Core: Lovelace: Login attempt or request with invalid authentication

Experiencing the same problem with some cameras from a ZoneMinder instance with the config below.

Home Assistant 0.92.0 running within Docker on a Raspberry Pi

zoneminder:
  - host: 192.168.***.***
    ssl: true
    username: !secret zoneminder_username
    password: !secret zoneminder_password
camera:
  - platform: zoneminder

Checking the device states shows the following. In this instance, indoor_01 is the camera throwing the error.

Entity | State | Attributes
--- | --- | ---
camera.indoor_01 | unavailable | friendly_name: indoor-01
entity_picture: /api/camera_proxy/camera.indoor_01?token=...
supported_features: 0
camera.indoor_02 | idle | access_token: ...
friendly_name: indoor-02
entity_picture: /api/camera_proxy/camera.indoor_02?token=...
supported_features: 0

Same here with Zoneminder running Home Assistant 0.93.2 in Docker on Ubuntu 18.04 and Zoneminder on another server.

I've run HA through a proxy to see why this occurs. For some reason the picture-* cards will make requests to the camera even when it's just an icon on the card and not acting as a picture/stream:

Example HTTP call made when loading the view that contains one of the above cards:

GET /api/camera_proxy/camera.my_camera?token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 401

For some reason 1) the card requests data from the camera when it shouldn't and 2) this request fails with a 401 auth error somewhat consistently.

I think I found a solution for my issue. I added the use_x_forwarded_for and trusted_proxies variables to the http integration... as I'm using a proxy.

So it looks like this:

http:
  base_url: https://xxxxxxx.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.x.x

Just chiming in here, having the same issue with my iPhone getting IP banned using beta companion app. Running in docker with trusted proxies and use_x_forwarded_for both on.

http:
    base_url: https://ha.xxxxxxx.com
    ip_ban_enabled: true
    login_attempts_threshold: 5
    use_x_forwarded_for: true
    trusted_proxies:
      - 172.17.0.0/16

Just looking at my config, I am using the docker ip address range given that's what I had to use before when using trusted networks. Would it make more sense to use my local subnet for proxies instead?

Same here. Homeassistant runs in docker. I use a mjpeg camera and floorplans.

2019-09-09 06:01:13 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.208.1

192.168.208.1 is the docker host that proxyes requests from IPv6. This error also occurs with IPv4. The traceback then contains the IP address of the requesting device.

The error only occurs when my Android device (Google Chrome) reloads the page.

Same here on 100.3, no proxy, HA in a venv on Ubuntu 18.04 with UniFi cameras as well as generic camera entities passing the rtmp feed from the UniFi NVR (so I can cast them). Have to ssh in, delete the ban file, and restart to get back in. The NVR and HA are running on the same machine.

+1 :/

+1

+1

Same here. Been like this for a while. I had to disable IP Bans.

Same here. Been like this for a while. I had to disable IP Bans.

How do you disable IP Bans please?

Just remove the line from your yaml.

https://www.home-assistant.io/integrations/http

Um... I don't have any line in my yaml.
Yet outside IP's are banned.
I even tried adding ip_ban_enabled: false and still no luck.
Something amiss somewhere.....

I'm having exactly the same problem since the last version, can this be addressed? All my cameras stopped working with HA.
Thanks

ha 101.2 here Hassio on Rpi4, getting constant 192.168.1.1 login bans, while my config uses:

  auth_providers:
   - type: homeassistant
   - type: trusted_networks
     trusted_networks:
       - 127.0.0.1
       - 192.168.1.0/24

__edit/update__

appeared that my long-lived-acces-token got wiped during update, so one of my rest sensors tried to initialize but didn't get authenticated....

how that happend I don't know, but reinstalling an acces-token solved it.

Got my cameras working again by downgrading to 0.99.3
Wondering if it's got anything to do with the demise of JSON?

Mine is fixed, totally forgot that Node-RED was using legacy auth method.
Warning message should include details about where the request is coming from.

This is related with Lovelace @yaba . Also, you didn't provided the steps to fix it which doesn't help much.

