deCONZ: failed logins registered when only surfing Phoscon part in ingress

harnik · May 26, 2024, 8:02am

Hi,

Yesterday I noticed that I can no longer log into Phoscon via the home assistant deCONZ addon. I get “Login failed” error.
I only get this error if I use my domain to access the home assistant through the cloudflare tunnel.
If I access home assistant locally, this problem does not exist.

I found this via google search:

github.com/home-assistant/addons

deCONZ: failed logins registered when only surfing Phoscon part in ingress (no need to provide password)

opened 04:07PM - 10 May 24 UTC

bcutter

### Describe the issue you are experiencing Only surfing `/core_deconz/ingres…s` and selecting "Phoscon" ("deCONZ" works just fine) creates failed logins for the client. When using HTTP security (ban module on frequent failed logins) this immediately leads to a blocked client in `ip_bans.yaml` which hurts quite a bit (need to clean the file and restart HA Core): ``` xxx.xxx.xxx.xxx: banned_at: '2024-05-10T15:38:43.146448+00:00' ``` I can reproduce this issue with different clients (Win 11 in Firefox, iOS with HA Companion app, doesn't really matter). It is sufficient to only load the Phoscon part, no need to enter any password at all. Some automatic API request seem to fail. Assumption: As probably most users don't use HTTP security this issue has not been discovered so far. ### What type of installation are you running? Home Assistant OS ### Which operating system are you running on? Home Assistant Operating System ### Which add-on are you reporting an issue with? deCONZ ### What is the version of the add-on? 6.23.0 ### Steps to reproduce the issue 1. Load deCONZ in ingress (`/core_deconz/ingress`) 2. Select "Phoscon" 3. Wait and see the failed logins ### System Health information ## System Information version | core-2023.4.6 -- | -- installation_type | Home Assistant OS dev | false hassio | true docker | true user | root virtualenv | false python_version | 3.10.10 os_name | Linux os_version | 6.1.73-haos-raspi arch | aarch64 timezone | Europe/Berlin config_dir | /config <details><summary>Home Assistant Community Store</summary> GitHub API | ok -- | -- GitHub Content | ok GitHub Web | ok GitHub API Calls Remaining | 5000 Installed Version | 1.32.1 Stage | running Available Repositories | 1478 Downloaded Repositories | 85 HACS Data | ok </details> <details><summary>Home Assistant Cloud</summary> logged_in | false -- | -- can_reach_cert_server | ok can_reach_cloud_auth | ok can_reach_cloud | ok </details> <details><summary>Home Assistant Supervisor</summary> host_os | Home Assistant OS 12.2 -- | -- update_channel | stable supervisor_version | supervisor-2024.05.1 agent_version | 1.6.0 docker_version | 25.0.5 healthy | true supported | true board | rpi4-64 supervisor_api | ok version_api | ok </details> ### Anything in the Supervisor logs that might be useful for us? ```txt No, nothing specially related to deCONZ. But see HA logs below. I see one entry which might be related to "a0d7b954_vscode" used at the same time and having some more log entries before (please check with port and URL if this is deCONZ or VS Code related): 2024-05-10 17:38:26.680 ERROR (MainThread) [supervisor.api.ingress] Stream error with http://172.30.33.2:8099/pwa/language/de/index-de.json: Cannot write to closing transport ``` ### Anything in the add-on logs that might be useful for us? ```txt Unfortunately I could not grab addon logs, as the productive log data was too much so the ones from around the last incident was not visible anymore. Anyway, this is what is logged in HA log: 2024-05-10 17:38:27.691 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from client-name.local (xxx.xxx.xxx.xxx). Requested URL: '/api/config?_=1715355507074'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0) 2024-05-10 17:38:32.428 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from client-name.local (xxx.xxx.xxx.xxx). Requested URL: '/api/config?_=1715355507075'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0) 2024-05-10 17:38:38.146 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from client-name.local (xxx.xxx.xxx.xxx). Requested URL: '/api/config?_=1715355507076'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0) 2024-05-10 17:38:42.462 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from client-name.local (xxx.xxx.xxx.xxx). Requested URL: '/api/config?_=1715355507077'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0) 2024-05-10 17:38:43.126 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from client-name.local (xxx.xxx.xxx.xxx). Requested URL: '/api/config?_=1715355507078'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0) 2024-05-10 17:38:43.129 WARNING (MainThread) [homeassistant.components.http.ban] Banned IP xxx.xxx.xxx.xxx for too many login attempts ``` ### Additional information Possibly related to the Phoscon bug introduced with addon version 6.21.0 (https://github.com/home-assistant/addons/pull/3226#issuecomment-1737293462), being reverted in 6.22.0 and "somehow" fixed (worked around?) in 6.23.0. During that adventure the Phoscon page was in the spotlight of issues already. Maybe this issue is a leftover or a side effect of the fix. ![grafik](https://github.com/home-assistant/addons/assets/13799156/3eb181d1-bf67-4fa7-be36-cf07803fb34b)

I had no problems with this before. Is this happening to anyone else?

harnik · May 26, 2024, 5:29pm

What is a this sign for?

If I open home assistant locally:
https://i.imgur.com/6nAUhEI.png

If I open home assistant from my external domain:
https://i.imgur.com/YzUCgeN.png