From c3abf6df59f2489b8a2e85e1ed6264127e22a9d8 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 10 Dec 2025 03:33:18 +0000 Subject: [PATCH] Redirect invalid ingress sessions to validate-session endpoint When a non-websocket request has an invalid ingress session, redirect to /ingress/validate-session?url= instead of returning 401 Unauthorized. This allows the frontend to handle session validation and re-authentication gracefully. Websocket requests still return 401 as they cannot follow redirects. --- supervisor/api/ingress.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/supervisor/api/ingress.py b/supervisor/api/ingress.py index bf2d56ffe..f3a1579a0 100644 --- a/supervisor/api/ingress.py +++ b/supervisor/api/ingress.py @@ -14,6 +14,7 @@ from aiohttp.web_exceptions import ( ) from multidict import CIMultiDict, istr import voluptuous as vol +from yarl import URL from ..addons.addon import Addon from ..const import ( @@ -150,7 +151,17 @@ class APIIngress(CoreSysAttributes): session = request.cookies.get(COOKIE_INGRESS, "") if not self.sys_ingress.validate_session(session): _LOGGER.warning("No valid ingress session %s", session) - raise HTTPUnauthorized() + # For websocket requests, raise unauthorized + if _is_websocket(request): + raise HTTPUnauthorized() + # For other requests, redirect to validate-session endpoint + token = request.match_info["token"] + path = request.match_info.get("path", "") + ingress_url = f"/api/hassio_ingress/{token}/{path}" + if request.query_string: + ingress_url = f"{ingress_url}?{request.query_string}" + redirect_url = URL("/ingress/validate-session").with_query(url=ingress_url) + raise web.HTTPFound(redirect_url) # Process requests addon = self._extract_addon(request)