@joaoasilva Sorry. I've came to this thread because lovelace/HA was giving _Login attempt or request with invalid authentication from_ every 2 seconds.
Since I've also have a camera entity like the top user, I've tried to disable it and restart HA. Same problem.
Disabled every camera and possible integrations that could be using legacy auth and problem persisted.
Later I've remembered that Node-RED was using _node-red-contrib-home-assistant_ instead of _node-red-contrib-home-assistant-websocket_, removed the old integration and installed the new one which supports tokens. Fixed.

No idea what Node Red is so pretty sure that's not my problem.
Mine is still camera related though and is to do with my triggers calling via web requests.......

URL = http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password>

Method - POST

Content Type = Application/JSON

Body = { "entity_id" : "media_player.lounge_display" , "media_content_id" : "http://xxxxxxxx.noip.me:xxxxx/mjpg/Front/video.mjpg" , "media_content_type" : "image/jpg"}

API password is set and correct yet they still kept getting blocked.
As I said above, wondering is it's anything to do with the demise of JSON on 0.100.x because of the Content Type = Application/JSON ?

Anyone? Any ideas?

Happy with 0.99.3 for now, works for me with no problems whatsoever.

Authenticating via ?api_password is no longer supported. This is mentioned prominently in the release notes:

https://www.home-assistant.io/blog/2019/10/30/release-101/#api-password-and-trusted-networks

You will have to switch to authentication tokens.

I did read that but it still works with version 0.99.3 yet it was supposed to have been depreciated long since?

So if I used tokens, how do I call it? I mean, instead of ?api_password what do I use?

Yes, it has long been marked as deprecated, but support for it was only removed in 0.101.

Using authentication tokens is described in the dev docs:

https://developers.home-assistant.io/docs/en/external_api_rest.html

It boils down to setting the an HTTP header like this: Authorization: Bearer ABCDEFG.

Thank you.
I'll give it a whirl in the morning.

Hmmmm. I'm obviously not doing something right. More help needed please?

So, instead of
http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?api_password=<password>
what should it be? I've tried things like
http://xxxxxxxx.noip.me:8123/api/services/media_player/play_media?Authorization: Bearer <token>
which doesn't work, tried without the ? replacing with a space, still no go. In fact, I must have tried about 20 different ways and now I'm getting into a muddle.
Sorry to be a pain. I'm useless.

@Legsmaniac The HTTP Header is not part of the URL

You need to set it somewhere else.

For CURL see https://curl.haxx.se/docs/manpage.html#-H
For Postman see https://learning.getpostman.com/docs/postman/sending-api-requests/requests/#headers

Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.

Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.

So removing stuff is the solution? You no longer use that camera now? I don't understand this fix. Plese detail it more.

Found out where an invalid auth was coming from thanks for this issue. Removed my "picture entity" card, that referenced a generic rtsp Unifi camera, and no longer get invalid auths on HASS restarts and some page reloads.

So removing stuff is the solution? You no longer use that camera now? I don't understand this fix. Plese detail it more.

I removed the Lovelace card from my view tab. The camera itself is still an entity in HomeAssistant. As soon as I have the card on my Lovelace page, it randomly throws the invalid login error. Not sure what you need from me, but as someone who doesn't code - This was what I did to "resolve" the issue. Thanks!

I did some research. Camera resources are available at:

http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>

I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.

The camera preview uses a different link, but the underlying mechanics are the same:

http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

I did some research. Camera resources are available at:

http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>

I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.

The camera preview uses a different link, but the underlying mechanics are the same:

http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

That would make total sense. It does seem to happen the most in Chrome for me.

@Legsmaniac The HTTP Header is not part of the URL

You need to set it somewhere else.

For CURL see https://curl.haxx.se/docs/manpage.html#-H
For Postman see https://learning.getpostman.com/docs/postman/sending-api-requests/requests/#headers

Thanks for reply but sorry, that went over my head. I've been tinkering and trying to understand it but still no go.
If I created a Curl file, what do I call it? Where do I put it? How do I include it?
So lost.

