Hi folks! I have Babybuddy as an add-on in HA. When adding information (such as feeding) through the browser using my PC it works perfectly, but when I try to use the Android HA app to access Babybuddy and add the same information, I have the attached error:
This is my add-on configuration:
Could anyone help?
I get this error in iOS app and on browser (firefox). Any help appreciated.
OP, instructions indicate no space after the coma in between domains.
I added both my IP and the homeassistant.local domain. When I configured INGRESS_USER: admin, it boots logged in to the BabyBuddy dashboard but when attempting to add a child, upon pressing submit I receive the same CSRF error telling me to add the domain/IP to the CSRF trusted origins (which already are).
Exact same issue here. It seemed to work with https using duckdns, but since duckdns was so buggy I swapped to cloudflare and now babybuddy is in op. Works in chrome on desktop using my ip, but doesn’t work anywhere else.
Adding admin in configuration does the exact same where I can see the page but can’t submit without getting the csrf verification error
I see the same thing as @AyudaRubio I can navigate the app if INGRESS_USER: admin, but adding a child gives me one of two CSRF errors.
When my configuration is set to:
CSRF_TRUSTED_ORIGINS: >-
https://<redacted>.ui.nabu.casa,http://homeassistant.local:8123
INGRESS_USER: admin
log_level: debug
I get this screen:
When I tweak my configuration by wrapping the value of CSRF_TRUSTED_ORIGINS in quotes, I get a screen similar to @jfpalomeque
I also started having this problem in December. I can’t pinpoint exactly what changed, but some things that happened around the same time are updates to HA itself, the HA cloudflared add-on, and the HA mobile app.
What’s really interesting is that my wife also uses the HA mobile app for Baby Buddy and has had absolutely no issues whatsoever. It continues to work for her, but not me. So there is merit to the idea it may be cache or client related, but reinstalling the HA mobile app didn’t fix it for me.
That said, I found a workaround for my use case. I exposed the Baby Buddy add-on with an external port to bypass HA addon ingress, published it to a different public hostname through the same cloudflared tunnel, put Cloudflare Access in front of that hostname to secure the web frontend, and appended that new public URL to the list of CSRF_TRUSTED_ORIGINS in the addon. Now I can visit Baby Buddy from my mobile browser on Android.
This doesn’t identify root cause nor solve for the problem of Baby Buddy throwing CSRF errors on HTTP POST requests with HA addon ingress, but it will work for me until fixed upstream.
Worth noting that CSRFv verification failed #81 tracks this issue, so hopefully it will get some attention.
1 Like
I’m having similar issues with CSRF and BB. Ideally everything will continue to work behind my nginx reverse proxy, but I’m still struggling to submit any forms from any device, so the reverse proxy is just a dream right now.
I am hoping there is a way to fix locally, without having to go outside with cloudflare.
By changing how I access Baby Buddy, ie, using the port instead of the integration I was able to login, and change information, and save entries.
However, I too would like to see the CSRF issue resolved.
Before directly connecting via port, I was getting this in my logs trying to do anything.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting
-----------------------------------------------------------
Add-on: Baby Buddy
Track sleep, feedings, diaper changes, tummy time and more!
-----------------------------------------------------------
Add-on version: 2.7.0
You are running the latest version of this add-on.
System: Home Assistant OS 14.2 (aarch64 / yellow)
Home Assistant Core: 2025.2.3
Home Assistant Supervisor: 2025.02.1
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/babybuddy.sh
**** No secret key found, generating one ****
Cache table 'cache_default' already exists.
Operations to perform:
Apply all migrations: admin, auth, authtoken, axes, babybuddy, contenttypes, core, dbsettings, sessions
Running migrations:
No migrations to apply.
Your models in app(s): 'babybuddy' have changes that are not yet reflected in a migration, and so won't be applied.
Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.
cont-init: info: /etc/cont-init.d/babybuddy.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun babybuddy (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
[13:21:23] INFO: NGINX waiting on babybuddy...
s6-rc: info: service legacy-services successfully started
[13:21:23] INFO: Adding config for Ingress User Auth
[2025-02-13 13:21:24 -0700] [203] [DEBUG] Current configuration:
config: ./gunicorn.conf.py
wsgi_app: None
bind: [':8000']
backlog: 2048
workers: 2
worker_class: gthread
threads: 4
worker_connections: 1000
max_requests: 0
max_requests_jitter: 0
timeout: 30
graceful_timeout: 30
keepalive: 2
limit_request_line: 4094
limit_request_fields: 100
limit_request_field_size: 8190
reload: False
reload_engine: auto
reload_extra_files: []
spew: False
check_config: False
print_config: False
preload_app: False
sendfile: None
reuse_port: False
chdir: /app/babybuddy
daemon: False
raw_env: []
pidfile: None
worker_tmp_dir: /dev/shm
user: 0
group: 0
umask: 0
initgroups: False
tmp_upload_dir: None
secure_scheme_headers: {'X-FORWARDED-PROTOCOL': 'ssl', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}
forwarded_allow_ips: ['127.0.0.1', '::1']
accesslog: None
disable_redirect_access_to_syslog: False
access_log_format: %(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"
errorlog: -
loglevel: debug
capture_output: False
logger_class: gunicorn.glogging.Logger
logconfig: None
logconfig_dict: {}
logconfig_json: None
syslog_addr: udp://localhost:514
syslog: False
syslog_prefix: None
syslog_facility: user
enable_stdio_inheritance: False
statsd_host: None
dogstatsd_tags:
statsd_prefix:
proc_name: None
default_proc_name: babybuddy.wsgi
pythonpath: None
paste: None
on_starting: <function OnStarting.on_starting at 0x7fba765120>
on_reload: <function OnReload.on_reload at 0x7fba765260>
when_ready: <function WhenReady.when_ready at 0x7fba7653a0>
pre_fork: <function Prefork.pre_fork at 0x7fba765580>
post_fork: <function Postfork.post_fork at 0x7fba7656c0>
post_worker_init: <function PostWorkerInit.post_worker_init at 0x7fba765800>
worker_int: <function WorkerInt.worker_int at 0x7fba765940>
worker_abort: <function WorkerAbort.worker_abort at 0x7fba765a80>
pre_exec: <function PreExec.pre_exec at 0x7fba765bc0>
pre_request: <function PreRequest.pre_request at 0x7fba765d00>
post_request: <function PostRequest.post_request at 0x7fba765da0>
child_exit: <function ChildExit.child_exit at 0x7fba765ee0>
worker_exit: <function WorkerExit.worker_exit at 0x7fba766020>
nworkers_changed: <function NumWorkersChanged.nworkers_changed at 0x7fba766160>
on_exit: <function OnExit.on_exit at 0x7fba7662a0>
ssl_context: <function NewSSLContext.ssl_context at 0x7fba766480>
proxy_protocol: False
proxy_allow_ips: ['127.0.0.1', '::1']
keyfile: None
certfile: None
ssl_version: 2
cert_reqs: 0
ca_certs: None
suppress_ragged_eofs: True
do_handshake_on_connect: False
ciphers: None
raw_paste_global_conf: []
permit_obsolete_folding: False
strip_header_spaces: False
permit_unconventional_http_method: False
permit_unconventional_http_version: False
casefold_http_method: False
forwarder_headers: ['SCRIPT_NAME', 'PATH_INFO']
header_map: drop
[2025-02-13 13:21:24 -0700] [203] [INFO] Starting gunicorn 23.0.0
[2025-02-13 13:21:24 -0700] [203] [DEBUG] Arbiter booted
[2025-02-13 13:21:24 -0700] [203] [INFO] Listening at: http://0.0.0.0:8000 (203)
[2025-02-13 13:21:24 -0700] [203] [INFO] Using worker: gthread
[2025-02-13 13:21:24 -0700] [245] [INFO] Booting worker with pid: 245
[2025-02-13 13:21:24 -0700] [246] [INFO] Booting worker with pid: 246
[2025-02-13 13:21:24 -0700] [203] [DEBUG] 2 workers
[13:21:24] INFO: Starting NGINX...
