelist…

But FF has a limitation about site with local storage but no cookie.

I don’t delete cookies neither local storage from standard FF options, but using the add-on instead. @m0wlheld : you should try with an add-on and see if it works.

As I’m home, I found out the behavior of trusted networks auth not to be as expected : if you’re out of a trusted network, then you won’t be able to log in at all. I was expecting it to fall back to user/password.
I revert to standard !


#210

@Mister_Slowhand I checked my configuration and it looks similar to yours. I do have trusted_networks authentication enabled (as only auth) and trusted_networks matches localhost and my private home network. Additionally, since my Home Assistant installation is proxied by an nginx server on the same host, I have trusted_proxies set to localhost, too. Still - selecting the only defined user upon initial UI call or on page reload is required.

I’ve even put the HA host on FF’s whitelist, but that does not save the “login” either. Using the “Daten verwalten…” button from the dialog above, no data (cookies or “Websitedaten”) is stored for the HA host.


#211

What version on your on? Did you ever saw “save login” dialog pop-up in your right bottom corner?


#212

Sure. Everytime after login. And yes - I did click the “yes” button. If it helps, I could watch the request/response headers to check what’s going on. What should I look for?


#213

I think you only clear browser upon exit, but why reload page need relogin?


#214

Don’t now. By “reload” I mean full refresh, using Ctrl-r


#215

There was a bug in 0.77.2 that caused this with Firefox, have you updated to 0.77.3? This fixed it for me.


#216

I’m on 0.77.3


#217

My HA wouldn’t load back up tonight after a restart (Hassio) so I saved my files deleted the SD card and formatted then used etcher. After putting my as card back in my Pi the HA screen comes on and says it will take 20mins after that it asks for a user name and password. But it hasn’t loaded again it just spins. Is there something I’m missing?

Thanks!


#218

Okay, my bad. I had to put the HA host on Firefox’s whitelist incl. the protocol (http://) to make local storage (and cookies) persist. Once done, I don’t need to select a user upon opening the HA site or reloading it.

Next: Add this setting to the 3 other in-house PCs for each of the 4 Windows accounts …


#219

Why 4 accounts per PC if everything (like controlling the house) is shared on a family-based trust-level? :wink:
(Please don’t take my statement too seriously, I’m just teasing. Of course on the PCs everybody has their personal data.)


#220

You don’t want my son’s YouTube history to open in your brower or get your Windows installation messed up by a fancy total-serious-minecraft-addon.doc.exe …


#221

Can you explain how you did this? I have no extensions installed. I am on version 62.0 of Firefox