Login attempt or request with invalid authentication

[bombaata]

The problem

My router's IP (192.168.1.253 here) is sometimes banned. Using the official Android app on my smartphone.

I think it happens when I arrive home and my phone connects to my wifi network, and the server URL in the app is different in the app config if I'm home.

My ip_bans.yaml also gets filled with many duplicates, as I can see on anoter bug report here.

Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: August 14, 2023 at 10:52:02 AM (202 occurrences)
Last logged: 10:52:41 AM

Login attempt or request with invalid authentication from pop.92-184-100-xx.mobile.abo.orange.fr (92.184.100.xx). Requested URL: '/api/websocket'. (Home Assistant/2023.7.5-10506 (Android 13; SM-G991B))
Banned IP 92.184.100.xx for too many login attempts
Login attempt or request with invalid authentication from 192.168.1.253 (192.168.1.253). Requested URL: '/api/websocket'. (Home Assistant/2023.7.5-10506 (Android 13; SM-G991B))
Banned IP 192.168.1.253 for too many login attempts

What version of Home Assistant Core has the issue?

core-2023.8.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

http

Link to integration documentation on our website

https://www.home-assistant.io/integrations/http

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

[home-assistant]

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

• @home-assistant close Closes the issue.
• @home-assistant rename Awesome new title Renames the issue.
• @home-assistant reopen Reopen the issue.
• @home-assistant unassign http Removes the current integration label and assignees on the issue, add the integration domain after the command.

_{^{(message by CodeOwnersMention)}}

---

http documentation
http source
_{^{(message by IssueLinks)}}

[snowmangh]

I have a similar issue here. I can log to Home Assistant from any of my Mac computers except one.

HA Core version: 2023.8.1 running in a Docker container on a Synology NAS.

This is the error I am getting and the "ip_bans.yaml"' file is empty.

Login attempt or request with invalid authentication from 172.17.0.1 (172.17.0.1). Requested URL: '/auth/login_flow/7f14743d13e199d3372abf9ac74fbb63'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15)
Login attempt or request with invalid authentication from 172.17.0.1 (172.17.0.1). Requested URL: '/auth/login_flow/452ec79f148be3ec0cca6781cbb0071a'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15)

[Tobi9111]

Hi,
here the same issue.
I think the error occours when i entry or leave home and is dependend from a bad WLAN signal strength in that moment when the App want access the ha-instance. I have that issue with Android 9 and 13 devices. Furthermore i think the issue exist since a long time.
Today i am on:
Home Assistant 2023.8.4
Supervisor 2023.08.3
Operating System 10.5
installed as VM on proxmox.

Logger: homeassistant.components.http.banhomeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 18:29:08 (5 occurrences)
Last logged: 18:29:57

Login attempt or request with invalid authentication from xxxxxxxxxxxx

Best regards
Tobi

[akshay7394]

Same problem here, also being triggered by devices on Android 13 - not seeing it occur from any other devices so far.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 11:32:52 AM (14 occurrences)
Last logged: 11:44:57 AM

• Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2023.8.2-10992 (Android 13; Pixel 6a))
• Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 13; Pixel 6a Build/TQ3A.230805.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 Home Assistant/2023.8.2-10992 (Android 13; Pixel 6a))

[ademalidurmus]

I got same error and resolve with the following configurations.

1. I'm using nginx-proxy-manager for the container api routing. Here is my advanced configuration for this tool.

   location / {
           proxy_pass              http://10.0.0.5:8123;
           proxy_set_header        Host            $host;
           proxy_redirect          http://         https://;
           proxy_set_header        Authorization   $http_authorization;
           proxy_pass_header       Authorization;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection “upgrade”;
    }
   

   

2. Here is my configuration.yml

   http:
     cors_allowed_origins:
       - https://public.domain.tld # my public domain
     use_x_forwarded_for: true
     trusted_proxies:
       - 10.0.0.3 # nginx proxy manager internal IP adress
   

3. Setting -> System -> Network settings

   

I hope it will help to you.

[ivanovd]

I have the same issue. Here is the config and the error:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.19.8.4    

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/core/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: 16:09:46 (5 occurrences)
Last logged: 16:14:43

Login attempt or request with invalid authentication from 10.19.8.1 (10.19.8.1). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188)
Login attempt or request with invalid authentication from 10.19.8.1 (10.19.8.1). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36)

[ademalidurmus]

What is the 10.19.8.1? Is it your gateway or proxy IP address? If yes I thing it could be added to the trusted_proxies.

[ivanovd]

@ademalidurmus it is my IP address, the one that I am trying to access HA from.

[Tobi9111]

I think i have solved the Error for me:
Since i have set Up the Feature for permanent Link to my HA Server in the Android App (Android 13 device), there ist no error anymore in notification and Log. Hope that Help for you, too.
Best regards
Tobi

[ademalidurmus]

@ademalidurmus it is my IP address, the one that I am trying to access HA from.

@ivanovd can you try to add your IP address to the trusted_proxies? After configuration update pls restart HA.

[Tobi9111]

@ademalidurmus it is my IP address, the one that I am trying to access HA from.

@ivanovd can you try to add your IP address to the trusted_proxies? After configuration update pls restart HA.

I think it could only help for the moment, until the device get a new puplic-IP from provider/ap. Or i'm wrong?
Best regards
Tobi

[ademalidurmus]

I think it could only help for the moment, until the device get a new puplic-IP from provider/ap. Or i'm wrong?

Yes, you are right, but this is an internal IP address, and if it can be configured manually instead of using DHCP, it will resolve. Let's wait for @ivanovd's response to understand if it will resolve the problem temporarily or permanently.

[ivanovd]

@Tobi9111 @ademalidurmus , it is an internal IP (10.19.8.1). I have added it to the trusted proxies list:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.19.8.4
    - 10.19.8.1

However, I am still getting the same error:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 15:16:28 (6 occurrences)
Last logged: 15:19:08

Login attempt or request with invalid authentication from 10.19.8.1 (10.19.8.1). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188)

I have also installed and set up nginx proxy manager and added the host there with the following parameters:

Still no go ...

[ademalidurmus]

@ivanovd

1. Did you configure the following stuff from the Advanced settings?

location / {
        proxy_pass              http://10.19.9.116:8123;
        proxy_set_header        Host            $host;
        proxy_redirect          http://         https://;
        proxy_set_header        Authorization   $http_authorization;
        proxy_pass_header       Authorization;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection “upgrade”;
 }

2. Please check your configuration.yml file contains the following configs.

http:
  cors_allowed_origins:
    - https://wc.dreamix.eu
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.19.8.4
    - 10.19.8.1

3. Please check the "Setting -> System -> Network settings" configuration for the local and remote connection.
4. Please check "Settings > Companion app > Serves and Devices > Connection Informations"
   With this menu, you can configure your Home Assistant URLs for intranet and internet. You need to select Wi-Fi SSIDs for your local connection to decide whether you are connecting from your home internet (intranet) or cellular internet.

[ivanovd]

@ademalidurmus yes, however, since it is an internal test instance, it will not be accessible from outside of the local network, therefore, I didn't force https and won't be forcing it. Here are all the settings that I have set and tried so far:

proxy_redirect http:// https://; was removed

4. I haven't accessed the instance from the mobile app yet and don't have it set up

I am still getting the same error:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 15:43:46 (5 occurrences)
Last logged: 15:49:50

Login attempt or request with invalid authentication from 10.19.7.5 (10.19.7.5). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.69)

[ademalidurmus]

First of all, I'm trying to understand. If you are testing with your local environment and your mobile phone is already connected to your local network, why you are trying to connect over nginxproxy? (maybe your subnet is different, you want to isolate your network from the HA, it's possible, anyway)

Could you please change this configuration to like same as below?

After that, you should configure your mobile app with your HA address like this http://10.19.9.116:8123 for the local connections. If you are already connected to your home wifi you can try to use http://10.19.9.116:8123 instead of FQDN.

[uros76]

I have similar issue with small screen panels logging into HA over wallpanel app. When I manually login (with login saved ticked) it works. But each time after rebooting the panels system (android) I need to login to HA again. The webview component and wallpanel app are updated.
Not sure what else I can do to have login details saved. Any ideas?

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/core/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: October 1, 2023 at 05:55:01 (4 occurrences)
Last logged: 06:54:01

Login attempt or request with invalid authentication from 192.168.1.211 (192.168.1.211). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 8.1.0; px30_evb Build/OPM8.190605.003; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36)
Login attempt or request with invalid authentication from 192.168.1.182 (192.168.1.182). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 8.1.0; px30_evb Build/OPM8.190605.003; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36)

[denisivanovdreamix]

@ademalidurmus I am trying to access the instance via URL in the internal network, and there is a record added to the local DNS server that redirects wc.dreamix.eu to 10.19.9.116, however that still doesn't work.