[2025-02-13 20:21:26 +0000] [246] [DEBUG] Ignored premature client disconnection. No more data after: b'\n'
[2025-02-13 20:21:41 +0000] [245] [DEBUG] GET /
[2025-02-13 20:21:42 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:21:42 +0000] [245] [DEBUG] GET /dashboard/
[2025-02-13 20:21:42 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:21:42 +0000] [245] [DEBUG] GET /welcome/
[2025-02-13 20:21:43 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:21:44 +0000] [246] [DEBUG] GET /children/add/
[2025-02-13 20:21:45 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:21:46 +0000] [245] [DEBUG] GET /user/settings/
[2025-02-13 20:21:47 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:21:58 +0000] [245] [DEBUG] POST /user/settings/
[2025-02-13 20:21:58 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:22:07 +0000] [245] [DEBUG] GET /
[2025-02-13 20:22:07 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:22:07 +0000] [245] [DEBUG] GET /dashboard/
[2025-02-13 20:22:07 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:22:07 +0000] [245] [DEBUG] GET /welcome/
[2025-02-13 20:22:07 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:23:03 +0000] [245] [DEBUG] GET /settings/
[2025-02-13 20:23:03 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:23:12 +0000] [246] [DEBUG] GET /admin/
[2025-02-13 20:23:12 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:15 +0000] [246] [DEBUG] GET /admin/authtoken/tokenproxy/
[2025-02-13 20:23:15 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:19 +0000] [245] [DEBUG] GET /admin/authtoken/tokenproxy/2/change/
[2025-02-13 20:23:19 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:23:19 +0000] [245] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:23:19 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:23:29 +0000] [246] [DEBUG] GET /
[2025-02-13 20:23:29 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:29 +0000] [246] [DEBUG] GET /dashboard/
[2025-02-13 20:23:29 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:29 +0000] [246] [DEBUG] GET /welcome/
[2025-02-13 20:23:29 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:38 +0000] [245] [DEBUG] GET /user/settings/
[2025-02-13 20:23:38 +0000] [245] [DEBUG] Closing connection.
[2025-02-13 20:23:43 +0000] [246] [DEBUG] GET /user/settings/
[2025-02-13 20:23:43 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:55 +0000] [246] [DEBUG] POST /user/settings/
[2025-02-13 20:23:55 +0000] [246] [DEBUG] Closing connection.
[2025-02-13 20:23:56 +0000] [246] [DEBUG] GET /user/settings/
[2025-02-13 20:23:57 +0000] [246] [DEBUG] Closing connection.
s6-rc: info: service legacy-services: stopping
[2025-02-13 13:25:38 -0700] [203] [INFO] Handling signal: term
s6-supervise nginx: warning: unable to spawn ./finish: Permission denied
[2025-02-13 20:25:38 +0000] [246] [INFO] Worker exiting (pid: 246)
[2025-02-13 20:25:39 +0000] [245] [INFO] Worker exiting (pid: 245)
[2025-02-13 13:25:39 -0700] [203] [INFO] Shutting down: Master
s6-supervise babybuddy: warning: unable to spawn ./finish: Permission denied
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service base-addon-log-level: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service base-addon-log-level successfully stopped
s6-rc: info: service base-addon-banner: stopping
s6-rc: info: service base-addon-banner successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
Now that I have enabled the port, I am getting this:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting
-----------------------------------------------------------
Add-on: Baby Buddy
Track sleep, feedings, diaper changes, tummy time and more!
-----------------------------------------------------------
Add-on version: 2.7.0
You are running the latest version of this add-on.
System: Home Assistant OS 14.2 (aarch64 / yellow)
Home Assistant Core: 2025.2.3
Home Assistant Supervisor: 2025.02.1
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/babybuddy.sh
**** No secret key found, generating one ****
Cache table 'cache_default' already exists.
Operations to perform:
Apply all migrations: admin, auth, authtoken, axes, babybuddy, contenttypes, core, dbsettings, sessions
Running migrations:
No migrations to apply.
Your models in app(s): 'babybuddy' have changes that are not yet reflected in a migration, and so won't be applied.
Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.
cont-init: info: /etc/cont-init.d/babybuddy.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun babybuddy (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
[13:26:44] INFO: NGINX waiting on babybuddy...
