code
diff --git a/‎homeassistant/components/go2rtc/__init__.py‎
Lines changed: 73 additions & 11 deletions b/‎homeassistant/components/go2rtc/__init__.py‎
Lines changed: 73 additions & 11 deletions
diff --git a/‎homeassistant/components/go2rtc/server.py‎
Lines changed: 13 additions & 3 deletions b/‎homeassistant/components/go2rtc/server.py‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎tests/components/go2rtc/snapshots/test_server.ambr‎
Lines changed: 4 additions & 4 deletions b/‎tests/components/go2rtc/snapshots/test_server.ambr‎
Lines changed: 4 additions & 4 deletions
@@ -4,9 +4,10 @@
 
 from dataclasses import dataclass
 import logging
+from secrets import token_hex
 import shutil
 
-from aiohttp import ClientSession, UnixConnector
+from aiohttp import BasicAuth, ClientSession, UnixConnector
 from aiohttp.client_exceptions import ClientConnectionError, ServerConnectionError
 from awesomeversion import AwesomeVersion
 from go2rtc_client import Go2RtcRestClient
@@ -36,15 +37,23 @@
 from homeassistant.components.default_config import DOMAIN as DEFAULT_CONFIG_DOMAIN
 from homeassistant.components.stream import Orientation
 from homeassistant.config_entries import SOURCE_SYSTEM, ConfigEntry
-from homeassistant.const import CONF_URL, EVENT_HOMEASSISTANT_STOP
+from homeassistant.const import (
+    CONF_PASSWORD,
+    CONF_URL,
+    CONF_USERNAME,
+    EVENT_HOMEASSISTANT_STOP,
+)
 from homeassistant.core import Event, HomeAssistant, callback
 from homeassistant.exceptions import ConfigEntryNotReady, HomeAssistantError
 from homeassistant.helpers import (
     config_validation as cv,
     discovery_flow,
     issue_registry as ir,
 )
-from homeassistant.helpers.aiohttp_client import async_get_clientsession
+from homeassistant.helpers.aiohttp_client import (
+    async_create_clientsession,
+    async_get_clientsession,
+)
 from homeassistant.helpers.typing import ConfigType
 from homeassistant.util.hass_dict import HassKey
 from homeassistant.util.package import is_docker_env
@@ -62,14 +71,43 @@
 _LOGGER = logging.getLogger(__name__)
 
 _FFMPEG = "ffmpeg"
+_AUTH = "auth"
+
+
+def _validate_auth(config: dict) -> dict:
+    """Validate that username and password are only set when a URL is configured or when debug UI is enabled."""
+    auth_exists = CONF_USERNAME in config
+    debug_ui_enabled = config.get(CONF_DEBUG_UI, False)
+
+    if debug_ui_enabled and not auth_exists:
+        raise vol.Invalid("Username and password must be set when debug_ui is true")
+
+    if auth_exists and CONF_URL not in config and not debug_ui_enabled:
+        raise vol.Invalid(
+            "Username and password can only be set when a URL is configured or debug_ui is true"
+        )
+
+    return config
+
 
 CONFIG_SCHEMA = vol.Schema(
     {
-        DOMAIN: vol.Schema(
-            {
-                vol.Exclusive(CONF_URL, DOMAIN, DEBUG_UI_URL_MESSAGE): cv.url,
-                vol.Exclusive(CONF_DEBUG_UI, DOMAIN, DEBUG_UI_URL_MESSAGE): cv.boolean,
-            }
+        DOMAIN: vol.All(
+            vol.Schema(
+                {
+                    vol.Exclusive(CONF_URL, DOMAIN, DEBUG_UI_URL_MESSAGE): cv.url,
+                    vol.Exclusive(
+                        CONF_DEBUG_UI, DOMAIN, DEBUG_UI_URL_MESSAGE
+                    ): cv.boolean,
+                    vol.Inclusive(CONF_USERNAME, _AUTH): vol.All(
+                        cv.string, vol.Length(min=1)
+                    ),
+                    vol.Inclusive(CONF_PASSWORD, _AUTH): vol.All(
+                        cv.string, vol.Length(min=1)
+                    ),
+                }
+            ),
+            _validate_auth,
         )
     },
     extra=vol.ALLOW_EXTRA,
@@ -83,12 +121,19 @@
 async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
     """Set up WebRTC."""
     url: str | None = None
+    username: str | None = None
+    password: str | None = None
+
     if DOMAIN not in config and DEFAULT_CONFIG_DOMAIN not in config:
         await _remove_go2rtc_entries(hass)
         return True
 
