
Two Factor Auth - 2FA

Open jaburgeson opened this issue 4 years ago • 47 comments

Apologies if this is in the documentation anywhere, but is there a way to implement 2FA?

I have a feeling with Arlo's implementation, this may be a tad difficult, but it looks like it may be required in the next few months.

jaburgeson avatar Mar 10 '20 17:03 jaburgeson

Yeah. I have to look into this but my initial thought is it will make life difficult. Aarlo logs back into the web interface as and when needed so it's going to be complicated getting the second piece of authentication.

twrecked avatar Mar 11 '20 13:03 twrecked

Yeah, every time I log in using Web with my account not dedicated to Hass.io... it requires a one time use passcode from the phone.

On mobile devices, I'm guessing it uses a certificate or a long auth token for approved devices, but there doesn't appear to be a way to do this on the website.

jaburgeson avatar Mar 11 '20 17:03 jaburgeson

I have a prototype running - it let my two factor account work. I'm going to tighten the coding up and I'll try and get something out later this week.

twrecked avatar Mar 22 '20 21:03 twrecked

Amazing work...Thanks! Can’t wait to test it out.

jaburgeson avatar Mar 22 '20 22:03 jaburgeson

If you want to test the CLI version you can try the following:

This installs it.

$ cd ~/tmp
$ virtualenv -p /usr/bin/python3.6 test
$ source test/bin/activate
(test)$ pip install git+https://github.com/twrecked/pyaarlo

Copy this source into your current directory, call it example.py:

#!/usr/bin/env python
#

import os
import sys
import time
import logging
import pyaarlo

USERNAME = os.environ.get('ARLO_USERNAME','[email protected]')
PASSWORD = os.environ.get('ARLO_PASSWORD','test-password')

# Turn on debugging
logging.basicConfig(level=logging.DEBUG)
_LOGGER = logging.getLogger('pyaarlo')

def camera_update_state(device, attr, value):
    _LOGGER.debug('callback:' + device.name + ':' + attr + ':' + str(value)[:80])

# Login. If 2FA is needed then choose to send code via SMS and enter it
# directly on the console
ar = pyaarlo.PyArlo(username=USERNAME, password=PASSWORD,
                    tfa_type='SMS', tfa_source='console',
                    storage_dir='aarlo', dump=True)
if not ar.is_connected:
    print('failed to connect')
    sys.exit(-1)

# Stay alive for five minutes so the debug output/events can be observed
time.sleep(300)

Then run it:

(test)$ chmod +x example.py
(test)$ ARLO_USERNAME='[email protected]' ARLO_PASSWORD='your-password' ./example.py

It should stop and ask you for a code.

twrecked avatar Mar 23 '20 20:03 twrecked

https://github.com/twrecked/hass-aarlo/releases/tag/v0.6.89-beta.1

Getting late here so docs might have got a bit garbled...

twrecked avatar Mar 24 '20 05:03 twrecked

It would be a bit more effort, but 2FA setup would probably be easier (or at least more robust) through a config flow and/or options flow. Having the integration try to access email, as the README points out, is pretty fragile.

jason0x43 avatar Mar 24 '20 13:03 jason0x43

I'll have a look at that. But how do you get the secondary code into the config flow?

edit: gotcha, you mean by manually typing it in. I think we can support that too. The backend has the options to ask for SMS, email and read a response from the console and IMAP.

twrecked avatar Mar 24 '20 14:03 twrecked

Yeah. When you initially setup the integration with a config flow, you'd give it a username and password through the UI, the integration would do the initial authentication, and then ask the user for a code they should receive by email, which they would also enter through the UI.

You could run through the same flow in an options flow for an existing install if the user ever needed to re-authenticate.

jason0x43 avatar Mar 24 '20 15:03 jason0x43

Where do I put the imap info? The config below gives me this error: Invalid config for [aarlo]: [imap_host] is an invalid option for [aarlo]. Check: aarlo->aarlo->imap_host. (See /config/configuration.yaml, line 47).

aarlo:
  username: !secret arlo_username
  password: !secret arlo_password
  scan_interval: 1200
  imap_host: 'blah.gmail.com'
  imap_username: '[email protected]'
  imap_password: 'blahblah'

jlt24 avatar May 02 '20 16:05 jlt24

You needed to be on a beta build but they are going away - the naming was all wrong.

I'll be releasing 0.7.0-alpha this evening and it will have 2fa support. Although the options are now called

tfa_host: 'blah.gmail.com'
tfa_username: '[email protected]'
tfa_password: 'blahblah'

because I'm adding other mechanisms for getting the code.

twrecked avatar May 02 '20 21:05 twrecked

I just published 0.0.7-alpha if you want to give it a try.

twrecked avatar May 03 '20 14:05 twrecked

Got it working. I'm pretty new to the lovelace config so I haven't got the custom card working yet. But I was able to use the picture element card to see the camera's last recording and badges for the battery percentage.

I set up a separate gmail account for this but I don't see emails coming in there for the authentication? Am I wrong or shouldn't I see emails coming in from Arlo?

Thanks for your help BTW

jlt24 avatar May 03 '20 15:05 jlt24

You might not have 2FA authentication turned on. If you're not seeing the emails but everything is working, you're good to go.

2FA is not mandatory now but will be later in the year.

twrecked avatar May 03 '20 15:05 twrecked

Just wanted to add, that I have been running this for awhile now and it has been working great.

Thank you for the hard work on this!

jaburgeson avatar May 23 '20 14:05 jaburgeson

Tried both version 0.7.0-alpha.4 and 0.6.19.1.

When adding the TFA options I am getting the following error:

Invalid config for [aarlo]: [tfa_host] is an invalid option for [aarlo].

texanman avatar May 30 '20 02:05 texanman

It definitely shouldn't work on 0.6.xxx, there is no support for TFA in there. But it should work for 0.7.xx, can you paste your config in here?

twrecked avatar May 31 '20 03:05 twrecked


aarlo:
  username: [email protected]
  password: mypassword
  refresh_devices_every: 2
  stream_timeout: 120
  tfa_source='imap'
  tfa_type='email'
  tfa_host='imap.host.com'
  tfa_username='gmailacct'
  tfa_password='gmailpass'
  
alarm_control_panel:
  - platform: aarlo
    away_mode_name: Armed
    home_mode_name: Home

Tried it both ways, wrapping the tfa lines in ' marks and without.

Just for giggles I went into the init python file and manually edited the lines specifying the variables for the tfa lines with the values from the config then removed them from the config file. From there it worked. Are the lines being called wrong?

texanman avatar May 31 '20 03:05 texanman

This is a documentation error, sorry. I must have left it in when I copied it from the pyaarlo docs, I'll update it now.

The = shouldn't be there, it should be:

aarlo:
  username: [email protected]
  password: mypassword
  refresh_devices_every: 2
  stream_timeout: 120
  tfa_source: imap
  tfa_type: email
  tfa_host: imap.host.com
  tfa_username: gmailacct
  tfa_password: gmailpass

edit: not sure about the quotes...

twrecked avatar May 31 '20 04:05 twrecked

When I check the configuration I receive the following error message: (Note: I just copied the sources, the aarlo folder in the "custom_component" folder)

aarlo:
  tfa_host: imap.gmail.com
  tfa_username: gmailuser
  tfa_password: gmailpass

These are the 3 lines that I added to the file configured.yaml for 2FA

Configuration invalid

Invalid config for [aarlo]: [tfa_host] is an invalid option for [aarlo]. Check: aarlo->aarlo->tfa_host. (See /config/configuration.yaml, line 132).

nicolap75 avatar Aug 24 '20 20:08 nicolap75

@nicolap75 Your config looks ok. Can you double check you installed it in the correct location and then check the version.

$ grep version custom_components/aarlo/__init__.py
__version__ = '0.7.0.beta.2'

twrecked avatar Aug 24 '20 22:08 twrecked

Hi, I confirm the version '0.7.0.beta.2'

nicolap75 avatar Aug 25 '20 15:08 nicolap75

I assume you restarted after installing aarlo?

twrecked avatar Aug 25 '20 15:08 twrecked

absolutely yes, even more than once ;-)

nicolap75 avatar Aug 25 '20 20:08 nicolap75

Sorry, I had to ask.

I just pasted your configuration into my system and it worked fine, so somehow it has to be picking up the wrong version of the code. I just don't include the version number in the debug, which I should. I'll push a new version of the code with the version printed out as debug.

Meanwhile, one thing to try might be re-installing aarlo into custom_components. Start by removing the old version completely to make sure no python compilation files are hanging around.

twrecked avatar Aug 25 '20 21:08 twrecked

Hi, it seems to work. Sorry, I had left the old folder renamed aarlo_old inside custom_components. Now I removed it and it seems to work.

I'm obsessed with backups, I never 100% trust IT ;-)

Now I have some problems with the Insert and Disconnect panel.

Isn't there a more effective way to stop the HA side login? This would allow me to do it on the official my arlo web page, otherwise it will throw me out after 3 seconds of logging in. Now I deliberately make an error in the login user in the secret file and reboot. After that HA cannot authenticate and I can operate in the official web page with the right credentials.

Thank you very much for your support and sorry for any inconvenience. Good night (Switzerland time zone)

nicolap75 avatar Aug 25 '20 22:08 nicolap75

You have to create a dedicated account for aarlo, see here and make sure to give it admin access.

This is an Arlo restriction and there isn't much I can do about it.

twrecked avatar Aug 25 '20 22:08 twrecked

Absolutely yes, I did do a dedicated account, but I had to log in with the account in my arlo to enable 2FA. ;-)

thx

nicolap75 avatar Aug 26 '20 05:08 nicolap75

Just to report that I have set up 2FA with a dedicated arlo account and gmail and it works. The messages I receive are in Italian.

rafuz avatar Sep 25 '20 14:09 rafuz

Could you help me with the configuration? My OTPs arrive via SMS, not via email. I haven't understood how it is done.

chavez7 avatar Sep 27 '20 22:09 chavez7

@chavez7 I was going to ask @rafuz if he could help you, but you got here first! Hope you get it working.

twrecked avatar Sep 28 '20 00:09 twrecked

I did nothing special. I turned off the integration in home assistant, then I started the enrollment to 2FA on the HA Arlo account using the SMS only once. I put in the configuration for gmail IMAP and then restarted AArlo. Everything has gone smoothly, I also see the emails with the OTP once every 90 minutes or so. The emails are in Italian but AArlo parses them without problem.

rafuz avatar Sep 28 '20 07:09 rafuz

I state my ignorance. Forgive me but I cannot understand what to do. Apart from that, I don't see from the aarlo integration how to turn it off. Then where do I put the SMS code? And how do I get it sent? When, for example, I did it on other devices such as tablets, when I open the application I get an SMS and then enter the code and put it among the trusted devices. Here, how do you do it?

chavez7 avatar Oct 05 '20 07:10 chavez7

I have just tried to set it up too. I live in GB and when I log into the Arlo on the web 2FA defaults to SMS and won't send an Email unless you select it manually. Does this plugin automatically request an email 2FA verification to be sent? I cannot work out in any settings on the Arlo website or application how to make it work.

Gmail isn't my usual email provider so I set up a new account specific for this purpose, enabled 2FA on the gmail account and created an app password for the plugin and used that password as the 2fa password for the plugin.

This is the section I created in my configuration json

aarlo:
  username: {{Arlo email address for account}}
  password: {{Arlo access password}}
  refresh_devices_every: 2
  stream_timeout: 120
  tfa_source: imap
  tfa_type: email
  tfa_host: imap.host.com
  tfa_username: {{Arlo email address for account}}
  tfa_password: {{app password generated in gmail account settings}}

I get this error in the home assistant log files:

2020-10-10 14:44:37 ERROR (MainThread) [homeassistant.setup] Error during setup of component aarlo
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/setup.py", line 213, in _async_setup_component
    result = await task
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/config/custom_components/aarlo/__init__.py", line 234, in setup
    arlo = PyArlo(username=username, password=password,
  File "/config/custom_components/aarlo/pyaarlo/__init__.py", line 143, in __init__
    self._be = ArloBackEnd(self)
  File "/config/custom_components/aarlo/pyaarlo/backend.py", line 44, in __init__
    self._logged_in = self._login()
  File "/config/custom_components/aarlo/pyaarlo/backend.py", line 477, in _login
    if not self._auth():
  File "/config/custom_components/aarlo/pyaarlo/backend.py", line 399, in _auth
    if not tfa.start():
  File "/config/custom_components/aarlo/pyaarlo/tfa.py", line 49, in start
    self._imap = imaplib.IMAP4_SSL(self._arlo.cfg.tfa_host)
  File "/usr/local/lib/python3.8/imaplib.py", line 1297, in __init__
    IMAP4.__init__(self, host, port)
  File "/usr/local/lib/python3.8/imaplib.py", line 198, in __init__
    self.open(host, port)
  File "/usr/local/lib/python3.8/imaplib.py", line 1310, in open
    IMAP4.open(self, host, port)
  File "/usr/local/lib/python3.8/imaplib.py", line 303, in open
    self.sock = self._create_socket()
  File "/usr/local/lib/python3.8/imaplib.py", line 1300, in _create_socket
    sock = IMAP4._create_socket(self)
  File "/usr/local/lib/python3.8/imaplib.py", line 293, in _create_socket
    return socket.create_connection((host, self.port))
  File "/usr/local/lib/python3.8/socket.py", line 787, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "/usr/local/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name does not resolve

HumanSkunk avatar Oct 10 '20 14:10 HumanSkunk

The plugin will choose email if you set tfa_type: email; you don't have to set anything on the website. Arlo will automatically use the email you set for the account.

For the last issue, try tfa_host: imap.gmail.com.

twrecked avatar Oct 10 '20 14:10 twrecked

I'm an idiot... I didn't realise the subtle difference in your response. 'gmail' being the key.

Google just blocked the request so I know it's now working, just need to sort out my google security access!

HumanSkunk avatar Oct 10 '20 14:10 HumanSkunk

@HumanSkunk You get that working?

twrecked avatar Oct 11 '20 02:10 twrecked

Yes I did thanks. Set up what I had done originally and it all works fine.

HumanSkunk avatar Oct 11 '20 06:10 HumanSkunk

Is it possible to have this check both the Inbox and the Spam folder (in Gmail)? The emails randomly started going to my spam folder and I didn't notice until HA had tried to log in every minute for 300 attempts.

sysrage avatar Jul 11 '21 14:07 sysrage

That is possible, the only problem is not all IMAP servers use the same naming so I'd have to provide a mechanism to allow folders to be searched.

In the meantime I'd recommend creating a filter to never mark those as spam.

twrecked avatar Jul 14 '21 13:07 twrecked
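The IMAP-based code retrieval discussed in this thread (tfa_source: imap / tfa_type: email with an app password, and the question of also scanning the Gmail spam folder) as an added stand-alone example; this is not pyaarlo's own code. It assumes the code is a standalone 6-digit number and that Gmail names its spam folder "[Gmail]/Spam" over IMAP; neither comes from the thread.

```python
"""Added example (not pyaarlo's own code): fetch an Arlo 2FA code over IMAP.

Mirrors the tfa_source: imap / tfa_type: email mechanism, standard library
only. Assumptions not taken from the thread: the code is a standalone 6-digit
number, and Gmail exposes its spam folder over IMAP as "[Gmail]/Spam".
"""
import email
import imaplib
import re
from email.message import Message
from typing import Optional

# A 6-digit run that is not part of a longer number (timestamps, references).
OTP_RE = re.compile(r"(?<!\d)(\d{6})(?!\d)")
TAG_RE = re.compile(r"<[^>]+>")


def message_text(msg: Message) -> str:
    """Collect readable text from all text/plain and text/html parts."""
    parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        parts.append(TAG_RE.sub(" ", text) if ctype == "text/html" else text)
    return "\n".join(parts)


def extract_otp(raw: bytes) -> Optional[str]:
    """Return the first standalone 6-digit code in an RFC822 message, else None.
    Matching is purely numeric, so Italian or English wording works alike."""
    found = OTP_RE.search(message_text(email.message_from_bytes(raw)))
    return found.group(1) if found else None


def fetch_arlo_otp(host, username, password,
                   folders=("INBOX", "[Gmail]/Spam"), sender="arlo"):
    """Log in with an app password and scan folders for an unread Arlo code.

    Performs real network I/O. Folders the server does not know (names vary
    between IMAP providers) are skipped rather than treated as fatal."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(username, password)
        for folder in folders:
            status, _ = conn.select(f'"{folder}"', readonly=True)
            if status != "OK":
                continue
            status, data = conn.search(None, f'(UNSEEN FROM "{sender}")')
            if status != "OK" or not data[0]:
                continue
            for num in reversed(data[0].split()):  # newest first
                status, parts = conn.fetch(num, "(RFC822)")
                if status == "OK" and parts and isinstance(parts[0], tuple):
                    code = extract_otp(parts[0][1])
                    if code:
                        return code
    return None


# Constructed sample message (Italian wording, as reported in the thread).
SAMPLE_EMAIL = b"""From: Arlo <noreply@arlo.example>
Subject: Codice di verifica
Content-Type: text/plain; charset=utf-8

Il tuo codice di verifica Arlo e' 482913. Scade tra 10 minuti.
Riferimento: 20210928.
"""

if __name__ == "__main__":
    print(extract_otp(SAMPLE_EMAIL))  # → 482913
```

The regex deliberately rejects digit runs longer than six, so reference numbers and timestamps in the mail body are not mistaken for the code.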

Hi, I have posted something in the forum, but thought of getting more info here as it looks to me like an isolated bug? I could be wrong though.

Had the component working fine until recently so pretty sure the rest of the configuration is correct. My HA installation has been on a separate installation from Debian since day 1.

Core: core-2021.8.6
Supervisor: supervisor-2021.06.8
Host: Debian GNU/Linux 11 (bullseye)
Docker: 20.10.8

configuration.yaml

aarlo:
  username: myemail[@]gmail
  password: mypassword
  refresh_devices_every: 1
  stream_timeout: 60
  reconnect_every: 1
  save_session: false
  tfa_source: push
  tfa_type: PUSH
  #tfa_host: imap.gmail.com
  #tfa_username: myemail[@]gmail
  #tfa_password: myapppassword

camera:
  platform: aarlo

I have tried replacing the source with tfa_source: email and the type with tfa_type: imap and then uncommenting the account I used for email 2fa, while ensuring the Arlo android app 2fa method is selected accordingly beforehand; i.e. when I used push, I selected the target device as primary option, and when I used imap, I selected my email. Both methods failed. Each time HA started, I'd get a notification that it failed auth.

For email:

  • Setup dedicated email and created app password
  • Verified login was successful through the "Last Used" in manage my account > security > app password section
  • 2FA email received from Arlo
  • Email was read

For app:

  • Received push notification to Approve or Reject login from someone else - which is HA
  • Choose Approve

Either way, tried multiple times. I even went through uninstalling, rebooting HA core and supervisor, updating (had several updates on this component, supervisor and core). The problem only occurred when 2fa was turned on. Error details below - hopefully it gives some ideas as to where it went wrong.

HA Notification

aarlo Component Setup

Error: authentication failed
If error persists you might need to change config and restart.

HA Log

This error originated from a custom integration.

Logger: custom_components.aarlo
Source: custom_components/aarlo/__init__.py:449
Integration: Arlo Camera Support (documentation, issues)
First occurred: 2:02:43 PM (17 occurrences)
Last logged: 3:09:32 PM

unable to connect to Arlo: attempt=13,sleep=300,error=authentication failed
unable to connect to Arlo: attempt=14,sleep=300,error=authentication failed
unable to connect to Arlo: attempt=15,sleep=300,error=2fa finishAuth failed
unable to connect to Arlo: attempt=16,sleep=300,error=2fa finishAuth failed
unable to connect to Arlo: attempt=17,sleep=300,error=authentication failed

Syslog

Aug 13 05:09:28 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:09:28 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError
Aug 13 05:09:29 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:09:29 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError
Aug 13 05:09:31 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:09:31 WARNING (SyncWorker_4) [pyaarlo] request-error=CloudflareChallengeError
Aug 13 05:09:32 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:09:32 ERROR (SyncWorker_4) [pyaarlo] authentication failed
Aug 13 05:09:32 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:09:32 ERROR (SyncWorker_4) [custom_components.aarlo] unable to connect to Arlo: attempt=17,sleep=300,error=authentication failed
Aug 13 05:14:37 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:37 WARNING (SyncWorker_4) [pyaarlo] error in new response={'meta': {'code': 400, 'error': 9233, 'message': 'Authentication is not finished yet'}}
Aug 13 05:14:37 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:37 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 1
Aug 13 05:14:44 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:44 WARNING (SyncWorker_4) [pyaarlo] error in new response={'meta': {'code': 400, 'error': 9233, 'message': 'Authentication is not finished yet'}}
Aug 13 05:14:44 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:44 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 2
Aug 13 05:14:50 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:50 WARNING (SyncWorker_4) [pyaarlo] error in new response={'meta': {'code': 400, 'error': 9233, 'message': 'Authentication is not finished yet'}}
Aug 13 05:14:50 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:14:50 WARNING (SyncWorker_4) [pyaarlo] 2fa finishAuth - tries 3
Aug 13 05:16:56 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:16:56 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [3841824080] Received invalid command: aarlo_library
Aug 13 05:16:56 rpi3-20210629 cab3816d3653[615]: 2021-08-13 15:16:56 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [3841824080] Received invalid command: aarlo_library

Thanks

hongkiatsim avatar Aug 14 '21 00:08 hongkiatsim

The problem here is the CloudflareChallengeFailure. It means we're not getting by Cloudflare's antibot check. I run into this problem occasionally and I don't know of a full fix yet. One thing to try is to force the check to use a specific IP address.

Try adding the following line to the host's /etc/hosts file.

104.18.30.98 ocapi-app.arlo.com
#104.18.31.98 ocapi-app.arlo.com

Try starting HA again, if this doesn't work move the # about and try again.

#104.18.30.98 ocapi-app.arlo.com
104.18.31.98 ocapi-app.arlo.com

And revert your aarlo config.

aarlo:
  ..
  tfa_source: imap
  tfa_type: email

twrecked avatar Aug 15 '21 01:08 twrecked

@twrecked thanks for the prompt response. Really appreciate it.

Just to clarify - you meant CloudflareChallengeError or CloudflareChallengeFailure? Are they the same, or do they have different meanings?

Nevertheless, I had tried your suggestion but still received the same error. Maybe it is time to temporarily disable the plugin and hope Cloudflare will not see my IP as requiring the challenge.

hongkiatsim avatar Aug 15 '21 11:08 hongkiatsim

@hongkiatsim I meant CloudChallengeError, sorry.

One more thing to try, use a different user agent:

aarlo:
  ...
  user_agent: linux

You can also try mac or firefox or ipad or iphone.

twrecked avatar Aug 17 '21 02:08 twrecked

@twrecked I tried adding the user_agent as suggested, along with swapping the entry in host file.

The user agents I tried include those you have given; I also looked up the actual user agent strings for Chrome, Firefox etc. and tried various versions. It just gives me the same error each time.

hongkiatsim avatar Aug 18 '21 08:08 hongkiatsim

@twrecked - in my last ditch attempt, I decided to use Android as user agent and it works

hongkiatsim avatar Aug 18 '21 12:08 hongkiatsim

Mine was working fine for weeks and now: 2021-10-11 15:21:58 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [140639282623104] Received invalid command: aarlo_library

I am not getting any emails for 2FA and the google 2-step app password website says no activity. It seems HA is not making the call to arlo at all. I can see battery and signal strength but no camera feed. I can log in to MyArlo website without issue.

psu1989 avatar Oct 11 '21 19:10 psu1989