0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖


#21

As per dshokouhi’s suggestion, you’ll still need to create a user. The trusted networks options will just bypass the login based on your LAN IP.


#22

That doesn’t seem to work. I created a user (I had to add the homeassistant auth_provider to do this), but then when I connect I get a login prompt with the option to switch to trusted networks.

Then if I pick trusted_networks I get an error.

No errors are showing up in the log :thinking:


#23

I’m actually getting the same. The “Something went wrong” isn’t very helpful, and suggests this is a bug. I’ll get it raised.

Edit: It’s already been raised: https://github.com/home-assistant/home-assistant/issues/16260


#24

Thanks, guys, for the amazing work.

I have had some problems installing 0.77 - I think my Pi browned out on restarting Home Assistant and the OS crashed. Anyhoo, I had a backup of the configuration directory and restored that. Trying to log in again, I got myself IP banned during the process of creating the owner. After fixing that, and when I logged in again, I have a new user account that does not appear to be the owner of the system. I can use Hass, but I can’t create or see other users. How can I go about fixing my mess?

As part of the potential answer - where are the user credentials stored? Can I go in and delete or amend them in some way?

A huge thank you in advance.


#25

Clear your [config]/.storage folder


#26

Thanks for that.

The other odd thing is that the api seems to work without any authentication anyway, which seems very odd. I am glad I don’t rely on it for any security.


#27

That is still the case: trusted networks allow you to access the API anonymously. In this release we only changed the websocket API behaviour.


#28

Got it. The API doesn’t take any notice of the auth_providers section (which I had commented out); it just checks for the presence of the trusted_networks parameter of http, which I had left in.


#29

I cleared the onboarding and two auth-associated files, but kept the core configuration ones. On restart it worked and I now have an owner.

Thank you very much for the help.


#30

“It’s no longer possible to use a trusted network to connect to the websocket API.”

I will stick with the current version of Home Assistant, 0.74. There’s nothing new for me that prompts me to upgrade to the latest version, and I see absolutely no need to create a new user for Home Assistant. Any communication to Home Assistant from the outside world goes through a VPN and a simple password.

I simply do not want to be forced to create a new user as I’m the only user of Home Assistant. I’m the only one with access to my private home network. As long as I use VPN, the new authentication system makes zero sense to me.

I insist on using trusted networks, and that’s the most important feature to me.

And besides, I currently use a NodeJS file for the Plex webhook.


Migrate my Node.JS to new Home Assistant Auth System
#31

I upgraded and got all sorts of interesting error messages. I was following the “pre-installed Python” upgrade instructions as I am running this on my Armbian based OMV device (Helios4 NAS)… The solution was to install libffi-dev in the OS which I had not required up until this point. You probably should make some mention of that in the documentation as I didn’t see it anywhere and upgrading from 0.75.3 (I think) shouldn’t have been that big a jump.


#32

I agree with this and find the push to force users to use a password on the websocket silly. This is not a piece of software used by the technically inclined; people using this innately possess a sense of security. I too have hass completely separated from the internet by hardware and an additional VPN. It’s even shielded from other internal networks and actively monitored.
The parameter to get it to work has ‘legacy’ in its name; that doesn’t seem to bolster a lot of confidence that the option will be supported going forward.
I can see the scenarios with multiple users helping with new development and features, but to drop this without offering an ‘opt out’ is annoying. Perhaps, if you really want to track what called who, how and when, then have it come in as attributes or metadata, or otherwise log what’s known.

I’d keep the hurdles towards adopting and integrating hass as low as possible; the REST and WS APIs were ideally positioned for that.


#33

After we have long-lived access tokens fully implemented, you can use that token to access the WS API; it just adds one round-trip. Even now, you can still use the current access token cached in your browser’s localStorage to access the WS API; the token is only asked for when establishing the connection.


#34

Yes, and I’ve been able to get the expiring token from the browser to work when connecting to the WS on my test hass setup. However, asking for a new token using the refresh token

grant_type=refresh_token&
refresh_token=IJKLMNOPQRST

like http://testhass:8123/auth/authorize?grant_type=refresh_token&refresh_token=BLABLA
redirects me to the frontend http://testhass:8123/frontend_latest/authorize.html?grant_type=refresh_token&refresh_token=BLABLA instead of serving the json with the new token.


#35

When you remove the password in the http section, the Legacy API password disappears.
In my opinion, Home Assistant local login with trusted networks is something that should be implemented. When I try to connect to HA from my private network I should have the option to add my network as trusted and not have to log in with multifactor authentication. TOTP is great, but this option would be more useful in private networks.


#36

I’m kind of frightened by how people perceive the added security as a bad thing only because it introduces minor inconveniences. Especially with regard to the numerous topics we had about people being hacked by unknowingly exposing their HASS to the web unsecured. :thinking:


#37

That’s not how you get a new token. We follow the OAuth2 spec and we linked from the release notes to our API docs that explain how to get a new token.


#38

For the POWER user who wants to have a long-lived access token, you can run this gist: https://gist.github.com/awarecan/99df002485596a08fd42edc72f3a36b9

100% NO SUPPORT FOR THIS SCRIPT, THIS IS DRAGON KILLING SWORD


#39

A double-edged sword. Breaking functionality while still getting improved security is not my idea, especially since I segregated Home Assistant from my home network where Home Assistant is denied connectivity to the Internet.

No one will ever feel frightened once someone can help me migrate my code to Home Assistant’s new auth system:

However, perceiving the added security as a bad thing is unfounded. If anyone exposes HASS to the Internet, whether it’s secured via HTTPS or not, I do not sympathize with them.

I don’t want to continue my debate about Home Assistant security, and I do apologize for sidetracking this thread. It is not my intention, but I need to bring up trusted networks, which is what I use.

And yes, I also use Tasker to activate a script when my phone rings.


#40

I upgraded to 0.77, set up a user and password, removed the legacy one from the config, activated the TOTP authentication and had time to switch to Lovelace. It’s cool, fast and secure, but I very often use HTTP POST to send commands to HA from Tasker, and now I can’t understand how to authenticate those requests.
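Added example, not code from this thread or from the Home Assistant project, covering the token flow that #33, #34 and #37 argue about and the header question in #40. It assumes (per the OAuth2 spec, RFC 6749 §6, and HA’s auth docs) that Home Assistant’s token endpoint is POST /auth/token with a form-encoded body including client_id, that the REST API accepts the resulting access token as `Authorization: Bearer <token>`, and that the WebSocket server opens with an `auth_required` message answered by an `auth` message. The host, tokens and the server reply are constructed so the script runs offline; replace the `send` stand-in with a real HTTP call to use it against an instance.

```python
"""OAuth2 refresh-token grant + bearer-token usage for Home Assistant's
REST and WebSocket APIs (added example; endpoint paths are assumptions
taken from the OAuth2 spec and HA's published auth docs)."""
import json
from urllib.parse import urlencode, parse_qs, urlparse

BASE_URL = "http://testhass:8123"      # constructed host, mirrors post #34
CLIENT_ID = BASE_URL + "/"             # assumption: HA uses the frontend URL as client_id


def build_refresh_request(base_url, refresh_token, client_id):
    """Return (method, url, headers, body) for a refresh_token grant.

    Post #34 sent GET /auth/authorize?grant_type=refresh_token&...; that is the
    *authorization* endpoint, which serves the login page, so the redirect to
    authorize.html is expected.  RFC 6749 §6 makes the refresh grant a POST to
    the token endpoint with a form body, which also keeps the refresh token out
    of URLs, proxy logs and browser history.
    """
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    })
    return ("POST", base_url + "/auth/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)


def parse_token_response(status, body_text):
    """Parse the token endpoint's JSON reply; raise on any error reply."""
    data = json.loads(body_text)
    if status != 200 or "access_token" not in data:
        raise PermissionError(data.get("error", "token request failed"))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return data["access_token"], int(data["expires_in"])


def api_headers(access_token):
    """Headers a Tasker-style HTTP POST (post #40) sends with the access token,
    e.g. to /api/services/light/turn_on.  The token is short-lived, so the
    client refreshes it before `expires_in` runs out instead of storing a
    password in the automation."""
    return {"Authorization": "Bearer " + access_token,
            "Content-Type": "application/json"}


def ws_auth_reply(server_msg, access_token):
    """Answer the WebSocket server's first frame.  The server sends
    {"type": "auth_required"}; the client answers {"type": "auth", ...} and
    expects {"type": "auth_ok"} back (post #33: one extra round-trip)."""
    if server_msg.get("type") != "auth_required":
        raise ValueError("expected auth_required, got %r" % server_msg.get("type"))
    return {"type": "auth", "access_token": access_token}


# --- constructed, offline stand-in for the token endpoint -------------------
VALID_REFRESH = "IJKLMNOPQRST"         # placeholder refresh token from post #34


def fake_token_endpoint(method, url, headers, body):
    """Simulated server: only POST /auth/token with a known refresh token works."""
    if method != "POST" or urlparse(url).path != "/auth/token":
        return 404, json.dumps({"error": "not the token endpoint"})
    form = parse_qs(body)
    if (form.get("grant_type") != ["refresh_token"]
            or form.get("refresh_token") != [VALID_REFRESH]):
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": "ACCESS.TOKEN.EXAMPLE",
                            "token_type": "Bearer", "expires_in": 1800})


def refresh_access_token(refresh_token, send=fake_token_endpoint):
    """Full client side of the grant; `send` is the transport (stand-in here)."""
    method, url, headers, body = build_refresh_request(BASE_URL, refresh_token, CLIENT_ID)
    status, text = send(method, url, headers, body)
    return parse_token_response(status, text)


if __name__ == "__main__":
    token, ttl = refresh_access_token(VALID_REFRESH)
    print("access token valid for", ttl, "s; REST headers:", api_headers(token))
    print("WS reply:", ws_auth_reply({"type": "auth_required"}, token))
```

The stand-in deliberately answers the GET from #34 with a 404 and a wrong refresh token with `invalid_grant`, so the client code above raises instead of silently reusing a stale token; a real client should treat either as “re-authenticate”, not retry in a loop.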