Daily log off and issues with IOS companion app

Raspberry pi 4 (8gb ram)
Home Assistant 2021.12.4
iOS 15.3 / Home Assistant V 2021.12.1 (iOS)
Test Flight 2021/12.1 (2021.327)

I’m not sure what to do, I have many issue with the companion app on iPhone (prod version and TestFlight)

  1. I’m get logout very often (when I open the app I’m in the "welcome to home assistant iOS! page)

  2. when entering my username and password I often have to click “start over” a few time even though I entered my password correctly

Screenshot 2021-12-27 at 12.08.47

  1. when I connect I often have a error 403 (but not always)
    Screenshot 2021-12-27 at 12.09.31

  2. since the last few days I have new issues, sometime I have a message "connection lost. Reconnecting or I have to keep closing the app many time before the page load
    Dec-27-2021 12-31-45

I’m using NRM and Cloudflare (Cloudflare domain, SSL enabled) but I don’t think this is an issue, although I get a lot of warning with Cloudflare’s IP:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:124
Integration: HTTP (documentation, issues)
First occurred: 24 December 2021, 14:38:23 (32 occurrences)
Last logged: 26 December 2021, 17:18:58

Login attempt or request with invalid authentication from 172.70.91.94 (172.70.91.94). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.12.1 (io.robbie.HomeAssistant; build:2021.327; iOS 15.3.0) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from 172.70.85.219 (172.70.85.219). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.12.1 (io.robbie.HomeAssistant; build:2021.327; iOS 15.3.0) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from 172.70.85.205 (172.70.85.205). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 172.70.162.65 (172.70.162.65). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 162.158.159.111 (162.158.159.111). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1)

my configuration have cloudflare IP’s in the trusted proxies

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies: 
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12    
    - 172.30.33.0/24
    - 172.30.0.0/16
    - 10.0.30.0/30
   # - 192.168.1.0/24
    - 10.0.0.200      # Add the IP address of the proxy server ##CloudFlare
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22

here is my NPM config



to be honest I’m not sure about this last config, I copy past what I found on the web, but to be fair I have the same config for months:

When the app logs you out, it adds an entry to its event log in App Configuration > Debugging. You can tap into the event to see the reason for the logout. Unfortunately I do not know enough about your reverse proxy configuration to diagnose the particular issue, but receiving errant 403s is unexpected.

1 Like

Thank you, I didn’t think about this, it’s seems like there is a lot of invalid token



{
  "error" : "serverError(statusCode: 403, errorCode: nil, error: Optional(\"403: Forbidden\"))"
}

Somehow, I don’t think that my wife / kids have this issue (iPhones) though.

Also I’m also logged in safari and when I’m disconnected from the iOS app I’m still logged on safari (but that probably normal?)

Whatever the issue is - it’s probably the same thing that happens to me on my Chromebook.
If I open the Chromebook and it has Home Assistant web interface open before it has managed to connect to the WiFi - I will generally get logged out 9 out of 10 times, when it connects to WiFi. If I minimise the Web Interface BEFORE I close the Chromebook lid, and don’t open the web interface until it has fully connected to WiFi - then it works as expected.

It’s like it tries to refresh the token when it opens, but it can’t reach the server, and then it either drops the token or invalidates it. So when it does finally connect to the server, the token is not valid.


I wonder if my issues come from some DNS filtering like firebase-settings.crashlytics.com

I’d like to report that I’m having the exact same issue, but can offer a bit of information to replicate it better. It seems that a sudden IP switch triggers the logout. This becomes apparent when I switch from WiFi to 4G (e.g. when I walk out of my house while still using Home Assistant).

Problem description

  • When switching from WiFi to 4G, I get pushed back to the login screen
  • Logging in will present the exact screen(s) as the OP shows (note the “Start Over” button which gets me stuck)

My setup:

  • I have IP banning disabled
  • I am also using Cloudflare but with proxy disabled and my own SSL certificate. Cloudflare is simply acting as a DNS and nothing more.
  • Logs only show the message Login attempt or request with invalid authentication from xxxxxx

After some searching, I believe that this Github issue might be related:

1 Like

I think I’ve gotten to the bottom of this issue in my own instance. In my case, the same issue started with getting a new phone. Basically, I’d successfully log in using WiFi, it would work. I’d switch to Cellular and Nabu Casa would work for a while. Then it would stop.

As was mentioned above, I saw errors about expired/invalid token in the debug log.

It appears the root cause was, in my case, that I was connecting to HA with “trusted credentials” that are only available on my LAN. This would create a token that would remain valid for a period of time, even via Nabu Casa when I was on cellular. Once that token expired, there was no way to renew it if I wasn’t on the LAN

The simple solution was to log out and log in using my actual username and password rather than the trusted connection that doesn’t prompt me.

Apparently, the program saves those credentials and uses them to renew the token if there’s no trusted authentication mechanism available.

FEATURE REQUEST: if there are no stored credentials, force the user to log in at least once with their username and password rather than allowing a trusted login. Or, at least warn the user that none are stored and prompt them with the ability to use them.

In order to fix this, I had to set bypass_login to false in my configuration.yaml to even be prompted.

1 Like

Thank you @ratsputin so much for this post that’s clarified the exact problem we were having.