Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Cloudflare Access expired cookie flow #4160

Closed
wants to merge 2 commits into from
Closed

Support Cloudflare Access expired cookie flow #4160

wants to merge 2 commits into from

Conversation

mcuelenaere
Copy link

@mcuelenaere mcuelenaere commented Jan 25, 2024
edited
Loading

Summary

If the user is hosting their HA instance behind Cloudflare Access, then at some point in the future their session will expire and they will need to reauthenticate with Cloudflare.

Currently, this results in a web browser being opened (because of how the URL intercepting is implemented). After the user has re-authenticated in the browser, it has these new cookies and not the HA companion app.

This PR changes this flow so that the Cloudflare authentication happens in the webview (and thus the cookies are accessible by the companion app and can be used at any further point in the flow).

Screenshots

n/a

Link to pull request in Documentation repository

n/a

Any other notes

This should mostly resolve issues like #2650 and others. The solution is still not foolproof, as the browser is still being opened after the auth process, due to how the current shouldLaunchWebBrowser logic is implemented (eg app wanted to navigate to https://yourhainstance.com, got redirected to https://yourhainstance.com/cdn-cgi/access/xxx and after login it goes back to https://yourhainstance.com, which no longer matches https://yourhainstance.com/cdn-cgi/access/xxx).

A better solution would be to check if the domain of the to-be-navigated-to-page matches a domain of internalUrl or externalUrl of any of the registered servers (in serverManager.defaultServers). I did not implement this change as I wanted to make this PR as small as possible, to increase the chances of it getting accepted.

home-assistant[bot]
home-assistant bot previously requested changes Jan 25, 2024
View reviewed changes
Copy link

@home-assistant home-assistant bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mcuelenaere

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant home-assistant bot marked this pull request as draft January 25, 2024 23:03
@home-assistant
Copy link

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@mcuelenaere mcuelenaere marked this pull request as ready for review January 25, 2024 23:04
@mcuelenaere mcuelenaere changed the title Support Cloudflare Access cookie expiration flow Support Cloudflare Access expired cookie flow Jan 25, 2024
@mcuelenaere
Handle Cloudflare Access URLs in the webview, not the browser.
d5671d5 
We need to handle this in the webview, as certain cookies will be set after a
successful authentication. Cloudflare will only allow access to the underlying
server if these cookies are present. If the user would authenticate in the browser,
the cookies would be stored there and we would not be able to read them.
@mcuelenaere mcuelenaere force-pushed the feature/cloudflare-access-reauthentication-support branch from 408ecb8 to d5671d5 Compare January 25, 2024 23:08
@mathix420
Copy link

There is maybe an issue with this PR, the whole time between cookie expiration time and user refreshing it via the web ui none of the HA sensors will be updated, and the HA client could not receive any notifications.
I found this solution (#3510) more practical, but yours is still a good step toward allowing the use of cf tunnels on HA android!

@mcuelenaere
Copy link
Author

There is maybe an issue with this PR, the whole time between cookie expiration time and user refreshing it via the web ui none of the HA sensors will be updated, and the HA client could not receive any notifications. I found this solution (#3510) more practical, but yours is still a good step toward allowing the use of cf tunnels on HA android!

That is indeed a limitation (which is fine for my particular usecase). This approach should be minimal and I believe upstream might be more likely to accept this than #3510, which has user-facing changes.

@Meister1977
Copy link

As the owner of the PR #3510 , my solution can use service cookies, which is an accepted solution for services running without user interaction instead of login session cookies.
I don't really know why they do not accept my PR. But I gave it up, I made a fork, and if I have time, I rebase, and release.

1 similar comment
@Meister1977
Copy link

As the owner of the PR #3510 , my solution can use service cookies, which is an accepted solution for services running without user interaction instead of login session cookies.
I don't really know why they do not accept my PR. But I gave it up, I made a fork, and if I have time, I rebase, and release.

@balloob
Copy link
Member

balloob commented Feb 5, 2024

Supporting these kind of remote connections require hacks, workaround and complicates the maintenance of our codebase. Therefore we will not be able to accept this pull request. Users can continue to use a browser to access their Home Assistant instance if they are using CloudFlare or other similar solutions.

@balloob balloob closed this Feb 5, 2024
@Caligo82
Copy link

Caligo82 commented Feb 7, 2024

Not trying to hate here, but it seems this "feature" is purposely reserved for the premium plan of homeassistant. I mean not exactly the same feature, but the logic of having an encrypted tunnel to a cloud shield, which serves as login platform for homeassistant for people using the app. It sounds granular, but it seems everyone and his mum is literally using this. I see where nabucasa is protecting its business model of sorts, but since the setup requires some technical expertise I would not assume it having a relevant impact there... who knows.

@ericmedina024
Copy link

Not trying to hate here, but it seems this "feature" is purposely reserved for the premium plan of homeassistant. I mean not exactly the same feature, but the logic of having an encrypted tunnel to a cloud shield, which serves as login platform for homeassistant for people using the app. It sounds granular, but it seems everyone and his mum is literally using this. I see where nabucasa is protecting its business model of sorts, but since the setup requires some technical expertise I would not assume it having a relevant impact there... who knows.

Balloob is right - I tried to implement a PR for this myself (#3593) and it just ended up not making sense for a variety of technical reasons, including some which were limitations imposed by the Android API. It's still possible to use zero trust with the app (see #3593 (comment)), and honestly the solution described there is even better than what my and this PR added.

@home-assistant home-assistant locked as resolved and limited conversation to collaborators Feb 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@home-assistant home-assistant[bot] home-assistant[bot] left review comments

Assignees
No one assigned
Labels
cla-signed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mcuelenaere @mathix420 @Meister1977 @balloob @Caligo82 @ericmedina024