Skip to content

Use Unix socket for Supervisor communication #163907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
edenhaus merged 25 commits into from
Mar 25, 2026
Merged

Use Unix socket for Supervisor communication #163907

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
275374e
Add Unix socket listener for Supervisor to Core communication
agners Feb 23, 2026
68d94ba
Use SUPERVISOR_CORE_API_SOCKET env var for unix socket path
agners Feb 23, 2026
c588908
Authenticate Unix socket requests as the Supervisor user
agners Feb 23, 2026
72db92b
Restrict Unix socket permissions before accepting connections
agners Feb 24, 2026
b6be7a1
Patch loop instance instead of private asyncio class in tests
agners Feb 24, 2026
c3be74c
Merge branch 'dev' into use-unix-socket-for-supervisor
agners Mar 9, 2026
95d76e8
Merge branch 'dev' into use-unix-socket-for-supervisor
agners Mar 11, 2026
f499a0b
Extend docs and add comments to Unix socket authentication logic
agners Mar 11, 2026
ea556d6
Improve removing Unix socket on shutdown
agners Mar 11, 2026
cccb252
Add comment about why we delay start serving
agners Mar 11, 2026
da29f06
Move potentially blocking I/O into executor
agners Mar 11, 2026
fdde931
Handle missing refresh token id gracefully
agners Mar 11, 2026
88b9e6c
Move Unix socket websocket auth bypass into AuthPhase
agners Mar 11, 2026
d93b45f
Create Unix socket only after hassio is loaded
agners Mar 11, 2026
58d8824
Fail hard if Supervisor user does not exist
agners Mar 11, 2026
f0c56d7
Use get_running_loop() in tests
agners Mar 11, 2026
03817cc
Check for Supervisor user existence before starting Unix socket
agners Mar 11, 2026
63bc456
Merge branch 'dev' into use-unix-socket-for-supervisor
agners Mar 17, 2026
0888dcc
Fix test_unix_socket_started_with_supervisor pytest
agners Mar 17, 2026
4ce712b
Rename unix_socket to supervisor_unix_socket for clarity
agners Mar 24, 2026
b975a89
Merge branch 'dev' into use-unix-socket-for-supervisor
agners Mar 24, 2026
2d67754
Add Supervisor to message strings
agners Mar 24, 2026
8f886ae
Move chmod inside of try/except block
agners Mar 24, 2026
4bd744f
Check for refresh token in async_sign_path
agners Mar 24, 2026
d4e71ab
Fix auth/delete_all_refresh_tokens endpoint for Supervisor
agners Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 34 additions & 1 deletion homeassistant/components/http/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
from ipaddress import IPv4Network, IPv6Network, ip_network
import logging
import os
from pathlib import Path
import socket
import ssl
from tempfile import NamedTemporaryFile
Expand Down Expand Up @@ -69,7 +70,7 @@
from .request_context import setup_request_context
from .security_filter import setup_security_filter
from .static import CACHE_HEADERS, CachingStaticResource
from .web_runner import HomeAssistantTCPSite
from .web_runner import HomeAssistantTCPSite, HomeAssistantUnixSite

CONF_SERVER_HOST: Final = "server_host"
CONF_SERVER_PORT: Final = "server_port"
Expand Down Expand Up @@ -235,6 +236,16 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:

source_ip_task = create_eager_task(async_get_source_ip(hass))

unix_socket_path: Path | None = None
if socket_env := os.environ.get("SUPERVISOR_CORE_API_SOCKET"):
socket_path = Path(socket_env)
if socket_path.is_absolute():
unix_socket_path = socket_path
else:
_LOGGER.error(
"Invalid unix socket path %s: path must be absolute", socket_env
)

