There has always been a problem with Home Assistant (even if you never noticed it) and using HTTP basic authentication in regard to the Javascript Service Worker. Basically the whole idea of service workers (not just in Home Assistant) is half-baked with HTTP AUTH. It is broken in both Chrome and Firefox with both not having any intention of fixing them. Basically this used to work by accident in Home Assistant and now that the authentication scheme has been changed it no longer works. I have had issues with the service worker Basic HTTP Auth and Chrome for much longer than 0.77 which required me to go to the service worker page in Chrome ( chrome://serviceworker-internals ) and delete the Home Assistant service worker before the page would render (or you can delete all data stored in Chrome) (weird side note, if I opened the dev tools in Chrome and did a shift-refresh it also seemed to work but only if I had the dev tools open). Firefox also appears to work after you delete all stored data. Of course all of this deleting works with Home Assistant 0.76, not 0.77.
For the interim I have downgraded to 0.76 and I think that many people using Basic HTTP Auth have done the same. I guess I will re-evaluate when 0.78 rolls out but I do not think there is anything planned to address this specifically.
If you are removing the HTTP Basic Auth from NGINX then you should not need to downgrade from 0.77. I wanted to keep the authentication in NGINX so I had to downgrade for now (with the limitations that I already noted). I have not had a chance to see if the changes between 0.77.2 and 0.77.3 fixed the problem I had where I was stuck in an authentication loop.
Issue #6184 documents the web socket not handling the 401 response code as far back as Home Assistant 0.38.3. The problem then manifests as the Home Assistant UI layer displaying its own login dialog (I believe this may be different starting with 0.77) when it encounters an error. I doubt this is something that will change as balloob has stated “Home Assistant will not decrease the experience of the 99% to cover an edge case.”
I had some time today to sit down and try to work through this and ended up with something I can live with for the time being using 0.77.3. The solution is not ideal and I do not believe that it will work for everyone but it is making the best of the situation.
I set up the Home Assistant trusted_network auth provider and set the trusted network to include the IP of my NGINX reverse proxy. Yes, I know that this is essentially disabling the Home Assistant security as Home Assistant is receiving the IP of the reverse proxy and not of the actual client accessing the page. I am still using HTTP Basic Auth in NGINX so I am not concerned about this.
NOTE - Temporarily, you will need to also add the Home Assistant homeassistant auth provider as well. There appears to be a bug (I plan to write this up in GitHub shortly) where the initial onboarding process where you create the first user cannot complete without the homeassistant auth provider being configured.
From here I am able to use the browser to select the trusted network login and then save this as my preference (this was broken in 0.77.2 and fixed in 0.77.3). I do still have the limitations I noted earlier about problems with the service worker and needing to clear the local data which also deletes the authentication selection preference.
The issue I was having with the authentication loop appears to be a bug in Chrome that has been fixed at some point. I was using an Android emulator to test my scenarios and was running into the authentication loop. I tried a newer emulator image and the problem went away so I am not going to chase down that ghost.
In the end I wrote a thin wrapper Android app that just navigates to my Home Assistant page. Every time the app starts it deletes its’ stored service workers which circumvents the problems I noted earlier with using HTTP Basic Auth. Maybe there are Chrome or Firefox extensions that do something similar?
Yes, I did see this as it was posted in right in the release announcement for 0.77. It is not the same issue that we are discussing here. The problem that we are having is related to the usage of HTTP Basic Auth in NGINX and the problems it causes with the service worker and websockets not re-authenticating properly.
Just going to add a “me too” here. Read a bunch of threads here and github on this problem, many of which are over my head, and don’t see a solution. Overview page loads, but getting things like history results in continual auth prompts.
I just jumped to 0.95.4 and primarily testing from chrome on android.
It’s a shame as I really don’t plan on relying on HASS built in auth to protect from the outside world, and don’t want to rely on yet another cloud service for auth (defeats the point of local HASS).
My partial workaround is to run a PPTP VPN on my android, but it would be nice if I could easily use ANY device, and not just my phone where the VPN is configured.
I can’t tell if it’s a HASS problem, a chrome problem, an NGINX problem, or something in between. Does anyone have a solid explanation of where the problem is, so I can stop looking for a solution and give up in peace?