+    domain_config = config.get(DOMAIN, {})
+    username = domain_config.get(CONF_USERNAME)
+    password = domain_config.get(CONF_PASSWORD)
+
     if not (configured_by_user := DOMAIN in config) or not (
-        url := config[DOMAIN].get(CONF_URL)
+        url := domain_config.get(CONF_URL)
     ):
         if not is_docker_env():
             if not configured_by_user:
@@ -101,13 +146,26 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
             _LOGGER.error("Could not find go2rtc docker binary")
             return False
 
+        # Generate random credentials when not provided to secure the server
+        if not username or not password:
+            username = token_hex()
+            password = token_hex()
+            _LOGGER.debug("Generated random credentials for go2rtc server")
+
+        auth = BasicAuth(username, password)
         # HA will manage the binary
-        session = ClientSession(connector=UnixConnector(path=HA_MANAGED_UNIX_SOCKET))
+        # Manually created session (not using the helper) needs to be closed manually
+        # See on_stop listener below
+        session = ClientSession(
+            connector=UnixConnector(path=HA_MANAGED_UNIX_SOCKET), auth=auth
+        )
         server = Server(
             hass,
             binary,
             session,
-            enable_ui=config.get(DOMAIN, {}).get(CONF_DEBUG_UI, False),
+            enable_ui=domain_config.get(CONF_DEBUG_UI, False),
+            username=username,
+            password=password,
         )
         try:
             await server.start()
@@ -122,6 +180,10 @@ async def on_stop(event: Event) -> None:
         hass.bus.async_listen(EVENT_HOMEASSISTANT_STOP, on_stop)
 
         url = HA_MANAGED_URL
+    elif username and password:
+        # Create session with BasicAuth if credentials are provided
+        auth = BasicAuth(username, password)
+        session = async_create_clientsession(hass, auth=auth)
     else:
         session = async_get_clientsession(hass)
 
 
@@ -24,6 +24,7 @@
 
 # Default configuration for HA
 # - Unix socket for secure local communication
+# - Basic auth enabled, including local connections
 # - HTTP API only enabled when UI is enabled
 # - Enable rtsp for localhost only as ffmpeg needs it
 # - Clear default ice servers
@@ -37,6 +38,9 @@
   listen: "{listen_config}"
   unix_listen: "{unix_socket}"
   allow_paths: {api_allow_paths}
+  local_auth: true
+  username: {username}
+  password: {password}
 
 # ffmpeg needs the exec module
 # Restrict execution to only ffmpeg binary
@@ -118,7 +122,7 @@ def _format_list_for_yaml(items: tuple[str, ...]) -> str:
     return f"[{formatted_items}]"
 
 
-def _create_temp_file(enable_ui: bool) -> str:
+def _create_temp_file(enable_ui: bool, username: str, password: str) -> str:
     """Create temporary config file."""
     app_modules: tuple[str, ...] = _APP_MODULES
     api_paths: tuple[str, ...] = _API_ALLOW_PATHS
@@ -142,6 +146,8 @@ def _create_temp_file(enable_ui: bool) -> str:
                 unix_socket=HA_MANAGED_UNIX_SOCKET,
                 app_modules=_format_list_for_yaml(app_modules),
                 api_allow_paths=_format_list_for_yaml(api_paths),
+                username=username,
+                password=password,
             ).encode()
         )
         return file.name
@@ -157,15 +163,19 @@ def __init__(
         session: ClientSession,
         *,
         enable_ui: bool = False,
+        username: str,
+        password: str,
     ) -> None:
         """Initialize the server."""
         self._hass = hass
         self._binary = binary
         self._session = session
+        self._enable_ui = enable_ui
+        self._username = username
+        self._password = password
         self._log_buffer: deque[str] = deque(maxlen=_LOG_BUFFER_SIZE)
         self._process: asyncio.subprocess.Process | None = None
         self._startup_complete = asyncio.Event()
-        self._enable_ui = enable_ui
         self._watchdog_task: asyncio.Task | None = None
         self._watchdog_tasks: list[asyncio.Task] = []
 