s6-rc: info: service legacy-services successfully started
[13:26:44] INFO: Adding config for Ingress User Auth
[2025-02-13 13:26:44 -0700] [203] [DEBUG] Current configuration:
config: ./gunicorn.conf.py
wsgi_app: None
bind: [':8000']
backlog: 2048
workers: 2
worker_class: gthread
threads: 4
worker_connections: 1000
max_requests: 0
max_requests_jitter: 0
timeout: 30
graceful_timeout: 30
keepalive: 2
limit_request_line: 4094
limit_request_fields: 100
limit_request_field_size: 8190
reload: False
reload_engine: auto
reload_extra_files: []
spew: False
check_config: False
print_config: False
preload_app: False
sendfile: None
reuse_port: False
chdir: /app/babybuddy
daemon: False
raw_env: []
pidfile: None
worker_tmp_dir: /dev/shm
user: 0
group: 0
umask: 0
initgroups: False
tmp_upload_dir: None
secure_scheme_headers: {'X-FORWARDED-PROTOCOL': 'ssl', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}
forwarded_allow_ips: ['127.0.0.1', '::1']
accesslog: None
disable_redirect_access_to_syslog: False
access_log_format: %(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"
errorlog: -
loglevel: debug
capture_output: False
logger_class: gunicorn.glogging.Logger
logconfig: None
logconfig_dict: {}
logconfig_json: None
syslog_addr: udp://localhost:514
syslog: False
syslog_prefix: None
syslog_facility: user
enable_stdio_inheritance: False
statsd_host: None
dogstatsd_tags:
statsd_prefix:
proc_name: None
default_proc_name: babybuddy.wsgi
pythonpath: None
paste: None
on_starting: <function OnStarting.on_starting at 0x7f8a9e5120>
on_reload: <function OnReload.on_reload at 0x7f8a9e5260>
when_ready: <function WhenReady.when_ready at 0x7f8a9e53a0>
pre_fork: <function Prefork.pre_fork at 0x7f8a9e5580>
post_fork: <function Postfork.post_fork at 0x7f8a9e56c0>
post_worker_init: <function PostWorkerInit.post_worker_init at 0x7f8a9e5800>
worker_int: <function WorkerInt.worker_int at 0x7f8a9e5940>
worker_abort: <function WorkerAbort.worker_abort at 0x7f8a9e5a80>
pre_exec: <function PreExec.pre_exec at 0x7f8a9e5bc0>
pre_request: <function PreRequest.pre_request at 0x7f8a9e5d00>
post_request: <function PostRequest.post_request at 0x7f8a9e5da0>
child_exit: <function ChildExit.child_exit at 0x7f8a9e5ee0>
worker_exit: <function WorkerExit.worker_exit at 0x7f8a9e6020>
nworkers_changed: <function NumWorkersChanged.nworkers_changed at 0x7f8a9e6160>
on_exit: <function OnExit.on_exit at 0x7f8a9e62a0>
ssl_context: <function NewSSLContext.ssl_context at 0x7f8a9e6480>
proxy_protocol: False
proxy_allow_ips: ['127.0.0.1', '::1']
keyfile: None
certfile: None
ssl_version: 2
cert_reqs: 0
ca_certs: None
suppress_ragged_eofs: True
do_handshake_on_connect: False
ciphers: None
raw_paste_global_conf: []
permit_obsolete_folding: False
strip_header_spaces: False
permit_unconventional_http_method: False
permit_unconventional_http_version: False
casefold_http_method: False
forwarder_headers: ['SCRIPT_NAME', 'PATH_INFO']
header_map: drop
[2025-02-13 13:26:44 -0700] [203] [INFO] Starting gunicorn 23.0.0
[2025-02-13 13:26:44 -0700] [203] [DEBUG] Arbiter booted
[2025-02-13 13:26:44 -0700] [203] [INFO] Listening at: http://0.0.0.0:8000 (203)
[2025-02-13 13:26:44 -0700] [203] [INFO] Using worker: gthread
[2025-02-13 13:26:44 -0700] [244] [INFO] Booting worker with pid: 244
[13:26:44] INFO: Starting NGINX...
