What happened?
After updating Home Assistant Core to 2026.6.1, the camera_proxy authentication mechanism appears to have changed, causing AppDaemon camera widgets to instantly trigger IP bans (homeassistant.components.http.ban) on wall-mounted tablets.
Steps to Reproduce (Repro):
Setup: HASS Core 2026.6.1 + AppDaemon + Dashboard with active camera widgets.
Action: Restart Home Assistant Core.
Observation: Immediately after startup, the dashboard attempts to pull camera streams using expired/cached tokens. Home Assistant rejects these requests with invalid auth warnings and bans the tablet IPs.
Workaround: Disabling ip_bans or manually refreshing the dashboard on the tablet forces a token renewal, and the stream recovers instantly.
It seems that upon HASS restart, the long-lived or cached tokens used by HAD for camera_proxy are immediately invalidated by the Core HTTP component. The dashboard component does not gracefully handle the 403 Forbidden response to trigger an immediate token refresh, resulting in consecutive failed requests that trip the HASS brute-force protection.
Version
4.5.13
Installation type
Home Assistant add-on
Relevant log output
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.88.64. Requested URL: '/api/camera_proxy/camera.garage_cam?token=...&time=1780806600'
Relevant code in the app or config file that caused the issue
camera_outdoor:
widget_type: camera
entity: camera.reolink_doorbell_fluent
base_url: http://192.168.88.69:8123
refresh: 1
Anything else?
No response
What happened?
After updating Home Assistant Core to 2026.6.1, the camera_proxy authentication mechanism appears to have changed, causing AppDaemon camera widgets to instantly trigger IP bans (homeassistant.components.http.ban) on wall-mounted tablets.
Steps to Reproduce (Repro):
Setup: HASS Core 2026.6.1 + AppDaemon + Dashboard with active camera widgets.
Action: Restart Home Assistant Core.
Observation: Immediately after startup, the dashboard attempts to pull camera streams using expired/cached tokens. Home Assistant rejects these requests with invalid auth warnings and bans the tablet IPs.
Workaround: Disabling ip_bans or manually refreshing the dashboard on the tablet forces a token renewal, and the stream recovers instantly.
It seems that upon HASS restart, the long-lived or cached tokens used by HAD for camera_proxy are immediately invalidated by the Core HTTP component. The dashboard component does not gracefully handle the 403 Forbidden response to trigger an immediate token refresh, resulting in consecutive failed requests that trip the HASS brute-force protection.
Version
4.5.13
Installation type
Home Assistant add-on
Relevant log output
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.88.64. Requested URL: '/api/camera_proxy/camera.garage_cam?token=...&time=1780806600'Relevant code in the app or config file that caused the issue
Anything else?
No response