Login attempt failed from my phone, high occurrences

Hi all,
I had the message this morning:

Login attempt or request with invalid authentication from 192.168.0.XY (192.168.0.XY). See the log for details.

The log says the following:
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:116
Integration: HTTP (documentation, issues)
First occurred: 08:30:32 (2516 occurrences)
Last logged: 08:54:52

Login attempt or request with invalid authentication from 192.168.0.XY (192.168.0.XY). (okhttp/4.9.0)

The IP belongs to my cell phone running the Homeassistant app.
Should I be worried? I find the number 2516 of access attempts very high.
Banning the IP does not make sense, because it is my cell phone.

Currently I am using Home Assistant with no external access.

I get that a lot from my phone as well. I'll open the app (Android) and see the yellow bubble saying there is a notification which says “invalid log from blah blah blah…a few seconds ago” even though the app works fine.

No “solution” for this? Everyone still accepting it? :frowning:

I get this too, not from the app, but from the HA websocket API (which I use on my phone UI). The reason seems to be that while the phone is sleeping, a temporary access token expires. Since the phone / app is not running, it cannot renew it right away. Once you wake the phone to access HA again, it will try with the temp token it still has. Since it is expired, HA will log an invalid attempt. But the auth system simply proceeds in requesting a new temporary token and continues to run normally. Does the HA app use the websocket API too? If so, it could be a similar problem.

It’s very annoying. I’m using Fully Kiosk to display my HA UI on my phone, and I created a custom user agent string. At least then I know that the failed attempt was me (HA shows the user agent string in the notification).

That's the first description I read about that makes pretty much sense to me :+1:
So… what to do next? Any way to play around with long life tokens, or a bad idea?

Just another issue I'm wondering so much why the HA core team does not care about.

Long lived access tokens solve the problem entirely, but they should only be used for devices on your LAN. So they’re great for things like wall mount tablets. But for remote access they’re a bad idea, for obvious security reasons.

Welp, your post reminded me how annoying this issue was. I ended up fixing it for my use case with an ugly (but pretty effective) workaround hack. I patched HA and added a filter to suppress the notification under certain circumstances. If the IP originated from a local subnet, for example (this should work for the OP). Or if the user agent string contains a specific UID that identifies a device owned by me. For security reasons, only the first occurrence is suppressed, as the auth token will be renewed after the device wakes up. If more than one failed attempt occurred in a row, then it probably is an actual intrusion attempt.

The relevant code is in components/http/ban.py, process_wrong_login(). You can easily filter on remote_addr or user_agent. The IP banning that follows the notification should probably be left intact even for filtered cases, in case someone gets into your local network.
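The filtering rule described in the post above, written out as an added standalone illustration (this is not Home Assistant's own ban.py, whose process_wrong_login() has a different signature); the trusted subnet, the user-agent UID and the ban threshold are assumed values:

```python
# Standalone illustration of "suppress only the first failed login from a
# trusted device, but keep counting toward the IP ban". Not HA code.
from collections import defaultdict
from ipaddress import ip_address, ip_network

TRUSTED_SUBNETS = [ip_network("192.168.0.0/24")]   # assumed LAN range
TRUSTED_AGENT_UIDS = ["fk-kitchen-tablet-7f3a"]     # assumed UA marker (e.g. Fully Kiosk custom UA)
BAN_THRESHOLD = 5                                    # assumed consecutive failures before ban


class WrongLoginFilter:
    def __init__(self, subnets=TRUSTED_SUBNETS, agent_uids=TRUSTED_AGENT_UIDS,
                 threshold=BAN_THRESHOLD):
        self.subnets = subnets
        self.agent_uids = agent_uids
        self.threshold = threshold
        self.failures = defaultdict(int)   # consecutive failures per remote address
        self.banned = set()

    def is_trusted(self, remote_addr, user_agent):
        """True if the source is on a trusted subnet or carries a known device UID."""
        try:
            addr = ip_address(remote_addr)
        except ValueError:
            return False
        if any(addr in net for net in self.subnets):
            return True
        return any(uid in (user_agent or "") for uid in self.agent_uids)

    def process_wrong_login(self, remote_addr, user_agent):
        """Record one failed login; return (notify_user, ban_ip)."""
        self.failures[remote_addr] += 1
        count = self.failures[remote_addr]
        # Banning is never filtered: a burst from the LAN could still be an intruder.
        ban = count >= self.threshold
        if ban:
            self.banned.add(remote_addr)
        # An expired temporary token yields exactly one failure before renewal,
        # so only the first consecutive failure from a trusted device is silenced.
        notify = not (self.is_trusted(remote_addr, user_agent) and count == 1)
        return notify, ban

    def successful_login(self, remote_addr):
        """A successful login (token renewed) resets the consecutive-failure counter."""
        self.failures.pop(remote_addr, None)
```

With this rule a run like the 2516 entries in the opening post would still notify from the second failure on, since only a single consecutive failure is ever silenced.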