Fix Pi-hole v6 app password authentication#169706
Fix Pi-hole v6 app password authentication#169706headdirt wants to merge 1 commit intohome-assistant:devfrom
Conversation
![home-assistant[bot]](https://avatars.githubusercontent.com/in/97978?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @headdirt,
When attempting to inspect the commits of your pull request for CLA signature status among all authors we encountered commit(s) which were not linked to a GitHub account, thus not allowing us to determine their status(es).
The commits that are missing a linked GitHub account are the following:
cc72f945d402f970b2ec84afc9461d32c79c80fb- This commit has something that looks like an email address (elle@rosyredglasses.local). Maybe try linking that to GitHub?.
Unfortunately, we are unable to accept this pull request until this situation is corrected.
Here are your options:
-
If you had an email address set for the commit that simply wasn't linked to your GitHub account you can link that email now and it will retroactively apply to your commits. The simplest way to do this is to click the link to one of the above commits and look for a blue question mark in a blue circle in the top left. Hovering over that bubble will show you what email address you used. Clicking on that button will take you to your email address settings on GitHub. Just add the email address on that page and you're all set. GitHub has more information about this option in their help center.
-
If you didn't use an email address at all, it was an invalid email, or it's one you can't link to your GitHub, you will need to change the authorship information of the commit and your global Git settings so this doesn't happen again going forward. GitHub provides some great instructions on how to change your authorship information in their help center.
- If you only made a single commit you should be able to run
(substituting "Author Name" and "
git commit --amend --author="Author Name <email@address.com>"email@address.com" for your actual information) to set the authorship information. - If you made more than one commit and the commit with the missing authorship information is not the most recent one you have two options:
- You can re-create all commits missing authorship information. This is going to be the easiest solution for developers that aren't extremely confident in their Git and command line skills.
- You can use this script that GitHub provides to rewrite history. Please note: this should be used only if you are very confident in your abilities and understand its impacts.
- Whichever method you choose, I will come by to re-check the pull request once you push the fixes to this branch.
- If you only made a single commit you should be able to run
We apologize for this inconvenience, especially since it usually bites new contributors to Home Assistant. We hope you understand the need for us to protect ourselves and the great community we all have built legally. The best thing to come out of this is that you only need to fix this once and it benefits the entire Home Assistant and GitHub community.
Thanks, I look forward to checking this PR again soon! ❤️
|
Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍 |
|
Hey there @shenxn, mind taking a look at this pull request as it has been labeled with an integration ( Code owner commandsCode owners of
|
headdirt
force-pushed
the
fix-pihole-v6-app-password
branch
from
cc72f94 to
c280915
Compare
There was a problem hiding this comment.
Pull request overview
Fixes Pi-hole v6 app password authentication failures in the Home Assistant Pi-hole integration by changing how v6 is detected and by isolating v6 authentication from cookie-based sessions.
Changes:
- Switch Pi-hole v6 detection to probe
/api/info/version(handling both 200 and 401 JSON shapes) instead of attempting an auth with an intentionally invalid password. - Create Pi-hole v6 API clients with a
DummyCookieJarto avoid session cookies interfering with SID-header-based v6 authentication. - Add/extend tests covering v6 detection responses and v6 config-flow authentication using an app password.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
homeassistant/components/pi_hole/__init__.py |
Updates v6 detection logic and introduces v6-specific client session creation. |
tests/components/pi_hole/test_init.py |
Adds tests validating v6 detection via /api/info/version for 401/200 responses. |
tests/components/pi_hole/test_config_flow.py |
Adds config flow test for v6 app-password authentication behavior. |
tests/components/pi_hole/__init__.py |
Updates test helpers/mocks to support v6 detection patching and cookie-jar-sensitive auth behavior. |
| if version == 6: | ||
| session = _async_create_v6_session(hass, entry[CONF_VERIFY_SSL]) | ||
| else: | ||
| session = async_get_clientsession(hass, entry[CONF_VERIFY_SSL]) |
| url = f"{protocol}://{entry[CONF_HOST]}/api/info/version" | ||
|
|
||
| async with asyncio.timeout(5): | ||
| async with session.get(url, ssl=entry[CONF_VERIFY_SSL]) as response: |
| "Success connecting to Pi-hole at %s without auth, API version is : %s", | ||
| holeV6.base_url, | ||
| 6, | ||
| "Response 'unauthorized' from API without auth, Pi-hole API version 6 probably detected at %s", |
| """Determine the API version of the Pi-hole instance without requiring authentication. | ||
|
|
||
| Neither API v5 or v6 provides an endpoint to check the version without authentication. | ||
| Version 6 provides other enddpoints that do not require authentication, so we can use those to determine the version | ||
| version 5 returns an empty list in response to unauthenticated requests. | ||
| Version 6 returns a distinct unauthorized error from its API endpoints, so we can use those to determine the version. | ||
| Version 5 returns an empty list in response to unauthenticated requests. |
home-assistant
Bot
added
cla-recheck
cla-signed
and removed
cla-recheck
cla-needed
labels
headdirt
force-pushed
the
fix-pihole-v6-app-password
branch
from
c280915 to
cf98156
Compare
headdirt
force-pushed
the
fix-pihole-v6-app-password
branch
from
cf98156 to
39b2be9
Compare
| @callback | ||
| def _async_get_v6_session( | ||
| hass: HomeAssistant, verify_ssl: bool | ||
| ) -> aiohttp.ClientSession: | ||
| """Get a session with an isolated cookie jar for the Pi-hole v6 API.""" | ||
| sessions: dict[bool, aiohttp.ClientSession] = hass.data.setdefault( | ||
| DATA_V6_CLIENTSESSIONS, {} | ||
| ) | ||
| if verify_ssl not in sessions: | ||
| sessions[verify_ssl] = async_create_clientsession( | ||
| hass, verify_ssl, cookie_jar=DummyCookieJar() | ||
| ) | ||
| return sessions[verify_ssl] |
headdirt
force-pushed
the
fix-pihole-v6-app-password
branch
from
c6edbda to
ce614ea
Compare
Proposed change
Pi-hole v6 app passwords can successfully authenticate against
/api/auth, but Home Assistant could still reject them during config flow because API version detection intentionally authenticated with an invalid password immediately before validating the real credential.This changes Pi-hole v6 detection to use
/api/info/versioninstead of an invalid/api/authattempt. The detection accepts both v6 response shapes:401 unauthorizedJSON when authentication is enabled200version JSON when authentication is disabledThis also creates Pi-hole v6 client sessions with an isolated
DummyCookieJar, so Pi-hole session cookies do not interfere with SID-header-based v6 authentication.Type of change
Additional information
Checklist
ruff format homeassistant tests)If user exposed functionality or configuration variables are added/changed:
If the code communicates with devices, web services, or third-party tools:
Updated and included derived files by running:
python3 -m script.hassfest.requirements_all.txt.Updated by running
python3 -m script.gen_requirements_all.To help with the load of incoming pull requests: