Home Assistant release with the issue:
0.84.6
Last working Home Assistant release (if known):
N/A
Operating environment (Hass.io/Docker/Windows/etc.):
Official Docker Image, Ubuntu 18.04 LTS.
Component/platform:
auth component
Description of problem:
If I am NOT logged in to Home Assistant, I am still able to view files located in my /config/www/ folder. I would assume this is a bug, since any file hosted by Home Assistant's web server should be behind the login screen. It's a security issue for those of us storing photos from cameras inside /config/www as some components direct you to do.
Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):
image_processing:
  - platform: tensorflow
    scan_interval: 4
    source:
      - entity_id: camera.front_door
    file_out:
      - "/config/www/images/{{ camera_entity.split('.')[1] }}_latest.jpg"
      - "/config/www/images/{{ now().strftime('%Y_%m_%d') }}/{{ camera_entity.split('.')[1] }}_{{ now().strftime('%H%M%S') }}.jpg"
    model:
      graph: /config/tensorflow/ssd_mobilenet_v2_coco_2018_03_29/frozen_inference_graph.pb
Traceback (if applicable):
N/A
Additional information:
I was under the impression that this was a feature and not a bug. That is how I read the documentation of the http component, but I suppose it's not totally clear.
For example, I use this path for storing audio files that I send to my Google Home devices. I need those files to be accessible without authentication otherwise the Google Home devices cannot access them because they cannot be logged in to Home Assistant.
It sounds like what's needed here is a different place for storing files that should be secured behind Home Assistant authentication.
That makes perfect sense as well, I suppose I didn't realize there was a use case for wanting that space without authentication. With that being said, I wonder if there's a way to make it configurable or have separate folders for authenticated/unauthenticated.
@Kirchoff you may use Local Camera to view your image processing result. You can write them to any local path, not necessarily to the insecure config/www folder.
Therefore, I am going to close this issue with "won't fix"
I was following this issue to see how it would be resolved. I use a floor plan image in lovelace and the z-wave mesh view (from forum) which I don't want accessible without auth either, but as far as I know this is not possible. Thoughts?
Looks like @awarecan is adding a new /secure path for storing files that should be behind auth (#21104)!
@rohankapoorcom Why has this issue been closed? The PR you referenced did not get merged. This is still an issue in Home Assistant and not precisely a small one.
Closed per @balloob's comments on the linked PR: https://github.com/home-assistant/core/pull/21104#issuecomment-464797841
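An added example, not part of the original thread and not Home Assistant's own code: a small audit that lists every file under the config directory's www folder, which is what the thread reports as readable without login. It assumes the folder is served under the /local/ URL prefix; the function names, the media extension list and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import quote

URL_PREFIX = "/local/"  # assumption: <config>/www is served under this prefix
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp4"}  # illustrative list

def audit_www(config_dir):
    """List every file under <config_dir>/www as (url_path, size, is_media)."""
    www = Path(config_dir) / "www"
    findings = []
    for root, _dirs, files in os.walk(www):  # yields nothing if www is absent
        for name in files:
            path = Path(root) / name
            rel = path.relative_to(www).as_posix()
            findings.append((URL_PREFIX + quote(rel),
                             path.lstat().st_size,
                             path.suffix.lower() in MEDIA_EXT))
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree shaped like the file_out paths above."""
    with tempfile.TemporaryDirectory() as cfg:
        sample = {  # constructed sample files, relative to the config directory
            "www/images/front_door_latest.jpg": b"\xff\xd8\xff",
            "www/images/2019_01_02/front_door_120000.jpg": b"\xff\xd8\xff\xe0",
            "www/audio/door chime.mp3": b"ID3",
            "tensorflow/model.pb": b"\x00" * 8,  # outside www: not served
        }
        for rel, data in sample.items():
            target = Path(cfg, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_www(cfg)

if __name__ == "__main__":
    for url, size, is_media in demo():
        print(f"{'MEDIA' if is_media else 'file '} {size:>6} B  {url}")
```

Pointing `audit_www` at a real config directory gives the list of paths to review before deciding which files belong outside www.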