server = HomeAssistantHTTP(
hass,
server_host=server_host,
Expand All @@ -244,6 +255,7 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
ssl_key=ssl_key,
trusted_proxies=trusted_proxies,
ssl_profile=ssl_profile,
unix_socket_path=unix_socket_path,
)
await server.async_initialize(
cors_origins=cors_origins,
Expand Down Expand Up @@ -366,6 +378,7 @@ def __init__(
server_port: int,
trusted_proxies: list[IPv4Network | IPv6Network],
ssl_profile: str,
unix_socket_path: Path | None = None,
) -> None:
"""Initialize the HTTP Home Assistant server."""
self.app = HomeAssistantApplication(
Expand All @@ -384,8 +397,10 @@ def __init__(
self.server_port = server_port
self.trusted_proxies = trusted_proxies
self.ssl_profile = ssl_profile
self.unix_socket_path = unix_socket_path
self.runner: web.AppRunner | None = None
self.site: HomeAssistantTCPSite | None = None
self.unix_site: HomeAssistantUnixSite | None = None
self.context: ssl.SSLContext | None = None

async def async_initialize(
Expand Down Expand Up @@ -623,6 +638,20 @@ async def start(self) -> None:
)
await self.runner.setup()

if self.unix_socket_path is not None:
self.unix_site = HomeAssistantUnixSite(self.runner, self.unix_socket_path)
try:
await self.unix_site.start()
except OSError as error:
_LOGGER.error(
"Failed to create HTTP server on unix socket %s: %s",
self.unix_socket_path,
error,
)
self.unix_site = None
else:
_LOGGER.info("Now listening on unix socket %s", self.unix_socket_path)

self.site = HomeAssistantTCPSite(
self.runner, self.server_host, self.server_port, ssl_context=self.context
)
Expand All @@ -637,6 +666,10 @@ async def start(self) -> None:

async def stop(self) -> None:
"""Stop the aiohttp server."""
if self.unix_site is not None:
await self.unix_site.stop()
if self.unix_socket_path is not None:
self.unix_socket_path.unlink(missing_ok=True)
if self.site is not None:
await self.site.stop()
if self.runner is not None:
Expand Down
39 changes: 35 additions & 4 deletions homeassistant/components/http/auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,20 @@
from homeassistant.auth.const import GROUP_ID_READ_ONLY
from homeassistant.auth.models import User
from homeassistant.components import websocket_api
from homeassistant.const import HASSIO_USER_NAME
from homeassistant.core import HomeAssistant, callback
from homeassistant.helpers.http import current_request
from homeassistant.helpers.json import json_bytes
from homeassistant.helpers.network import is_cloud_connection
from homeassistant.helpers.storage import Store
from homeassistant.util.network import is_local

from .const import KEY_AUTHENTICATED, KEY_HASS_REFRESH_TOKEN_ID, KEY_HASS_USER
from .const import (
KEY_AUTHENTICATED,
KEY_HASS_REFRESH_TOKEN_ID,
KEY_HASS_USER,
is_unix_socket_request,
)

_LOGGER = logging.getLogger(__name__)

Expand Down Expand Up @@ -117,7 +123,7 @@ def async_user_not_allowed_do_auth(
return "User cannot authenticate remotely"


async def async_setup_auth(
async def async_setup_auth( # noqa: C901
hass: HomeAssistant,
app: Application,
) -> None:
Expand Down Expand Up @@ -207,14 +213,39 @@ def async_validate_signed_request(request: Request) -> bool:
request[KEY_HASS_REFRESH_TOKEN_ID] = refresh_token.id
return True

supervisor_user_id: str | None = None

async def async_authenticate_unix_socket(request: Request) -> bool:
"""Authenticate a request from a Unix socket as the Supervisor user."""
nonlocal supervisor_user_id

# Fast path: use cached user ID
if supervisor_user_id is not None:
if user := await hass.auth.async_get_user(supervisor_user_id):
request[KEY_HASS_USER] = user
return True
supervisor_user_id = None
Comment on lines +237 to +241
Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unix-socket authentication currently accepts the cached Supervisor user even if it is inactive. Other authentication paths explicitly reject inactive users, so this could allow an unexpectedly disabled Supervisor user to still access the API over the unix socket. Consider verifying user.is_active in both the cached and lookup paths (and failing the request if inactive) to keep behavior consistent with the rest of the auth system.

Copilot uses AI. Check for mistakes.

