docs: update authorization documentation

Authorization APIs are a now available over the websocket.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan 2023-01-20 10:41:18 -05:00
parent d8941b3fb2
commit 3dbc99fd84
No known key found for this signature in database
GPG Key ID: 5A1EB336DFB4C71B
2 changed files with 190 additions and 29 deletions

View File

@ -60,6 +60,9 @@ klippy_uds_address: /tmp/klippy_uds
# Default is /tmp/klippy_uds. # Default is /tmp/klippy_uds.
max_upload_size: 1024 max_upload_size: 1024
# The maximum size allowed for a file upload (in MiB). Default is 1024 MiB. # The maximum size allowed for a file upload (in MiB). Default is 1024 MiB.
max_websocket_connections:
# The maximum number of concurrently open websocket connections.
# The default is 50.
enable_debug_logging: False enable_debug_logging: False
# ***DEPRECATED*** # ***DEPRECATED***
# Verbose logging is enabled by the '-v' command line option. # Verbose logging is enabled by the '-v' command line option.
@ -332,11 +335,18 @@ authorization module.
# moonraker.conf # moonraker.conf
[authorization] [authorization]
enable_api_key: True
# Enables API Key authentication. The default is True.
login_timeout: login_timeout:
# The time, in days, after which a user is forced to re-enter their # The time, in days, after which a user is forced to re-enter their
# credentials to log in. This period begins when a logged out user # credentials to log in. This period begins when a logged out user
# first logs in. Successive logins without logging out will not # first logs in. Successive logins without logging out will not
# renew the timeout. The default is 90 days. # renew the timeout. The default is 90 days.
max_login_attempts:
# Maximum number of consecutive failed login attempts before an IP address
# is locked out. Failed logins are tracked per IP and are reset upon a
# successful login. Locked out IPs are reset when Moonraker restarts.
# By default there is no maximum number of logins.
trusted_clients: trusted_clients:
192.168.1.30 192.168.1.30
192.168.1.0/24 192.168.1.0/24

