Annoying "Unable to connect to Home Assistant." issue after logging in

This has started in the past week. I am not sure what caused it, as I did not update HA before the issue started.
The web interface becomes unresponsive, so I go to the login screen; it seems to accept my credentials but then says

"Unable to connect to Home Assistant.

Retrying in … seconds"

If I check the Web Developer tools, I can see that it’s a POST to /auth/token that results in 400 Bad Request:

This is logged at the same time:

2024-05-06 22:04:21.023 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0)

I assume this is the cause of the issue.

I had this problem a few days ago and restarting the HA container didn’t fix it and it was about time for an update, so I just updated to the current version [whatever was current on 2023/05/03]. The issue seemed to go away, but now it is back again!

It looks like it’s this:

banning 127.0.0.1 due to some perceived infraction [I say “perceived” because I *know* I didn’t put the credentials in wrong, they’re saved in the password manager, so they’re never entered manually].

In the documentation it says “ip_ban_enabled boolean (Optional, default: false)”, so it’s off by default. I have no http: entry in my configuration.yaml, so why is it banning me?

This is really annoying. I am trying to get an old Fire tablet working as an HA “display” for the kitchen. I got the password wrong a few times, then got it right. Logged in. Messed about with dashboard. Tablet rebooted to install some updates. Now the tablet is banned. Doesn’t make any sense, if it was going to be banned it should be banned before I got the password right, not after!

Additionally, no ip_bans.yaml file is created, that I can find anywhere.

Even

http:
  ip_ban_enabled: false

in configuration.yaml doesn’t stop this from happening. What is this nonsense???

Even though the log message is identical apart from the IP address, the issue with the tablet is that it has an IPv6 address. This is “remote” by default, so the user needed “Can only log in from the local network” to be un-ticked.

Would be great if the log message actually said what the issue was here!

2024-05-30 22:48:46.297 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 2001:xx (2001:xx). Requested URL: '/auth/login_flow/902b2021d306a67f0b699365c042c5c9'. (Mozilla/5.0 (Linux; Android 5.1.1; KFFOWI Build/LVY48F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Safari/537.36 Home Assistant/2024.4.1-12576 (Android 5.1.1; KFFOWI))

Looks like this issue or variations on it have been going on for some time:

I have started a feature request thread pleading for an improvement in the documentation and logging:

I receive the same message too. It seems this is a Firefox thing, which goes wrong at least when my HA container is updated while the HA tab is refreshing. But e.g. when I open an Edge browser, or when it was already open, the same issue does not appear.
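
A triage helper for the situation described in this thread, added here as an example (not from the original posts and not Home Assistant's own code): it parses the http.ban warning format quoted above and uses Python's standard ipaddress module to show which address class each rejected request came from. The classes are only an approximation of "local network", and the sample log lines and addresses are constructed.

```python
import ipaddress
import re

# Shape of the http.ban warning quoted in this thread.
BAN_RE = re.compile(
    r"\[homeassistant\.components\.http\.ban\] Login attempt or request with "
    r"invalid authentication from (?P<host>\S+) \((?P<ip>[^)]+)\)\. "
    r"Requested URL: '(?P<url>[^']*)'"
)

# Constructed sample lines (hosts and addresses are made up for illustration).
SAMPLE_LOG = """\
2024-05-06 22:04:21.023 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Mozilla/5.0)
2024-05-30 22:48:46.297 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 2001:9e8:1234::10 (2001:9e8:1234::10). Requested URL: '/auth/login_flow/abc'. (Mozilla/5.0)
2024-05-30 22:50:02.114 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from tablet (fd00::5). Requested URL: '/auth/token'. (Mozilla/5.0)
2024-05-30 22:51:00.000 INFO (MainThread) [homeassistant.core] unrelated line
"""


def classify(ip_text):
    """Return 'loopback', 'link-local', 'private', 'global' or 'unparsed'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"  # e.g. a redacted address such as '2001:xx'
    # Dual-stack listeners can report IPv4 clients as ::ffff:a.b.c.d.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "global"  # a routable address: not a local-network source


def triage(log_text):
    """Return (ip, address class, requested URL) for each http.ban warning."""
    rows = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            rows.append((m["ip"], classify(m["ip"]), m["url"]))
    return rows


if __name__ == "__main__":
    for ip, scope, url in triage(SAMPLE_LOG):
        print(f"{scope:10} {ip:20} {url}")
```

A "global" source on a rejected login for a user restricted to the local network points at the setting discussed above rather than at wrong credentials.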