Auth! (#11347)

* reload the window on 401

* backend apis for auth

* add login page

* re-enable web linter

* fix login page routing

* bypass csrf for internal auth endpoint

* disable healthcheck in devcontainer target

* include login page in vite build

* redirect to login page on 401

* implement config for users and settings

* implement JWT actual secret

* add brute force protection on login

* add support for redirecting from auth failures on api calls

* return location for redirect

* default cookie name should pass regex test

* set hash iterations to current OWASP recommendation

* move users to database instead of config

* config option to reset admin password on startup

* user management UI

* check for deleted user on refresh

* validate username and fixes

* remove password constraint

* cleanup

* fix user check on refresh

* web fixes

* implement auth via new external port

* use x-forwarded-for to rate limit login attempts by ip

* implement logout and profile

* fixes

* lint fixes

* add support for user passthru from upstream proxies

* add support for specifying a logout url

* add documentation

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

docs/docs/integrations/api.md

@@ -164,7 +164,7 @@ Accepts the following query string parameters:
 | `motion`    | int  | Draw blue boxes for areas with detected motion (0 or 1)            |
 | `regions`   | int  | Draw green boxes for areas where object detection was run (0 or 1) |
 
-You can access a higher resolution mjpeg stream by appending `h=height-in-pixels` to the endpoint. For example `http://localhost:5000/api/back?h=1080`. You can also increase the FPS by appending `fps=frame-rate` to the URL such as `http://localhost:5000/api/back?fps=10` or both with `?fps=10&h=1000`.
+You can access a higher resolution mjpeg stream by appending `h=height-in-pixels` to the endpoint. For example `http://localhost:8080/api/back?h=1080`. You can also increase the FPS by appending `fps=frame-rate` to the URL such as `http://localhost:8080/api/back?fps=10` or both with `?fps=10&h=1000`.
 
 ### `GET /api/<camera_name>/latest.jpg[?h=300]`
 

docs/docs/integrations/home-assistant.md

@@ -47,7 +47,55 @@ that card.
 
 ## Configuration
 
-When configuring the integration, you will be asked for the `URL` of your Frigate instance which is the URL you use to access Frigate in the browser. This may look like `http://<host>:5000/`. If you are using HassOS with the addon, the URL should be one of the following depending on which addon version you are using. Note that if you are using the Proxy Addon, you do NOT point the integration at the proxy URL. Just enter the URL used to access Frigate directly from your network.
+When configuring the integration, you will be asked for the `URL` of your Frigate instance which needs to be pointed at the internal unauthenticated port (`5000`) for your instance. This may look like `http://<host>:5000/`.
+
+### Docker Compose Examples
+
+If you are running Home Assistant Core and Frigate with Docker Compose on the same device, here are some examples.
+
+#### Home Assistant running with host networking
+
+It is not recommended to run Frigate in host networking mode. In this example, you would use `http://172.17.0.1:5000` when configuring the integration.
+
+```yaml
+services:
+  homeassistant:
+    container_name: hass
+    image: ghcr.io/home-assistant/home-assistant:stable
+    network_mode: host
+    ...
+
+  frigate:
+    image: ghcr.io/blakeblackshear/frigate:stable
+    ...
+    ports:
+      - "172.17.0.1:5000:5000"
+      ...
+```
+
+#### Home Assistant _not_ running with host networking or in a separate compose file
+
+In this example, you would use `http://frigate:5000` when configuring the integration. There is no need to map the port for the Frigate container.
+
+```yaml
+services:
+  homeassistant:
+    container_name: hass
+    image: ghcr.io/home-assistant/home-assistant:stable
+    # network_mode: host
+    ...
+
+  frigate:
+    image: ghcr.io/blakeblackshear/frigate:stable
+    ...
+    ports:
+      # - "172.17.0.1:5000:5000"
+      ...
+```
+
+### HassOS Addon
+
+If you are using HassOS with the addon, the URL should be one of the following depending on which addon version you are using. Note that if you are using the Proxy Addon, you do NOT point the integration at the proxy URL. Just enter the URL used to access Frigate directly from your network.
 
 | Addon Version                  | URL                                    |
 | ------------------------------ | -------------------------------------- |
@@ -56,7 +104,37 @@ When configuring the integration, you will be asked for the `URL` of your Frigat
 | Frigate NVR Beta               | `http://ccab4aaf-frigate-beta:5000`    |
 | Frigate NVR Beta (Full Access) | `http://ccab4aaf-frigate-fa-beta:5000` |
 
-<a name="options"></a>
+### Frigate running on a separate machine
+
+If you run Frigate on a separate device within your local network, Home Assistant will need access to port 5000.
+
+#### Local network
+
+Use `http://<frigate_device_ip>:5000` as the URL for the integration. If you want to protect access to port 5000, you can use firewall rules to limit access to the device running Home Assistant.
+
+```yaml
+services:
+  frigate:
+    image: ghcr.io/blakeblackshear/frigate:stable
+    ...
+    ports:
+      - "5000:5000"
+      ...
+```
+
+#### Tailscale or other private networking
+
+Use `http://<frigate_device_tailscale_ip>:5000` as the URL for the integration.
+
+```yaml
+services:
+  frigate:
+    image: ghcr.io/blakeblackshear/frigate:stable
+    ...
+    ports:
+      - "<tailscale_ip>:5000:5000"
+      ...
+```
 
 ## Options
 

docs/docs/integrations/third_party_extensions.md

@@ -4,7 +4,7 @@ title: Third Party Extensions
 ---
 
 Being open source, others have the possibility to modify and extend the rich functionality Frigate already offers.
-This page is meant to be an overview over additions one can make to the home NVR setup. The list is not exhaustive and can be extended via PR to the Frigate docs.
+This page is meant to be an overview over additions one can make to the home NVR setup. The list is not exhaustive and can be extended via PR to the Frigate docs. Most of these services are designed to interface with Frigate's unauthenticated api over port 5000.
 
 :::warning