Core: Enable Abode 2FA breaks Home Assistant Integration

Created on 12 Jun 2020  路  6Comments  路  Source: home-assistant/core

The problem

Abode recently added support for two-factor authentication (2FA). This now breaks the Abode integration in Home Assistant as there's no opportunity to enter the 2FA code, the authentication just fails.

Environment

  • Home Assistant Core release with the issue: 0.111
  • Last working Home Assistant Core release (if known): 0.110
  • Operating environment (Home Assistant/Supervised/Docker/venv): Home Assistant
  • Integration causing this issue: Abode
  • Link to integration documentation on our website: https://www.home-assistant.io/integrations/abode/

Problem-relevant configuration.yaml

Not applicable as there is no yaml config. This is related to the integration component.

Traceback/Error logs

Logger: aiohttp.server
Source: components/abode/config_flow.py:44
First occurred: 3:35:43 PM (1 occurrences)
Last logged: 3:35:43 PM

Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 418, in start
    resp = await task
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_app.py", line 458, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_middlewares.py", line 119, in impl
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/real_ip.py", line 39, in real_ip_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 73, in ban_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 127, in auth_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/view.py", line 129, in handle
    result = await result
  File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 145, in post
    return await super().post(request, flow_id)
  File "/usr/src/homeassistant/homeassistant/components/http/data_validator.py", line 60, in wrapper
    result = await method(view, request, *args, **kwargs)
  File "/usr/src/homeassistant/homeassistant/helpers/data_entry_flow.py", line 106, in post
    result = await self._flow_mgr.async_configure(flow_id, data)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 153, in async_configure
    result = await self._async_handle_step(flow, cur_step["step_id"], user_input)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 201, in _async_handle_step
    result: Dict = await getattr(flow, method)(user_input)
  File "/usr/src/homeassistant/homeassistant/components/abode/config_flow.py", line 44, in async_step_user
    Abode, username, password, True, True, True, cache
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/abodepy/__init__.py", line 99, in __init__
    self.login()
  File "/usr/local/lib/python3.7/site-packages/abodepy/__init__.py", line 144, in login
    self._token = response_object['token']
KeyError: 'token'

Additional information

abode
Source
picture tmchow

Most helpful comment

This is still an issue. Keep open.

picture tmchow on 12 Oct 2020
👍3

All 6 comments

abode documentation
abode source
(message by IssueLinks)

probot-home-assistant[bot] picture probot-home-assistant[bot] on 12 Jun 2020

I worked around this by creating a separate user for Home Assistant (with a super long random password that I threw away).

ghost picture ghost on 11 Jul 2020

I worked around this by creating a separate user for Home Assistant (with a super long random password that I threw away).

Not sure if that鈥檚 any better than using my own account without 2FA. The attack vector is still there with your secondary account.

tmchow picture tmchow on 11 Jul 2020

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.
Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 馃憤
This issue now has been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 12 Oct 2020

This is still an issue. Keep open.

tmchow picture tmchow on 12 Oct 2020
👍3

In the enterprise world it's not uncommon to use "app passwords" for legacy things that do not support 2FA or modern authentication methods beyond user/password. As long as you use a complex password and you do not use that password anywhere else except for Home Assistant you will be safe. Set yourself a reminder to change the password every 90 days if you prefer extra caution. Make it 16 characters, random letters numbers and symbols.

The ways a password are stolen include brute force using common passwords, a data leak that included login info and hackers use that info on other sites, man-in-the-middle if using a network that has been compromised, or keylogger. A strong password will prevent against brute force. Unique passwords will prevent a data-leak from compromising other accounts. MITM is becoming less common due to everything running HTTPS but your own network can be trusted just don't log into this account from Starbucks. If there's a keylogger on the machine you used to setup Home Assistant you have bigger issues than Abode.

bryanmec picture bryanmec on 15 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Konstigt picture Konstigt  路  3Comments
kirichkov picture kirichkov  路  3Comments
neonandu picture neonandu  路  3Comments
sibbl picture sibbl  路  3Comments
arangates picture arangates  路  3Comments