@Legsmaniac curl is a commandline program, that can be used for making http requests. If you are unconfortable with the commandline use Postman, it is really easy to use. Just remember to set the HTTP Authorization header.

@Legsmaniac curl is a commandline program, that can be used for making http requests. If you are unconfortable with the commandline use Postman, it is really easy to use. Just remember to set the HTTP Authorization header.

Um.... Thank you for your reply but as I said above, even Postman went over my head. It might seem really easy to you but I honestly couldn't fathom it out. I was only able to get HA up and running because there are plenty step-by-step tutes out there, both in text and YouTube but sadly, there's no tute on how to slot in the call for Token API, particularly from BlueIris. If there was I'd be able to follow that. :-(

I did some research. Camera resources are available at:

http://<hostname>:8123/api/camera_proxy_stream/camera.<entity_id>?token=<some long token>

I may be wrong, but I think some browsers tend to cache this url including the token. So after some time they try to access the camera resource with an outdated token, which causes the invalid authentication error.

The camera preview uses a different link, but the underlying mechanics are the same:

http://<hostname>:8123/api/camera_proxy/camera.<entity_id>?authSig=<some very long string>

I think the same. Same scenario with Chrome. I have checked the browser cache, and it keep the old token, so probably there something wrong when the lovelace card show camera entity. No idea if its possible force the cache update in Chrome with no manual intervention.

I think I've got this issue. See here if interested.

I've got the same problem. I'm using motionEye and I'm pointing my picture entities to streams running off the motionEye Home Assistant add-on. As soon as I click on "Overview," I get the "WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication"

yeah I've had to give up on the picture entity for now!

I managed to solve my problem by installing MQTT. For this I chose to use Mosquitto. Obviously there's some setting up to do with Mosquitto and MQTT but there's plenty into available online for this. It's how I discovered it after all. This, and the following code, is not my own. Alas, I'm not that clever. I can't remember where I found it all now but basically, here's what I did.....

I added to configuration.yaml.....

mqtt:
  broker: 192.168.1.xxx
  port: xxxx
  client_id: <my client ID name>
  username: !secret <my MQTT Username>
  password:  !secret <my MQTT Password>

Also in configuration.yaml, I added a binary sensor for (for example) my door camera.....

binary_sensor:
  - platform: mqtt
    name: "Door Motion"
    state_topic: "blue_iris/binary_sensor/door_motion/state"
    payload_on: "ON"
    payload_off: "OFF"
    device_class: "motion"

In automation.yaml, I added.......

bi_door:
  sequence:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The above was my own choice preference to cast to both of my displays for 30 seconds only. Obviously, you can alter the code to your own preference.

Then in BlueIris, on the camera Settings, Alerts tab - Configure Web or MQTT Alert - I selected MQTT in the dropdown then typed

MQTT Topic: blue_iris/binary_sensor/door_motion/state
Post/Payload: ON

Now, whenever motion is detected on the door camera via BlueIris, up pops the live stream on both of my Google displays for 30 seconds then revert back to normal until next motion detection. And it's pretty quick too.

I've also followed the instructions to add Google Assistant to Home Assistant whereupon you can ask whichever display you want for whatever Blue Iris camera stream you want but I haven't quite managed to get that fully working as yet as I have a problem with my "Stream" component, something about my needing to add AV 6.1.2 to Python which I haven't managed to do as yet. I'm running my server (and Python) on Windows 10 and all suggestions on various forums say to ditch Windows and use Linux. Not very helpful when I want to continue using Windows. There seems to be very little help out there for Windows users and plenty for Hassio users on Linux.

However, I am able to use IFTTT now that I have MQTT installed and use that to call for cameras. For now.

As for the Picture Entity, that's easy.

Add to configuration.yaml.......

#camera:
  - platform: mjpeg
    mjpeg_url: http://<BlueIris server address and Port>/mjpg/Front/video.mjpg
    name: Front

Add as many cameras as you like just by repeating the - platforms. Restart HA.

Then in Lovelace in your Picture Entity Card just select camera.front as your entity and you have a live stream right there in Lovelace.

@Legsmaniac I did exactly as you did. And I got stream working. But the stream was useless and slow. So I removed it..
Then i opted for a different approach.
Make a home assistant script that runs the same services as your motion detection automation to push images to displays.
Then expose that to Google assistant.
So you can say, ok Google activate "alias name of your script"

You might be able to just make a script that triggers your motion automation. And call it that way via Google to

@Legsmaniac I did exactly as you did. And I got stream working. But the stream was useless and slow. So I removed it..

Hmmmm, thanks for that confirmation. I read someone else said the same thing, that the stream was so behind because it has to be re-encoded via ffmpeg so I don't think I'll bother faffing around trying to get it working then.

And thanks for the script idea. Why didn't you think of that?! LOL I already have a script set up actually but never thought of linking it to Google. I'll certainly have to have a go with that. Cheers.

I managed to solve my problem by installing MQTT. For this I chose to use Mosquitto. Obviously there's some setting up to do with Mosquitto and MQTT but there's plenty into available online for this. It's how I discovered it after all. This, and the following code, is not my own. Alas, I'm not that clever. I can't remember where I found it all now but basically, here's what I did.....

I added to configuration.yaml.....

mqtt:
  broker: 192.168.1.xxx
  port: xxxx
  client_id: <my client ID name>
  username: !secret <my MQTT Username>
  password:  !secret <my MQTT Password>

Also in configuration.yaml, I added a binary sensor for (for example) my door camera.....

binary_sensor:
  - platform: mqtt
    name: "Door Motion"
    state_topic: "blue_iris/binary_sensor/door_motion/state"
    payload_on: "ON"
    payload_off: "OFF"
    device_class: "motion"

In automation.yaml, I added.......

bi_door:
  sequence:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.xxx:xxxxx/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The above was my own choice preference to cast to both of my displays for 30 seconds only. Obviously, you can alter the code to your own preference.

Then in BlueIris, on the camera Settings, Alerts tab - Configure Web or MQTT Alert - I selected MQTT in the dropdown then typed

MQTT Topic: blue_iris/binary_sensor/door_motion/state
Post/Payload: ON

Now, whenever motion is detected on the door camera via BlueIris, up pops the live stream on both of my Google displays for 30 seconds then revert back to normal until next motion detection. And it's pretty quick too.

I've also followed the instructions to add Google Assistant to Home Assistant whereupon you can ask whichever display you want for whatever Blue Iris camera stream you want but I haven't quite managed to get that fully working as yet as I have a problem with my "Stream" component, something about my needing to add AV 6.1.2 to Python which I haven't managed to do as yet. I'm running my server (and Python) on Windows 10 and all suggestions on various forums say to ditch Windows and use Linux. Not very helpful when I want to continue using Windows. There seems to be very little help out there for Windows users and plenty for Hassio users on Linux.

However, I am able to use IFTTT now that I have MQTT installed and use that to call for cameras. For now.

in your automation the "bi_door" what is this calling? I'm trying to do that same setup but can't see what this is linking to?

Good question!!! LOL
I had to scratch my head over then one for a minute until I checked my automation.yaml file again. The correct script is......

- id: blueiris_cast_door
  alias: Blue Iris Cast Door
  trigger:
  - entity_id: binary_sensor.door_motion
    from: 'off'
    platform: state
    to: 'on'
  action:
  - data:
      entity_id: media_player.mini_display
      media_content_id: http://192.168.1.150:21010/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - alias: ''
    data:
      entity_id: media_player.lounge_display
      media_content_id: http://192.168.1.150:21010/mjpg/door/video.mjpg
      media_content_type: image/jpg
    service: media_player.play_media
  - delay: 00:00:30
  - data:
      entity_id: media_player.mini_display
    service: media_player.turn_off
  - data:
      entity_id: media_player.lounge_display
    service: media_player.turn_off

The original script listed above was placed in Scripts.yaml actually, and was called for as bi_door for something else I was doing. Sorry about that.
Hope this clears up any confusion.

@Legsmaniac Thanks that helped.

If you have set a camera, check that the correct config has been set as described in https://www.home-assistant.io/integrations/generic_ip_camera/#image-from-http-only-camera

Remember to add the correct

verify_ssl: false

Remember to add the correct

verify_ssl: false

I had forgotten about that.
Yet my cameras are indeed HTTP and Home Assistant is HTTPS.
But still, I can see all my cameras no problem.

Thanks for that but I have tried that many times and sadly, it has never worked. I've searched for help no end of times on various forums on this subject and I discovered that I'm not alone in this matter. It seems that Trusted Networks doesn't work for a good many users. I also read that it's being (if not already has?) discontinued? Perhaps that's why?

Anyhow, I don't really need it anymore as my cameras are all working exactly how I want/need them to. So far. I do get a warning that the IP address of my router has accessed the network, only when I use Configurator, nothing else. Even so, Trusted Networks still doesn't stop that. Configurator works anyway so I just ignore it for now.

Any solution to this? it's obviously not working as expected.

This issue is the same as https://github.com/home-assistant/frontend/issues/3379

I had this issue also and I found a workaround to it.

My Issue and Tests:

My camera's feeds freezed every 5 minutes exactly when the cameras' token are refreshed, and most of the time, in that exact moment the error _Login attempt or request with invalid authentication_ shows up in notification.

If I see the camera's feed from HADashboard or see the cameras from Motioneye, this doesn't happen ever. I have tested on several browsers and this exact same problem occurs (chrome on PC, chrome on android, fully kiosk on android, and others). On Chrome, if pressing F12, there is no error.

The config I use in my lovelace is:

   - type: picture-glance
     title: Patio
     camera_image: camera.patio
     entity: camera.patio
     camera_view: live
     aspect_ratio: 0%

If using F12 on Chrome, I see that the cameras' feed are not receiving the updated token. As the example of the following image, at start, the 3 cameras receive their token and they work fine, but after 5 minutes (in this case), only one camera receive it and that was the only one that continue working. The other 2 got freezed. After some more 5 minutes, some of these cameras receive the new token and they re-start the feed.

And when moving from one tab to another, I have the following with the Login attempt or request with invalid authentication issue:

When using HADashboard of APPDAEMON on Chrome and pressing F12, we can see the exact same transaction for camera's tokens and it happens every 5 minutes as expected with all cameras. The HA Dashboard uses _Knockout.js_ for that and lovelace uses _parts.ts_

Why _parts.ts_ misses some calling for token renewals? When it misses one, it might call for the renew after another 5 minutes. So the feed is not reliable on lovelace. Sometimes it works but after some time, some of the feeds freezes and we have to reload the page or wait for another 5 minutes for the new token renewal.

My Workaround:

As in my case, HADashboard works fine (the camera feed never freezes and there is no login error) but this error occurs on a camera feed in a picture-glance of lovelace, so I tried to use instead the camera feed but in a custom:button-card, and surprisingly it works fine. So, I have now a workaround to this issue.

          - type: 'custom:button-card'
            entity: camera.portero
            label: Portero
            show_name: false
            show_label: true
            show_icon: false        
            show_entity_picture: true
            show_live_stream: true
            size: 100%
            styles:          
              entity_picture:
                - position: absolute
                - top: 0%
                - margin: none
              card:             
                - margin: 0px 0px 0px 0px
                - padding: 0px 0px

With the custom:button-card the token is refreshed every 5 minutes as expected and the camera feed never freezes. Also, the Login attempt or request with invalid authentication issue is gone.

_So, it seems that there is an issue for tokens but just in the default picture-glance card of lovelace._

I would like to help on finding the bug on picture-glance. What else can I test?

I see this issue elsewhere as well. Below is a lovelace component that uses the camera integration to display a *.gif. I have automation that changes the file path to a location hass has access to. A few times a day i'll get the errors below. Note the IP address in question is my router. I've tried whitelisting and changing permissions a million times with no luck. It has gotten better since i chown homeassistant:homeassistant across all files/directories but I still get this 5-10 times a day depending how often we login to hass. We do have google authenticator enabled. This smells something to do with the token because as soon as I refresh a second later, it goes away and the image below in question displays properly. Hope this helps!

Lovelace Card

cards:
  - aspect_ratio: 35%
    camera_image: camera.mail_usps
    camera_view: live
    entity: sensor.mail_usps_mail
    name: Today's Mail
    type: picture-entity
  - entities:
      - entity: sensor.mail_usps_delivered
        icon: 'mdi:package-variant'
        name: USPS Packages Delivered
      - entity: sensor.mail_fedex_delivered
        icon: 'mdi:package-variant'
        name: FedEx Packages Delivered
      - entity: sensor.mail_usp_delivered
        icon: 'mdi:package-variant'
        name: UPS Packages Delivered
      - entity: sensor.mail_usps_delivering
        icon: 'mdi:package-variant-closed'
        name: USPS Packages in Transit
      - entity: sensor.mail_fedex_delivering
        icon: 'mdi:package-variant-closed'
        name: FedEx Packages in Transit
      - entity: sensor.mail_ups_delivering
        icon: 'mdi:package-variant-closed'
        name: UPS Packages in Transit
      - entity: sensor.mail_updated
        name: Mail Updated
    state_filter:
      - operator: '>'
        value: '0'
    type: entity-filter
title: Mail Today
type: 'custom:vertical-stack-in-card'

yaml

# Camera Platforms
camera:
  #Mail and Packages custom component
  - platform: local_file
    file_path: /home/homeassistant/.homeassistant/custom_components/mail_and_packages/mail_none.gif
    name: mail_usps

Error 1 of 2

Log Details (WARNING)
Logger: homeassistant.components.local_file.camera
Source: components/local_file/camera.py:92
Integration: local_file (documentation, issues)
First occurred: 2:25:29 PM (59 occurrences)
Last logged: 9:23:26 PM

Could not read camera mail_usps image from file: /home/homeassistant/.homeassistant/images/mail_and_packages/fc726191-7e18-434e-b16b-2996bd0d22e2.gif

Error 2 of 2

Log Details (WARNING)
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:74
Integration: http (documentation, issues)
First occurred: 5:02:32 PM (4 occurrences)
Last logged: 7:48:44 PM

Login attempt or request with invalid authentication from 192.168.50.1

I am experiencing the same issue. I even tried the solution above by @ascillato but still repeatedly get invalid authentication notices when displaying a local file as a camera entity. The issue appears more often if I am coming through my reverse proxy but seems to appear either way.

I have the same issue with ESP32 CAM module. Running 0.111.1, HassOS 4.10, supervisor 227.
Whenever camera is on and I am viewing the picture the Login problem appears once a while (few time per hour).
ESP32 CAM yaml configuration:
esp32_camera: external_clock: pin: GPIO0 frequency: 20MHz i2c_pins: sda: GPIO26 scl: GPIO27 data_pins: [GPIO5, GPIO18, GPIO19, GPIO21, GPIO36, GPIO39, GPIO34, GPIO35] vsync_pin: GPIO25 href_pin: GPIO23 pixel_clock_pin: GPIO22 power_down_pin: GPIO32 name: test_camera resolution: 800x600

I had the problem
Login attempt or request with invalid authentication
But the reason of this was that camera had no authentication.
And the camera.yaml config had
authentication: basic
Now both (camera and config) have basic authentication and the error almost gone. (Become very rare)

I had this as a "one off" I guess, while editing an automation, the save button wasn't working, and I was getting this same error message every time I clicked "Save". This caused me to lose my work. After a full HA restart, things worked fine again :/ 0.109.6

Getting the login error message when opening HA in app or browser on a view with camera's in picture-glance card. Only happens when tab/app is out of sight (not closed I believe) for a set amount of time (5mins?). Happens for Android, iOS and Windows (all browsers).

Please let me know if I have to test something...

edit:
Nevermind

I am getting this error once a while but at this point my ESP32-CAM module is not used so it must be related to other reason.
Most often I get it when I use mobile app from phone connected to different networks.