Core: Camera access tokens not usable after 0.101.0

Created on 31 Oct 2019 · 12 Comments · Source: home-assistant/core

Home Assistant release with the issue:
0.101.0

Last working Home Assistant release (if known):
0.100.3

Operating environment (Hass.io/Docker/Windows/etc.):
Hassio

Integration:
https://www.home-assistant.io/integrations/camera/

Description of problem:
I have several devices on my LAN that were using the entity_picture: URL to stream cameras and this has been working really well for over a year. I've always had trusted networks configured (moved to auth some revs ago) but after updating to 0.101.0, three of my devices got instant IP bans so it appears the token URL that was in use is no longer valid.

I've tried taking a current token and streaming this in FF and this works, but only up until the time when the current token is refreshed (HA restart). After that, the token that was being used returns 401: Unauthorized. The tokens used to keep working even after they had been updated. I'm assuming there is some additional auth that is required but it is not clear in the docs what I'd need to do. We can't use a long-lived access token as the token is specific to the camera URL, not a single device logon.

If the token URL only works one time until refreshed, they are unusable.

Rolling back to 0.100.3 allows me to use an expired token after HA has refreshed them.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - 10.0.1.0/24
        - 10.8.0.0/24

Traceback (if applicable):


Additional information:

auth

All 12 comments

Built a brand new NUC system based on 0.101.2 to test and the same thing is happening with default_config:

Grabbed a camera URL thus http://10.0.1.83:8123/api/camera_proxy/camera.entry_rtsp_direct?token=f18a8629f0ad71af4932e99b4a9e7ad31c3f127819452265fc206cb66c9d05ab and opened in FF. Works.

Wait for token to refresh once, test again, works.

Wait for token to refresh a 2nd time, fails with 401: Unauthorized

Restart HA and then try the URL again, fails with 401: Unauthorized

Under 0.100.3, the historic URL/token always works and survives HA restarts. Is no one else seeing this?

Hey there @home-assistant/core, mind taking a look at this issue as it's been labeled with an integration (auth) you are listed as a codeowner for? Thanks!

Could this be related to the fact that trusted networks support has been removed in 0.101?

It also affects the camera widget in AppDaemon. For a couple of seconds it works, and after a while the image disappears and Home Assistant logs Login attempt failed.

> It also affects the camera widget in AppDaemon. For a couple of seconds it works, and after a while the image disappears and Home Assistant logs Login attempt failed.

This is the exact reason I won't upgrade. Destroys my wall panel camera functionality.

Yes, camera access is broken for HA<->AppDaemon since 101.2. I have my cameras using URLs from Blue Iris for now until this gets sorted out.

Camera access tokens work as intended. They only work while they are active, or were the previous active token (in case you don't get the state update with the new token fast enough). They are not intended to work when they are not active. That wouldn't be very secure.

The reason it still worked under 100.3 was because trusted networks was still allowed to authorize access on random URLs. With 101 it can only be used during the login process. I am pretty sure that you have been receiving deprecation warnings for each camera url, for a couple of months!

So you have two options. The recommended option is to use NGINX and attach a long-lived access token to each request. Example NGINX config can be found in this thread. You will need to set it up once and you can protect your Home Assistant API exactly as you want.

The second option is to create a signed path of each url that you want to access, and give it a long expires. That way you will get urls that you can put as image sources. The docs on how to do that are here: https://developers.home-assistant.io/docs/en/auth_api.html#signed-paths
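
A small model of the acceptance window described in the comment above (the active token plus the previous one), replaying the reporter's test sequence with one saved URL token. This is an added example, not Home Assistant's code: the class and function names are hypothetical, and the 64-hex-character token format is an assumption based on the URL quoted earlier in the thread.

```python
import hmac
import secrets
from collections import deque


class CameraTokenWindow:
    """Rotating URL token where only the active and the previous
    token are accepted (hypothetical model, not Home Assistant code)."""

    def __init__(self, keep=2):
        # Newest token is last; a full deque silently drops the oldest.
        self._tokens = deque(maxlen=keep)
        self.rotate()

    @property
    def active(self):
        return self._tokens[-1]

    def rotate(self):
        """Issue a fresh random token, as a periodic refresh would."""
        self._tokens.append(secrets.token_hex(32))
        return self.active

    def status_for(self, presented):
        """Return the HTTP status a request carrying this token would get."""
        ok = False
        for known in self._tokens:
            # Compare against every slot in constant time.
            ok |= hmac.compare_digest(known.encode(), presented.encode())
        return 200 if ok else 401


def replay_bookmarked_url():
    """Replay the report's test sequence with one saved token."""
    window = CameraTokenWindow()
    saved = window.active                  # token copied into a display's URL
    seen = [window.status_for(saved)]      # used while it is the active token
    window.rotate()
    seen.append(window.status_for(saved))  # now the previous token
    window.rotate()
    seen.append(window.status_for(saved))  # rotated out of the window
    restarted = CameraTokenWindow()        # restart: tokens are regenerated
    seen.append(restarted.status_for(saved))
    return seen


if __name__ == "__main__":
    print(replay_bookmarked_url())
```
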

Well if anyone can tell me how to create a workaround using any one of the two solutions @balloob has suggested above that would be appreciated as it's over my head. The 3rd party systems I'm using also don't like the Unicast URLs created by Synology so can't use those either.

@xbmcnut I can't help with those workarounds, but as an FYI this will be fixed in AppDaemon 4, which will be released after HA 1.01.

> Well if anyone can tell me how to create a workaround using any one of the two solutions @balloob has suggested above that would be appreciated as it's over my head. The 3rd party systems I'm using also don't like the Unicast URLs created by Synology so can't use those either.

I'm in the same boat, but if AppDaemon 4 supports tokens, there probably won't be a need.

Sadly I'm not using AD so my three remote displays and Kodi instance are now unusable. Without camera images the WAF has gone to zero so I can't upgrade past 0.100.3. These HA streams were incredibly useful as often getting direct camera streams with mixed hardware was very cumbersome. I don't see the point of having them in HA at all now if they expire after a 2nd token refresh.

> Camera access tokens work as intended. They only work while they are active, or were the previous active token (in case you don't get the state update with the new token fast enough). They are not intended to work when they are not active. That wouldn't be very secure.

If they are working as intended @balloob - we may need something else to replace the functionality?

Having to put a proxy in front of home assistant with special rules to insert a token, that has to originally be sourced from home assistant just screams over-complicated hack.

Is it HA's position that the old behaviour of being able to use _something_ (a token) to access a camera without authentication should not exist?

It's a disappointing loss of functionality - we used cameras authenticated with URL token with digital signage systems extensively.