# Slow path: find the Supervisor user by name
for user in await hass.auth.async_get_users():
if user.system_generated and user.name == HASSIO_USER_NAME:
supervisor_user_id = user.id
request[KEY_HASS_USER] = user
Comment on lines +225 to +249
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unix-socket authentication sets request[KEY_HASS_USER] but never sets request[KEY_HASS_REFRESH_TOKEN_ID]. Some authenticated endpoints assume a refresh token ID is always present (for example, onboarding uses request[KEY_HASS_REFRESH_TOKEN_ID] directly), which can lead to runtime errors or incorrect signing/audit behavior for unix-socket requests. Consider associating the Supervisor system user with a refresh token ID (creating one if missing) and setting KEY_HASS_REFRESH_TOKEN_ID alongside KEY_HASS_USER for this auth path.

Suggested change
async def async_authenticate_unix_socket(request: Request) -> bool:
"""Authenticate a request from a Unix socket as the Supervisor user."""
nonlocal supervisor_user_id
# Fast path: use cached user ID
if supervisor_user_id is not None:
if user := await hass.auth.async_get_user(supervisor_user_id):
request[KEY_HASS_USER] = user
return True
supervisor_user_id = None
# Slow path: find the Supervisor user by name
for user in await hass.auth.async_get_users():
if user.system_generated and user.name == HASSIO_USER_NAME:
supervisor_user_id = user.id
request[KEY_HASS_USER] = user
supervisor_refresh_token_id: str | None = None
async def async_authenticate_unix_socket(request: Request) -> bool:
"""Authenticate a request from a Unix socket as the Supervisor user."""
nonlocal supervisor_user_id, supervisor_refresh_token_id
# Fast path: use cached user and refresh token IDs
if supervisor_user_id is not None and supervisor_refresh_token_id is not None:
user = await hass.auth.async_get_user(supervisor_user_id)
refresh_token = hass.auth.async_get_refresh_token(
supervisor_refresh_token_id
)
if user is not None and refresh_token is not None:
request[KEY_HASS_USER] = user
request[KEY_HASS_REFRESH_TOKEN_ID] = refresh_token.id
return True
supervisor_user_id = None
supervisor_refresh_token_id = None
# Slow path: find the Supervisor user by name and associate a refresh token
for user in await hass.auth.async_get_users():
if user.system_generated and user.name == HASSIO_USER_NAME:
# Reuse an existing refresh token for this user if available
refresh_token = next(iter(user.refresh_tokens.values()), None)
if refresh_token is None:
# Without a refresh token ID, we cannot safely authenticate
return False
supervisor_user_id = user.id
supervisor_refresh_token_id = refresh_token.id
request[KEY_HASS_USER] = user
request[KEY_HASS_REFRESH_TOKEN_ID] = refresh_token.id

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member Author

@agners agners Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer if we can avoid setting KEY_HASS_REFRESH_TOKEN_ID. From what I can tell, the two possible locations seem safe for the Supervisor case:

  1. onboarding/views.py:286 — IntegrationOnboardingView.post() — requires auth, only called by the frontend during onboarding. Would KeyError on a Unix socket request, but Supervisor has no reason to call this.
  2. auth.py:71 — async_sign_path() — uses KEY_HASS_REFRESH_TOKEN_ID in request (with an in check, not direct access), so it gracefully falls back to the content user if the key isn't present. Safe.

Copy link
Copy Markdown
Contributor

@emontnemery emontnemery Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the reason we want to avoid setting KEY_HASS_REFRESH_TOKEN_ID?
I'd suggest to add a comment here explaining we intentionally don't set KEY_HASS_REFRESH_TOKEN_ID.

WRT to the IntegrationOnboardingView it seems there's some missing error handling there and it should check that there's a KEY_HASS_REFRESH_TOKEN_ID in the request? Could it be added to the schema, or is that wrong?

Copy link
Copy Markdown
Member Author

@agners agners Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the reason we want to avoid setting KEY_HASS_REFRESH_TOKEN_ID?

Really only to avoid having to maintain a "fake" authentication and refresh token. I've added a comment.

WRT to the IntegrationOnboardingView it seems there's some missing error handling there and it should check that there's a KEY_HASS_REFRESH_TOKEN_ID in the request? Could it be added to the schema, or is that wrong?

The schema is for payload, but KEY_HASS_REFRESH_TOKEN_ID is data added to the request by our authentication system. So no, we can't add this to schema. The Supervisor should never use this view though, and the view is only active during onboarding. I've added a check for completeness.

return True
return False

@middleware
async def auth_middleware(
request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
) -> StreamResponse:
"""Authenticate as middleware."""
authenticated = False

if hdrs.AUTHORIZATION in request.headers and async_validate_auth_header(
if is_unix_socket_request(request):
authenticated = await async_authenticate_unix_socket(request)
auth_type = "unix socket"

elif hdrs.AUTHORIZATION in request.headers and async_validate_auth_header(
request
):
authenticated = True
Expand All @@ -233,7 +264,7 @@ async def auth_middleware(
if authenticated and _LOGGER.isEnabledFor(logging.DEBUG):
_LOGGER.debug(
"Authenticated %s for %s using %s",
request.remote,
request.remote or "unknown",
request.path,
auth_type,
)
Expand Down
6 changes: 5 additions & 1 deletion homeassistant/components/http/ban.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
from homeassistant.helpers.hassio import get_supervisor_ip, is_hassio
from homeassistant.util import dt as dt_util, yaml as yaml_util

from .const import KEY_HASS
from .const import KEY_HASS, is_unix_socket_request
from .view import HomeAssistantView

_LOGGER: Final = logging.getLogger(__name__)
Expand Down Expand Up @@ -72,6 +72,10 @@ async def ban_middleware(
request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
) -> StreamResponse:
"""IP Ban middleware."""
# Unix socket connections are trusted, skip ban checks
if is_unix_socket_request(request):
return await handler(request)

if (ban_manager := request.app.get(KEY_BAN_MANAGER)) is None:
_LOGGER.error("IP Ban middleware loaded but banned IPs not loaded")
return await handler(request)
Expand Down
12 changes: 12 additions & 0 deletions homeassistant/components/http/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,22 @@
"""HTTP specific constants."""

import socket
from typing import Final

from aiohttp.web import Request

from homeassistant.helpers.http import KEY_AUTHENTICATED, KEY_HASS # noqa: F401

DOMAIN: Final = "http"

KEY_HASS_USER: Final = "hass_user"
KEY_HASS_REFRESH_TOKEN_ID: Final = "hass_refresh_token_id"


def is_unix_socket_request(request: Request) -> bool:
Copy link
Copy Markdown

@abb848 abb848 Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm reading this right, it trusts all Unix socket requests - this means any request would be assumed to be supervisor and treated as such. Can we add some validation to this to check it's actually supervisor traffic?

Copy link
Copy Markdown
Member Author

@agners agners Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm reading this right, it trusts all Unix socket requests - this means any request would be assumed to be supervisor and treated as such.

That is correct.

Can we add some validation to this to check it's actually supervisor traffic?

Since these are regular http/WS requests the request themself don't have any specific pattern we could check. If you want to be sure it's Supervisor. Making sure it is Supervisor on application layer would call for authentication, since authentication is all about that: Asking the source to authenticate that it is who it says it is.

But the idea is to remove the token based authentication. Today, the hassio integration in Core creates an admin user and hands the token to Supervisor:

core/homeassistant/components/hassio/__init__.py

Lines 413 to 432 in 81a8dee

refresh_token = None
if (hassio_user := config_store.data.hassio_user) is not None:
user = await hass.auth.async_get_user(hassio_user)
if user and user.refresh_tokens:
refresh_token = list(user.refresh_tokens.values())[0]
# Migrate old Hass.io users to be admin.
if not user.is_admin:
await hass.auth.async_update_user(user, group_ids=[GROUP_ID_ADMIN])
# Migrate old name
if user.name == "Hass.io":
await hass.auth.async_update_user(user, name=HASSIO_USER_NAME)
if refresh_token is None:
user = await hass.auth.async_create_system_user(
HASSIO_USER_NAME, group_ids=[GROUP_ID_ADMIN]
)
refresh_token = await hass.auth.async_create_refresh_token(user)
config_store.update(hassio_user=user.id)

We then send this token to (hopfully) the Supervisor:

core/homeassistant/components/hassio/__init__.py

Line 474 in 81a8dee

await supervisor_client.homeassistant.set_options(options)

We hand it out to whoever is answering to the IP address learned from the SUPERVISOR environment variable. So in other words, today, whoever controls the environment, has the power to learn the authentication token to be "Supervisor". This authentication token is just like any regular Home Assistant (admin) user can be used to authenticate remotely (via http) too.