[2025-02-13 13:26:44 -0700] [247] [INFO] Booting worker with pid: 247
[2025-02-13 13:26:44 -0700] [203] [DEBUG] 2 workers
[2025-02-13 20:26:46 +0000] [244] [DEBUG] Ignored premature client disconnection. No more data after: b'\n'
[2025-02-13 20:26:46 +0000] [244] [DEBUG] GET /
[2025-02-13 20:26:46 +0000] [244] [DEBUG] GET /login/
[2025-02-13 20:26:47 +0000] [244] [DEBUG] GET /static/babybuddy/css/app.bf0cda6f5417.css
[2025-02-13 20:26:47 +0000] [244] [DEBUG] GET /static/babybuddy/js/vendor.4d98f8555468.js
[2025-02-13 20:26:47 +0000] [247] [DEBUG] GET /static/babybuddy/js/app.0e79b2a38e49.js
[2025-02-13 20:26:47 +0000] [244] [DEBUG] GET /static/babybuddy/logo/icon-brand.32cbedf6aee3.png
[2025-02-13 20:26:47 +0000] [244] [DEBUG] GET /static/babybuddy/font/babybuddy.282820350933.woff2
[2025-02-13 20:26:47 +0000] [244] [DEBUG] GET /static/babybuddy/root/favicon.ee5ebcd40fb9.ico
[2025-02-13 20:27:00 +0000] [244] [DEBUG] POST /login/
[2025-02-13 20:27:02 +0000] [244] [DEBUG] GET /
[2025-02-13 20:27:02 +0000] [244] [DEBUG] GET /dashboard/
[2025-02-13 20:27:02 +0000] [244] [DEBUG] GET /welcome/
[2025-02-13 20:27:15 +0000] [247] [DEBUG] GET /users/
[2025-02-13 20:27:19 +0000] [247] [DEBUG] GET /users/2/edit/
[2025-02-13 20:27:32 +0000] [247] [DEBUG] POST /users/2/edit/
[2025-02-13 20:27:32 +0000] [247] [DEBUG] GET /users/
[2025-02-13 20:27:39 +0000] [244] [DEBUG] GET /users/2/edit/
[2025-02-13 20:27:42 +0000] [244] [DEBUG] GET /users/
[2025-02-13 20:27:50 +0000] [244] [DEBUG] POST /logout/
[2025-02-13 20:27:50 +0000] [244] [DEBUG] GET /login/
[2025-02-13 20:28:03 +0000] [247] [DEBUG] POST /login/
AXES: New login failure by {username: "********************", ip_address: "********************", user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0", path_info: "/login/"}. Created new record in the database.
[2025-02-13 20:28:14 +0000] [244] [DEBUG] POST /login/
AXES: Repeated login failure by {username: "********************", ip_address: "********************", user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0", path_info: "/login/"}. Updated existing record in the database.
[2025-02-13 20:28:22 +0000] [247] [DEBUG] POST /login/
AXES: Repeated login failure by {username: "********************", ip_address: "********************", user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0", path_info: "/login/"}. Updated existing record in the database.
[2025-02-13 20:28:26 +0000] [247] [DEBUG] POST /login/
AXES: Repeated login failure by {username: "********************", ip_address: "********************", user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0", path_info: "/login/"}. Updated existing record in the database.
[2025-02-13 20:28:34 +0000] [247] [DEBUG] GET /reset/
[2025-02-13 20:28:38 +0000] [247] [DEBUG] POST /reset/
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Password reset on home.site.name:8889
From: webmaster@localhost
To: [email protected]
Date: Thu, 13 Feb 2025 20:28:38 -0000
Message-ID:
<173947851807.247.12947215529308716876@68152197-baby-buddy.local.hass.io>
You're receiving this email because you requested a password reset for your user account at home.site.name:8889.
Please go to the following page and choose a new password:
http://home.site.name:8889/reset/Mg/gibberish
Your username, in case you’ve forgotten: username
Thanks for using Baby Buddy!
-------------------------------------------------------------------------------
[2025-02-13 20:28:38 +0000] [247] [DEBUG] GET /reset/done/
[2025-02-13 20:28:46 +0000] [247] [DEBUG] GET /login/
[2025-02-13 20:30:28 +0000] [247] [DEBUG] POST /login/
[2025-02-13 20:30:30 +0000] [247] [DEBUG] GET /
[2025-02-13 20:30:30 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:30:30 +0000] [247] [DEBUG] GET /welcome/
[2025-02-13 20:30:45 +0000] [244] [DEBUG] GET /user/password/
[2025-02-13 20:31:06 +0000] [247] [DEBUG] POST /user/password/
[2025-02-13 20:31:39 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:31:39 +0000] [247] [DEBUG] GET /welcome/
[2025-02-13 20:31:41 +0000] [247] [DEBUG] GET /timeline/
[2025-02-13 20:31:46 +0000] [247] [DEBUG] GET /settings/
[2025-02-13 20:31:49 +0000] [247] [DEBUG] GET /users/
[2025-02-13 20:31:52 +0000] [247] [DEBUG] GET /admin/
[2025-02-13 20:31:52 +0000] [247] [DEBUG] GET /static/admin/css/base.08e8df8c3104.css
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/css/nav_sidebar.dd925738f4cc.css
[2025-02-13 20:31:52 +0000] [247] [DEBUG] GET /static/admin/js/theme.91cf832f559e.js
