37 Commits

Author SHA1 Message Date
Nicolas Mowen
e636449d56
Miscellaneous fixes (0.17 beta) (#21350)
* Fix genai callbacks in MQTT

* Cleanup cursor pointer for classification cards

* Cleanup

* Handle unknown SOCs for RKNN converter by only using known SOCs

* don't allow "none" as a classification class name

* change internal port user to admin and default unspecified username to viewer

* keep 5000 as anonymous user

* suppress tensorflow logging during classification training

* Always apply base log level suppressions for noisy third-party libraries even if no specific logConfig is provided

* remove decorator and specifically suppress TFLite delegate creation messages

---------

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2025-12-18 15:12:10 -07:00
Blake Blackshear
3edfd905de
consider anonymous user authenticated (#21335)
* consider anonymous user authenticated

* simplify and update comments
2025-12-17 08:01:20 -06:00
Josh Hawkins
e7d047715d
Miscellaneous Fixes (0.17 beta) (#21301)
* Wait for config to load before evaluating route access

Fix race condition where custom role users are temporarily denied access after login while config is still loading. Defer route rendering in DefaultAppView until config is available so the complete role list is known before ProtectedRoute evaluates permissions

* Use batching for state classification generation

* Ignore incorrect scoring images if they make it through the deletion

* Delete unclassified images

* mitigate tensorflow atexit crash by pre-importing tflite/tensorflow on main thread

Pre-import Interpreter in embeddings maintainer and add defensive lazy imports in classification processors to avoid worker-thread tensorflow imports causing "can't register atexit after shutdown"

* don't require old password for users with admin role when changing passwords

* don't render actions menu if no options are available

* Remove hwaccel arg as it is not used for encoding

* change password button text

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2025-12-16 08:11:53 -06:00
Nicolas Mowen
fa16539429
Miscellaneous Fixes (#21289)
* Exclude yolov9 license plate from migraphx runner

* clarify auth endpoint return in openapi schema

* Clarify ROCm enrichments

* fix object mask creation

* Consider audio activity when deciding if recording segments should be kept due to motion

* ensure python defs match openapi spec for auth endpoints

* Fix check for audio activity to keep a segment

* fix calendar popover modal bug on export dialog

---------

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2025-12-15 09:32:11 -06:00
Josh Hawkins
e1545a8db8
Miscellaneous Fixes (0.17 beta) (#21279)
* Fix Safari popover issue in classification wizard

* use name for key instead of title

prevents duplicate key warnings when users mix vaapi and qsv

* update auth api endpoint descriptions and docs

* tweak headings

* fix note

* clarify classification docs

* Fix cuda birdseye

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2025-12-14 16:41:38 -07:00
Josh Hawkins
152e585206
Authentication improvements (#21194)
* jwt permissions

* add old password to body req

* add model and migration

need to track the datetime that passwords were changed for the jwt

* auth api backend changes

- use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only)
- add backend validation for password strength
- add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change
- set logout route to public to avoid 401 when logging out
- issue new jwt for users who change their own password so they stay logged in

* improve set password dialog

- add field to verify old password
- add password strength requirements

* frontend tweaks for password dialog

* i18n

* use verify endpoint for existing password verification

avoid /login side effects (creating a new session)

* public logout

* only check if password has changed on jwt refresh

* fix tests

Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns)

* add multi device warning to password dialog

* remove password verification endpoint

Just send old_password + new password in one request, let the backend handle verification in a single operation
2025-12-08 09:02:28 -07:00
Josh Hawkins
048475e750
API admin exemptions and route guard updates (#21094)
* update exempt paths and add missing guard to api endpoints

* admin only frigate+ submission
2025-11-29 07:30:04 -06:00
Josh Hawkins
cd606ad240
Enforce default admin role requirement for API endpoints (#21065)
* require admin role by default

* update all endpoint access guards

* explicit paths and prefixes exception lists

* fix tests to use mock auth

* add helper and simplify auth conditions

* add missing exempt path

* fix test

* make metrics endpoint require auth
2025-11-26 15:07:28 -06:00
Nicolas Mowen
de2144f158
Miscellaneous Fixes (#21050)
* Don't add to history when opening search dialog

