Invalid Authentication
The problem
When I open the companion app on my iPhone, I sometimes get a 'Login attempt or request with invalid authentication from...' error (see log below), which forces me to go through the onboarding sequence in the app (as if I have just installed the app).
What version of Home Assistant Core has the issue?
2021.9.7
What was the last working version of Home Assistant Core?
unknown
What type of installation are you running?
Home Assistant OS
Integration causing the issue
http
Link to integration documentation on our website
https://www.home-assistant.io/integrations/http
Example YAML snippet
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5
```
Anything in the logs that might be useful for us?
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:124
Integration: HTTP (documentation, issues)
First occurred: 8:08:39 AM (1 occurrences)
Last logged: 8:08:39 AM
Login attempt or request with invalid authentication from fe80::8af:a02c:71c5:1f7e (fe80::8af:a02c:71c5:1f7e). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)
Additional information
No response
http documentation http source (message by IssueLinks)
Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!
(message by CodeOwnersMention)
The User-Agent here for the invalid token is the frontend (we stuff the "Safari" word in there only for that case) -- makes me think this is likely a case where cameras in the frontend are triggering it.
When it happens I can access HA via Safari and Chrome using either http://homeassistant.local:8123 (on wifi) or https://mydomain.duckdns.org (on 4G) without problems. It is the companion app on the iPhone that is triggering this behaviour.
I do not have any cameras.
I'm not saying the app isn't the source; what I am saying is that the particular part of the app provoking this error is the frontend, which I can tell from the User-Agent. The way authentication works in the app for the frontend is slightly different than in other browsers on iOS.
I’m getting this as well, since upgrading to iOS 15 (not sure if that’s spurious). I’m running 2021.8.3 and didn’t change Home Assistant versions and it started happening.
iOS 15 is spurious, my partner got this error this morning and she’s still on 14.
So how do we resolve this issue, which has only recently started manifesting itself?
This morning I launched the app on my iPhone and it was not logged in. I went through all the steps to login.
I left the house and when I came back home it was logged out again.
Yeah, what kind of logging do you need?
Login with a username and password and not local network auth. You can verify the log out reason in App Configuration > Debugging > Event Log.
Okay, so I’m seeing a `Webhook failed with status code 403` and then a `Refresh token is invalid, showing onboarding` in the same second. Then another webhook failed. And many webhook failures after that.
the refresh token invalid has the following extra detail:
{
"error" : "serverError(statusCode: 403, errorCode: nil, error: Optional(\"403: Forbidden\"))"
}
checking my hass.io logs now
This seems related:
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:124
Integration: HTTP (documentation, issues)
First occurred: September 22, 2021, 11:29:36 (34 occurrences)
Last logged: 19:21:06
Login attempt or request with invalid authentication from a172-225-156-61.deploy.static.akamaitechnologies.com (172.225.156.61). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 104.28.28.14 (104.28.28.14). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from rev-proxy (172.16.235.60). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)
Login attempt or request with invalid authentication from a172-225-156-19.deploy.static.akamaitechnologies.com (172.225.156.19). (Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
Login attempt or request with invalid authentication from 172.16.236.206 (172.16.236.206). (Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Mobile/HomeAssistant, like Safari)
(I’m using Apple’s new VPN stuff, so I’m guessing that’s why the request is coming in from that host?)
That does sound like Apple's proxy stuff, yup. It comes through a list of effectively CDN providers, so Akamai being one of them makes sense. The other I'm aware of is Cloudflare.
I think the following are:
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1)
These are all Safari.app, not the Home Assistant app.
(Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari)
(Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Mobile/HomeAssistant, like Safari)
This is the Home Assistant app's frontend. Two different devices (one on iOS 15, one on iOS 14).
Best I can tell, the 403 error with that description (just "403: Forbidden") happens in the following situations:
- You're (already) banned under the IP banning strategy.
- You're using a login method which has made your access token become invalid.
Depending on your login method, the reasons for it differ, but if you're using trusted_networks being off the trusted network will definitely do it. If the app doesn't immediately give up on this scenario, it'll fill your logs with invalid login attempts and (for most people) get itself banned as the trusted_networks flow was changed at the beginning of 2021 to reject auth attempts outside those trusted networks.
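An added example (not code from Home Assistant or from any poster in this thread) that applies the User-Agent reading above to `homeassistant.components.http.ban` lines: it labels each failure by source address class and by client, using addresses and User-Agent strings quoted in this thread. The function names and the `>=` comparison against `login_attempts_threshold` are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# User-Agent strings and source addresses copied from the logs quoted in this thread.
UA_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1")
UA_APP = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Home Assistant/2021.8 (io.robbie.HomeAssistant; "
          "build:2021.216; iOS 15.0.0) Mobile/HomeAssistant, like Safari")
PREFIX = "Login attempt or request with invalid authentication from "
SAMPLE = [
    f"{PREFIX}104.28.28.14 (104.28.28.14). ({UA_SAFARI})",
    f"{PREFIX}rev-proxy (172.16.235.60). ({UA_APP})",
    f"{PREFIX}fe80::8af:a02c:71c5:1f7e (fe80::8af:a02c:71c5:1f7e). ({UA_APP})",
    f"{PREFIX}rate-limited-proxy-108-177-64-32.google.com (108.177.64.32). (OpenAuth)",
]
LINE_RE = re.compile(re.escape(PREFIX) + r"(?P<host>\S+) \((?P<ip>[^)]+)\)\. \((?P<ua>.*)\)$")

def classify_client(ua):
    """Label the client using the User-Agent markers pointed out in the thread."""
    if "Home Assistant/" in ua and "Mobile/HomeAssistant" in ua:
        return "companion-app-frontend"
    if "Version/" in ua and "Safari/" in ua:
        return "safari"
    return "other"

def classify_source(ip):
    """Label the address the ban logic saw: link-local, private, or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:
        return "link-local"
    return "private" if addr.is_private else "public"

def parse(lines):
    """Return (ip, source, client) for each line that matches the ban-log format."""
    out = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:
            out.append((m["ip"], classify_source(m["ip"]), classify_client(m["ua"])))
    return out

def over_threshold(entries, threshold=5):
    """IPs with at least `threshold` failures (assumed comparison; 5 is the thread's value)."""
    counts = Counter(ip for ip, _, _ in entries)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A private or link-local source paired with the companion-app frontend points at the device's own stale token, while a public source with a plain Safari User-Agent is a different client arriving through a relay or proxy.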
Where is this `trusted_networks` setting?
How do you log into your Home Assistant, when you get logged out? Do you pick a username out of a dropdown list, or do you enter a username/password? If it's the former, it'll be the trusted_networks in configuration.yaml somewhere.
I login via username/password.
same here, I’ve always used a username/password
Do either of you have http bans set up? The frontend can errantly use an old token which will cause the invalid auth log, which can then cause the app to see itself as banned and log out.
I have this in configuration.yaml:
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5
```
After my post of 3 days ago, I logged out of every browser/app on every device and removed all the refresh tokens from HA. The error has not come up again - for now.
So this is 100% connected to the ip_ban enabled for me. I suspect it's not directly related to the iOS app, but rather something else going on. I might dig into it over my Christmas holidays. From my perspective this can be closed.
Just wanted to share my experience. I am experiencing the same behavior (spontaneous logout) which especially triggers if I switch from WiFi to 4G (yet not all the time). I have IP banning disabled and am using Cloudflare but with Proxy off (I just use it as a simple DNS and my own SSL certificate). Furthermore, I have the same internal and external url. My router makes sure that my external ip loops back to my internal network.
In the logs I just see: Login attempt or request with invalid authentication from xxxxxx
EDIT: Tried setting up Google Assistant today. It appears to be triggering the same errors: Login attempt or request with invalid authentication from rate-limited-proxy-108-177-64-32.google.com (108.177.64.32). (OpenAuth)
I therefore think this issue is not related to iOS but is just triggered more often on iOS compared to Android (or desktop for that matter) due to some unknown reason. (please keep in mind I have IP banning disabled)
EDIT2: I have just tried to setup a reverse proxy in front of home assistant. Strangely enough now the problem does not appear anymore. I can use either WiFi or 4G and it works fine. The error as described in the first EDIT still appears though. Google home cannot login. Maybe this finding brings us closer to the issue.
Same issue here. I'm using Cloudflare for Teams for DNS filtering (although the Home Assistant is on the IoT VLAN, which uses normal Cloudflare / malware DNS without filtering).
client side (iOS 15.3) I can see that some domains are blocked so that might
My domain is also using Cloudflare, and I have very restrictive firewall settings (I just removed Cloudflare Access for troubleshooting). I removed most of the user agents in the firewall rules, although in my deny rules I have some:
user agent does not contain " Home Assistant/2", "Mozilla/5.0 (iPhone; CPU iPhone OS 1", "Mozilla/5.0 (Macintosh; Intel Mac OS X"
Here is my HTTP setup:
```yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12
    - 172.30.33.0/24
    - 172.30.0.0/16
    - 10.0.30.0/30
    # - 192.168.1.0/24
    - 10.0.0.200 # Add the IP address of the proxy server ##CloudFlare
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22
```
I have very random results; at one stage I was getting an IP ban every few minutes on different Cloudflare IPs.
In my case I'm using NPM but honestly I'm not too sure about the config template.
Also, I'm probably doing something wrong, but when I'm using trusted users, I'm booting in safe mode:
```yaml
auth_providers:
  - type: trusted_networks
    trusted_networks:
      - 172.16.0.1/24
    trusted_users:
      172.16.0.199:
        - ###############
    allow_bypass_login: true
  - type: homeassistant
```
end
more details and screenshot on the community post here : https://community.home-assistant.io/t/daily-log-off-and-issues-with-ios-companion-app/371681
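An added example (not part of the post above and not Home Assistant code) that audits address lists like the `trusted_proxies` and `trusted_networks` entries posted above: it reports entries Python's `ipaddress` module rejects, entries already covered by a broader one, and wide private ranges. The entries are copied from the post, with the Cloudflare ranges cut to two; the function name `audit` and the /24 cut-off are assumptions of the example.

```python
import ipaddress

# Entries copied from the trusted_proxies and trusted_networks lists posted above
# (Cloudflare ranges shortened to two entries for the example).
TRUSTED_PROXIES = ["127.0.0.1", "::1", "172.16.0.0/12", "172.30.33.0/24",
                   "172.30.0.0/16", "10.0.30.0/30", "10.0.0.200",
                   "173.245.48.0/20", "172.64.0.0/13"]
TRUSTED_NETWORKS = ["172.16.0.1/24"]

def audit(entries):
    """Return (invalid, redundant, wide_private) findings for a list of CIDR strings."""
    invalid, nets = [], []
    for text in entries:
        try:
            # Strict parsing: an entry with host bits set (x.x.x.1/24) raises ValueError.
            nets.append(ipaddress.ip_network(text))
        except ValueError:
            invalid.append(text)
    # Entries fully contained in another entry add nothing to the list.
    redundant = []
    for net in nets:
        for other in nets:
            if net != other and net.version == other.version and net.subnet_of(other):
                redundant.append((str(net), str(other)))
    # With use_x_forwarded_for enabled, requests from any address in a trusted range
    # have their X-Forwarded-For header honoured, so wide private ranges deserve review.
    wide_private = [str(n) for n in nets
                    if n.version == 4 and n.is_private and n.prefixlen < 24]
    return invalid, redundant, wide_private

if __name__ == "__main__":
    print("trusted_proxies :", audit(TRUSTED_PROXIES))
    print("trusted_networks:", audit(TRUSTED_NETWORKS))
```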
If you use a trusted network/user and leave the trusted network, you will be signed out; log in with a username/password instead.
For the rest, it would be useful to see if the app is logging the underlying error in its event log. Go to App Configuration > Debugging > Event Log; when logging out it'll put the reason there. You can tap in for more details.
It is also worth seeing if you can grab the access/error logs from your proxy/cloudflare. Any 403 in the middle (which it may be doing) will log you out.
Thanks for replying. So for my case Cloudflare's features have been disabled, I just use the DNS. Therefore I won't have any logs on Cloudflare; this makes troubleshooting easier, I think.
This is the log message I found:
{ "error" : "serverError(statusCode: 403, errorCode: Optional(\"access_denied\"), error: Optional(\"User cannot authenticate remotely\"))" }
Based on the below image you can see I'm getting this quite often making home assistant completely untrustworthy when I leave the house:
Is there a way to disable the trusted network stuff? I'd like to be able to easily access my home assistant from anywhere in the world.
Choose the username & password login method rather than trusted user when signing in. It will be a link at the bottom.
I think you misunderstand. I have never set up anything related to trusted users or trusted networks, and I have always logged in using a username + password combination and never with anything else. My configuration is very plain if you look at the "homeassistant" and "http" sections of my config:
```yaml
homeassistant:
  external_url: "<REDACTED>"
  auth_providers:
    - type: homeassistant
http:
  ssl_certificate: <REDACTED>
  ssl_key: <REDACTED>
  ip_ban_enabled: false
```
I have, compared to when I made my previous post, removed the reverse proxy setup again as it seems to have been a fluke to say that it works better with the proxy. My first post about reporting the issue was also without a reverse proxy setup, so the issue exists regardless.
"User cannot authenticate remotely" appears to be an error message which exclusively exists for "local only" users, which was a new feature in 2021.11. See here for the toggle you'll need to turn off: https://www.home-assistant.io/blog/2021/12/11/release-202112/#users-that-can-only-log-in-from-the-local-network
And there we go, that setting was enabled on my users! Disabling it and testing a few times back and forth shows it's working right now. Also my Google Assistant connected right away now. Thanks a lot, this seems to solve the problem completely for me.
Now, not to be an asshole, but this GitHub issue should then actually be exactly the opposite, as I was able to log in several times with this "local only" user even though I was on 4G (i.e. outside my local network). It seems that retrying to log in a few times will bypass the local check. Though I'm not bothered by that.
Unfortunately I do not believe this is the resolution. I have the same exact errors in my logs, however my user did not have that setting enabled.
This "login attempt or…" log is now additionally showing up, I believe, due to a workaround for iOS 15's issues with the frontend becoming stale; there's a few different things occurring in this ticket.