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/css/dark_mode.f9ffd47267af.css
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/css/dashboard.e90f2068217b.css
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/css/responsive.ae7b57af01c8.css
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/js/nav_sidebar.3b9190d420b1.js
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/img/icon-changelink.7eddb320e61f.svg
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /static/admin/img/icon-addlink.073aeb1feda7.svg
[2025-02-13 20:31:52 +0000] [244] [DEBUG] GET /favicon.ico
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /admin/auth/user/
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/css/changelists.59465e72d1ef.css
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/js/core.7e257fdf56dc.js
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/js/vendor/jquery/jquery.min.2c872dbe60f4.js
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/js/admin/RelatedObjectLookups.874743a87811.js
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/js/urlify.ae970a820212.js
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/js/jquery.init.b7781a0897fc.js
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/img/search.7cf54ff789c6.svg
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/js/prepopulate.bd2361dfd64d.js
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/js/vendor/xregexp/xregexp.min.f1ae4617847c.js
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/js/actions.f1d5653edb59.js
[2025-02-13 20:31:54 +0000] [247] [DEBUG] GET /static/admin/img/icon-yes.d2f9f035226a.svg
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/js/filters.0e360b7a9f80.js
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/img/sorting-icons.3a097b59f104.svg
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/img/tooltag-add.e59d620a9742.svg
[2025-02-13 20:31:54 +0000] [244] [DEBUG] GET /static/admin/img/icon-viewlink.41eb31f7826e.svg
[2025-02-13 20:31:56 +0000] [244] [DEBUG] GET /admin/auth/user/1/change/
[2025-02-13 20:31:57 +0000] [244] [DEBUG] GET /static/admin/css/forms.86203f0362cc.css
[2025-02-13 20:31:57 +0000] [244] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/js/SelectFilter2.b20260d34877.js
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/js/inlines.22d4d93c00b4.js
[2025-02-13 20:31:57 +0000] [244] [DEBUG] GET /static/admin/js/admin/DateTimeShortcuts.9f6e209cebca.js
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/js/SelectBox.7d3ce5a98007.js
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/js/calendar.d64496bbf46d.js
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/css/widgets.355d088349f3.css
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/js/prepopulate_init.6cac7f3105b8.js
[2025-02-13 20:31:57 +0000] [244] [DEBUG] GET /static/admin/js/change_form.9d8ca4f96b75.js
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/img/selector-icons.b4555096cea2.svg
[2025-02-13 20:31:57 +0000] [244] [DEBUG] GET /static/admin/img/icon-unknown.a18cb4398978.svg
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/img/icon-unknown-alt.81536e128bb6.svg
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/img/icon-clock.e1d4dfac3f2b.svg
[2025-02-13 20:31:57 +0000] [247] [DEBUG] GET /static/admin/img/icon-calendar.ac7aea671bea.svg
[2025-02-13 20:32:03 +0000] [247] [DEBUG] GET /admin/auth/user/
[2025-02-13 20:32:03 +0000] [247] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:32:04 +0000] [247] [DEBUG] GET /admin/auth/user/2/change/
[2025-02-13 20:32:04 +0000] [247] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:32:05 +0000] [247] [DEBUG] GET /admin/auth/user/2/password/
[2025-02-13 20:32:05 +0000] [247] [DEBUG] GET /static/admin/css/unusable_password_field.b433f2a95fba.css
[2025-02-13 20:32:05 +0000] [247] [DEBUG] GET /static/admin/js/unusable_password_field.017ea86b6ae4.js
[2025-02-13 20:32:05 +0000] [244] [DEBUG] GET /static/admin/img/icon-alert.034cc7d8a67f.svg
[2025-02-13 20:32:49 +0000] [244] [DEBUG] POST /admin/auth/user/2/password/
[2025-02-13 20:32:51 +0000] [244] [DEBUG] GET /admin/auth/user/2/change/
[2025-02-13 20:32:51 +0000] [244] [DEBUG] GET /admin/jsi18n/
[2025-02-13 20:33:17 +0000] [247] [DEBUG] GET /admin/auth/user/2/password/
[2025-02-13 20:33:17 +0000] [247] [DEBUG] GET /admin/auth/user/2/change/
[2025-02-13 20:33:18 +0000] [247] [DEBUG] GET /admin/auth/user/
[2025-02-13 20:33:19 +0000] [247] [DEBUG] GET /admin/auth/user/1/change/
[2025-02-13 20:33:19 +0000] [247] [DEBUG] GET /admin/auth/user/
