Allow non-authenticated calls to snapshots during onboarding (#40582)

homeassistant/components/hassio/http.py

@@ -12,6 +12,7 @@ from aiohttp.web_exceptions import HTTPBadGateway
 import async_timeout
 
 from homeassistant.components.http import KEY_AUTHENTICATED, HomeAssistantView
+from homeassistant.components.onboarding import async_is_onboarded
 from homeassistant.const import HTTP_UNAUTHORIZED
 
 from .const import X_HASS_IS_ADMIN, X_HASS_USER_ID, X_HASSIO
@@ -54,7 +55,8 @@ class HassIOView(HomeAssistantView):
         self, request: web.Request, path: str
     ) -> Union[web.Response, web.StreamResponse]:
         """Route data to Hass.io."""
-        if _need_auth(path) and not request[KEY_AUTHENTICATED]:
+        hass = request.app["hass"]
+        if _need_auth(hass, path) and not request[KEY_AUTHENTICATED]:
             return web.Response(status=HTTP_UNAUTHORIZED)
 
         return await self._command_proxy(path, request)
@@ -145,8 +147,10 @@ def _get_timeout(path: str) -> int:
     return 300
 
 
-def _need_auth(path: str) -> bool:
+def _need_auth(hass, path: str) -> bool:
     """Return if a path need authentication."""
+    if not async_is_onboarded(hass) and path.startswith("snapshots"):
+        return False
     if NO_AUTH.match(path):
         return False
     return True

tests/components/hassio/test_http.py

@@ -3,6 +3,8 @@ import asyncio
 
 import pytest
 
+from homeassistant.components.hassio.http import _need_auth
+
 from tests.async_mock import patch
 
 
@@ -147,3 +149,12 @@ async def test_snapshot_upload_headers(hassio_client, aioclient_mock):
 
     req_headers = aioclient_mock.mock_calls[0][-1]
     req_headers["Content-Type"] == content_type
+
+
+def test_need_auth(hass):
+    """Test if the requested path needs authentication."""
+    assert not _need_auth(hass, "addons/test/logo")
+    assert _need_auth(hass, "snapshots/new/upload")
+
+    hass.data["onboarding"] = False
+    assert not _need_auth(hass, "snapshots/new/upload")