* Update caniuse

* Revamp the history handling for dialog components

* clarify audio transcription docs

* Use titlecase helper

* Allow running object classification on stationary objects

* small spacing tweaks for tablets

* require admin role to delete users

* explicitly prevent deletion of admin user

---------

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2025-11-26 07:23:51 -06:00
Josh Hawkins
2387dccc19
Add login page docs hint (#20619)
* add config field

* add endpoint

* set config var when onboarding

* add no auth exception to nginx config

* form changes and i18n

* clean up
2025-10-22 12:24:53 -05:00
Josh Hawkins
ed1e3a7c9a
Enhance user roles to limit camera access (#20024)
* update config for roles and add validator

* ensure admin and viewer are never overridden

* add class method to user to retrieve all allowed cameras

* enforce config roles in auth api endpoints

* add camera access api dependency functions

* protect review endpoints

* protect preview endpoints

* rename param name for better fastapi injection matching

* remove unneeded

* protect export endpoints

* protect event endpoints

* protect media endpoints

* update auth hook for allowed cameras

* update default app view

* ensure anonymous user always returns all cameras

* limit cameras in explore

* cameras is already a list

* limit cameras in review/history

* limit cameras in live view

* limit cameras in camera groups

* only show face library and classification in sidebar for admin

* remove check in delete reviews

since admin role is required, no need to check camera access. fixes failing test

* pass request with camera access for tests

* more async

* camera access tests

* fix proxy auth tests

* allowed cameras for review tests

* combine event tests and refactor for camera access

* fix post validation for roles

* don't limit roles in create user dialog

* fix triggers endpoints

no need to run require camera access dep since the required role is admin

* fix type

* create and edit role dialogs

* delete role dialog

* fix role change dialog

* update settings view for roles

* i18n changes

* minor spacing tweaks

* docs

* use badges and camera name label component

* clarify docs

* display all cameras badge for admin and viewer

* i18n fix

* use validator to prevent reserved and empty roles from being assigned

* split users and roles into separate tabs in settings

* tweak docs

* clarify docs

* change icon

* don't memoize roles

always recalculate on component render
2025-09-12 05:19:29 -06:00
Josh Hawkins
bd255362d6
Ensure proxy group claim uses the configured separator character (#19869)
* Ensure group claim uses the configured separator character

* refactor to helper function

* tests

* clean up
2025-09-01 15:30:30 -06:00
Josh Hawkins
22e981c38c
Add role map support for proxy auth (#19758)
* update config

* add role map support

* docs
2025-08-25 17:58:41 -05:00
Nicholas Cook
4b72c86e77
Fix IPv6 addresses with IPv4 trusted proxies (#19134)
When an IPv6 address that doesn't map to an IPv4 address was checked
against an IPv4 trusted proxy, we'd hit an exception because
ip.ipv4_mapped was None. Fix this by verifying ipv4_mapped is not None

Co-authored-by: me <me@me>
2025-07-13 20:43:25 -06:00
Nicolas Mowen
ea576e7468
Fixes (#18897)
* Fix showing review items that span over multiple days

* Simplify

* Fix tests

* Fix unchanged value

* Allow admin as default role and viewer as passed header for proxy auth

---------

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2025-06-26 13:01:09 -06:00
Josh Hawkins
49c6073de6
Add ability to specify separator used in proxy headers (#18336)
2025-05-21 06:02:13 -06:00
Josh Hawkins
8094dd4075
Fixes (#18117)
* face library i18n fixes

* face library i18n fixes

* add ability to use ctrl/cmd S to save in the config editor

* Use datetime as ID

* Update metrics inference speed to start with 0 ms

* fix android formatted thumbnail

* ensure role is comma separated and stripped correctly

* improve face library deletion

- add a confirmation dialog
- add ability to select all / delete faces in collections

* Implement lazy loading for video previews

* Force GPU for large embedding model

* GPU is required

* settings i18n fixes

* Don't delete train tab

* webpush debugging logs

* Fix incorrectly copying zones

* copy path data

* Ensure that cache dir exists for Frigate+

* face docs update

* Add description to upload image step to clarify the image

* Clean up

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2025-05-09 07:36:44 -06:00
Josh Hawkins
511542eaf8
Fixes (#18055)
* frigate+ pane i18n fix

* catch more exceptions

* explore search result tooltip i18n fix

* i18n fix

* remove comments about deprecated strftime_fmt

* Catch producers exists but is None

* Formatting

* fix live camera view i18n

* Add default role config for proxy users

This allows users to specify a default role for users when using a proxy for auth. This can be useful for users who can't/don't want to define a header mapping for the remote-role header.

