home-assistant
Login attempt or request with invalid authentication
iOS device model, version and app version
Model Name: iPhone 15 Pro Software Version: iOS 18.1 App version: 2024.934
Home Assistant Core Version 2024.11.1
Describe the bug Every now and then this notification pops up in Home Assistant:
Login attempt or request with invalid authentication from localhost (127.0.0.1). See the log for details.
When checking the logs, this comes from one of my iOS devices:
Logger: homeassistant.components.http.ban Source: components/http/ban.py:136 integration: HTTP (documentation, issues) First occurred: November 8, 2024 at 23:20:21 (2 occurrences) Last logged: November 8, 2024 at 23:20:22
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2024.10 (io.robbie.HomeAssistant; build:2024.934; iOS 18.1.0))
The iOS version and the TestFlight build number make it clear that it's me and not someone else trying to hack my network.
So far every time I saw the error it was pointing to /api/websocket
To Reproduce Sadly I don't have repro steps, but it seems to affect a large number of people: https://github.com/home-assistant/iOS/issues/2486 https://www.reddit.com/r/homeassistant/comments/1gjhlqt/login_attempt_failed/
Expected behavior
Screenshots
Additional context I use Nabu Casa. No custom networking setup.
Same for me Model Name: iPhone 15 Pro Software Version: iOS 18.1 App version: 2024.934
Home Assistant Core Version 2024.11.1
And using nabu casa
Still happening:
2025-01-14 14:19:17.258 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2024.12.2 (io.robbie.HomeAssistant; build:2024.1058; iOS 18.2.1)) 2025-01-14 14:27:57.684 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2024.12.2 (io.robbie.HomeAssistant; build:2024.1058; iOS 18.2.1))
I have the sameish thing : 2025-01-14 10:06:08.923 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from iPhone.localdomain (10.10.10.1xx). Requested URL: '/api/template'. (Home Assistant/2024.12.3 (io.robbie.HomeAssistant; build:2024.1066; iOS 18.1.1))
This is my code for my widget - @bgoncal :
first : {% if is_state('switch.norma_bach_jessen_timer', 'on') %} 😴 Sleeping {% else %} Last woke: {{ states.sensor.norma_bach_jessen_last_sleep.attributes.end | timestamp_custom('%H:%M:%S') }} {% endif %} second : {% if is_state('switch.norma_bach_jessen_timer', 'on') %} Started sleeping: {{ as_timestamp(states.sensor.norma_timer_since_start.last_changed) | timestamp_custom('%H:%M:%S') }} {% else %} Last woke: {{ as_timestamp(states.sensor.norma_bach_jessen_last_sleep.attributes.end) | timestamp_custom('%H:%M:%S') }} {% endif %} third field is empty
@bgoncal what i forgot to add is that i run this on both mine and my partners phone, she is not an admin in homeassistant and for her the widget dont work and it's from her device i'm reciveing the failed login, on mine (admin) it's no problem
When she opens the App, can she uses it normally? Could you edit her widget template and put something else there? After 15 minutes if it doesn't display the correct information go to companion app settings >> debugging >> export logs and submit it here https://forms.gle/Uoqz127Phx4mMTpS6 (All of this on her phone of course)
changed it to {{ state_attr('sensor.norma_bach_jessen_last_sleep', 'end')[11:16] }}, will submit in 15 minutes it it's still failing to display, thank you!
@simon-bd I see Failed to render template for details widget: external(HAKit.HAError.ExternalError(code: "401", message: "401: Unauthorized")) in her logs, besides not being admin, does she have any other restriction? Like only being able to login locally for example
No other restrictions. Using nabucasa url when not at home otherwise local ip
I don't see a direct relation to that in the logs, so perhaps, can you try removing the server from the App, force closing it and adding it back? Was it configured a long time ago?
Another one:
2025-01-17 23:09:09.322 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.1 (io.robbie.HomeAssistant; build:2025.1073; iOS 18.2.0))
Let me know if there is any further info I can gather to figure this out.
