Recently, I started noticing that all my client applications (Android & web) are throwing errors like the following upon opening after a period of time (guessing past the length of the original token). This happens on both the internal network, direct access, as well as through my remote proxy.
Internal request from web (requesting ip in my subnet):
2021-07-24 08:05:25 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36)
External request from Android (requesting ip is my phone’s public ip from wireless provider):
2021-07-23 13:37:40 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx). (Mozilla/5.0 (Linux; Android 11; SM-G981U1 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/91.0.4472.164 Mobile Safari/537.36)
I’m running HA behind Traefik, and have the following http configuration:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.0/24 # Docker network
I found a bunch of other similar topics in search, but nothing really fit the exact conditions, and also none of the resolutions worked. On the devices, I don’t actually see any login errors; the apps just show the initialization screen for a second and then load fine. Also, as noted above, it definitely seems related to stale sessions that need to be refreshed, as it doesn’t happen on first login after a clean install, and only happens after opening the app/webapp after a period of inactivity (not sure of the exact timeout offhand).