@@ -180,7 +190,7 @@ async def _start(self) -> None:
         """Start the server."""
         _LOGGER.debug("Starting go2rtc server")
         config_file = await self._hass.async_add_executor_job(
-            _create_temp_file, self._enable_ui
+            _create_temp_file, self._enable_ui, self._username, self._password
         )
 
         self._startup_complete.clear()
 
@@ -1,20 +1,20 @@
 # serializer version: 1
-# name: test_server_run_success[False]
+# name: test_server_run_success[False-d2a0b844f4cdbe773702176c47c9a675eb0c56a0779b8f880cdb3b492ed3b1c1-bc495d266a32e66ba69b9c72546e00101e04fb573f1bd08863fe4ad1aac02949]
   _CallList([
     _Call(
       tuple(
-        b'# This file is managed by Home Assistant\n# Do not edit it manually\n\napp:\n  modules: ["api","exec","ffmpeg","http","mjpeg","onvif","rtmp","rtsp","srtp","webrtc","ws"]\n\napi:\n  listen: ""\n  unix_listen: "/run/go2rtc.sock"\n  allow_paths: ["/","/api","/api/frame.jpeg","/api/schemes","/api/streams","/api/webrtc","/api/ws"]\n\n# ffmpeg needs the exec module\n# Restrict execution to only ffmpeg binary\nexec:\n  allow_paths:\n    - ffmpeg\n\nrtsp:\n  listen: "127.0.0.1:18554"\n\nwebrtc:\n  listen: ":18555/tcp"\n  ice_servers: []\n',
+        b'# This file is managed by Home Assistant\n# Do not edit it manually\n\napp:\n  modules: ["api","exec","ffmpeg","http","mjpeg","onvif","rtmp","rtsp","srtp","webrtc","ws"]\n\napi:\n  listen: ""\n  unix_listen: "/run/go2rtc.sock"\n  allow_paths: ["/","/api","/api/frame.jpeg","/api/schemes","/api/streams","/api/webrtc","/api/ws"]\n  local_auth: true\n  username: d2a0b844f4cdbe773702176c47c9a675eb0c56a0779b8f880cdb3b492ed3b1c1\n  password: bc495d266a32e66ba69b9c72546e00101e04fb573f1bd08863fe4ad1aac02949\n\n# ffmpeg needs the exec module\n# Restrict execution to only ffmpeg binary\nexec:\n  allow_paths:\n    - ffmpeg\n\nrtsp:\n  listen: "127.0.0.1:18554"\n\nwebrtc:\n  listen: ":18555/tcp"\n  ice_servers: []\n',
       ),
       dict({
       }),
     ),
   ])
 # ---
-# name: test_server_run_success[True]
+# name: test_server_run_success[True-user-pass]
   _CallList([
     _Call(
       tuple(
-        b'# This file is managed by Home Assistant\n# Do not edit it manually\n\napp:\n  modules: ["api","exec","ffmpeg","http","mjpeg","onvif","rtmp","rtsp","srtp","webrtc","ws","debug"]\n\napi:\n  listen: ":11984"\n  unix_listen: "/run/go2rtc.sock"\n  allow_paths: ["/","/api","/api/frame.jpeg","/api/schemes","/api/streams","/api/webrtc","/api/ws","/api/config","/api/log","/api/streams.dot"]\n\n# ffmpeg needs the exec module\n# Restrict execution to only ffmpeg binary\nexec:\n  allow_paths:\n    - ffmpeg\n\nrtsp:\n  listen: "127.0.0.1:18554"\n\nwebrtc:\n  listen: ":18555/tcp"\n  ice_servers: []\n',
+        b'# This file is managed by Home Assistant\n# Do not edit it manually\n\napp:\n  modules: ["api","exec","ffmpeg","http","mjpeg","onvif","rtmp","rtsp","srtp","webrtc","ws","debug"]\n\napi:\n  listen: ":11984"\n  unix_listen: "/run/go2rtc.sock"\n  allow_paths: ["/","/api","/api/frame.jpeg","/api/schemes","/api/streams","/api/webrtc","/api/ws","/api/config","/api/log","/api/streams.dot"]\n  local_auth: true\n  username: user\n  password: pass\n\n# ffmpeg needs the exec module\n# Restrict execution to only ffmpeg binary\nexec:\n  allow_paths:\n    - ffmpeg\n\nrtsp:\n  listen: "127.0.0.1:18554"\n\nwebrtc:\n  listen: ":18555/tcp"\n  ice_servers: []\n',
       ),
       dict({
       }),