
Use Captcha for BMW North America #129667

Closed
wants to merge 6 commits into from

Conversation


@rikroe rikroe commented Nov 2, 2024

Proposed change

BMW have implemented a captcha solution for the North America region when logging in using username & password.
Once logged in and using refresh tokens, the captcha is not required anymore.

This PR adds an external step to the config flow for North America and just shows the required captcha widget from a HomeAssistantView.

If, during normal operation, the refresh token flow fails, a reauthentication flow with a captcha-specific error message will be triggered.

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes BMW login failure #128598
  • This PR is related to issue:
  • Link to documentation pull request:

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.

To help with the load of incoming pull requests:
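The login ordering the PR description above lays out (a password login needs a captcha token in the captcha region, refresh tokens do not, and a failed refresh turns into a reauth flow carrying a captcha-specific reason), as an added example that is not code from this PR, from bimmer_connected or from Home Assistant. The vendor endpoint is a constructed in-memory fake; `FakeVendorAuth`, `Account`, `ReauthRequired`, `run_scenario` and the region name `north_america` are hypothetical names chosen here.

```python
# Added example, not code from the PR or from bimmer_connected: a small model of
# the login / refresh / reauth ordering the PR description lays out. The vendor
# endpoint is a constructed in-memory fake and every name here is hypothetical.
import secrets
from dataclasses import dataclass, field


class CaptchaRequired(Exception):
    """Password login in a captcha region without a valid captcha token."""


class ReauthRequired(Exception):
    """Token refresh is impossible; the integration must start a reauth flow."""

    def __init__(self, reason: str) -> None:
        super().__init__(reason)
        self.reason = reason


@dataclass
class FakeVendorAuth:
    """Constructed stand-in for the vendor's token endpoint (not the real API)."""

    captcha_regions: frozenset = frozenset({"north_america"})
    valid_captchas: set = field(default_factory=set)      # tokens the widget would hand back
    live_refresh_tokens: set = field(default_factory=set)
    password_logins: int = 0                              # how often the captcha path ran

    def password_login(self, region, username, password, captcha_token=None):
        if region in self.captcha_regions and captcha_token not in self.valid_captchas:
            raise CaptchaRequired()
        self.valid_captchas.discard(captcha_token)        # captcha solutions are single use
        self.password_logins += 1
        return self._issue()

    def refresh(self, refresh_token):
        if refresh_token not in self.live_refresh_tokens:
            raise PermissionError("invalid_grant")
        self.live_refresh_tokens.discard(refresh_token)   # rotate on every refresh
        return self._issue()

    def revoke_all(self):
        """Model vendor-side revocation or refresh-token expiry."""
        self.live_refresh_tokens.clear()

    def _issue(self):
        refresh_token = secrets.token_hex(8)
        self.live_refresh_tokens.add(refresh_token)
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh_token}


class Account:
    """Client side: prefer the refresh token, fall back to reauth, never silently re-prompt."""

    def __init__(self, auth, region, username, password):
        self.auth, self.region = auth, region
        self.username, self.password = username, password
        self.access_token = self.refresh_token = None

    def login(self, captcha_token=None):
        """Initial config flow: username/password, plus the captcha token in captcha regions."""
        self._store(self.auth.password_login(self.region, self.username, self.password, captcha_token))

    def invalidate_access(self):
        """Model access-token expiry so the next call has to refresh."""
        self.access_token = None

    def ensure_access_token(self):
        """Normal operation: refresh silently; if that fails, raise a region-specific reauth."""
        if self.access_token:
            return self.access_token
        reason = "captcha" if self.region in self.auth.captcha_regions else "invalid_auth"
        if self.refresh_token is None:
            raise ReauthRequired(reason)
        try:
            self._store(self.auth.refresh(self.refresh_token))
        except PermissionError:
            self.refresh_token = None                     # a dead refresh token must not be retried
            raise ReauthRequired(reason) from None
        return self.access_token

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]


def run_scenario(region="north_america"):
    """Walk the full lifecycle and report what happened at each step."""
    auth = FakeVendorAuth()
    acc = Account(auth, region, "driver@example.com", "hunter2")   # constructed credentials
    out = {}
    try:
        acc.login()                                       # no captcha token at all
        out["plain_login"] = "ok"
    except CaptchaRequired:
        out["plain_login"] = "captcha_required"
    auth.valid_captchas.add("solved-widget-token")        # what the widget would POST back
    acc.login("solved-widget-token")
    acc.invalidate_access()
    acc.ensure_access_token()                             # refresh path, no captcha involved
    out["logins_after_refresh"] = auth.password_logins
    auth.revoke_all()
    acc.invalidate_access()
    try:
        acc.ensure_access_token()
        out["reauth"] = None
    except ReauthRequired as err:
        out["reauth"] = err.reason
    return out
```

`run_scenario()` walks the whole lifecycle for the captcha region and returns what happened at each step; `run_scenario("europe")` shows the same client code taking the plain path. The one decision that is easy to get wrong is in `ensure_access_token`: once the vendor rejects a refresh token it is dropped, so the integration surfaces the reauth prompt instead of retrying a dead token on every poll.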


home-assistant bot commented Nov 2, 2024

Hey there @gerard33, mind taking a look at this pull request as it has been labeled with an integration (bmw_connected_drive) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of bmw_connected_drive can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign bmw_connected_drive Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

@@ -186,9 +256,55 @@ async def async_step_account_options(
)


class BmwCaptchaView(HomeAssistantView):
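Review bot: the `url`, `name` and `requires_auth` class attributes that a HomeAssistantView subclass declares are not visible in this excerpt of `BmwCaptchaView`, and the hunk header (`-186,9 +256,55`) shows the rest of the addition was cut off; because this view is reached from a config flow, possibly before any session exists, the `requires_auth` choice and how the POST carrying the captcha token is tied to the pending flow (so a stranger cannot complete someone else's flow) should be stated explicitly, either as comments on the class or in the PR description.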
Contributor commented on this line:

I'd move that to view.py

@rikroe rikroe Nov 2, 2024


I kept it in config_flow.py as I got many ideas from the Plex integration.

There, the views related to the config flow are in config_flow.py and only views that are used after component initialization are in views.py.

Maybe someone from the core team can give some feedback here as well because it seems this is the first time an actual HTML page is rendered from HA - I was only able to find images/API-like functionality.

@rikroe rikroe marked this pull request as ready for review November 3, 2024 16:57
epenet
epenet previously requested changes Nov 4, 2024

@epenet epenet left a comment


Can we bump the library in a preliminary PR?
Then we can iterate over the extra changes without triggering a full CI every time

@home-assistant home-assistant bot marked this pull request as draft November 4, 2024 13:53

home-assistant bot commented Nov 4, 2024

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@rikroe rikroe mentioned this pull request Nov 4, 2024

rikroe commented Nov 4, 2024

Can we bump the library in a preliminary PR?

Sure thing, done in #129838 (including the now required additional exception handling).


rikroe commented Nov 5, 2024

Merged in current dev (including dependency bump) and looking forward to your comments.

@rikroe rikroe marked this pull request as ready for review November 7, 2024 09:41
@home-assistant home-assistant bot requested a review from epenet November 7, 2024 09:41
@epenet epenet removed their request for review November 7, 2024 09:43

epenet commented Nov 7, 2024

Thanks for splitting out the dependency bump.
I am not familiar with this area of the code, so I will let other reviewers chip in.

(note: you can remove the links to the dep bump in the description now)

@epenet epenet dismissed their stale review November 7, 2024 09:44

Comments addressed

@rikroe rikroe mentioned this pull request Nov 7, 2024
@frenck frenck self-assigned this Nov 8, 2024
@frenck frenck self-requested a review November 8, 2024 21:35
<button type="submit">Submit</button>
</center>
</form>
<script src="https://hcaptcha.com/1/api.js" async defer></script>
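Review bot: `<script src="https://hcaptcha.com/1/api.js" async defer>` loads third-party JavaScript into a page served from the Home Assistant origin, so that script runs with the same authority as the frontend itself (same-origin access to whatever the frontend stores and to every authenticated API). If the widget is kept at all it has to be isolated from that origin, for example served from a separate origin or inside a sandboxed frame; merely allowlisting hcaptcha.com in a Content-Security-Policy does not change what an allowed script can reach. Minor: `<center>` is obsolete in HTML5, use CSS for the layout.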
Member commented on this line:

External javascript included into the Home Assistant frontend.


@frenck frenck left a comment


So, we have discussed this PR extensively with the team, and concluded we cannot accept this pull request. The main reason is that it includes external JavaScript into the Home Assistant frontend. This means this piece of JavaScript can access anything, all login/session tokens of the current user, giving access to all Home Assistant APIs.

We are aware that this decision will impact all users of the BMW integration (as the Captcha at this point has been rolled out worldwide), but the security of Home Assistant as a whole is more important and should be guarded for.

I've been discussing options with @rikroe and we are going to explore further. I'm also going to ask if the partnership folks @ NabuCasa can help out and see if we can reach out to BMW regarding all of this.

So, for now, I'm closing this PR for the above mentioned (and also highlighted/marked) reasoning.

To be continued...

../Frenck
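A check a reviewer could run over any HTML an integration proposes to serve from the Home Assistant origin, as an added example that is not part of this thread, of the PR, or of Home Assistant: it lists every `<script>` that would execute with the serving origin's authority, which is the concern raised in the closing comment above. The sample HTML is constructed here and reuses the hCaptcha script tag from the diff; `ScriptFinder`, `audit_scripts` and `allowed_hosts` are hypothetical names.

```python
# Added example, not code from the PR or from Home Assistant: scan HTML that an
# integration wants to serve from the Home Assistant origin and report every
# <script> that would run with that origin's privileges. SAMPLE_HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the shape of the captcha page, reduced to the relevant tags.
SAMPLE_HTML = """
<form method="post">
  <div class="h-captcha" data-sitekey="example"></div>
  <center><button type="submit">Submit</button></center>
</form>
<script src="https://hcaptcha.com/1/api.js" async defer></script>
<script>console.log("inline");</script>
<script src="/static/local.js"></script>
"""


class ScriptFinder(HTMLParser):
    """Collect every <script> tag with its src (None for inline scripts) and line."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self.scripts.append({"src": src, "line": self.getpos()[0]})
        self._in_inline_script = src is None

    def handle_data(self, data):
        # Script bodies arrive as CDATA; record how much inline code there is.
        if self._in_inline_script and data.strip():
            self.scripts[-1]["inline_bytes"] = len(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit_scripts(html, allowed_hosts=()):
    """Return findings for scripts that would execute with the serving origin's authority.

    A relative src is served by the app itself and is accepted. An absolute or
    protocol-relative src is accepted only when its host is in allowed_hosts.
    Inline scripts are always reported: they cannot be permitted by a CSP that
    omits 'unsafe-inline', and they are where injected content would land.
    """
    finder = ScriptFinder()
    finder.feed(html)
    findings = []
    for script in finder.scripts:
        if script["src"] is None:
            findings.append({"line": script["line"], "kind": "inline", "src": None})
            continue
        parsed = urlparse(script["src"])
        if parsed.scheme == "" and parsed.netloc == "":
            continue                                  # same-origin relative path
        if parsed.hostname not in allowed_hosts:
            findings.append({"line": script["line"], "kind": "third_party", "src": script["src"]})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        print(f"line {finding['line']}: {finding['kind']} script {finding['src']!r}")
```

Passing `allowed_hosts=("hcaptcha.com",)` only documents a decision; as the closing comment above explains, an allowlisted script still runs in the Home Assistant origin with access to the frontend's session tokens, so the finding exists to make the include visible in review, not to bless it.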
