Skip to content

Internal http://supervisor/auth doesn't support Bearer tokens (long lived) #6313

New issue
New issue
Open
Open
Internal http://supervisor/auth doesn't support Bearer tokens (long lived)#6313
@slords

Description

@slords
slords
opened on Nov 14, 2025

Describe the issue you are experiencing

I'm trying to write a tool to manage node-red. Node-red has an endpoint (https://server:1880) that I can hit and authenticate with my home assistant username:password. I've tried configuring a long term token to access this endpoint and am getting a 500 error back.

Tracing the auth through it appears that node-red is attempting to pass the authentication along to http://supervisor/auth to handle the authentication. This in turn is calling the /usr/src/supervisor/supervisor/api/auth.py to do the authentication which only supports basic authentication. When passing a Bearer token to authenticate I'm seeing the following on the docker logs for the supervisor:

Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_protocol.py", line 510, in _handle_request
    resp = await request_handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_app.py", line 569, in _handle
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_middlewares.py", line 117, in impl
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/middleware/security.py", line 198, in block_bad_requests
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/middleware/security.py", line 208, in system_validation
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/middleware/security.py", line 276, in token_validation
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/middleware/security.py", line 289, in core_proxy
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/utils.py", line 71, in wrap_api
    answer = await method(api, *args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/auth.py", line 88, in auth
    if not await self._process_basic(request, addon):
                 ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/usr/src/supervisor/supervisor/api/auth.py", line 52, in _process_basic
    auth = BasicAuth.decode(request.headers[AUTHORIZATION])
  File "/usr/local/lib/python3.13/site-packages/aiohttp/helpers.py", line 150, in decode
    raise ValueError("Unknown authorization method %s" % auth_type)
ValueError: Unknown authorization method Bearer

What is the possibility of adding support for authenticating with Bearer tokens to internal auth endpoints so the same authentication methods that work externally will work internally?

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Steps to reproduce the issue

...

Anything in the Supervisor logs that might be useful for us?

See above

System information

See above

Supervisor diagnostics

No response

Additional information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions