core: Lovelace: Login attempt or request with invalid authentication

For (the upcoming) Home Assistant 2022.8, we’ve extended the logging to log the actual request that has been done (the requested URL/path). This helps with determining what actually is causing this (to get a better view at the root causes).

I’ve had the same issue for a couple years now. A fix would be great.

I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.

I personally haven’t had any issues anymore since a lovelace-valetudo-map-card contributor replaced fetch with this._hass.fetchWithAuth in the Lovelace Valetudo Map Card here: https://github.com/TheLastProject/lovelace-valetudo-map-card/pull/93/files

So, the solution for the picture entity card may be similar.

I had a lot of these failed login attempts messages because of camera streams in lovelace cards. As a workaround I created a toggle helper called camera_feeds and use this helper in a conditional card before showing the camera feed. This creates a tiny delay which is enough to prevent the login attempt fail errors (at least in my case). Maybe you could try it out?

This issue has been occurring to me pretty much forever after I have setup cameras years ago, and the only “solution” has been to disable ip bans, which is, well, extremely un-wanted to be honest so I have never done it and got used to login via VPN, change the bans file, and reboot HA. Is anyone able to look at a resolution?

Available to troubleshoot if that helps.

This issue is the same as https://github.com/home-assistant/frontend/issues/3379

I had this issue also and I found a workaround to it.

My Issue and Tests:

My camera’s feeds freezed every 5 minutes exactly when the cameras’ token are refreshed, and most of the time, in that exact moment the error Login attempt or request with invalid authentication shows up in notification.

If I see the camera’s feed from HADashboard or see the cameras from Motioneye, this doesn’t happen ever. I have tested on several browsers and this exact same problem occurs (chrome on PC, chrome on android, fully kiosk on android, and others). On Chrome, if pressing F12, there is no error.

The config I use in my lovelace is:

   - type: picture-glance
     title: Patio
     camera_image: camera.patio
     entity: camera.patio
     camera_view: live
     aspect_ratio: 0%

If using F12 on Chrome, I see that the cameras’ feed are not receiving the updated token. As the example of the following image, at start, the 3 cameras receive their token and they work fine, but after 5 minutes (in this case), only one camera receive it and that was the only one that continue working. The other 2 got freezed. After some more 5 minutes, some of these cameras receive the new token and they re-start the feed.

And when moving from one tab to another, I have the following with the Login attempt or request with invalid authentication issue:

When using HADashboard of APPDAEMON on Chrome and pressing F12, we can see the exact same transaction for camera’s tokens and it happens every 5 minutes as expected with all cameras. The HA Dashboard uses Knockout.js for that and lovelace uses parts.ts

Why parts.ts misses some calling for token renewals? When it misses one, it might call for the renew after another 5 minutes. So the feed is not reliable on lovelace. Sometimes it works but after some time, some of the feeds freezes and we have to reload the page or wait for another 5 minutes for the new token renewal.

My Workaround:

As in my case, HADashboard works fine (the camera feed never freezes and there is no login error) but this error occurs on a camera feed in a picture-glance of lovelace, so I tried to use instead the camera feed but in a custom:button-card, and surprisingly it works fine. So, I have now a workaround to this issue.

          - type: 'custom:button-card'
            entity: camera.portero
            label: Portero
            show_name: false
            show_label: true
            show_icon: false        
            show_entity_picture: true
            show_live_stream: true
            size: 100%
            styles:          
              entity_picture:
                - position: absolute
                - top: 0%
                - margin: none
              card:             
                - margin: 0px 0px 0px 0px
                - padding: 0px 0px

With the custom:button-card the token is refreshed every 5 minutes as expected and the camera feed never freezes. Also, the Login attempt or request with invalid authentication issue is gone.

So, it seems that there is an issue for tokens but just in the default picture-glance card of lovelace.

I would like to help on finding the bug on picture-glance. What else can I test?

@TeaRexJack would you mind elaborating on your solution? How did you implement it.

On which part do you need more information? First I created a toggle helper (input_boolean) which I named camera_feeds because I want to use it for all my camera’s. Then instead of directly using the picture entity lovelace card I used the Conditional Card which checks the state of the boolean. If the state is on, the card will be shown.

My card would look like this:

type: conditional
conditions:
  - entity: input_boolean.camera_feeds
    state: 'on'
card:
  type: picture-entity
  camera_image: camera.camera1
  show_state: false
  show_name: false
  aspect_ratio: '1:1'
  entity: camera.camera1

I’m by no means a professional programmer but from reading online and in this topic my guess is that by doing it this way a connection to home assistant is forced to retrieve the state of the helper before the camera lovelace card can give the login attempt error.

I think this issue should be looked at more seriously as it is a potential security risk, due to people possibly disabling brute force protection and ignoring the login warnings from irritation.

I agree 100% and I know many people have from random postings. I noticed this behavior long time ago and issues i had opened were closed. I just couldn’t articulate the problem and provide the right logs. Hopefully this around of energy translates to acknowledgement and future remediation!

