From 36aec50bceeab6dd16ed75c6629f3ae918c11b4e Mon Sep 17 00:00:00 2001 From: Arksine Date: Wed, 19 May 2021 19:59:06 -0400 Subject: [PATCH] docs: update authorization documentation Document the "force_logins" option and the ability to accept JSON Web Tokens via the query string. Signed-off-by: Eric Callahan --- docs/configuration.md | 5 +++++ docs/web_api.md | 11 ++++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 76d8948..a4579ee 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -98,6 +98,11 @@ cors_domains: # When CORS is enabled by adding an entry to this option, all origins # matching the "trusted_clients" option will have CORS headers set as # well. If this option is not specified then CORS is disabled. +force_logins: False +# When set to True a user login is required for authorization if at least +# one user has been created, overriding the "trusted_clients" configuration. +# If no users have been created then trusted client checks will apply. +# The default is False. ``` ## `[octoprint_compat]` diff --git a/docs/web_api.md b/docs/web_api.md index 1768877..6c3ab81 100644 --- a/docs/web_api.md +++ b/docs/web_api.md 
@@ -1541,10 +1541,15 @@ Moonraker's HTTP APIs. JWTs should be included in the `Authorization` header as a `Bearer` type for each HTTP request. If using an API Key it should be included in the `X-Api-Key` header for each HTTP Request. +!!! note + For requests in which clients cannot modify headers it is acceptable + to pass the JWT via the query string's `access_token` argument. + Alternatively client developers may request a `oneshot_token` and + send the result via the `token` query string argument. + !!! warning - Clients should not use the query string to pass arguments to these - APIs. Arguments may be passed as part of the body either in JSON - format or as form-data. + It is strongly recommended that arguments for the below APIs are + passed in the request's body. #### Login User HTTP Request:
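Review bot: In the docs/configuration.md hunk, the `force_logins` comment leaves two behaviours unstated. First, the last added sentence ("If no users have been created then trusted client checks will apply") means that setting the option to True has no effect until the first user exists; that is easy to miss, so say it directly, for example "Setting this to True has no effect until at least one user has been created." Second, the text says a login overrides "trusted_clients" but does not say whether requests carrying an API Key in the `X-Api-Key` header are still accepted when `force_logins` is True. Please document that either way.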
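Review bot: In the docs/web_api.md hunk, the added note calls passing the JWT in the `access_token` query argument "acceptable" without stating the tradeoff. Query strings are commonly recorded in web server and proxy logs and in browser history, so a token sent this way is more exposed than one sent in the `Authorization` header. Suggest stating that in the note, listing the `oneshot_token` route first as the preferred option for clients that cannot set headers, and naming or linking the endpoint that issues a `oneshot_token`, since the note does not say how to request one. The rewritten warning also drops the earlier detail that body arguments may be sent "either in JSON format or as form-data"; keep that sentence so readers still know which body encodings are accepted.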