Every day I get notification in HA that a client from a certain IP could not login, the IP belongs to the mobile phone with the app and the app works just fine, login with fingerprints, HA is not open in any browser. This looks bizarre, any guesses why this may be happening?
Do you regularly leave the app on a page that has camera views? If so it is a known bug.
(something to do with caching the auth token for the camera views which subsequently expires)
The workaround is to make sure your cameras are on a different page and always go back to the home page before exiting the app.
ah yeah, there is a camera. Thanks for the explanation, the notification is not that much of a problem when I know why I am getting it.
Are there any updates on this, or main thread to follow? 12/feb/2021: Looks like it’s solved!
No idea tbh, but I still occasionally get them when my other half forgets to move off the camera page before closing the app so I guess it’s not been fixed yet
Does this behavior happen in the browser on the device too?
It’s only on mobile devices. When you close a browser/tab on a computer and then reopen your browser it opens a fresh instance. On a mobile the browser just ‘sleeps’ and the problem occurs when you wake it up.
It’s less of an issue on android because one naturally swipes/presses ‘back’ which exits the browser. But on ios they just press the ‘home’ button to close the browser, the next time they open the browser it tries to resume from where it left off, but if it was left on a page with camera feeds the tokens have expired.
(we presume that’s what causes it as it’s fairly reliable to reproduce and the number of failed login attempts seems to match the number of camera feeds on the page)
I don’t use iOS, but my wife does. She is constantly and innocently locking us out of Home Assistant forcing me to scrub ip_bans almost weekly. Now that I understand the issue is from expired tokens from repeated viewing video feeds in Lovelace, what do I ask her to do to exit the video feed other than the Home button?
Is this problem solvable, or just something we have to live with?
Put your camera feeds on a different tab than your homepage. Ask your wife to click back to the homepage before exiting the app.
If she’s anything like my other half it won’t eradicate the problem, but it will reduce it significantly.
Thanks Marc! Our 5 camera security feeds are on a separate static 5 picture element page (with the 10-second refresh), where each one can be tapped to open a live stream.
This live stream has an obvious X to close it so I don’t know for sure what she is doing to exit the view, if anything. She may just be leaving the view by going to another app causing the token to expire. At least now I know what to look for and ask her to do (and not to do).
The 5 static pictures will do it too. In fact, when this happens if you check the log it will likely show 5 failed logins one after the other, one for each of the cameras on the page. So what she needs to do is completely come away from any camera feeds and ‘leave’ the app from one of the other pages.
Oh! it’s a worse situation that I had thought. Thanks for the clarity this issue wasn’t limited to live view only.
This is getting out of hand over here, over 1700 ocurrences lately. I don’t have any camera feeds in my HA installation.
Any ideas what could be triggering it? Not a single problem on Windows/Android. Just the iPhone.
Upgraded to 2021.4.1 today and deleted some old tokens that weren’t used for weeks.
Up until now I only got the occasional failed login attempt.
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:116
Integration: HTTP (documentation, issues)
First occurred: 17:57:32 (1792 occurrences)
Last logged: 18:20:46
Login attempt or request with invalid authentication from xxxiPhone.lan (192.168.1.105). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.3 (io.robbie.HomeAssistant; build:2021.77; iOS 14.4.1) Mobile/HomeAssistant, like Safari)