frigate-hass-card: Card reuses old camera token, generates failed login attempts

Checklist:

  • I updated to the latest version available
  • I cleared the cache of my browser

Release with the issue: main

Last working release (if known):

Browser and Operating System:

Firefox 97.0, Ubuntu 20.04
HA Companion 2022.2, iOS 15.3.1

Description of problem:

There was a PR #372 which allows using an image from the HA camera entity. I really like this because now I don’t need to use a reverse proxy -> Frigate for fetching snapshots, and with a frequently changing token it’s more secure than a fixed URL.

After testing this PR functionality with multiple Frigate cards in one view, I encountered an issue where HA bans my IP. I already got banned like 3 times in 2 days from Home Assistant with http.ip_ban_enabled: true and http.login_attempts_threshold: 15 in the HA main configuration.

It seems like when the camera token changes, the Frigate card will try to reuse the old token, which will cause failed login attempts. It’s happening occasionally so I couldn’t find a pattern, but failed attempts occur in both the web browser and the HA Companion App.

Also, I found that sometimes, if you restart your Home Assistant instance and keep a browser tab/tabs open with the Frigate card, it will try to refresh the image with the old camera token. In the Network tab of the browser developer tools there will be at least one request (sometimes more) with a 404 Not Found status code and a 401 Unauthorized (which causes a failed login attempt). After HA is fully started it will start to use the correct token again.

For now I switched back to my old image retrieving solution.

Javascript errors shown in the web inspector (if applicable):


Additional information:

Used image block in configuration:

image:
  mode: camera
  refresh_seconds: 5

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 21 (11 by maintainers)

Most upvoted comments

Are you sure it’s 3-4 days and not related to the image PR you tested today?

Yes, it was before.

Anyway, I didn’t notice them for past few days.

@peledzius HA is extremely fragile in this regard, a single rogue request causes this to happen. It’s a bit like plugging a dam, so there absolutely could be other ways this could happen that we’ll need to defend against.

However, I guess we’ll take the win for now and we can re-open if we find a specific way to reproduce the issue. Thank you again, for all the testing.

OK – made it happen once! Now let’s see if I can make it not happen…

Roughly how long is “a while” in the above?

It’s hard to tell. Maybe more than 15 minutes. When I go back, page refreshes and failed attempt login notification appears.

I am failing to reproduce this (don’t have access to iOS devices

I was able to reproduce on a Samsung tablet with Android 11. Kept the app in the background and switched back after about 10 minutes, received a failed login attempt notification.

so your Firefox case is the one I’m trying to reproduce), precise steps if you have them most welcome!

Possible steps to reproduce:

  1. Open 3 new tabs with HA and Frigate card visible in Lovelace view.
  2. Switch to other tab/tabs (not with HA).
  3. Wait for 15-20 minutes (you can keep doing your things in other tabs).
  4. Switch back to one of the tabs with HA.
  5. Page should refresh and you will receive failed attempt login.

Also, I received failed attempt login on HA instance restart that I described in my first post.

OK – let me re-use your exact http.ip_ban* configuration and see if I can reproduce. All cases sound like they involve the browser being in the background rather than the foreground, so perhaps the browser is re-fetching the same content… (which has since expired).

@peledzius

With your configuration the image view was caching your camera image for 5 seconds; if during that time the Home Assistant state updated (which is typically very frequent), the image would be re-rendered with the same URL. As the security token on camera images is updated every 5 minutes, this creates a window in which the wrong token could be used.

The attached PR will eject the cached value if the HA attributes for the camera change, so I hope it will address your issue.

Does it certainly stop when you went back to the old fashioned way of fetching images?

Yeah, completely stopped.
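
The caching window described in the maintainer's explanation above, as an added example (this is not frigate-hass-card's code). The class and function names are hypothetical, and the camera states, tokens and the ha.local base URL are constructed. It compares a time-only cache with one that ejects its entry when the camera's access_token attribute changes.

```javascript
// Hypothetical helper, not code from frigate-hass-card.
// `entity` mimics a Home Assistant camera state object whose
// attributes.entity_picture URL embeds the current access token.
class CameraUrlCache {
  constructor(refreshSeconds, { ejectOnAttributeChange, now = () => Date.now() }) {
    this.ttlMs = refreshSeconds * 1000;
    this.ejectOnAttributeChange = ejectOnAttributeChange;
    this.now = now;
    this.entry = null; // { url, fetchedAt, token }
  }

  getUrl(entity) {
    const { entity_picture: picture, access_token: token } = entity.attributes;
    const t = this.now();
    const fresh = this.entry !== null && t - this.entry.fetchedAt < this.ttlMs;
    const sameToken = this.entry !== null && this.entry.token === token;
    // Time-only caching keeps serving the old URL for the whole window,
    // even after the token rotated; the thread ties that to 401s and bans.
    if (fresh && (sameToken || !this.ejectOnAttributeChange)) {
      return this.entry.url;
    }
    // Miss or ejected entry: rebuild from the current attributes.
    const url = `${picture}&t=${t}`;
    this.entry = { url, fetchedAt: t, token };
    return url;
  }
}

// Constructed sample state; the token values are made up.
function cameraState(token) {
  return {
    entity_id: 'camera.front_door',
    attributes: {
      access_token: token,
      entity_picture: `/api/camera_proxy/camera.front_door?token=${token}`,
    },
  };
}

// Returns the token that would be sent when a state update re-renders
// the image 2 s after a rotation, inside the 5 s refresh window.
function tokenSentAfterRotation(ejectOnAttributeChange) {
  let clock = 0;
  const cache = new CameraUrlCache(5, { ejectOnAttributeChange, now: () => clock });
  cache.getUrl(cameraState('tokenA')); // t = 0 s, URL cached
  clock = 2000;                        // token rotates, state update arrives
  const url = cache.getUrl(cameraState('tokenB'));
  return new URL(url, 'http://ha.local').searchParams.get('token');
}
```

With a fake clock the time-only cache still sends the rotated-out token, while the attribute-aware cache sends the current one.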