[ademalidurmus]

@denisivanovdreamix as I understand from your previous comments; the 10.19.9.116 is your HA host IP address. If you added a record to your local DNS server for redirecting wc.dreamix.eu to 10.19.9.116 it means when you access the wc.dreamix.eu will try to access the HA IP address. Bur the HA serving web UI from the 8123 port. So If you want to access with the domain name you should add a record for wc.dreamix.eu to your local proxy IP (your proxy will handle your request and will open your HA), or you can access wc.dreamix.eu:8123 from your local network.

BTW, I can access your HA.

[NN-Andrey]

Hi,
I'm a new home assistant user and I faced same issue as uros76 posted recenty. In my case issue was http.ban error saying '/api/websocket/' invalid authentication on every single login. I used my web browser and HA in my local network (kvm virtual machine with forwarded port 8123). So I figured out for me it was caused by Adblock browser plugin. Looks like it blocked some HA scripts for some reason and caused this behavior. As soon as I turned Adblock off for HA page - all started working just fine. If you are using ad blocking in your network (dns based or browser plugin or some sort of general firewall/software) - try to whitelist HA. Hope this helps.

[etiverni]

Same issue here, but not using a reverse proxy. I unchecked "Can only log in from the local network" in HA Settings-People, logged out from HA local server and HA cloud, logged in again and re-entered the connection info in Settings - Companion App - Server (HA cloud URL, Wifi SSID and HA internal URL). Perhaps the "Can only log in from the local network" setting in HA Settings-People prevented access after switching from WLAN to mobile network and would then also cause the access token related warnings in the HA log. Not sure if this assumption is correct, but it appears to work for the time being.

[guy0nabuffalo]

I'm also seeing this error. Not sure exactly when it started or why. My phone (where the error is coming from) only has the nabu casa URL configured in it.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129
Integration: HTTP (documentation, issues)
First occurred: 6:13:07 AM (1 occurrences)
Last logged: 6:13:07 AM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2023.10.2-11484 (Android 14; SM-S918U))

[sergeantbort]

I just started having this issues when I signed up for nabu casa and started using the nabu casa link to access from android devices... very odd. It seems to only be 1 of my android device's doing it, I have removed / reinstalled and all and no fix, goes away mostly when that one device is offline (it does still occasionally happen on the other devices but not as consistently).

I have to keep removing 127.0.0.1 from my ip ban list because it get's blocked.. with that device on it happens multiple times a day, with it off about once a week. Which then prevents access via nabu casa.

[adenoz]

I seem to be having the same issue.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/home-assistant/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: 7:40:43 PM (6 occurrences)
Last logged: 7:45:23 PM

Login attempt or request with invalid authentication from pfsense.MYDOMAIN.com (192.168.1.2). Requested URL: '/auth/login_flow/75550043510a4bb4a9ede8fcee143a83'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0)

I've been having this issue from firefox on MacOS. I changed to Safari and it was letting me log on. But just now I was kicked out of my Safari session as soon as it logged me in successfully. So I tried Chrome and it let me in. I only access HA from inside my local network.

I use pfSense as my firewall and have full domain certificates for all my services including HA. There are no issues with any certificates and all of my other services work fine including nextcloud, unifi controller etc. I have HA running in Proxmox, which also has a valid certificate. I do use uMatrix on firefox but not on Safari so that is not the issue. I do use pfBlocker on pfSense however looking through the logs there is nothing related to HA.

I have not had any issues with the mobile app, so far. I am using iOS.

I tried deleting the access tokens in case that was causing the issue but still no joy.

So this issue is not limited to some mobile implementation. This issue seems to be due to the http.ban component in some way. Happy to provide more info if it would be helpful.

[bh56]

I am also receiving this with the cao-tag-manager/wirelesstag integration.
Any further insight would be appreciated. It appears to be working, but I keep getting this warning.
Configuration does not mention anything about using ip_ban_enabled or other setting.
Appreciate any further insight anyone might have.

