github noiwid/HAFamilySafety v1.1.0
v1.1.0 - Auth fix, API-key hardening & new features
on GitHub

2 days ago

Full changelog: v1.0.2...v1.1.0

Important

Two components, both bumped to 1.1.0 - the integration (HACS) and the Microsoft Family Safety Auth add-on. Update both. On HA OS/Supervised, leave the add-on API key blank to auto-generate one in /share/familysafety/.api_key; the integration picks it up automatically.

✨ New

  • Connection-state sensor (#23) - a sensor.microsoft_family_safety_connection (🔌) exposing connected / degraded / disconnected plus mobile / web / cookie status, so you can see at a glance whether the auth session is healthy.

  • Screen-time-limits switch (#24) - a per-child switch.<child>_screen_time_limits mirroring the Family Safety app: ON = limits enforced, OFF = unlimited time. Saves and restores the schedule so toggling never destroys it.

  • Standalone Docker support (#25) - the auth service can now run as a standalone Docker container for HA Core / Container installs (no Supervisor), via Dockerfile.standalone, docker-compose.yml and a migration guide. A new auth URL option points the integration at the external container.

🔐 Security

  • API key required on cookie & screen-time endpoints - closes a LAN exposure where GET /api/cookies returned the parent's Microsoft session cookies (full account takeover) and the screen-time endpoints accepted limit changes, both with no authentication. The add-on now always resolves a key (env > persisted /share/familysafety/.api_key > freshly generated), compares it in constant time, and the integration sends it automatically. The query-string key path and empty-key bypass are removed.

🐛 Fixed

  • ClientSession auth crash (#22) - TypeError: 'ClientSession' object is not callable when another component (e.g. Family Link) replaced the aiohttp.ClientSession symbol. A compat shim now reuses Home Assistant's shared session and decodes JSON defensively, so Microsoft HTML error pages no longer crash the refresh (also fixes the recurring 400 in #23).

  • approve_request granted ~1/10th of the requested time (#20) - the allowance is now pre-multiplied, so approving 60 min actually grants 60 min.

  • Unstable lock / "schedule data disappeared" (#23) - lock_account no longer zeroes the schedule when the current policy is unreadable and nothing was previously saved, preventing irrecoverable loss of the child's schedule.

  • Re-authentication redirect - stale cookies and the Chromium profile are wiped before a new auth session, so Microsoft no longer redirects to an expired session before login completes.

  • Allowed-interval end time - interval conversion now ceils the end time, so 23:59 covers the 23:30-24:00 slot instead of drifting back to 23:30.

🚀 Performance

  • Shared warm browser context - reused across fetch/post calls and closed after 180s idle, so bursts (a multi-child refresh, the 14 POSTs of a lock/unlock) skip the Chromium launch + navigation entirely, with automatic recycle-and-retry on auth-like errors.

  • Cached web API session - the web client reuses one aiohttp session instead of creating one per request; dropped the raw_policy / raw_keys debug attributes that bloated the recorder.

🧹 Cleanup

  • Unified the duplicated fetch/post and persistent-context paths into one _browser_call; FastAPI lifespan replaces the deprecated on_event hooks.
  • A service-registration table replaces 17 copy-pasted handlers; a single FamilySafetyRequestButton class handles approve/deny; day-of-week lists centralized in const.py. datetime.utcnow() replaced with timezone-aware equivalents; removed dead code and unused config fields.
Check out latest releases or
releases around noiwid/HAFamilySafety v1.1.0

Don't miss a new HAFamilySafety release

NewReleases is sending notifications on new releases.

Get notifications