[Bug]: Watchdog restart loop when a Bearer Token is set — /api/health is behind auth

[circa1665]

App Version

0.2.10

Home Assistant Version

2026.6.2

Installation Type

Home Assistant OS (HAOS)

Hardware

Raspberry Pi 5

What happened?

With a Bearer Token configured, the add-on enters a permanent Supervisor watchdog
restart loop (~every 4 minutes), even though the agent itself is completely healthy.

The agent wraps its entire mux — including /api/health — in the auth middleware
whenever a token is set (agent/main.go):

    var handler http.Handler = mux
    if cfg.Token != "" {
        handler = authMiddleware(cfg.Token, mux)   // /api/health now requires the token
    }

The add-on's watchdog probe (config.yaml) targets that same endpoint:

watchdog: "http://[HOST]:[PORT:9099]/api/health"

But Supervisor's watchdog sends an unauthenticated GET and only treats status < 300
as alive (supervisor/apps/app.py → watchdog_application):

    async with self.sys_websession.get(url, timeout=WATCHDOG_TIMEOUT, ssl=False) as req:
        if req.status < 300:
            return True
    return False

So the probe gets 401 {"error":"unauthorized"}, Supervisor logs "missing application
response", and after two consecutive failures restarts a perfectly healthy container.
The trigger is purely setting a token; with the token empty the middleware isn't
installed, /api/health returns 200, and the watchdog passes.

Note the code fix lives in the agent (smart-sniffer repo, agent/main.go), but I'm
filing here since the watchdog URL is declared in this repo's config.yaml.

Suggested fix: exempt the liveness endpoint from auth — e.g. let r.URL.Path ==
"/api/health" through before the token check in authMiddleware, or register
/api/health on a bare mux and only wrap the data routes. (A weaker one-line
alternative without touching the agent: change config.yaml to a TCP check,
watchdog: "tcp://[HOST]:[PORT:9099]", though that only confirms the port is open,
not that the HTTP app is serving.)

Steps to Reproduce

1. Install the SMART Sniffer App, and integration and set a matching Bearer Token in both.
2. Leave the add-on's Watchdog toggle on (default).
3. Start the add-on.
4. Supervisor log loops every ~4 min: "Watchdog missing application response" →
   "Watchdog found a problem ... application!" → Stopping/Cleaning/Starting.
5. The add-on's own log shows the agent healthy the whole time (listening on
   0.0.0.0:9099, polling every 60s), killed only by the watchdog-triggered stop.

App Logs

# --- Add-on log: one full cycle. Agent is healthy start to finish. ---
[19:42:37] INFO: Running preflight checks...
[19:42:37] INFO: smartctl version: 7.5
[19:42:37] INFO: Drives detected by smartctl: 1
[19:42:37] INFO: Drive access: OK (/dev/nvme0)
2026/06/09 19:42:38 SMART Sniffer Agent v0.5.14
2026/06/09 19:42:38 Listening on: 0.0.0.0:9099
2026/06/09 19:42:38 Auth: enabled
2026/06/09 19:42:38 first poll: using --scan-open for protocol detection, waking drives for SMART baseline
2026/06/09 19:42:38 cache refreshed: 1 drive(s)
2026/06/09 19:43:38 cache refreshed: 1 drive(s)
2026/06/09 19:44:38 cache refreshed: 1 drive(s)
2026/06/09 19:45:38 cache refreshed: 1 drive(s)
2026/06/09 19:46:36 Shutting down…          # <-- stopped by Supervisor, not a crash
2026/06/09 19:46:36 shutdown complete elapsed=1.374062ms

# --- Supervisor log: the watchdog driving the restart ---
WARNING [supervisor.misc.tasks] Watchdog missing application response from 0449a086_smart_sniffer_agent
WARNING [supervisor.misc.tasks] Watchdog found a problem with 0449a086_smart_sniffer_agent application!
INFO    [supervisor.docker.manager] Stopping addon_0449a086_smart_sniffer_agent application
INFO    [supervisor.docker.app] Starting Docker app 0449a086/aarch64-addon-smart_sniffer_agent with version 0.2.10

Additional Context

• Single NVMe boot drive (/dev/nvme0), smartctl 7.5, bundled agent v0.5.14.
• Loop ran ~180 times over 12 hours until the token was removed.
• Workarounds confirmed: (a) clear the Bearer Token, or (b) disable the add-on's
  Watchdog toggle. Both stop the loop; (a) also restores a passing watchdog.

[DAB-LABS]

Welcome aboard, @circa1665!

First issue and you nailed a real bug that affects every token user. Nice work! 🕵️‍♂️

Your diagnosis is spot on, the auth middleware wraps the entire mux, so /api/health returns 401 to the Supervisor watchdog's unauthenticated probe. Two consecutive failures and Supervisor restarts the container. Rinse and repeat.

We're shipping fixes on both sides:

Agent fix (v0.5.16): /api/health is now exempt from the bearer token auth middleware. The health endpoint only returns operational status (version, uptime, drive count) -- no sensitive data -- so skipping auth is safe and follows the standard pattern for liveness/readiness probes.

App fix: The App will also switch the watchdog from HTTP to TCP as a belt-and-suspenders measure. This way users on the current agent binary stop getting restart-looped immediately, even before they update the agent. Once the App bumps to the fixed agent binary, we'll revert the watchdog back to HTTP (the stronger health check).

Both should be out shortly. Thanks again for the detailed report , citing the relevant code on both repos made this a fast turnaround.

~DAB

---

Field Brief: Watchdog Restart Loop When Bearer Token Is Set

Subject: Supervisor watchdog restart loop caused by auth middleware blocking unauthenticated health probes
Classification: Bug fix (agent + App workaround)

Situation: When a bearer token is configured, the agent's authMiddleware wraps the entire HTTP mux, including /api/health. The HAOS App's Supervisor watchdog sends unauthenticated GET requests to /api/health and treats any status >= 300 as failure. Two consecutive 401 responses (~4 min) trigger a container restart. The loop continues indefinitely -- reporter observed ~180 restarts over 12 hours. Affects all App users with a bearer token configured. Standalone agent users are unaffected (nothing externally health-checks them).

Resolution: Two-part fix shipping simultaneously.

Component	Version	Change	Effect
Agent (agent/main.go)	v0.5.16	Exempt /api/health from authMiddleware	Health probes return 200 without a token. All other endpoints remain protected.
App (config.yaml)	v0.2.11	Switch watchdog from http:// to tcp://	Unblocks users still on the old agent binary. TCP confirms port is open.

Security exposure: /api/health returns version, uptime, drive count, and endpoint list. No SMART data, no drive identifiers, no host information beyond what mDNS already advertises.

Reporter: circa1665 (first-time contributor). Identified root cause on both sides, cited relevant code, suggested both fixes.