@bgoncal tried multiple times to uninstall reconfigure server etc. but still get the same result
From her phone logs: 2025-01-18 19:33:17.000 [Error] [com.apple.root.user-initiated-qos.cooperative] [WidgetDetailsAppIntentTimelineProvider.swift:77] entry(for:in:) > Failed to render template for details widget: external(HAKit.HAError.ExternalError(code: "401", message: "401: Unauthorized"))
From HA logs: 2025-01-18 19:33:16.973 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/template'. (Home Assistant/2025.1 (io.robbie.HomeAssistant; build:2025.1073; iOS 18.1.1))
@simon-bd Can you temporaly make your wife admin to see if thats the problem? As fast as I was aware, Home Assistant didn't have user access level linked o the API
@Nezz no chance that you have the App setup on another device that is leading to this log? Like a secondary phone for example. If you update the testflight version now does it also reflect in the logs? Also, are you able to execute scripts from a home assistant widget for example? (it uses the websocket connection)
after i have updated her account to admin the widget is rendering, she is on the testflight version on her phone, can try to update it if you included some new logging in 2025.1.1 (2025.1007), but seems like he account was restriced when she was not an admin. can i use the same url for the logs if you need them?
@bgoncal I only use the TestFlight version on my personal phone, so I know that the websocket auth errors come from there. Could this error be related to using notifications with actions?
- metadata: {}
data:
message: Did you forget to turn the lights off?
data:
actions:
- action: "{{ action_on }}"
title: Leave the lights on
icon: sfsymbols:lightbulb
- action: "{{ action_off }}"
title: Turn the lights off
icon: sfsymbols:lightbulb.slash
action: notify.mobile_app_adam_s_iphone_15_pro
- alias: Wait for a response
wait_for_trigger:
- event_type: mobile_app_notification_action
event_data:
action: "{{ action_on }}"
trigger: event
- event_type: mobile_app_notification_action
event_data:
action: "{{ action_off }}"
trigger: event
@simon-bd I just checked with Core developers and indeed, templating is restricted to admin users, I had no idea, for now all I can do is to add a warning in the App, meanwhile I will take that in consideration for future implementations, there is a "widget builder" coming which will facilitate all this process.
@bgoncal Good to know, she'll have the priviliage of being admin until you are ready with more, the builder sounds amazing! thank you
@Nezz well, it shouldn't be the root cause... maybe it is the trigger but the issue must be somewhere else, can you try what I asked in the previous comment?
Yes, the scripts work from iOS widgets (although I did not use them previously). The invalid auth error appears every couple of days and using widgets did not trigger it.
My widgets stopped working the day after I set them up (I get a notification that it was executed, but it wasn't really). However, there are no authentication errors coming from them.
Still happening:
2025-01-28 09:41:02.556 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.1 (io.robbie.HomeAssistant; build:2025.1073; iOS 18.2.1))
I am also getting failed login attempts each time I close and open the companion app (causing my ip to be banned). Experienced the same behavior on both the TestFlight version of the app and the 2025.2 version. Home-assistant core version is 2025.3, but also experienced this on 2025.2. I am using a Cloudflare tunnel to connect externally to my homeassistant instance and these failed authentication log entries only appear when I connect externally. Also, I don't have any HA widgets on my phone.
Log entry:
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP (documentation, issues)
First occurred: 08:14:20 (4 occurrences)
Last logged: 08:19:32
Login attempt or request with invalid authentication from 84.241.206.240 (84.241.206.240). Requested URL: '/api/states'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1177; iOS 18.3.1))
Login attempt or request with invalid authentication from 84.241.206.240 (84.241.206.240). Requested URL: '/api/states'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1178; iOS 18.3.1))
The websocket one is still happening for me:
2025-03-07 21:44:14.261 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1152; iOS 18.3.1))
2025-03-07 21:44:16.304 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1152; iOS 18.3.1))
2025-03-07 21:44:27.581 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1152; iOS 18.3.1))