Validate local_only user for signed requests

[edenhaus]

Breaking change

Proposed change

Validate local_only user for signed requests so local_only users can't use signed resources on remote requests

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:
• Link to developer documentation pull request:
• Link to frontend pull request:

Checklist

• I understand the code I am submitting and can explain how it works.
• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Ruff (ruff format homeassistant tests)
• Tests have been added to verify that the new code works.
• Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies a diff between library versions and ideally a link to the changelog/release notes is added to the PR description.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[home-assistant]

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

• @home-assistant close Closes the pull request.
• @home-assistant mark-draft Mark the pull request as draft.
• @home-assistant ready-for-review Remove the draft status from the pull request.
• @home-assistant rename Awesome new title Renames the pull request.
• @home-assistant reopen Reopen the pull request.
• @home-assistant unassign http Removes the current integration label and assignees on the pull request, add the integration domain after the command.
• @home-assistant update-branch Update the pull request branch with the base branch.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) to the pull request.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) on the pull request.

[Copilot]

Pull request overview

This PR tightens HTTP signed-request authentication by applying the same “user allowed to authenticate” constraints (inactive users and local_only users on remote requests) that already apply to bearer-token auth.

Changes:

• Enforce async_user_not_allowed_do_auth(...) when validating signed requests.
• Add tests ensuring signed URLs fail for local_only users on external IPs.
• Add tests ensuring signed URLs fail for inactive users.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
homeassistant/components/http/auth.py	Rejects signed requests when the issuing user is inactive or not permitted to authenticate from the request origin (e.g., local_only remotely).
tests/components/http/test_auth.py	Adds coverage for signed URL access behavior for local_only users and inactive users.

[Copilot]

Pull request overview

This PR closes a security gap in the HTTP component by applying the existing “inactive/local-only user” restrictions to signed URL authentication, preventing local-only users from using signed resources from remote addresses.

Changes:

• Add async_user_not_allowed_do_auth(...) enforcement to signed-request validation.
• Add test coverage to confirm signed URLs are allowed locally but rejected remotely for local_only users.
• Add test coverage to confirm signed URLs are rejected for inactive users.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
homeassistant/components/http/auth.py	Rejects signed-request authentication when the associated user is inactive or local-only on remote/cloud connections.
tests/components/http/test_auth.py	Adds regression tests for signed URL access with local_only and inactive users.