By creating a new environment variable SUPERVISOR_CORE_API_SOCKET, which offers a local only way to connect Supervisor to Core, we essentially don't increase the attack surface: Controlling environment still means you have the means to be "Supervisor". But since its a Unix socket which only works locally per-se, and there is no authentication token which works via TCP/IP remotely too, the overall attack surface is lowered.

Note that in general Unix security, controlling environment means anyways game over: Via LD_PRELOAD one can load external code into a process, and hence control the process anyways.

The only risk here is that some other process connects to the SUPERVISOR_CORE_API_SOCKET Unix socket. But this will be mitigated by pointing it to a location which is only available to the host OS and the Supervisor container (see the current implementation on Supervisor side https://github.com/home-assistant/supervisor/blob/bffc3e80a044b4226800277a108a65d05fed3de5/supervisor/docker/homeassistant.py#L187-L188).

In the end this is a bit a chicken-egg problem: We want to systems to talk to each other, how do we make sure they can trust each other? There will always be some inherent trust required, be it Core "trusts" that Supervisor is at the other end of SUPERVISOR env IP, or Core trusts whoever connects to the SUPERVISOR_CORE_API_SOCKET socket to be Supervisor. What this is really doing is simplifying this inherit trust, and with Unix socket use a local only communication channel, which his essentially best practice for this type of communication (Docker socket does a similar thing, it is an unauthenticated Unix socket typically at /var/run/docker.socket, which allows to control any container on the system).

Copy link
Copy Markdown
Member

@edenhaus edenhaus Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to check if the request belongs to the unix socket specified in SUPERVISOR_CORE_API_SOCKET?
I don't like that we have a generic function checking for a Unix socket, and then we imply that only the supervisor is using it. That's true for the moment, but it can change in the future.

Copy link
Copy Markdown
Member Author

@agners agners Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, yeah that is a good idea, in fact yes, transport.get_extra_info("sockname") returns the Unix socket path. So we can definitely say this request came from that (Supervisor) Unix socket. Since we only have one Unix socket today, this does not really give us much. But we might add Unix sockets for other use cases later, or a custom components might do things... So agreed, worth doing. I'll add that extra check to the renamed is_(supervisor_)unix_socket_request.

"""Check if request arrived over a Unix socket."""
if (transport := request.transport) is None:
return False
if (sock := transport.get_extra_info("socket")) is None:
return False
return bool(sock.family == socket.AF_UNIX)
44 changes: 44 additions & 0 deletions homeassistant/components/http/web_runner.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
from __future__ import annotations

import asyncio
from pathlib import Path
from ssl import SSLContext

from aiohttp import web
Expand Down Expand Up @@ -68,3 +69,46 @@ async def start(self) -> None:
reuse_address=self._reuse_address,
reuse_port=self._reuse_port,
)


class HomeAssistantUnixSite(web.BaseSite):
"""HomeAssistant specific aiohttp UnixSite.

Listens on a Unix socket for local inter-process communication,
used for Supervisor to Core communication.
"""

__slots__ = ("_path",)

def __init__(
self,
runner: web.BaseRunner,
path: Path,
*,
backlog: int = 128,
) -> None:
"""Initialize HomeAssistantUnixSite."""
super().__init__(
runner,
backlog=backlog,
)
self._path = path

@property
def name(self) -> str:
"""Return server URL."""
return f"http://unix:{self._path}:"

async def start(self) -> None:
"""Start server."""
await super().start()
self._path.parent.mkdir(parents=True, exist_ok=True)
self._path.unlink(missing_ok=True)
loop = asyncio.get_running_loop()
server = self._runner.server
assert server is not None
self._server = await loop.create_unix_server(
server,
self._path,
backlog=self._backlog,
)
Comment on lines +129 to +131
Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If loop.create_unix_server(...) raises after _create_unix_socket() successfully bound the path, the socket FD and filesystem entry can be leaked (and the stale socket path may prevent later restarts). Wrap the create_unix_server call in error handling that closes the created socket and unlinks the path on failure.