[2025-02-13 20:33:20 +0000] [247] [DEBUG] GET /admin/
[2025-02-13 20:33:20 +0000] [247] [DEBUG] GET /users/
[2025-02-13 20:33:23 +0000] [247] [DEBUG] POST /logout/
[2025-02-13 20:33:23 +0000] [247] [DEBUG] GET /login/
[2025-02-13 20:33:31 +0000] [244] [DEBUG] POST /login/
[2025-02-13 20:33:33 +0000] [244] [DEBUG] GET /
[2025-02-13 20:33:33 +0000] [244] [DEBUG] GET /dashboard/
[2025-02-13 20:33:33 +0000] [244] [DEBUG] GET /welcome/
[2025-02-13 20:33:35 +0000] [244] [DEBUG] GET /children/add/
[2025-02-13 20:34:20 +0000] [247] [DEBUG] POST /children/add/
[2025-02-13 20:34:20 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:34:21 +0000] [247] [DEBUG] GET /media/CACHE/images/child/picture/IMG_5316/f26c1da555248f480f2be601f3ca4e5e.JPG
[2025-02-13 20:34:23 +0000] [247] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:34:24 +0000] [247] [DEBUG] GET /media/CACHE/images/child/picture/IMG_5316/a2305a81a8917b3d90421a29159a8d43.JPG
[2025-02-13 20:34:36 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:34:36 +0000] [247] [DEBUG] GET /media/CACHE/images/child/picture/IMG_5316/f26c1da555248f480f2be601f3ca4e5e.JPG
[2025-02-13 20:34:41 +0000] [247] [DEBUG] GET /children/Child-Name/edit/
[2025-02-13 20:34:42 +0000] [247] [DEBUG] GET /media/child/picture/IMG_5316.JPG
[2025-02-13 20:34:42 +0000] [247] [DEBUG] GET /static/babybuddy/logo/logo-sad.47c3d5c2d397.png
[2025-02-13 20:34:44 +0000] [247] [DEBUG] GET /children/Child-Name/edit/
[2025-02-13 20:34:48 +0000] [247] [DEBUG] POST /children/Child-Name/edit/
[2025-02-13 20:34:48 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:34:48 +0000] [247] [DEBUG] GET /static/babybuddy/img/core/child-placeholder.7c0a81f0d7f0.png
[2025-02-13 20:34:49 +0000] [247] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:34:55 +0000] [244] [DEBUG] GET /children/add/
[2025-02-13 20:34:58 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:34:59 +0000] [247] [DEBUG] GET /children/Child-Name/edit/
[2025-02-13 20:35:02 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:35:13 +0000] [247] [DEBUG] GET /user/add-device/
[2025-02-13 20:35:16 +0000] [247] [DEBUG] GET /
[2025-02-13 20:35:16 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:35:16 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:35:23 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:35:27 +0000] [247] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:35:28 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:35:30 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:35:32 +0000] [247] [DEBUG] GET /children/add/
[2025-02-13 20:35:35 +0000] [247] [DEBUG] GET /notes/
[2025-02-13 20:35:37 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:35:38 +0000] [247] [DEBUG] GET /timeline/
[2025-02-13 20:35:38 +0000] [247] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:35:40 +0000] [247] [DEBUG] GET /bmi/
[2025-02-13 20:35:43 +0000] [247] [DEBUG] GET /
[2025-02-13 20:35:43 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:35:43 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:35:46 +0000] [247] [DEBUG] GET /head-circumference/add/
[2025-02-13 20:35:46 +0000] [247] [DEBUG] GET /static/babybuddy/js/tags_editor.cf5018f5a70a.js
[2025-02-13 20:35:56 +0000] [247] [DEBUG] POST /head-circumference/add/
[2025-02-13 20:35:56 +0000] [247] [DEBUG] GET /head-circumference/
[2025-02-13 20:35:59 +0000] [244] [DEBUG] GET /head-circumference/1/
[2025-02-13 20:36:08 +0000] [247] [DEBUG] POST /head-circumference/1/
[2025-02-13 20:36:08 +0000] [247] [DEBUG] GET /head-circumference/
[2025-02-13 20:36:11 +0000] [247] [DEBUG] GET /height/add/
[2025-02-13 20:36:22 +0000] [247] [DEBUG] POST /height/add/
[2025-02-13 20:36:22 +0000] [247] [DEBUG] GET /height/
[2025-02-13 20:36:26 +0000] [247] [DEBUG] GET /weight/
[2025-02-13 20:36:29 +0000] [247] [DEBUG] GET /weight/add/
[2025-02-13 20:36:50 +0000] [247] [DEBUG] POST /weight/add/
[2025-02-13 20:36:50 +0000] [247] [DEBUG] GET /weight/
[2025-02-13 20:37:00 +0000] [244] [DEBUG] GET /children/
[2025-02-13 20:37:02 +0000] [244] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:37:03 +0000] [244] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:38:03 +0000] [244] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:38:18 +0000] [244] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:38:26 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:38:41 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:38:41 +0000] [244] [DEBUG] GET /children/Child-Name/
[2025-02-13 20:38:42 +0000] [247] [DEBUG] Closing connection.