* update reference config and auth docs

* clarify face rec camera level config

* clarify auth docs

* Fix onnx not working with openvino

* Update openvino to fix failed npu plugin check

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2025-05-05 20:42:24 -06:00
Felipe Santos
f8b0329b37
Move database and config from homeassistant /config to addon /config (#16337)
* Move database and config from homeassistant /config to addon /config

* Re-implement config migration for the add-on

* Align some terms

* Improve function name

* Use local variables

* Add model.path migration

* Fix homeassistant config path

* Ensure migration scripts run before go2rtc and frigate

* Migrate all files I know

* Add ffmpeg.path migration

* Update docker/main/rootfs/etc/s6-overlay/s6-rc.d/prepare/run

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>

* Improve some variable names and organization

* Update docs to reflect addon config dir

* Update live.md with /addon_configs

* Move addon config section to configuration doc

* Align several terminologies and improve text

* Fix webrtc example config title

* Capitalize Add-on in more places

* Improve specific add-on config dir docs

* Align bash and python scripts to prefer config.yml over config.yaml

* Support config.json in migration shell scripts

* Change docs to reflect config.yml is preferred over config.yaml

* If previous config was yaml, migrate to yaml

* Fix typo in edgetpu.md

* Fix formatting of Python files

* Remove HailoRT Beta add-on variant from docs

* Add migration for labelmap and certs

* Fix variable name

* Fix new_config_file var unset

* Fix addon config directories table

* Improve db migration to avoid migrating files like .db.bak

* Fix echo location

---------

Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2025-03-24 09:05:59 -05:00
Josh Hawkins
d87268acfe
Small tweaks (#17168)
* Clean up repeated code in auth

* Ensure review status is migrated for anonymous users
2025-03-15 07:11:45 -06:00
Josh Hawkins
bf311e6467
Simplify auth check (#17138)
* simplify get_current_user

* add sanity check
2025-03-13 16:01:15 -05:00
MkSavin
bea6cf29c2
fix(auth): Added trimming to jwt secret token read from .jwt_secret (#16467)
Added cleaning of leading and trailing spaces and special characters from a line when reading a secret token from a `.jwt_secret` file
2025-03-10 16:36:43 -06:00
Josh Hawkins
2be5225440
More auth role fixes (#17067)
* simplify check and handle comma separated roles

* spacing
2025-03-10 10:00:35 -05:00
Josh Hawkins
cb25bd4a88
Auth role bugfixes (#17066)
* get correct role from header map

* fix profile endpoint
2025-03-10 07:59:24 -06:00
Josh Hawkins
74ca009b0b
UI viewer role (#16978)
* db migration

* db model

* assign admin role on password reset

* add role to jwt and api responses

* don't restrict api access for admins yet

* use json response

* frontend auth context

* update auth form for profile endpoint

* add access denied page

* add protected routes

* auth hook

* dialogs

* user settings view

* restrict viewer access to settings

* restrict camera functions for viewer role

* add password dialog to account menu

* spacing tweak

* migrator default to admin

* escape quotes in migrator

* ui tweaks

* tweaks

* colors

* colors

* fix merge conflict

* fix icons

* add api layer enforcement

* ui tweaks

* fix error message

* debug

* clean up

* remove print

* guard apis for admin only

* fix tests

* fix review tests

* use correct error responses from api in toasts

* add role to account menu
2025-03-08 10:01:08 -06:00
Blake Blackshear
6b12a45a95
return 401 for login failures (#15432)
* return 401 for login failures

* only setup the rate limiter when configured
2024-12-10 06:42:55 -07:00
Nicolas Mowen
bb86e71e65
fix auth remote addr access (#15378)
2024-12-06 10:25:43 -06:00
Nicolas Mowen
d3b631a952
Api improvements (#15327)
* Organize api files

* Add more API definitions for events

* Add export select by ID

* Typing fixes

* Update openapi spec

* Change type

* Fix test

* Fix message

* Fix tests
2024-12-06 08:04:02 -06:00
Nicolas Mowen
0eccb6a610
Db fixes (#14364)
* Handle case where embeddings overflow token limit

