Skip to content

fix(v6): raise HoleAuthenticationError for invalid password on HTTP 200#38

Open
qnorsten wants to merge 1 commit into
home-assistant-ecosystem:masterfrom
qnorsten:fix/v6-configurable-timeout-and-version-detection
Open

fix(v6): raise HoleAuthenticationError for invalid password on HTTP 200#38
qnorsten wants to merge 1 commit into
home-assistant-ecosystem:masterfrom
qnorsten:fix/v6-configurable-timeout-and-version-detection

Conversation

@qnorsten

Copy link
Copy Markdown

Pi-hole v6 returns HTTP 200 with {"session":{"valid":false}} when a wrong
password is supplied, rather than HTTP 401. The previous code raised a plain
HoleError("Authentication unsuccessful: Invalid session") for this path,
inconsistent with the HTTP 401 path which raises HoleAuthenticationError
("Authentication failed: Invalid password").

This inconsistency breaks Home Assistant's determine_api_version() helper,
which calls authenticate() with a deliberately wrong password to probe
whether the instance is v6. It catches HoleError and checks the message
string for "Authentication failed: Invalid password" to confirm v6. The
mismatched message caused version detection to always fall through to the v5
path, making the integration fail to set up entirely.

Fix by raising HoleAuthenticationError with the same message as the 401
path (status=200) so all "wrong password" cases are handled uniformly
regardless of which HTTP status Pi-hole returns.

Confirmed on a Pi-hole v6 instance running on a Raspberry Pi 1 Model A.

Pi-hole v6 returns HTTP 200 with {"session":{"valid":false}} when a wrong
password is supplied, rather than HTTP 401. The previous code raised a plain
HoleError("Authentication unsuccessful: Invalid session") for this path,
inconsistent with the HTTP 401 path which raises HoleAuthenticationError
("Authentication failed: Invalid password").

This inconsistency breaks Home Assistant's determine_api_version() helper,
which calls authenticate() with a deliberately wrong password to probe whether
the instance is v6. It catches HoleError and checks the message string for
"Authentication failed: Invalid password" to confirm v6. The mismatched
message caused version detection to always fall through to the v5 path,
making the integration fail to set up on any instance where the HTTP 200
response completes faster than the timeout (including after the timeout was
fixed in recent versions).

Change the HTTP 200 / valid=false path to raise HoleAuthenticationError with
the same message as the 401 path (status=200) so all "wrong password" cases
are handled uniformly regardless of the HTTP status code Pi-hole returns.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant