Given the login security vulnerability introduced by the new user login method, pertinent to some advanced environments, we need a way to enable/disable the use of the new login method.
Let us decide which login method we prefer. Legacy or New.
Edwinner
(Edwinner)
December 10, 2023, 8:02am
2
This new login page is a disgrace to security.
Please fix this ASAP. In my eyes this is not a feature request but a security flaw. If this page had been there when I started Home Assistant, I would have chosen another solution.
This is not a feature request. This is a MAJOR security issue. That this flagrant flaw in security is “only” in the internal network is not up for debate. Internal network security issues are well-known to be the most exploited and underestimated issues. UNBELIEVABLE we have to put up with this mandatory security reduction. And even more blatant is the fact that this is packaged as a “beautiful new login page”.
The login page should be even more anonymized, so that the fact that it is a Home Assistant page is not even visible.
9 Likes
thecode
(Shay)
December 11, 2023, 1:23pm
3
I do not support the suggestion here. I think the new login method should be reverted as soon as possible, not made optional; later, when there is an evaluation of the impact, it can be made optional to be enabled (default disabled).
I will not disclose here, but I did a quick test and found an impacted system (a system that is accessible from the internet which now shows the user). While it is 100% a user misconfiguration fault, a project that puts “privacy” as one of its most important subjects should not create an impact on security just because it is the user's fault.
6 Likes
odwide
December 12, 2023, 5:53am
4
Not only are the user display names and the profile pictures exposed but also the internal user ids. Open a private window and hit the new public endpoint /api/person/list:
http://<home assistant URL>:<port>/api/person/list
3 Likes
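An audit helper for the exposure described in the post above: it requests the endpoint with no credentials, exactly as an anonymous visitor would, and reports whether person records come back. This is an added example, not Home Assistant project code; the record field names and the accepted response shapes (a bare JSON list, or an object whose values are lists) are assumptions, and the sample response is constructed.

```python
"""Check whether a Home Assistant instance answers /api/person/list
without authentication. Added example, not project code."""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/api/person/list"

# Constructed sample of what an exposed instance might return (field
# names are assumptions, not the real schema).
SAMPLE_EXPOSED = b'[{"id": "u1", "name": "Alice", "picture": "/a.png"},' \
                 b' {"id": "u2", "name": "Bob", "picture": null}]'


def classify(status: int, body: bytes) -> dict:
    """Map an HTTP status and body to an audit verdict.
    'exposed' = anonymous request returned person records,
    'protected' = auth required, 'absent' = endpoint gone (2023.12.3+)."""
    if status in (401, 403):
        return {"verdict": "protected", "count": 0}
    if status == 404:
        return {"verdict": "absent", "count": 0}
    if status != 200:
        return {"verdict": "unknown", "count": 0}
    try:
        data = json.loads(body)
    except ValueError:
        return {"verdict": "unknown", "count": 0}
    if isinstance(data, list):
        persons = data
    elif isinstance(data, dict):  # assumption: lists nested under keys
        persons = [p for v in data.values() if isinstance(v, list) for p in v]
    else:
        persons = []
    return {"verdict": "exposed" if persons else "empty", "count": len(persons)}


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch the endpoint with no Authorization header and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 401/403/404 arrive here
        return classify(err.code, err.read())


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else classify(200, SAMPLE_EXPOSED))
```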
thecode
(Shay)
December 14, 2023, 8:44pm
5
Just got an update that the login screen is now disabled, more info in
home-assistant:dev
← home-assistant:frenck-2023-1506
opened 05:56PM - 14 Dec 23 UTC
## Proposed change
This PR disables the ability to log in using the user profile on the login page.
More details with reasoning behind this will be published separately from this PR in a blog post.
Before & after screenshot:
![CleanShot 2023-12-14 at 18 55 32@2x](https://github.com/home-assistant/core/assets/195327/a6a14c4e-e937-4792-9735-173c1ae47530)
ℹ️ This PR focusses on the minimal change set to make this happen while making the linters and tests happy.
## Type of change
- [ ] Dependency upgrade
- [ ] Bugfix (non-breaking change which fixes an issue)
- [ ] New integration (thank you!)
- [ ] New feature (which adds functionality to an existing integration)
- [ ] Deprecation (breaking change to happen in the future)
- [x] Breaking change (fix/feature causing existing functionality to break)
- [ ] Code quality improvements to existing code or addition of tests
## Additional information
- This PR fixes or closes issue: fixes #
- This PR is related to issue:
- Link to documentation pull request:
## Checklist
- [x] The code change is tested and works locally.
- [x] Local tests pass. **Your PR cannot be merged unless tests pass**
- [x] There is no commented out code in this PR.
- [x] I have followed the [development checklist][dev-checklist]
- [x] I have followed the [perfect PR recommendations][perfect-pr]
- [x] The code has been formatted using Ruff (`ruff format homeassistant tests`)
- [x] Tests have been added to verify that the new code works.
If user exposed functionality or configuration variables are added/changed:
- [ ] Documentation added/updated for [www.home-assistant.io][docs-repository]
If the code communicates with devices, web services, or third-party tools:
- [ ] The [manifest file][manifest-docs] has all fields filled out correctly.
Updated and included derived files by running: `python3 -m script.hassfest`.
- [ ] New or updated dependencies have been added to `requirements_all.txt`.
Updated by running `python3 -m script.gen_requirements_all`.
- [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
- [ ] Untested files have been added to `.coveragerc`.
To help with the load of incoming pull requests:
- [x] I have reviewed two other [open pull requests][prs] in this repository.
[prs]: https://github.com/home-assistant/core/pulls?q=is%3Aopen+is%3Apr+-author%3A%40me+-draft%3Atrue+-label%3Awaiting-for-upstream+sort%3Acreated-desc+review%3Anone+-status%3Afailure
[dev-checklist]: https://developers.home-assistant.io/docs/development_checklist/
[manifest-docs]: https://developers.home-assistant.io/docs/creating_integration_manifest/
[quality-scale]: https://developers.home-assistant.io/docs/integration_quality_scale_index/
[docs-repository]: https://github.com/home-assistant/home-assistant.io
[perfect-pr]: https://developers.home-assistant.io/docs/review-process/#creating-the-perfect-pr
1 Like
johnBoy
(john R)
December 14, 2023, 9:40pm
7
It would be nice to get rid of the daft squiggly blue lines as well.
tom_l
December 14, 2023, 11:08pm
8
Closed as feature removed in 2023.12.3
3 Likes