Log warning below:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129
Integration: HTTP (documentation, issues)
First occurred: 1:20:55 PM (15 occurrences)
Last logged: 1:33:50 PM

Login attempt or request with invalid authentication from cao-tag-manager (192.168.8.36). Requested URL: '/api/events/wirelesstag_update_tags'. (None)

[aletzi1]

I also have this issue every day. Any idea what will cause it? Passwords are okay, i can log in with both phones, i have reinstalled apps.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129
Integration: HTTP (documentation, issues)
First occurred: 27. tammikuuta 2024 klo 21.52.36 (2 occurrences)
Last logged: 07.17.59

Login attempt or request with invalid authentication from 192.168.100.100 (192.168.100.100). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 14; CPH2415 Build/UKQ1.230924.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.6099.230 Mobile Safari/537.36 Home Assistant/2023.12.4-11898 (Android 14; CPH2415))

Login attempt or request with invalid authentication from 192.168.100.101 (192.168.100.101). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 13; KB2003 Build/RKQ1.211119.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.6099.231 Mobile Safari/537.36 Home Assistant/2023.12.4-11898 (Android 13; KB2003))

[akshay7394]

I just realised - In my case, it was the host device itself (unless I've misunderstood the error). What could cause the localhost itself to trigger this error? In the details it mentions another Android device too but that's why I'm confused about it. I can access it just fine though, from all my devices.

Same problem here, also being triggered by devices on Android 13 - not seeing it occur from any other devices so far.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 11:32:52 AM (14 occurrences)
Last logged: 11:44:57 AM

• Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2023.8.2-10992 (Android 13; Pixel 6a))
• Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 13; Pixel 6a Build/TQ3A.230805.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 Home Assistant/2023.8.2-10992 (Android 13; Pixel 6a))

[guystreeter]

This just start happening to me recently, with the companion apps both on Android and IOs. I removed the app from my Android phone and deleted its entry in the Mobile App integration and it connected properly. Now, with no other changes, it is failing again.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129
Integration: HTTP (documentation, issues)
First occurred: 2:18:06 PM (4 occurrences)
Last logged: 2:24:32 PM

Login attempt or request with invalid authentication from 10.0.0.23 (10.0.0.23). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 14; Pixel 7 Build/UQ1A.240105.004; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.6099.230 Mobile Safari/537.36 Home Assistant/2024.1.5-12102 (Android 14; Pixel 7))

I do not have any banning set up.

[DAVIZINH0]

I got same error and resolve with the following configurations.

1. I'm using nginx-proxy-manager for the container api routing. Here is my advanced configuration for this tool.

   location / {
           proxy_pass              http://10.0.0.5:8123;
           proxy_set_header        Host            $host;
           proxy_redirect          http://         https://;
           proxy_set_header        Authorization   $http_authorization;
           proxy_pass_header       Authorization;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection “upgrade”;
    }
   

   

2. Here is my configuration.yml

   http:
     cors_allowed_origins:
       - https://public.domain.tld # my public domain
     use_x_forwarded_for: true
     trusted_proxies:
       - 10.0.0.3 # nginx proxy manager internal IP adress
   

3. Setting -> System -> Network settings
   

I hope it will help to you.

Hello.
I use this and the problems with the logs are solved.
But apears other problem.
I use HAOS with the nginx in addon, and other addons like studio code server, zigbee2mqtt, and other.
I iuse your configuration in nginx and with the cors line in confing.
I cant see the web inferface of this addons. not apears by the domain, but apears by the local ip of the HAOS.

can i modify some to works?

[a7hybnj2]

I got same error and resolve with the following configurations.

1. I'm using nginx-proxy-manager for the container api routing. Here is my advanced configuration for this tool.

   location / {
           proxy_pass              http://10.0.0.5:8123;
           proxy_set_header        Host            $host;
           proxy_redirect          http://         https://;
           proxy_set_header        Authorization   $http_authorization;
           proxy_pass_header       Authorization;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection “upgrade”;
    }
   

   

2. Here is my configuration.yml

   http:
     cors_allowed_origins:
       - https://public.domain.tld # my public domain
     use_x_forwarded_for: true
     trusted_proxies:
       - 10.0.0.3 # nginx proxy manager internal IP adress
   

3. Setting -> System -> Network settings
   

I hope it will help to you.

