Login method: select from legacy or new

Given the login security vulnerability introduced by the new user login method, pertinent to some advanced environments, we need a way to enable/disable the use of the new login method.

Let us decide which login method we prefer. Legacy or New.

This new login page is a disgrace to security.

Please fix this ASAP. In my eyes this is not a feature request but a security flaw. If this page had been there when I started Home Assistant, I would have chosen another solution.

This is not a feature request. This is a MAJOR security issue. That this flagrant flaw in security is “only” in the internal network is not up for debate. Internal network security issues are well-known to be the most exploited and underestimated issues. UNBELIEVABLE we have to put up with this mandatory security reduction. And even more blatant is the fact that this is packaged as a “beautiful new login page”.

The login page should be so anonymized that the fact that it is a Home Assistant page is not even visible.

9 Likes

I do not support the suggestion here; I think the new login method should be reverted as soon as possible, not made optional. Later, when there is an evaluation of the impact, it can be made optional (default disabled).

I will not disclose here, but I did a quick test and found an impacted system (a system that is accessible from the internet which now shows the user). While it is 100% a user misconfiguration fault, a project that puts “privacy” as one of its most important subjects should not create an impact on security just because it is the user's fault.

6 Likes

Not only are the user display names and the profile pictures exposed but also the internal user ids. Open a private window and hit the new public endpoint /api/person/list:

http://<home assistant URL>:<port>/api/person/list

3 Likes
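For anyone who wants to confirm that their own instance no longer answers this endpoint without a token, here is an added example (not code from this thread or from the Home Assistant project). It fetches `/api/person/list` with no `Authorization` header and classifies the reply. The response shape it expects (a JSON list of objects with `id`, `name` and `picture` keys) is an assumption made for the example, as are the sample bodies, which are constructed rather than captured from a real system.

```python
"""Check whether a Home Assistant instance serves /api/person/list unauthenticated.

Added example; the JSON field names below are assumed for illustration.
"""
import json
from urllib import error, request

# Field names assumed to carry the data the thread describes as exposed.
SENSITIVE_FIELDS = ("id", "name", "picture")


def classify_person_list_response(status: int, body: bytes) -> dict:
    """Turn one HTTP reply into a finding.

    A 401 or 403 means the endpoint demands authentication, which is the
    desired state. A 200 with a list of person records means the instance
    leaks display names, pictures and internal ids to anyone who can reach it.
    """
    finding = {"exposed": False, "records": 0, "fields": []}
    if status in (401, 403):
        return finding
    if status != 200:
        finding["note"] = f"unexpected status {status}"
        return finding
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        finding["note"] = "non-JSON body"
        return finding
    if not isinstance(data, list):
        finding["note"] = "unexpected JSON shape"
        return finding
    fields = set()
    for rec in data:
        if isinstance(rec, dict):
            fields.update(f for f in SENSITIVE_FIELDS if rec.get(f))
    finding["records"] = len(data)
    finding["fields"] = sorted(fields)
    finding["exposed"] = bool(data) and bool(fields)
    return finding


def check_instance(base_url: str, timeout: float = 5.0) -> dict:
    """Query your own instance with no credentials and classify the answer."""
    url = base_url.rstrip("/") + "/api/person/list"
    req = request.Request(url, headers={"Accept": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return classify_person_list_response(resp.status, resp.read())
    except error.HTTPError as e:
        # urllib raises on 4xx/5xx; the status code is still what we want.
        return classify_person_list_response(e.code, e.read())


# Constructed sample replies (not captured from any real instance).
EXPOSED_SAMPLE = json.dumps([
    {"id": "abc123", "name": "Alice", "picture": "/local/alice.jpg"},
    {"id": "def456", "name": "Bob", "picture": None},
]).encode("utf-8")
SAFE_SAMPLE = b'{"message": "Unauthorized"}'

if __name__ == "__main__":
    print(classify_person_list_response(200, EXPOSED_SAMPLE))
    print(classify_person_list_response(401, SAFE_SAMPLE))
    # check_instance("http://homeassistant.local:8123") against your own box
```

Run `check_instance` only against an instance you administer; a result with `exposed` set to `True` on an internet-reachable host means the reverse proxy or the core version still hands out the person list before login.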

Just got an update that the login screen is now disabled, more info in

1 Like

↑ Best news ↑

It would be nice to get rid of the daft squiggly blue lines as well.

Closed as feature removed in 2023.12.3

3 Likes