Android: Save HTTP Basic Auth Credentials

Created on 23 Mar 2020 · 10Comments · Source: home-assistant/android

Is your feature request related to a problem? Please describe.
I am using HTTP basic auth on my reverse proxy and although the client prompts for credentials and can log in it doesn't save the credentials so they need to be entered each time I open the app.

Describe the solution you'd like
The client to automatically log in using saved username/password so that device tracking and notifications will work and I don't need to enter them every time.

Describe alternatives you've considered, if any
Removing HTTP basic auth from my reverse proxy setup; Not willing to do this for security reasons.

Additional context
Add any other context or screenshots about the feature request here.

enhancement

Source

Loki321

👍4

Most helpful comment

Is it really too complicated? Why can't I just add the username and password to the the Home Assistant URL like I can with every thing else? the app supports basic auth.

Entering https://httpuser:[email protected] as the Home Assistant URL should really work but it seems the app tries to sanitize the URL by stripping it out.

Loki321 on 23 Mar 2020

👍5

All 10 comments

This is out of scope for the Android app. Too complicated to add and it solves a very special use case.

balloob on 23 Mar 2020

👎3

Is it really too complicated? Why can't I just add the username and password to the the Home Assistant URL like I can with every thing else? the app supports basic auth.

Entering https://httpuser:[email protected] as the Home Assistant URL should really work but it seems the app tries to sanitize the URL by stripping it out.

Loki321 on 23 Mar 2020

👍5

Just came here to post the same issue. Agreed that there's no need to implement BasicAuth and memorising the credentials. Just allowing user:pass@ in the URL field would be enough for my use case.

ptersilie on 25 Sep 2020

Can just confirm this behaviour. Any browser can do basic auth, but the HA app can't. Would be really nice to have this feature.

bas89 on 7 Nov 2020

Same here. The app keeps requesting username and password with a popup dialog and even if I press "Remember" the dialog appears again.

carpikes on 22 Nov 2020

I can just agree that this should be supported for much-improved security. It'd be very effective protection against potential bugs in the HA authentication system. Here's the feature request for the iOS app: https://github.com/home-assistant/iOS/issues/193. Afaik, the only reason it's not implemented in the iOS app yet is because iOS doesn't seem to support basic auth for websockets. What's the problem implementing this in the Android app?

gucki on 3 Dec 2020

👍1

In the meantime I'm using a workaround thay may be useful to you:
it consists in: (1) Not using the app, (2) Using Firefox, (3) Setting nginx in this way:
if the Cookie FooBar does not exists, nginx requires a basic auth and once passes, it stores the cookie FooBar in the browser.
if the Cookie FooBar exists, it does not require basic auth, updates the cookie and forwards the connection to home assistant.
in this way both / and /api work perfectly with a basic auth.

carpikes on 3 Dec 2020

👍1

@carpikes Thanks, sounds interesting.Would you mind sharing your nginx config?

Edit: found a config here https://stackoverflow.com/questions/10718895/very-simple-authentication-using-one-time-cookie-on-nginx

gucki on 14 Dec 2020

@gucki like that one, exactly.
another advantage of this approach is that your home-assistant instance will never be logged into services like shodan.io, which is a good thing: if someone finds a zero day on the authentication, he can hack all instances found online in some previous scans.

my config is like:

map $cookie_foobar $hass_authmsg {                                            
  "RandomString"    "off";                                     
  default           "Restricted access";                                               
} 

server {
    [...]

    location / {
        auth_basic $hass_authmsg;
        auth_basic_user_file /etc/nginx/my_htpasswd;
        proxy_set_header Authorization "";
        add_header Set-Cookie "foobar=RandomString;max-age=3153600000;path=/"; 

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://10.0.1.2:8123;
    } 

    location /api/ {
        auth_basic $hass_authmsg;
        auth_basic_user_file /etc/nginx/my_htpasswd;
        add_header Set-Cookie "foobar=RandomString;max-age=3153600000;path=/"; 

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://10.0.1.2:8123;
    }

    location /grafana/ {
        auth_basic $hass_authmsg;
        auth_basic_user_file /etc/nginx/my_htpasswd;
        add_header Set-Cookie "foobar=RandomString;max-age=3153600000;path=/"; 
        proxy_set_header Authorization ""; # needed by grafana

        rewrite ^/grafana/(.*)$ /$1 break;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://10.0.1.2:3000;
    }                       

}

carpikes on 17 Dec 2020

In the meantime I'm using a workaround thay may be useful to you:
it consists in: (1) Not using the app, (2) Using Firefox, (3) Setting nginx in this way:
if the Cookie FooBar does not exists, nginx requires a basic auth and once passes, it stores the cookie FooBar in the browser.
if the Cookie FooBar exists, it does not require basic auth, updates the cookie and forwards the connection to home assistant.
in this way both / and /api work perfectly with a basic auth.

It works! The app uses Android's main WebView, right? Doesen't it store cookies too?