Recurrent Login attempt or request with invalid authentication

[maniackcrudelis]

The problem

Since the upgrade from 2023.2.3 to 2023.3.4, I have recurrent errors saying Login attempt or request with invalid authentication when using the API.

The errors, so far, happened with the custom card mini graph card and with the automations themselves, as soon as I go to config/automation/dashboard.

Each time, an error appears saying

Login attempt or request with invalid authentication from 192.168.1.48 (192.168.1.48). See the log for details.

The IP is from my main computer visiting the web interface.

I managed to solve temporarily the issue by cleaning up completely the Local storage of my Firefox. But the issue reappears soon afterwards.

The error is fatal, with the custom card mini graph card, I don't have any graph showing, and with the automation, en error message says This automation can not be edited from the UI, because it is not stored in the automations.yaml file, or doesn't have an ID.
If I try to migrate, as suggested, I have en error Response error: 401 and the same log about the login attempt.

The issue does not happen with Chromium (so far...) and didn't happened with the version 2023.2.3.

What version of Home Assistant Core has the issue?

2023.3.4

What was the last working version of Home Assistant Core?

2023.2.3

What type of installation are you running?

Home Assistant Core

Integration causing the issue

No response

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.48 (192.168.1.48). Requested URL: '/api/history/period/2023-03-22T13:13:12.526Z?filter_entity_id=sensor.global_temperature&end_time=2023-03-22T16:20:16.450Z&skip_initial_state&minimal_response'. (Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0)

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.48 (192.168.1.48). Requested URL: '/api/config/automation/config/1676544820763'. (Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0)

Additional information

No response

[maniackcrudelis]

Update on that issue, still relevant.

I've tried to purge all Refresh Tokens I had, without any success.
Also tried to add trusted_networks: - 192.168.1.48 and trusted_proxies: - 192.168.1.48 but nothing solved the issue.
No problem have arisen from Chromium, the issue only exist with Firefox.

I have no idea what really cause the issue, since it was perfectly working until the upgrade.

[maniackcrudelis]

After an upgrade to 2023.3.6, the issue is still there.

I've seen a lot of reports on the forum about the same issue, would be really appreciated if someone can have a look at it.

[vicfalls]

I do have the same issue:

Home Assistant 2023.4.2
Supervisor 2023.04.0
Operating System 9.5
Frontend 20230406.1 - latest

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/home-assistant/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: 11:31:20 (135 occurrences)
Last logged: 12:08:16

Login attempt or request with invalid authentication from x.x.x.x (x.x.x.x). Requested URL: '/auth/token'. (Home Assistant/2023.2.1 (io.robbie.HomeAssistant; build:2023.452; macOS(Catalyst) 13.2.1) Alamofire/5.6.2)
Login attempt or request with invalid authentication from 192.168.1.197 (192.168.1.197). Requested URL: '/api/websocket'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2023.2.1 (io.robbie.HomeAssistant; build:2023.452; macOS 13.2.1) Mobile/HomeAssistant, like Safari)

Does anyone knows what I can do?

Thanks Vic

[blackwood821]

I'm experiencing the same issue when attempting to link the home assistant alexa skill from the alexa app. I can log in using my public home assistant URL in the browser with the exact same credentials without issue.

[tomg1970]

I do have the same issue:

Home Assistant 2023.4.2

Supervisor 2023.04.0

Operating System 9.5

Frontend 20230406.1 - latest

Logger: homeassistant.components.http.ban

Source: components/http/ban.py:80

Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/home-assistant/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))

First occurred: 11:31:20 (135 occurrences)

Last logged: 12:08:16

Login attempt or request with invalid authentication from x.x.x.x (x.x.x.x). Requested URL: '/auth/token'. (Home Assistant/2023.2.1 (io.robbie.HomeAssistant; build:2023.452; macOS(Catalyst) 13.2.1) Alamofire/5.6.2)

Login attempt or request with invalid authentication from 192.168.1.197 (192.168.1.197). Requested URL: '/api/websocket'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2023.2.1 (io.robbie.HomeAssistant; build:2023.452; macOS 13.2.1) Mobile/HomeAssistant, like Safari)

Does anyone knows what I can do?

Thanks Vic

same error

[Ufinexa]

Had the same issue after attempting to call for my lights using my stream deck today, I am assuming a new update has broken something?

[fabulouss56]

Hi, I have the same issue 20230503.3 : 2023.5.4

i don't have any file named : ip_bans in my config folder.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 01:34:33 (12 occurrences)
Last logged: 01:54:32

Login attempt or request with invalid authentication from 192.168.1.254 (192.168.1.254). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36)
Login attempt or request with invalid authentication from 192.168.1.254 (192.168.1.254). Requested URL: '/auth/login_flow/a3e1420b9bec3970a4dd1aa58f35ab16'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36)

Some news on it ?

[maniackcrudelis]

Currently on 2023.5.4, the error is still there.
It doesn't seems to have been any fix on this issue...

[MikOsle]

I have the same error. I cannot access from LAN, only from WAN. And not ip_ban:yaml file is generated. It seems like all local IPs are banned.

[kaylamillerdev]

Currently have this issue on 2023.7.1 :(

[Haeusele]

I have the same problem while trying to authorize the alexa skill. Login in the browser works well.
2023-07-09 21:49:35.304 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from dynamic-xxx-114-093-083.46.114.pool.telefonica.de (46.114.93.xx). Requested URL: '/auth/login_flow/7a7251da7304e66f2b3eed5033afb2xx'. (Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/115.0 Firefox/115.0)

[yersoncontacto]

Same error here :( [homeassistant.components.http.ban] Login attempt or request with invalid authentication from customer.sntochl1.pop.starlinkisp.net Requested URL: '/auth/token'. (Home Assistant/2023.4 (io.robbie.HomeAssistant; build:2023.460; iOS 16.5.1) Alamofire/5.6.4)

[edwin19861218]

same error in 20230705.1:
2023-07-11 22:02:55.744 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from edwinsmacmini (10.0.0.5). Requested URL: '/auth/login_flow/966547c93ddf3d00bd6e7306ab5d8a9b'. (Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1)

[blackwood821]

In case this helps anyone else, my issue was that I was using a password manager (LastPass) when linking the skill in the Alexa app and even though it filled in the username and password on the home assistant login form, it must not have been triggering a changed event because it was not submitting any credentials. As soon as I focused on the password field, added a space and deleted a space and resubmitted the form, it worked.