* Set notification tokens

* Fix sort
2024-10-15 07:17:54 -06:00
gtsiam
bbbb3b4a06
Split config.py into multiple files (#14038)
* Replace logging.warn with logging.warning

* Install config global state early

* Split config.py into more manageable pieces
2024-09-28 14:21:42 -05:00
Rui Alves
cffc431bf0
Frigate HTTP API using FastAPI (#13871)
* POC: Added FastAPI with one endpoint (get /logs/service)

* POC: Revert error_log

* POC: Converted preview related endpoints to FastAPI

* POC: Converted two more endpoints to FastAPI

* POC: lint

* Convert all media endpoints to FastAPI. Added /media prefix (/media/camera && media/events && /media/preview)

* Convert all notifications API endpoints to FastAPI

* Convert first review API endpoints to FastAPI

* Convert remaining review API endpoints to FastAPI

* Convert export endpoints to FastAPI

* Fix path parameters

* Convert events endpoints to FastAPI

* Use body for multiple events endpoints

* Use body for multiple events endpoints (create and end event)

* Convert app endpoints to FastAPI

* Convert app endpoints to FastAPI

* Convert auth endpoints to FastAPI

* Removed flask app in favour of FastAPI app. Implemented FastAPI middleware to check CSRF, connect and disconnect from DB. Added middleware x-forwarded-for headers

* Added starlette plugin to expose custom headers

* Use slowapi as the limiter

* Use query parameters for the frame latest endpoint

* Use query parameters for the media snapshot.jpg endpoint

* Use query parameters for the media MJPEG feed endpoint

* Revert initial nginx.conf change

* Added missing even_id for /events/search endpoint

* Removed left over comment

* Use FastAPI TestClient

* severity query parameter should be a string

* Use the same pattern for all tests

* Fix endpoint

* Revert media routers to old names. Order routes to make sure the dynamic ones from media.py are only used whenever there's no match on auth/etc

* Reverted paths for media on tsx files

* Deleted file

* Fix test_http to use TestClient

* Formatting

* Bind timeline to DB

* Fix http tests

* Replace filename with pathvalidate

* Fix latest.ext handling and disable uvicorn access logs

* Add constraints to api provided values

* Formatting

* Remove unused

* Remove unused

* Get rate limiter working

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2024-09-24 07:05:30 -06:00
Josh Thorpe
8f51f7b4c4
strip whitespaces when loading secrets (#12393)
* strip whitespaces when loading secrets

* formatting
2024-07-12 07:36:15 -06:00
Miguel Angel Nubla
02af1b0ac7
Fix header auth (#11985)
2024-06-16 05:52:17 -05:00
Blake Blackshear
9ceffeb191
split out proxy from auth (#11963)
* split out proxy from auth

* update documentation

* fixup auth mode check
2024-06-14 18:02:13 -05:00
Blake Blackshear
b3eab17f2c
just check for secret file specifically (#11877)
* just check for secret file specifically

* add josh to funding
2024-06-11 06:53:12 -06:00
Blake Blackshear
402f5fa142
add setting for secure flag on cookie (#11422)
* add setting for secure flag on cookie

* docs fix
2024-05-18 13:53:49 -06:00
Blake Blackshear
1133202cbd
Auth! (#11347)
* reload the window on 401

* backend apis for auth

* add login page

* re-enable web linter

* fix login page routing

* bypass csrf for internal auth endpoint

* disable healthcheck in devcontainer target

* include login page in vite build

* redirect to login page on 401

* implement config for users and settings

* implement JWT actual secret

* add brute force protection on login

* add support for redirecting from auth failures on api calls

* return location for redirect

* default cookie name should pass regex test

* set hash iterations to current OWASP recommendation

* move users to database instead of config

* config option to reset admin password on startup

* user management UI

* check for deleted user on refresh

* validate username and fixes

* remove password constraint

* cleanup

* fix user check on refresh

* web fixes

* implement auth via new external port

* use x-forwarded-for to rate limit login attempts by ip

* implement logout and profile

* fixes

* lint fixes

* add support for user passthru from upstream proxies

* add support for specifying a logout url

* add documentation

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2024-05-18 10:36:13 -06:00