Hello. I use this and the problems with the logs are solved. But apears other problem. I use HAOS with the nginx in addon, and other addons like studio code server, zigbee2mqtt, and other. I iuse your configuration in nginx and with the cors line in confing. I cant see the web inferface of this addons. not apears by the domain, but apears by the local ip of the HAOS.

can i modify some to works?

Same for me. Haven't figured it out yet.

[guystreeter]

I am not using any proxy, and I do not have any kind of banning set up. The problem is happening me only with the android companion app when connected to my own WIFI.

[aletzi1]

I am not using any proxy, and I do not have any kind of banning set up. The problem is happening me only with the android companion app when connected to my own WIFI.

Same setup as i have, with Android companion app.

[a7hybnj2]

@DAVIZINH0 I found this article which talks specifically about it and includes some nginx config info but I don't know how to implement it:

https://smarthomeaddict.co.uk/2022/10/home-assistant-remote-access-using-nginx/

location /api {
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host:8126;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass <http://homeassistant.local.hass.io:8123/api>;
}

[a7hybnj2]

OKAY here it is! This fixes the login and the add-ons. This is the entirety of the advanced tab in the proxy. I also have the trusted proxies set and the url set in HA.

client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header User-Agent $http_user_agent;

I have no idea what it does but it works for me. Thanks vague@#homeassistant(irc).

[brentfamily51]

I am not using any proxy, and I do not have any kind of banning set up. The problem is happening me only with the android companion app when connected to my own WIFI.

Same setup as i have, with Android companion app.

Same no proxy, I do use nabu casa, and it did only start when I started using that, so if you guys are running nabu casa as well maybe it is related to a proxy issue in the core, although we are not using proxy specifically, nabu casa is likely running proxy to work properly in the back end.

[akshay7394]

Same no proxy, I do use nabu casa, and it did only start when I started using that, so if you guys are running nabu casa as well maybe it is related to a proxy issue in the core, although we are not using proxy specifically, nabu casa is likely running proxy to work properly in the back end.

Yeah, same here, using the nabu casa subscription. It seems to have reduced of late, but it still happens occasionally.

[matwho]

I seem to be having similar problems with just one iPhone all other work ok. I get this error many times "Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2024.4 (io.robbie.HomeAssistant; build:2024.612; iOS 17.3.1) Alamofire/5.8.0)"

I then have to re add server to iOS app and log in again.

Any suggestions I have "ip_ban_enabled: false", I don't have "Can only log in from the local network" set and I have checked everything to do with network.

It seems to happen when the iPhone moves away from the local wi-fi and then returns to it.

Thanks

[bkbartk]

same issue here

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:138
integration: HTTP (documentation, issues)
First occurred: 16:16:25 (1 occurrences)
Last logged: 16:16:25

Login attempt or request with invalid authentication from pi.hole (192.168.180.10). Requested URL: '/api/websocket'. (Mozilla/5.0 (Linux; Android 13; SM-G780F Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.120 Mobile Safari/537.36 Home Assistant/2024.4.1-12576 (Android 13; SM-G780F))

but only for android devices, I installed wireguard vpn on my pi hole
So I think this happens when turning on/off wireguard on the phone

[dhoeben]

Same issue for me, I get the following error:
[homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36)

using Home Assistant Cloud subscription and Home Assistant (2024.5.4) on a Docker on Synology NAS.

configuration.yaml:

http:
  ip_ban_enabled: false
  login_attempts_threshold: 10

Edit: I use MFA using Telegram

[ausfas]

Are these the same issue
#114575 (comment)

[Pedroka90]

Yesterday my cell phone started with this problem, it doesn't access private pages, VPNs or anything. I use an updated iPhone 13 iOS and updated HA. My wife's cell phone also accesses an iPhone normally! Only my cell phone has this error. I use nabucasa.

