0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖


Thank you team for amazing progress! I have all the users setup and logged, now waiting for the new iOS app and the functionalities to make different UI layouts based on the user, also very much liked the idea for attribution, so to know what was triggered by who, etc. would be also great to know who is currently using the UI / app, etc :slight_smile: keep on the good work, thank you!


Disagree. My microwave works just fine for someone who breaks into my house. I don’t give a crap if someone breaks into my wifi and can then turn on my stereo.

This mandatory change is completely anti user choice.

Having a web product that doesn’t force “security” down my throat was one of the reasons I picked HA. This is a really annoying change in my opinion.

The constant breaking changes and half the time upgrades kill my whole system until I intervene has really soured me on HA over the last few months.

I’m going to be in 0.76 indefinitely at this point.


Well that didn’t work, and now I’m seemingly locked out of my system. I followed the prompt to create a user, then I’m presented with “You’re about to give :8123/ access to your Home Assistant instance” and it doesn’t accept the user/password I just set - “Invalid username or password”. It won’t let me go back or forward. Absolutely no other changes were made. Any tips on how I can get back in?


Try renaming your config/.storage folder to .storage.bak and restart HA.


Thanks, but that’s made it worse. Now I get 403’d on every browser. The .storage folder did seem to recreate on the restart, but something else is going here.


Software that is basically free, and people always complain.

HA has security issues or i’ve been hacked = HA devs responsibility to fix.
Devs implement better security = oh i dont like this, i never asked for it,

You have to wonder why the devs bother some days


From the github awarecan says you can delete [config_folder]/.storage/auth* to refresh start the auth process to recreate. Also remember to clear your browser cache.


Umm. Thanks for trying to help, I really appreciate it. But it just wouldn’t restart the process for me at all (I cleared the cache each time). I’ve downgraded to 0.76.2 for now until I have more time to chase down the cause.


Remove both .storage/auth* and .storage/onboarding to restart the onboarding process and create a new user.


I would like to ask you to take a look at the documentation. It sounds to me that you might want to use Trusted Networks to “get rid of that forced security” and just allow your whole subnet.


No one is forcing you to use this, free and community-driven, product. Fork it, do your changes, and be happy. Also there are many others home automation systems out there ;).


Thank you @balloob and team for trying to better everyone’s lives. I’m really sorry that the attitudes of an outspoken minority might make the community feel less than grateful.

All of your hard work is appreciated and I’m working hard to bring my programming skills up so I can help.

Thanks! X


The problem is that this project was originally conceived as local home automation tool. It now seems to have been usurped by the web remote control community, who are now forcing the original users to have to enact security procedures that are completely unnecessary for its original purpose. Naturally, that is leading to some resentment.

Personally, I am hoping to be able to work around the problems that this has introduced, but forking is definitely a possibility at this point.


Sorry have to disagree, being a local home automation tool did not mean it wasn’t accessible to the user from outside the local LAN.


If problems have been introduced, they should be should be reported and discussed in a constructive manner rather than just proposing to for a project because it introduced a feature that a minority perceives as being “in the way”. Setups where people don’t want to use passwords or even more secure methods of authentication should in my opinion take a look at Trusted Networks to circumvent the necessity to enter a password or TOTP.


Every product goes through some stages. By chosing a product which is community driven and has an exarating development you can expect that things will change. That’s a risk you’ve taken yourself with chosing for Home Assistant. So please don’t blame the developers for willing to move forward, because a minority of early adopters has to change their setup. If the end result is that more people are able to create a secure setup, the whole community will grow and therefor everyone could benefit for a stronger position of Home Assistant.


Yes, and I am working through the bugs in it to try and get it to work. 0.77.1 fixes a problem introduced in 0.77, but I still have to clear the cache when I restart the browser, and select my one user again.

Selecting a single user seems an unnecessary step when I only have one. Does anyone know if its possible to specify the user in the URL?

API access using trusted networks seems to work fine, which was my main concern anyway, since most of my interaction with HA is through that.


You also might want to take a look at how they’ve made it super simple for scripts to integrate with the new auth. You can see a demo here: https://hass-auth-demo.glitch.me/


I am perfectly happy to accept change, and I don’t think I have “blamed developers” for anything.


Just a small thought about being able to restart the onboarding by deleting that mentioned folder: am I correct, that this results in the ability to remotely reset the auth-system when SMB is exposed, and therefore allows the attacker to set his own password easily and locking out the owner of the system?