[2025-02-13 20:42:39 +0000] [247] [DEBUG] GET /changes/
[2025-02-13 20:42:43 +0000] [247] [DEBUG] GET /changes/add/
[2025-02-13 20:42:55 +0000] [247] [DEBUG] GET /settings/
[2025-02-13 20:43:18 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:43:18 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:43:20 +0000] [247] [DEBUG] GET /children/
[2025-02-13 20:43:21 +0000] [247] [DEBUG] GET /
[2025-02-13 20:43:21 +0000] [247] [DEBUG] GET /dashboard/
[2025-02-13 20:43:21 +0000] [247] [DEBUG] GET /children/Child-Name/dashboard/
[2025-02-13 20:43:25 +0000] [247] [DEBUG] GET /user/settings/
[2025-02-13 20:43:34 +0000] [247] [DEBUG] GET /api/
[2025-02-13 20:43:37 +0000] [247] [DEBUG] GET /user/settings/
Is there, or will there be, a possibility to make the BabyBuddy add-on (ingress page) work with the Nabucasa cloud option?
Locally, I got it working using the local IP (by adding the HA port and BabyBuddy port to the CSRF accept list). However, with the Nabucasa cloud, only the login page works. After logging in, I get the well-known 403 forbidden CSRF error.
I would really appreciate your help… I only have a few weeks left before my firstborn arrives! 
Can you explain how you set-up multiple hostnames for the same cloudflare tunnel? Any specific add-on?
In the same boat. For the time being, I’ve set the local SSID and local IP:Port for the HA Companion App as we’ll mostly be home during that time. If we need to record something while out of the home, I’ve exposed the random port number and random URL to at least get something.
I have home assistant running on the “home assistant green” device, it also hosts baby buddy.
When trying to add entries or change settings using browser from pc on the same local network i get the CSRF error.
I know there is a problem using the app… but shouldn’t using another pc on the same network work just fine?
Add-on version: 2.7.1
You are running the latest version of this add-on.
System: Home Assistant OS 15.2 (aarch64 / green)
Home Assistant Core: 2025.4.2
Home Assistant Supervisor: 2025.04.0
Hi @clownfish, welcome to the forums!
When you set up Cloudflare Tunnel in HA, you connect it to your Cloudflare account with your Cloudflare Tunnel Token.
You can view your Tunnel configuration in the Cloudflare Zero Trust dashboard under Networks > Tunnels. The Public Hostname tab for a tunnel lets you add as many hostnames as you like. I have one for Home Assistant and one for Baby Buddy now, both pointing to the same server IP, but in my case the Baby Buddy hostname is using a different port - the same port that I configured Baby Buddy to listen on in its HA addon configuration.
So the net result is that I have my HA hostname going to Home Assistant and my Baby Buddy hostname going to Baby Buddy directly, and they share the same tunnel and server IP but route to their respective ports.
It should go without saying that if you are doing this, you absolutely should not be exposing HA nor Baby Buddy to the internet in this manner without configuring additional security like Cloudflare Access authentication or mTLS beforehand.
There is a great summary of the issue in this comment on GitHub.
The proposed solution would have the Baby Buddy addon expose a configuration option for CSRF_TRUSTED_ORIGINS so Home Assistant Ingress, which presents Baby Buddy to the user via the addon, can identify itself as a trusted origin to Baby Buddy.
Anyway, progress against this issue will continue to be tracked in #81: CSRFv verification failed.