Registrador: homeassistant.components.http.ban
Fonte: components/http/ban.py:135
integração: HTTP (documentação, problemas)
Ocorreu pela primeira vez: 16:19:43 (1987 ocorrências)
Último registro: 16:22:24

Login attempt or request with invalid authentication from 192.168.0.241 (192.168.0.241). Requested URL: '/api/websocket'. (Home Assistant/2024.9 (io.robbie.HomeAssistant; build:2024; iOS 16.7.2))
Login attempt or request with invalid authentication from 192.168.0.241 (192.168.0.241). Requested URL: '/api/mobile_app/registrations'. (Home Assistant/2024.9 (io.robbie.HomeAssistant; build:2024; iOS 16.7.2))
Login attempt or request with invalid authentication from 192.168.0.241 (192.168.0.241). Requested URL: '/auth/token'. (Home Assistant/2024.9 (io.robbie.HomeAssistant; build:2024; iOS 16.7.2) Alamofire/5.8.0)
Login attempt or request with invalid authentication from 192.168.0.241 (192.168.0.241). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2024.9 (io.robbie.HomeAssistant.PushProvider; build:2024; iOS 16.7.2) Alamofire/5.8.0)
Login attempt or request with invalid authentication from DellG15-PedroJr (192.168.0.87). Requested URL: '/api/websocket'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0) 

[JAGS77]

Same for me with iPhone15. I run Hassio in a MiniPC (exclusively for it). I can access from my wifi at anytime but I am sometimes banned from NabuCasa App (127.0.0.1):

• I stopped Ngynx but still banned.
• I tried to add trusted_proxies to http: in configuration.yaml but it causes an error that makes hassio runs in secure mode.

I have installed an VPN (Tailscale) on a Raspberry pi4 to access from outside and delete the ip_bans.yaml file when 127.0.0.1 is banned. I pay the NabuCasa subscription to support the project but it has no sense to have my own VPN and continue paying NabuCasa.
Any suggestions?

[Pedroka90]

My problem was solved with the iOS updates (my phone was enabled for beta versions and was not updating the new iOS versions).

Homeassistant also updated.

I am also a nabucasa subscriber and my HA is installed directly on a Dell optiplex i5 12th, 8gb ram, 250gb ssd computer.

[barrycraig]

I'm seeing the exact same problem. Only happening on one device, a Pixel 9. Have been successfully logging in without issue for months then suddenly start getting auth errors and IP bans without changing a single setting.

[Tan-tan-san]

Im seeing the same problem with an iphone 15 pro max with a pi running a dedicated HAOS instance. Trying to do a simple proxy through kubernets nginx controller and it just keeps spewing the /auth/token above. I've tried adding extra websocket settings in the proxy with the same error message despite logging in properly. Seems to ONLY be an issue if its going through the proxy. If I use the IP+port in a browser instead of the app, it logs in just fine. Same on a desktop.

[MrBolts]

I dont know if this helps someone but i had the same issue and i found that i needed to enable websocket support in Nginx for the HomeAssistant proxy host i set up.

https://medium.com/@life-is-short-so-enjoy-it/homeassistant-reverse-proxy-with-nginx-two-issues-i-faced-c7772ad0446c

[jtauscher]

I have the same problem connecting via IPv6 without any VPN. Sometimes I need to de-/activate Wifi on my phone and after that I'm able the reconnect to HA without an issue again.

"Login attempt or request with invalid authentication from Android.fritz.box (2a02:8070:8a83:xxxx:94c5:cb78:xxx:xxxx). See the log for details."

[amalafrozalam]

Sharing my experience as well. I am running HA on a Proxmox server. Used to have a different instance with Nabu Casa that had the domain home.mydomain.com. Now that I switched HA instances, I thought I'd use the same domain, and I get this log:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP (documentation, issues)
First occurred: November 25, 2024 at 8:55:47 PM (91939 occurrences)
Last logged: 12:02:46 AM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/6.7.1 Chrome/118.0.5993.220 Safari/537.36)

When I use a different URL, like house.mydomain.com, it seems to go way though. I have an Android phone fwiw, but I think the issue might be more on the HA side of things.

EDIT: I should also mention that when I remove my custom domain home.mydomain the log goes away. I still have remote access via Nabu Casa, but not with my domain.
If I then setup a new domain with house.mydomain or something else, works with no logs.

[DarthSonic]

There is an ongoing discussion about that issue here: #114575

[jtauscher]

There is an ongoing discussion about that issue here: #114575

Its not the same thing. Im not working with cloud/vpn/whatever.

[DarthSonic]

There is an ongoing discussion about that issue here: #114575

Its not the same thing. Im not working with cloud/vpn/whatever.

Well, it is if you follow the discussion. It does not depend on cloud, VPN, tunnel or similar. The common denominator is that the error occurs with mobile/remote connections. It does not depend on the way in which they are set up.

[amalafrozalam]

There is an ongoing discussion about that issue here: #114575

Ah got it, thanks!