I did some research. Camera resources are available at:

http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>

I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.

The camera preview uses a different link, but the underlying mechanics are the same:

http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

For me, it’s always the stale camera tokens that are triggering this issue.

As a work-around, I’ve been using the following automation to dismiss these notifications for a week:

- id: '1658082820704'
  alias: Dismiss failed login notification
  description: ''
  trigger:
  - platform: event
    event_type: state_changed
    event_data:
      entity_id: persistent_notification.http_login
  condition:
  - condition: template
    value_template: '{{ trigger.event.data.new_state and trigger.event.data.new_state.attributes.title
      == ''Login attempt failed'' }}'
  action:
  - service: persistent_notification.dismiss
    data:
      notification_id: http_login
  mode: single

Looks like this won’t be needed anymore once https://github.com/home-assistant/core/pull/75870 is merged and released 🎉

@TeaRexJack’s workaround is not working for me.

Yes, this issue is on the picture glance card. Please, check my comment for a workaround. With this workaround I have never had this issue again. #23055 (comment)

Thank you, it seems I have missed this info… Now I have removed my picture-glance cards and replaced them with custom: button-card as directed. At this point all works fine. Will see if I have those error any more.

@barrymossel - I have the same challenge and I could not find the way to make those in custom: button-card. So, what I did, I have created horizontal-stack card with all my “icons/buttons” as buttons in one raw. This card is just below camera picture so it “almost” looks the same and it does the job for me. I am thinking of creating versitcal-stack card with first raw camera picture and second raw horicontal-stack with buttons. But this shoudl be probably separate topic.

Yes, this issue is on the picture glance card. Please, check my comment for a workaround. With this workaround I have never had this issue again. https://github.com/home-assistant/core/issues/23055#issuecomment-620309182

Getting the login error message when opening HA in app or browser on a view with camera’s in picture-glance card. Only happens when tab/app is out of sight (not closed I believe) for a set amount of time (5mins?). Happens for Android, iOS and Windows (all browsers).

Please let me know if I have to test something…

I managed to solve my problem by installing MQTT. For this I chose to use Mosquitto. Obviously there’s some setting up to do with Mosquitto and MQTT but there’s plenty into available online for this. It’s how I discovered it after all. This, and the following code, is not my own. Alas, I’m not that clever. I can’t remember where I found it all now but basically, here’s what I did…

I added to configuration.yaml…

mqtt:
  broker: 192.168.1.xxx
  port: xxxx
  client_id: <my client ID name>
  username: !secret <my MQTT Username>
  password:  !secret <my MQTT Password>

Also in configuration.yaml, I added a binary sensor for (for example) my door camera…

binary_sensor:
  - platform: mqtt
    name: "Door Motion"
    state_topic: "blue_iris/binary_sensor/door_motion/state"
    payload_on: "ON"
    payload_off: "OFF"
    device_class: "motion"

In automation.yaml, I added…

bi_door:
  sequence:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The above was my own choice preference to cast to both of my displays for 30 seconds only. Obviously, you can alter the code to your own preference.

Then in BlueIris, on the camera Settings, Alerts tab - Configure Web or MQTT Alert - I selected MQTT in the dropdown then typed

MQTT Topic: blue_iris/binary_sensor/door_motion/state
Post/Payload: ON

Now, whenever motion is detected on the door camera via BlueIris, up pops the live stream on both of my Google displays for 30 seconds then revert back to normal until next motion detection. And it’s pretty quick too.

I’ve also followed the instructions to add Google Assistant to Home Assistant whereupon you can ask whichever display you want for whatever Blue Iris camera stream you want but I haven’t quite managed to get that fully working as yet as I have a problem with my “Stream” component, something about my needing to add AV 6.1.2 to Python which I haven’t managed to do as yet. I’m running my server (and Python) on Windows 10 and all suggestions on various forums say to ditch Windows and use Linux. Not very helpful when I want to continue using Windows. There seems to be very little help out there for Windows users and plenty for Hassio users on Linux.

However, I am able to use IFTTT now that I have MQTT installed and use that to call for cameras. For now.

Mine is fixed, totally forgot that Node-RED was using legacy auth method. Warning message should include details about where the request is coming from.

Experiencing the same problem with some cameras from a ZoneMinder instance with the config below.

Home Assistant 0.92.0 running within Docker on a Raspberry Pi

zoneminder:
  - host: 192.168.***.***
    ssl: true
    username: !secret zoneminder_username
    password: !secret zoneminder_password
camera:
  - platform: zoneminder

Checking the device states shows the following. In this instance, indoor_01 is the camera throwing the error.

Entity	State	Attributes
camera.indoor_01	unavailable	friendly_name: indoor-01 entity_picture: /api/camera_proxy/camera.indoor_01?token=… supported_features: 0
camera.indoor_02	idle	access_token: … friendly_name: indoor-02 entity_picture: /api/camera_proxy/camera.indoor_02?token=… supported_features: 0