Urgent: Option NOT to Show Users on Logon Screen

megalotee · December 13, 2023, 4:42pm

Security fix:
Add option NOT to show the list of users on the logon screen.
In some cases, users should not even be shown locally.
E.g. in my setup, HA is accessed via a proxy, so it considers ALL access internal,
showing the user list to EVERYBODY trying the URL from the Internet.

A serious security risk.

freshcoast · December 13, 2023, 4:54pm

Add option NOT to show the list of users on the logon screen.

Already requested by

And it looks like an option is being added for release 2024.1.

This is a configuration problem. You need to properly configure X-Forwarded-For header in the proxy, and enable both detection of the header and trusted proxies in the HA configuration.

For example, I have this configured for my Traefik proxy in the docker network:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.0/24

steriku · December 13, 2023, 4:55pm

I can’t really help with the disablement of this feature, but if it is really that critical maybe you should roll back to the previous version.

Sir_Goodenough · December 13, 2023, 5:01pm

github.com/home-assistant/core

Add option for exposing users on local networks

home-assistant:dev ← home-assistant:edenhaus-auth-expose-option

opened 09:30AM - 12 Dec 23 UTC

edenhaus

+116 -6

## Breaking change  ## Proposed change  Extend homeassistant auth provider config by `expose_users_on_local_network` with the default value `True` to control if users should be exposed on local networks for the new login screen (added with #103906) When `expose_users_on_local_network=False`: - No username will be returned by `auth/providers` - `/api/person/list` will not be registered and therefore not available In addition, the `/api/person/list` endpoint will only be registred if homeassistant auth provider is configured. ## Type of change  - [ ] Dependency upgrade - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New integration (thank you!) - [x] New feature (which adds functionality to an existing integration) - [ ] Deprecation (breaking change to happen in the future) - [ ] Breaking change (fix/feature causing existing functionality to break) - [ ] Code quality improvements to existing code or addition of tests ## Additional information  - This PR fixes or closes issue: fixes # - This PR is related to issue: - Link to documentation pull request: ## Checklist  - [ ] The code change is tested and works locally. - [x] Local tests pass. **Your PR cannot be merged unless tests pass** - [x] There is no commented out code in this PR. - [x] I have followed the [development checklist][dev-checklist] - [x] I have followed the [perfect PR recommendations][perfect-pr] - [x] The code has been formatted using Ruff (`ruff format homeassistant tests`) - [x] Tests have been added to verify that the new code works. If user exposed functionality or configuration variables are added/changed: - [ ] Documentation added/updated for [www.home-assistant.io][docs-repository] If the code communicates with devices, web services, or third-party tools: - [ ] The [manifest file][manifest-docs] has all fields filled out correctly. Updated and included derived files by running: `python3 -m script.hassfest`. - [ ] New or updated dependencies have been added to `requirements_all.txt`. Updated by running `python3 -m script.gen_requirements_all`. - [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description. - [ ] Untested files have been added to `.coveragerc`.  To help with the load of incoming pull requests: - [x] I have reviewed two other [open pull requests][prs] in this repository. [prs]: https://github.com/home-assistant/core/pulls?q=is%3Aopen+is%3Apr+-author%3A%40me+-draft%3Atrue+-label%3Awaiting-for-upstream+sort%3Acreated-desc+review%3Anone+-status%3Afailure  [dev-checklist]: https://developers.home-assistant.io/docs/development_checklist/ [manifest-docs]: https://developers.home-assistant.io/docs/creating_integration_manifest/ [quality-scale]: https://developers.home-assistant.io/docs/integration_quality_scale_index/ [docs-repository]: https://github.com/home-assistant/home-assistant.io [perfect-pr]: https://developers.home-assistant.io/docs/review-process/#creating-the-perfect-pr

frenck · December 13, 2023, 6:14pm

All discussion around the new login page aside, if that is the case, you already have a security issue caused by a misconfigured/improper reverse proxy setup.

Make sure you pass along the X-Forwarded-For headers and set up the http integration as documented.

…/Frenck

tom_l · December 13, 2023, 10:57pm

Closing as a duplicate. See the second post in this topic for the place to vote and comment.