Can't connect via internal url in newest version #3259

Closed
Cyberbeni opened this issue Dec 11, 2024 · 21 comments

@Cyberbeni
Contributor

After the newest update, my iPad decided to not connect to HA. I only had internal url setup, after copy pasting the url to external url, it successfully connects.

All permissions besides Local Network, Push and Background App Refresh are off.

iOS device model, version and app version

Model Name:
Software Version:
App version:

Home Assistant Core Version

Describe the bug

To Reproduce

Expected behavior

Screenshots

Additional context

@bgoncal
Member

bgoncal commented Dec 11, 2024

That's correct, starting on 2024.12 the App will only use the internal URL when an SSID (or hardware address in case of macOS) is defined and location permission is granted, the App will not fallback to the internal URL in case the external URL is not available unless those options are defined.

Background: This is to protect most users who have an internal URL configured with an insecure connection (http) from exposing their tokens in public networks.

Options:

  • As you mentioned, set the external URL instead (not recommended due to the security concerns above)
  • Give the App the permissions needed and define your local network (SSID) so the App knows when it's safe to use the internal URL.

@bgoncal bgoncal closed this as completed Dec 11, 2024
@bgoncal bgoncal self-assigned this Dec 11, 2024
@bgoncal bgoncal pinned this issue Dec 11, 2024
@Cyberbeni
Contributor Author

I don't understand why it was so important to break half the people's setup, seemingly without any notice. There was no notice about the breaking change at the top of the iOS release notes, there was no alert in HA that my current setup will stop working at a specified date/version.

If people can't connect to my internal network then they can't do anything with the token.

> the App will not fallback to the internal URL in case the external URL is not available

The external URL wasn't even set, my setup is only accessible internally.

Why not just create an SSL cert on the server (and automatically create and distribute new ones overlapping with the current cert's validity) and use that to connect via https when the user adds HA with an http address? And if the device doesn't have the most up to date SSL cert that the server uses, then ask for user confirmation that we are on the home network. Could also use the Local Push connectivity managed by iOS to detect which server we are connected to via an internal address (being able to set up the SSID on the server would also be nice instead of having to add it to every device manually)

@Lancelot-Enguerrand

Lancelot-Enguerrand commented Dec 11, 2024

Hello,

This choice, and more specifically its implementation, is causing me some issues.
I speak from the perspective of someone who only uses Home Assistant through internal access.
I have users with no technical background, and their iOS app is the only point of access to their connected devices.

No warning

This update was pushed with a breaking change without any warning, neither in the app nor in the patch notes.
Upon launching the app, we are just faced with a blank page.

  1. A somewhat resourceful user will eventually figure it out by tinkering and copying the internal URL into the external URL but will not be certain it's the correct solution.
  2. A regular user will simply be stuck. (This is what brought me here and, honestly, it frustrates me a little.)

Enabling precise location

I understand that this request for full location access just to see the Wi-Fi name is an implementation constraint imposed by Apple, but:

  1. How is a user supposed to understand this?
  2. Additionally, what are the guarantees of a restricted and appropriate use of this data?
  3. I also have some concerns about the battery usage this implies.

Security

Maybe I am being too skeptical about this, but if I don't expose my Home Assistant, someone intercepting my token on another network would probably not do anything with it.
I wouldn't say this protection is unnecessary, but again, it’s the sudden implementation that feels clumsy.

The fact that this update was delivered with a breaking change without any warning is really problematic in my opinion.
I suppose this could be improved by rewording some aspects and communicating about this change in an appropriate way.
As it stands, I remain uncomfortable about enabling location and doubtful about the best course of action.

@bgoncal
Member

bgoncal commented Dec 11, 2024

@Cyberbeni When the app doesn't find a URL it can use, a message is displayed with instructions, was it not shown for you?

@bgoncal
Member

bgoncal commented Dec 11, 2024

@Lancelot-Enguerrand thanks for the feedback, I agree the communication could be better and I'll take that into consideration in a patch release.

About security, even though your server is not exposed to the internet, the token is private, sensitive information; imagine that today you decide to expose your instance to the web? Someone could already have intercepted your token, that's just one scenario.

@bgoncal
Member

bgoncal commented Dec 11, 2024

@Cyberbeni About the SSL certificate, this is a solution also in consideration but it will require a way bigger cross-platform implementation, don't expect it soon, but it's on our radar.

@bgoncal
Member

bgoncal commented Dec 11, 2024

Just double checking, you did see a warning like this, right?

image

@bgoncal
Member

bgoncal commented Dec 11, 2024

I just paused the 7-day phased release to improve the communication

@Cyberbeni
Contributor Author

> @Cyberbeni When the app doesn't find a URL it can use, a message is displayed with instructions, was it not shown for you?

To be honest, I read the error title and looked at the action offered (open settings), but I don't think I know many people who would do more than that when something that is supposed to be a one time setup breaks, especially if someone else helped them set it up.

@bgoncal
Member

bgoncal commented Dec 11, 2024

@Cyberbeni fair enough, tomorrow I'll have more information to share regarding this.

Meanwhile, it would be very nice to have you in our beta loops, so we can get feedback in advance of releases, is this something you want? https://testflight.apple.com/join/1AlPbnLZ

Also an invite for you @Lancelot-Enguerrand

@Cyberbeni
Contributor Author

Sure, I joined the beta.

@bgoncal bgoncal reopened this Dec 11, 2024
@bgoncal
Member

bgoncal commented Dec 12, 2024

While a better migration/communication is being developed, I will revert to always fallback to internal URL and release it as 2024.12.1
#3265

@bgoncal
Member

bgoncal commented Dec 12, 2024

@Cyberbeni can you help me check build 2024.1041?

@Cyberbeni
Contributor Author

2024.1041 works fine when only the internal url is set.

@bgoncal
Member

bgoncal commented Dec 12, 2024

2024.12.1 released in App Store.

Soon in TestFlight there will be a new screen communicating the change and offering options to the user, keep an eye on it and feel free to tag me.

@bgoncal bgoncal closed this as completed Dec 12, 2024
@tache

tache commented Dec 15, 2024

Along with this change why do we have to do these settings?

image

@bgoncal
Member

bgoncal commented Dec 15, 2024

@tache what's exactly your doubt?

The App can only determine if you can access your local URL (internal URL) if the app knows you are in your local network; for that we need to check your configured SSID, and to have access to that we need the permission explained in your screenshot.

The app CURRENTLY falls back to internal URL when no external URL is available, but this should change soon, we are now working on the proper communication + migration screen, we will also include an option to "ignore everything and always fallback to internal URL"

@tache

tache commented Dec 15, 2024

Thanks for the reply. So this would be the first app that I have ever seen that would require that you specify a local wifi SSID to connect locally, that would then require you to provide iOS permission to allow always-on and precise location. The app should only rely on trying to access the local URL via DNS name resolution. If it does not resolve then it should fail to connect. If it fails to resolve the internal URL, it should fall back to external URL attempt.

@tache

tache commented Dec 15, 2024

I guess I should have posted this under #3255

@bgoncal
Member

bgoncal commented Dec 15, 2024

I saw your other reply first, so I replied on that thread, linking it here #3255 (comment)

And let's keep the conversation here

@bgoncal
Member

bgoncal commented Dec 15, 2024

Reposting here to be easier to continue reading:

@tache what if you are on a public network and someone hosted a fake home assistant to hijack your token?

You can imagine that people usually have internal URL such as:
192.168.0.xxx:8123

So my example above could easily happen. Resolution would succeed. But it is not your HA server.

SSID is not perfect but it is the solution in place app-wide right now, and again, we will provide an option to ignore that and just fallback to internal URL if you need/want.
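
The URL-selection rule debated in this thread, modelled as an added example; it is not part of any comment above and is not the Home Assistant app's code. `ServerConfig`, `choose_url`, `always_fallback_internal`, the SSIDs and the address are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical model of the policy described in the thread; every name here is
# an assumption, not an identifier from the Home Assistant iOS app.
@dataclass
class ServerConfig:
    internal_url: Optional[str] = None
    external_url: Optional[str] = None
    home_ssids: frozenset = frozenset()
    always_fallback_internal: bool = False  # the planned opt-out

@dataclass
class Decision:
    url: Optional[str]
    reason: str
    cleartext: bool = False  # True if the token would be sent over http

def _decide(url: str, reason: str) -> Decision:
    return Decision(url, reason, urlsplit(url).scheme == "http")

def choose_url(cfg: ServerConfig, ssid: Optional[str], location_granted: bool) -> Decision:
    # The SSID is only readable with location permission, so without it the
    # app cannot tell the home network from any other one.
    at_home = location_granted and ssid is not None and ssid in cfg.home_ssids
    if cfg.internal_url and at_home:
        return _decide(cfg.internal_url, "home SSID matched")
    if cfg.external_url:
        return _decide(cfg.external_url, "not on home network, external URL")
    if cfg.internal_url and cfg.always_fallback_internal:
        # A reachable 192.168.0.x:8123 proves nothing about whose server it is.
        return _decide(cfg.internal_url, "user opted into internal fallback")
    return Decision(None, "no usable URL: set home SSID or external URL")

def demo():
    # Constructed sample values.
    cfg = ServerConfig(internal_url="http://192.168.0.10:8123",
                       home_ssids=frozenset({"HomeWiFi"}))
    cases = [("HomeWiFi", True), ("CafeGuest", True), ("HomeWiFi", False)]
    return [(s, g, choose_url(cfg, s, g)) for s, g in cases]

if __name__ == "__main__":
    for ssid, granted, d in demo():
        print(f"{ssid:10} location={granted!s:5} -> {d.url} "
              f"({d.reason}, cleartext={d.cleartext})")
```

The `cleartext` flag marks the decisions where the token would cross the network unencrypted, which is the case the SSID check is meant to confine to the home network.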
