0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖

I am running the config checker addon for Hass.io going from .74.0- .77.1 and man it's throwing a butt ton of errors. I don't even know where to go from here except start from scratch.

The log:

running build_py
creating build
creating build/lib.linux-armv7l-3.6
creating build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/http_writer.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/payload_streamer.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/client_ws.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_exceptions.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_request.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_routedef.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/pytest_plugin.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/http_exceptions.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_ws.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_runner.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/cookiejar.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/client_proto.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/signals.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_urldispatcher.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/client_reqrep.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/hdrs.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/multipart.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_response.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_protocol.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_app.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/frozenlist.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/typedefs.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/streams.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/log.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/client_exceptions.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/base_protocol.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_middlewares.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/http_parser.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/http_websocket.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/tcp_helpers.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_server.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/__init__.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/client.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/abc.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/connector.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/locks.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/formdata.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/resolver.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/http.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/worker.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/helpers.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/payload.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/tracing.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/test_utils.py -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/web_fileresponse.py -> build/lib.linux-armv7l-3.6/aiohttp
running egg_info
writing aiohttp.egg-info/PKG-INFO
writing dependency_links to aiohttp.egg-info/dependency_links.txt
writing requirements to aiohttp.egg-info/requires.txt
writing top-level names to aiohttp.egg-info/top_level.txt
reading manifest file 'aiohttp.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'aiohttp' anywhere in distribution
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyd' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: no previously-included files matching '*.lib' found anywhere in distribution
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.a' found anywhere in distribution
warning: no previously-included files matching '*.obj' found anywhere in distribution
warning: no previously-included files found matching 'aiohttp/*.html'
no previously-included directories found matching 'docs/_build'
writing manifest file 'aiohttp.egg-info/SOURCES.txt'
copying aiohttp/_cparser.pxd -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_find_header.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_find_header.h -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_find_header.pxd -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_frozenlist.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_frozenlist.pyx -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_headers.pxi -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_helpers.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_helpers.pyi -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_helpers.pyx -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_http_parser.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_http_parser.pyx -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_http_writer.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_http_writer.pyx -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_websocket.c -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/_websocket.pyx -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/frozenlist.pyi -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/py.typed -> build/lib.linux-armv7l-3.6/aiohttp
copying aiohttp/signals.pyi -> build/lib.linux-armv7l-3.6/aiohttp
running build_ext
building 'aiohttp._websocket' extension
creating build/temp.linux-armv7l-3.6
creating build/temp.linux-armv7l-3.6/aiohttp
gcc -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -DTHREAD_STACK_SIZE=0x100000 -fPIC -I/usr/local/include/python3.6m -c aiohttp/_websocket.c -o build/temp.linux-armv7l-3.6/aiohttp/_websocket.o
In file included from aiohttp/_websocket.c:17:0:
/usr/local/include/python3.6m/Python.h:11:20: fatal error: limits.h: No such file or directory
 #include <limits.h>
                    ^
compilation terminated.
error: command 'gcc' failed with exit status 1

Hi there.

I've read all the docs and threads about the removal of homeassistant.remote Python API and I can't get how it is supposed to work now.

I have a bunch of custom python scripts that must connect to HomeAssistant and I don't know how to do it now that this API is gone.

Is this doc page obsolete? Any hints?

Thanks.

The only thing that is gone is the Python wrapper for the Rest API that was bundled in Home Assistant. The Rest API is still available. You can copy the old homeassistant.remote source code into your scripts.

Yes, that page is obsolete. I thought I removed it :man_shrugging:

It's a good thing an authentication system is introduced. But it would be great if there was a possibility to go back the way the 'previous' system works: visiting the page gives you direct access to Home Assistant. Passwords were optional.

Why? Security is good!
Yes, security is good. And for most people the auth system is a good start.
But users like me are already securing their networks (and Home Assistant) with firewalls, vlans, vpn access etc.
Also, my browser automatically deletes cookies and cached files after closing the browser and changes agent every tab change. Every time I access Home Assistant from my desktop, I am forced to login with a username and password…

What do you suggest?
I think it could be solved quite easily. How about the following optional configuration variable:

  • Specify a default user account to automatically login with (user account can have password, but will not be prompted since you're on a trusted network)
  • The user you login with can be set permissions to (read-only or read-write)
  • Only works for specified trusted networks
8 Likes

I had a few problems getting this to work, perhaps specific to my setup. But just in case it helps anyone else…

I couldn't complete the Auth process and ended up locked out - getting 403 from every browser, even clearing the cache and deleting the .auth folder wouldn't restart the process. This turned out to be because my internal docker IP wasn't in my trusted networks. This never mattered before, but now that IP was getting banned before the Auth setup finished.

Not certain it's the best solution but adding 172.0.0.0/8 to my trusted networks seemed to solve it. I really appreciate the devs work on this - my setup isn't exposed to the internet, but now I might finally look into it.

1 Like
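A check on `trusted_networks` entries, added here as an example and not part of the post above or of Home Assistant: 172.0.0.0/8 reaches well beyond the private block 172.16.0.0/12, so any address in the rest of that /8 would also bypass the login prompt. The function names and the second sample address are constructed for illustration; 172.30.32.1 is the address quoted elsewhere in this thread.

```python
import ipaddress

# Blocks that are never routed on the public internet (RFC 1918, loopback,
# link-local, IPv6 loopback / unique-local / link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def audit_trusted_networks(entries):
    """Map each trusted_networks entry to 'ok' or a description of the problem."""
    findings = {}
    for entry in entries:
        try:
            # strict=True rejects entries with host bits set (e.g. 172.30.32.1/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings[entry] = "invalid: %s" % exc
            continue
        inside = any(net.version == p.version and net.subnet_of(p)
                     for p in NON_PUBLIC)
        findings[entry] = "ok" if inside else "covers publicly routable addresses"
    return findings


def narrowest_cover(addresses):
    """Smallest single CIDR block containing every observed client address."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(addresses[0])  # starts as a single-host network
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit at a time
    return str(net)


if __name__ == "__main__":
    for entry, finding in audit_trusted_networks(
            ["172.0.0.0/8", "172.16.0.0/12", "192.168.1.0/24"]).items():
        print(entry, "->", finding)
    # 172.30.33.5 is a constructed second container address.
    print(narrowest_cover(["172.30.32.1", "172.30.33.5"]))
```

Feed `narrowest_cover` the source addresses that actually show up in the failed-login notifications, then trust only that block.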

For anyone else who is struggling with this, I got it working like this:

- alias: hangout_checker
  trigger:
    - platform: state
      entity_id: input_boolean.send_message
      to: 'on'
  action:
    - service: hangouts.send_message
      data: 
        target:
          - id: !secret hangout_id
        message:
          - text: "automated message"

If anyone is looking for this, here's a cli request that works

curl --data "client_id=http://testhass:8123/&grant_type=refresh_token&refresh_token=_[REFRESH_TOKEN]_&client_id=_[CLIENT_ID]_" -X POST "http://testhass:8123/auth/token"

it returns a json message :

{"access_token": "xxxx", "expires_in": 1800, "token_type": "Bearer"}

Parse it out for reuse.
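The same refresh exchange from a Python script, with the response parsed and the access token reused until shortly before `expires_in` runs out. This is an added example, not code from the post above or from Home Assistant; `TokenCache`, the 60-second safety margin and the injectable `post` transport are assumptions, and the resulting header is the standard `Authorization: Bearer` form for the REST API.

```python
import json
import time
import urllib.parse
import urllib.request


def build_refresh_request(base_url, client_id, refresh_token):
    """URL and form-encoded body for the refresh_token grant shown above."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }).encode()
    return base_url.rstrip("/") + "/auth/token", body


def parse_token_response(raw, now):
    """Return (access_token, absolute expiry time); reject anything unexpected."""
    data = json.loads(raw)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("not a Bearer token response")
    return token, now + int(data["expires_in"])


def http_post(url, body):
    """Real transport: the refresh token travels in the body, not in argv."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class TokenCache:
    """Hypothetical helper: reuses the access token until shortly before expiry."""

    def __init__(self, base_url, client_id, refresh_token, post=http_post, skew=60):
        self.args = (base_url, client_id, refresh_token)
        self.post, self.skew = post, skew
        self.token, self.expires = None, 0.0

    def auth_header(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires - self.skew:
            url, body = build_refresh_request(*self.args)
            self.token, self.expires = parse_token_response(self.post(url, body), now)
        return {"Authorization": "Bearer " + self.token}
```

Read the refresh token from a file or environment variable with restricted permissions rather than hard-coding it, since it is the long-lived credential here.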

In my users list I now have me, my wife, and two instances of "Hass.io". Is this right? I'd have thought only one instance were required? If that's the case, how do I know which to delete?

James

Nm, I misread.

Update to 0.77.1 on RPi hassio.

Anyone using the embedded MQTT broker?

I've had to disable it as it keeps causing Failed login attempt at 172.30.32.1.

Since disabling it, this persistent notification has gone away.

Any ideas?

hassio, update to 77.1 and getting error

[homeassistant.components.websocket_api] WS 1827720944: Message incorrectly formatted: expected str for dictionary value @ data['api_password']. Got None

help?

You have to set an own password for the embedded broker

Before release 0.76, the embedded broker would use your API password as a password to the MQTT user. This is no longer the case.

I already did that with 0.76 and it was working fine.
Issue only started with 0.77.

I had the same issue until I took out my login/password in the mqtt call. My configuration.yaml now looks like this:

mqtt:
  broker: pi3
  discovery: true
  discovery_prefix: homeassistant

and I created a homeassistant account with my default API password.

Well, looking back at my post:

I'm in 0.77.2 and at least the trusted_network is still working with Node.JS that accesses the Home Assistant API. For that, I do apologize for my resentment about the change in new authentication system. I've added a user for Home Assistant, opted to make use of Trusted Network, and once I'm logged in, it's working. Playing a movie in Plex turns off my light and when I pause or stop the movie, the lights come back on, so everything is working as it should using the trusted_networks.

TL;DR: I was worried about my Node.JS (Javascript) code failing due to trusted_networks not working at all starting with 0.77.

This discussion about security breaking functionality would not have been started from this whole mess had I not seen trusted_networks listed in breaking changes. In the future, I'm going to wait for .2 to stabilize before I upgrade. Well, at least I did when I upgraded from 0.74.2 to 0.77.2.

At the end of the day, all is well. :slight_smile:

4 Likes

Since this new release, I have to type my login and password each time I go to Home Assistant. There is no remember me option. Tested on Desktop Firefox and Android Chrome. I cannot see any cookie set when logging in.
Any idea on how to resolve this?

What you proposed is the "trusted networks authentication provider", which is enabled by default if you configured the "trusted_networks" option in the http config.

1 Like

Again, the breaking change is for trusted networks and websocket API used together. It is clearly stated in the release notes and PR description.

Got it up and running. I completely forgot the changeover to Hassos.

The only issue I have now is that on Mobile Edge or Chrome on Android it is not asking to save the passwords under the new user system. It is under the legacy password though.

I'm just getting invalid config if I remove the password.
I'm using the embedded broker, so this is what my config looks like now:

mqtt:
  discovery: true

I tried creating a new user called "homeassistant" with the mqtt password I was using, but to no avail.