Feautue "Can only log in from the local network"

wupperbra · August 20, 2022, 7:38am

Hi,
what is that feature for (settings - people). I cannot find anything in the documentation. And google is not veryhelpful too (proxy-feature?, outdated posts?).
Need information / help
thank you so much
wupperbra

tom_l · August 20, 2022, 7:50am

Seems pretty self explanatory. If set, then a user can only log in to Home Assistant when connected to the local network. Not if connected remotely, from outside your local network by some means, be it DuckDNS Nabu Casa or other method.

wupperbra · August 20, 2022, 7:52am

Thank you, sometimes it’s too easy.

mateuszdrab · August 23, 2022, 8:05pm

Well, actually, not that easy - there are always technical aspects behind such features and lots of what-ifs and etc.
I can’t find any documentation talking about how this actual feature works.
I am logged into an instance of HASS with my credentials saved so I don’t have to login everytime I close the browser. My friend enabled the ‘can only log in from the local network’ setting on my user yet I’m still allowed in.
I suspect this only takes effect at logon time - rendering it useless.

megatrooooon · November 21, 2022, 10:13am

I encounter same issue, Once you login in once locally and try the app/browser will save the token for the login!, then you can login from anywhere

This definitely kind of useless!

owendelong · November 28, 2023, 7:27am

My more basic question is how is the “local network” determined? Is it by IP/Netmask? (If so, that’s a problem in a house like mine with multiple subnets). Is it by Private vs. Public address assumptions? (If so, that’s a problem in a house like mine where some (most) of the subnets, including the one where HA server lives have public addresses). Is it by use of a proxy service or not? (If so, that seems to be somewhat inherently identical to the previous assumption with a twist, so also not very helpful.).

Other mechanisms I can think of are variants of the above themes (e.g. in the same broadcast domain, within range of an ff02:: multicast from he HA server, etc.)

Honestly, I’m stumped as to how this could be meaningfully implemented across all likely (let alone all possible) environments.

lscarneiro · January 25, 2024, 6:04am

Welp, definitely not a “self explanatory” feature.
I just enabled that for a new user, and tried to login from my local network on a incognito window and saw “Error: Login blocked: User cannot authenticate remotely” right away.

I wonder if Home Assistant running on a Docker Container (with “host” network) might be enough to trigger a “remote environment”, even if I hit the local URL…

EDIT: Turns out if I try accessing by IP (not via homeassistant.local or equivalent) the user can in fact log in. If anyone reading this is interested in understanding how HA decides if it’s local or not, just search for async_user_not_allowed_do_auth function on homeassistant/components/http/auth.py on the core GitHub repository

bratanon · January 26, 2024, 11:28pm

Also, what does it mean in terms of connectivity when using the companion app?

I mean, can you be logged out and still send location and other sensor data to the server?

My use case is: I want my bonus children to be able to disarm the alarm and toggle their own lights using the companion app, but only every second week when we have care for them, and only when they are “near” the house (ie on our LAN).