Suggested change
self._server = await loop.create_unix_server(
server, sock=sock, backlog=self._backlog
)
try:
self._server = await loop.create_unix_server(
server, sock=sock, backlog=self._backlog
)
except Exception:
sock.close()
self._path.unlink(missing_ok=True)
raise

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member Author

@agners agners Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_create_unix_socket() handles stale entries gracefully. This seems unnecessary to me.

78 changes: 77 additions & 1 deletion tests/components/http/test_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
import pytest
import yarl

from homeassistant.auth.const import GROUP_ID_READ_ONLY
from homeassistant.auth.const import GROUP_ID_ADMIN, GROUP_ID_READ_ONLY
from homeassistant.auth.models import User
from homeassistant.auth.providers import trusted_networks
from homeassistant.auth.providers.homeassistant import HassAuthProvider
Expand All @@ -32,6 +32,7 @@
current_request,
setup_request_context,
)
from homeassistant.const import HASSIO_USER_NAME
from homeassistant.core import HomeAssistant, callback
from homeassistant.helpers.http import KEY_AUTHENTICATED, KEY_HASS
from homeassistant.setup import async_setup_component
Expand Down Expand Up @@ -658,3 +659,78 @@ async def test_create_user_once(hass: HomeAssistant) -> None:

# test it did not create a user
assert len(await hass.auth.async_get_users()) == cur_users + 1


async def test_unix_socket_auth_with_supervisor_user(
hass: HomeAssistant,
app: web.Application,
aiohttp_client: ClientSessionGenerator,
) -> None:
"""Test that Unix socket requests are authenticated as Supervisor user."""
supervisor_user = await hass.auth.async_create_system_user(
HASSIO_USER_NAME, group_ids=[GROUP_ID_ADMIN]
)
await hass.auth.async_create_refresh_token(supervisor_user)

await async_setup_auth(hass, app)
client = await aiohttp_client(app)

with patch(
"homeassistant.components.http.auth.is_unix_socket_request", return_value=True
):
req = await client.get("/")
assert req.status == HTTPStatus.OK
data = await req.json()
assert data["user_id"] == supervisor_user.id


async def test_unix_socket_auth_without_supervisor_user(
hass: HomeAssistant,
app: web.Application,
aiohttp_client: ClientSessionGenerator,
) -> None:
"""Test that Unix socket requests fail when no Supervisor user exists."""
await async_setup_auth(hass, app)
client = await aiohttp_client(app)

with patch(
"homeassistant.components.http.auth.is_unix_socket_request", return_value=True
):
req = await client.get("/")
assert req.status == HTTPStatus.UNAUTHORIZED


async def test_unix_socket_auth_caches_user_id(
hass: HomeAssistant,
app: web.Application,
aiohttp_client: ClientSessionGenerator,
) -> None:
"""Test that Unix socket auth caches the Supervisor user ID."""
supervisor_user = await hass.auth.async_create_system_user(
HASSIO_USER_NAME, group_ids=[GROUP_ID_ADMIN]
)
await hass.auth.async_create_refresh_token(supervisor_user)

await async_setup_auth(hass, app)
client = await aiohttp_client(app)

with patch(
"homeassistant.components.http.auth.is_unix_socket_request", return_value=True
):
# First request triggers user lookup
req = await client.get("/")
assert req.status == HTTPStatus.OK

# Second request should use cached user ID
with (
patch(
"homeassistant.components.http.auth.is_unix_socket_request",
return_value=True,
),
patch.object(
hass.auth, "async_get_users", wraps=hass.auth.async_get_users
) as mock_get_users,
):
req = await client.get("/")
assert req.status == HTTPStatus.OK
mock_get_users.assert_not_called()
Loading
Loading