Mobile apps banned, how to find what is requesting this offending URL?

Recently both my pixel phones are continually banned with the message – even though until the ban, everything seems to function. I don’t know where that URL is coming from. Any idea where to look?

Login attempt or request with invalid authentication from Pixel-8.home (192.168.1.164). Requested URL: '/api/template'. (Mozilla/5.0 (Linux; Android 14; Pixel 8 Build/AP2A.240805.005.B1; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.143 Mobile Safari/537.36 Home Assistant/2024.7.3-13278 (Android 14; Pixel 8))

I am not importing anything into the dashboard. Trawling through the code on my server, I don’t see that URL anywhere, though it could be built up. Only happens on my Android mobile app – no other devices get banned. I have upped the ip_ban limit to over 100 and it will still happen. Does not seem to matter if I am on the internal or external network. I confirmed no windows / tabs open on the phone browsers.

Things I tried: completely uninstalling and reinstalling mobile app, deleting all tokens, and relogging in, re-setup of sensors, deleting cache/data … I’ve tried other solutions posted as well.

My configuration is:


http:
    ip_ban_enabled: true
    login_attempts_threshold: 100
    use_x_forwarded_for: true
    trusted_proxies:
        - 192.168.1.0/24  # Local Lan
        - 192.168.66.0/24  # VPN Lan
        - 172.16.0.0/12  # Docker network
        - 127.0.0.1   # local machine
        - ::1
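
One way to narrow down the question in the post above, as an added example that is not part of the original thread and not Home Assistant's own code: parse the failed-authentication warnings out of the log and group them by source IP, requested URL and client. The regular expression follows the single log line quoted above; the function names, timestamps and the second client are constructed for illustration.

```python
import re
from collections import Counter

# Shape of the warning quoted in the first post; matched with search() so any
# timestamp or logger prefix in front of it is ignored.
FAILED_AUTH = re.compile(
    r"Login attempt or request with invalid authentication from "
    r"(?P<host>\S+) \((?P<ip>[0-9A-Fa-f.:]+)\)\. "
    r"Requested URL: '(?P<url>[^']*)'\. \((?P<agent>.*)\)\s*$"
)
APP_TAG = re.compile(r"Home Assistant/(\S+)")  # app version tag seen in the quoted UA

def classify(agent):
    """Label the client from its user agent; '; wv)' is Android's WebView marker."""
    app = APP_TAG.search(agent)
    if not app:
        return "other"
    return f"app {app.group(1)}" + (" (webview)" if "; wv)" in agent else "")

def summarize(lines, threshold=100):
    """Count failed-auth warnings per (ip, url, client), most frequent first."""
    counts, per_ip = Counter(), Counter()
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            counts[(m["ip"], m["url"], classify(m["agent"]))] += 1
            per_ip[m["ip"]] += 1
    # Assumption: an IP is banned once its failures reach login_attempts_threshold.
    return [{"ip": ip, "url": url, "client": c, "count": n,
             "reaches_threshold": per_ip[ip] >= threshold}
            for (ip, url, c), n in counts.most_common()]

# The app user agent is copied from the post; timestamps, the second host and
# its user agent are constructed sample data.
UA_APP = ("Mozilla/5.0 (Linux; Android 14; Pixel 8 Build/AP2A.240805.005.B1; wv) "
          "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.143 "
          "Mobile Safari/537.36 Home Assistant/2024.7.3-13278 (Android 14; Pixel 8)")
LINE = ("{ts} WARNING Login attempt or request with invalid authentication "
        "from {host} ({ip}). Requested URL: '{url}'. ({ua})")
APP = dict(host="Pixel-8.home", ip="192.168.1.164", url="/api/template", ua=UA_APP)
SAMPLE = [
    LINE.format(ts="2024-08-20 09:14:02", **APP),
    LINE.format(ts="2024-08-20 09:14:03", **APP),
    LINE.format(ts="2024-08-20 09:20:41", host="laptop.home", ip="192.168.1.50",
                url="/api/states", ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/129.0"),
    "2024-08-20 09:21:00 INFO unrelated line",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, threshold=2):
        print(row)
```

Run against the real log with `summarize(open(path), threshold=100)`; the timestamps of the grouped lines can then be compared with what the phone was doing at that moment.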

Invalid authentication usually means you have the incorrect username/password when logging in with the mobile app. Did you double check it?
If you need to, you can reset your password here (with an already logged in device) to see if that works:
Open your Home Assistant instance and show your users.

@Scoop2389 this ONLY happens when the mobile app is logged in … Everything is working fine and then all of a sudden it fails. When I look in the logs, I see that error message above.

I don’t think I understand…
So, you are able to login with the mobile app?
Is it that you login with the mobile app successfully, then you randomly get logged out and the logs show that message?
You said “everything is working fine and then it fails”
Could you please clarify what is “everything” and what “it” is?
Thanks

@Scoop2389 Thanks! Sure let me clarify –

I login successfully with the mobile app and all dashboards, controls, cards, etc work fine (and have been so for a couple of years). Then seemingly randomly, the IP of my mobile device will be banned and when I look in the logs, I see the aforementioned errors.

Now if I try the mobile app I will just get 403/Forbidden.

Next, I deleted the ip from ip_bans and restarted HA

Now if I try the mobile app, it works correctly, without needing me to login again, indicating the token is still good.

Hope that helps


I see the same thing on occasion with the mobile apps for literally years. I’ve posted about it before and have gotten no response or acknowledgement that there is a problem.

I’ve disabled banning IPs so I don’t get banned. Not a great solution but I’ve kind of been forced into it. Luckily I haven’t been negatively affected by it security-wise.

So this issue persists, as in, it never works?

There is an issue where the session token refresh sometimes doesn’t happen as it should. For me it happens once every few days (on iOS).

For completeness’ sake, list your frontend, app and core versions.

@parautenbach, the mobile app works for a limited amount currently – previously it had been running for a year plus without any bans. Currently the IP is banned with the errors above after a couple of hours. If I unban the IP, without reauthenticating, the mobile app will work again, so I believe the token is and always was valid.

  • Core 2024.8.3
  • Frontend 20240809.0
  • App: 2024.7.3-full