I have an always-on iPad mounted on my wall with the Home Assistant Companion app running.
I’ve noticed that I get logged out automatically something like once an hour with an error notification that says:
Login attempt or request with invalid authentication from localhost (127.0.0.1). See the log for details.
When looking at the logs I see this warning:
2023-02-01 00:24:38.263 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2022.10.1 (io.robbie.HomeAssistant; build:2022.424; iOS 14.6.0) Alamofire/5.4.4)
This has been going on for a while and I’ve tried a bunch of things but haven’t been able to find the problem yet:
I switched authentication over to a trusted_network and gave the iPad a static IP. I hoped this would cut out the authentication process altogether, but it didn’t seem to change anything (config below).
# Attempt to workaround logout problem on ipad by giving a trusted static ip.
homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        # Trust the ipad's IP address
        - 192.168.86.105
      trusted_users:
        # Specify which user is allowed to access from ipad.
        192.168.86.105: user_id_blob_redacted
I zeroed out my dashboard in case there was some custom card doing something.
I cranked logging up to the ‘debug’ level and stared at logs for a while.
At this point I worry that I’m missing something silly, so I wanted to ask a couple questions:
Is there any normal reason why logouts would happen so frequently? A setting somewhere?
Any other logging I could look at to get more information on why this is happening?
Background:
Home Assistant running on a Raspberry Pi
Some custom cards installed and a couple of custom integrations via HACS but nothing crazy
Rather vanilla network setup. Just a Google WiFi and a plugged in iPad.
In the HA Settings > Companion App > Debugging > Event Log, search for “invalid” – it’ll log when the token is invalidated and you can tap into it to see why it was logged out.
Given the IP address you’re seeing as ‘invalid’ is 127.0.0.1, it’s cataloging all external requests on 127.0.0.1 instead of the real source IP. That’s likely your reverse proxy. I’m guessing another client is getting the original ban and that client is along for the ride.
I’ve seen ‘reverse proxy’ come up in other discussions on related topics. What exactly is a reverse proxy in this context?
Good call on tapping the companion app’s log. It’s full of: "serverError(statusCode: 403, errorCode: Optional(\"access_denied\"), error: Optional(\"User is local only\"))"
A reverse proxy is a server that forwards requests to Home Assistant and returns them. For example: nginx, Apache, Caddy, HAProxy. These things act as an intermediary for your server, and so you need to tell Home Assistant that their IP address is a trusted source for knowing it’s being forwarded.
Since it doesn’t know the proxy exists, and you’ve tagged that user as “local only”, it thinks they are trying to access the server remotely and it’s not allowing the app access which the app considers to be an event worth logging out for.
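Added example, not part of the original thread and not Home Assistant's own code: a simplified model of how a server behind a reverse proxy decides which address to attribute a request to, and why an allow-list keyed on the iPad's IP stops matching when the proxy is not declared as trusted. The function names and the proxy-on-127.0.0.1 layout are assumptions; the iPad address is the one from the posted config.

```python
from ipaddress import ip_address, ip_network

def attributed_ip(peer, xff, trusted_proxies):
    """Address a server attributes a request to (simplified model).

    peer: address of the TCP connection the server actually sees.
    xff: X-Forwarded-For header value, or None when absent.
    trusted_proxies: networks whose X-Forwarded-For header is believed.
    """
    nets = [ip_network(p) for p in trusted_proxies]

    def is_proxy(ip):
        return any(ip in net for net in nets)

    peer_ip = ip_address(peer)
    # The header can be set by any client, so it is believed only when the
    # connection itself comes from a proxy the operator has declared.
    if xff is None or not is_proxy(peer_ip):
        return peer_ip
    hops = [ip_address(h.strip()) for h in xff.split(",")]
    # Walk right to left: the right-most hop that is not one of our own
    # proxies is the last address a trusted proxy vouches for.
    for hop in reversed(hops):
        if not is_proxy(hop):
            return hop
    return hops[0]

def in_trusted_networks(ip, trusted_networks):
    return any(ip in ip_network(n) for n in trusted_networks)

# Constructed scenario: a proxy on the same host forwards the iPad's request.
IPAD = "192.168.86.105"   # address from the posted config
PROXY = "127.0.0.1"       # assumed: proxy runs on the Home Assistant host
TRUSTED_NETWORKS = [IPAD]

def scenario(trusted_proxies):
    ip = attributed_ip(PROXY, IPAD, trusted_proxies)
    return str(ip), in_trusted_networks(ip, TRUSTED_NETWORKS)

if __name__ == "__main__":
    print("proxy not declared:", scenario([]))
    print("proxy declared:    ", scenario([PROXY]))
    # A direct client that sets the header itself is still seen as its peer address.
    print("header from client:", attributed_ip("203.0.113.7", IPAD, [PROXY]))
```

In Home Assistant the corresponding settings are `use_x_forwarded_for` and `trusted_proxies` under the `http:` integration.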
Ok so when we talk about a reverse proxy we’re really talking about making my Home Assistant accessible over the internet, right?
If I have an iPad connected to a WiFi router and I have HA on a Raspberry Pi connected via Ethernet to that same router … how does a reverse proxy get into the mix? How is a request from a local 192.168 IP address showing up as 127.0.0.1?
Is my iPad somehow going over the internet to get to my HA install!?
So I think I can work around this by simply turning off the requirement that the device only log in locally. But I’m curious to investigate further if anyone has any tips.
Huh, I’m not sure why that thinks it’s 127.0.0.1. This part is a bit out of my wheelhouse to figure out. I think an addon might be, if you weren’t connecting to HA directly on 8123.
If I have some extra time I might try setting up a proxy to see all the HTTP traffic going to/from the iPad. I might also just uninstall addons and add them back one by one to find the offender.
In any case, I’m in good shape for the moment. Thanks for your help.
I have HA running on a Windows PC through a Hyper-V virtual machine. The computer IP is 192.168.178.25. But Hyper-V creates a bridge with IP .251.
For some reason when I select login local only, the iPad will log in but will get logged out within 1-5 minutes. I have tried everything to solve it but can’t