View File

@ -614,8 +614,8 @@ This method provides a way for persistent clients to identify
themselves to Moonraker. This information may be used by Moonraker themselves to Moonraker. This information may be used by Moonraker
perform an action or present information based on if a specific perform an action or present information based on if a specific
client is connected. Currently this method is only available client is connected. Currently this method is only available
to websocket and unix socket connections. This endpoint should only to websocket and unix socket connections. Once this endpoint returns
be called once per session, repeated calls will result in an error. success it cannot be called again, repeated calls will result in an error.
HTTP request: `Not Available` HTTP request: `Not Available`
@ -628,25 +628,35 @@ JSON-RPC request (Websocket/Unix Socket Only):
"client_name": "moontest", "client_name": "moontest",
"version": "0.0.1", "version": "0.0.1",
"type": "web", "type": "web",
"url": "http://github.com/arksine/moontest" "url": "http://github.com/arksine/moontest",
"access_token": "<base64 encoded token>",
"api_key": "<system API key>"
}, },
"id": 4656 "id": 4656
} }
``` ```
All parameters are required. Below is an explanation of each parameter. Parameters:
- `client_name`: The name of your client, such as `Mainsail`, `Fluidd`, - `client_name`: (required) The name of your client, such as `Mainsail`,
`KlipperScreen`, `MoonCord`, etc. `Fluidd`, `KlipperScreen`, `MoonCord`, etc.
- `version`: The current version of the connected client - `version`: (required) The current version of the connected client
- `type`: Application type. May be one of `web`, `mobile`, `desktop`, - `type`: (required) Application type. May be one of `web`, `mobile`,
`display`, `bot`, `agent` or `other`. These should be self explanatory, `desktop`, `display`, `bot`, `agent` or `other`. These should be self
use `other` if your client does not fit any of the prescribed options. explanatory, use `other` if your client does not fit any of the prescribed
- `url`: The url for your client's homepage options.
- `url`: (required) The url for your client's homepage
- `access_token`: (optional) A JSON Web Token that may be used to assign a
logged in user to the connection. See the [authorization](#authorization)
section for APIs used to create and refresh the access token.
- `api_key`:. (optional) The system API Key. This key may be used to grant
access to clients that do not wish to implement user authentication. Note
that if the `access_token` is also supplied then this parameter will be
ignored.
!!! Note !!! Note
When identifying as an `agent`, only one instance should be connected When identifying as an `agent`, only one instance should be connected
to moonraker at a time. If multiple agents of the same `client_name` to Moonraker at a time. If multiple agents of the same `client_name`
attempt to identify themselves this endpoint will return an error. attempt to identify themselves this endpoint will return an error.
See the [extension APIs](#extension-apis) for more information about See the [extension APIs](#extension-apis) for more information about
`agents`. `agents`.
@ -2214,11 +2224,22 @@ Moonraker's HTTP APIs. JWTs should be included in the `Authorization`
header as a `Bearer` type for each HTTP request. If using an API Key it header as a `Bearer` type for each HTTP request. If using an API Key it
should be included in the `X-Api-Key` header for each HTTP Request. should be included in the `X-Api-Key` header for each HTTP Request.
Websocket authentication can be achieved via the request itself or
post connection. Unlike HTTP requests it is not necessasry to pass a
token and/or API Key to each request. The
[identify connection](#identify-connection) endpoint takes optional
`access_token` and `api_key` parameters that may be used to authentiate
a user already logged in, otherwise the `login` API may be used for
authentication. Websocket connections will stay authenticated until
the connection is closed or the user logs out.
!!! note !!! note
For requests in which clients cannot modify headers it is acceptable ECMAScript imposes limitations on certain requests that prohibit the
to pass the JWT via the query string's `access_token` argument. developer from modifying the HTTP headers (ie: The request to open a
Alternatively client developers may request a `oneshot_token` and websocket, "download" requests that open a dialog). In these cases
send the result via the `token` query string argument. it is recommended for the developer to request a `oneshot_token`, then
send the result via the `token` query string argument in the desired
request.
!!! warning !!! warning
It is strongly recommended that arguments for the below APIs are It is strongly recommended that arguments for the below APIs are
@ -2236,7 +2257,20 @@ Content-Type: application/json
"source": "moonraker" "source": "moonraker"
} }
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.login",
"params": {
"username": "my_user",
"password": "my_password",
"source": "moonraker"
},
"id": 1323
}
```
Arguments: Arguments:
- `username`: The user login name. This argument is required. - `username`: The user login name. This argument is required.
@ -2271,7 +2305,15 @@ HTTP Request:
```http ```http
POST /access/logout POST /access/logout
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.logout",
"id": 1323
}
```
Returns: An object containing the logged out username and action summary. Returns: An object containing the logged out username and action summary.
```json ```json
@ -2287,7 +2329,15 @@ HTTP Request:
```http ```http
GET /access/user GET /access/user
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.get_user",
"id": 1323
}
```
Returns: An object containing the currently logged in user name, the source and Returns: An object containing the currently logged in user name, the source and
the date on which the user was created (in unix time). the date on which the user was created (in unix time).
@ -2310,7 +2360,19 @@ Content-Type: application/json
"password": "my_password" "password": "my_password"
} }
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.post_user",
"params": {
"username": "my_user",
"password": "my_password"
},
"id": 1323
}
```
Returns: An object containing the created user name, an auth token, Returns: An object containing the created user name, an auth token,
a refresh token, the source, and an action summary. Creating a user also a refresh token, the source, and an action summary. Creating a user also
@ -2347,7 +2409,18 @@ Content-Type: application/json
"username": "my_username" "username": "my_username"
} }
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.delete_user",
"params": {
"username": "my_username"
},
"id": 1323
}
```
Returns: The username of the deleted user and an action summary. This Returns: The username of the deleted user and an action summary. This
effectively logs the user out, as all outstanding tokens will be invalid. effectively logs the user out, as all outstanding tokens will be invalid.
@ -2363,7 +2436,15 @@ HTTP Request:
```http ```http
GET /access/users/list GET /access/users/list
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.users.list",
"id": 1323
}
```
Returns: A list of created users on the system Returns: A list of created users on the system
```json ```json
@ -2394,7 +2475,19 @@ Content-Type: application/json
"new_password": "my_new_pass" "new_password": "my_new_pass"
} }
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.user.password",
"params": {
"password": "my_current_password",
"new_password": "my_new_pass"
},
"id": 1323
}
```
Returns: The username and action summary. Returns: The username and action summary.
```json ```json
@ -2419,7 +2512,17 @@ Content-Type: application/json
} }
``` ```
JSON-RPC request: Not Available JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.refresh_jwt",
"params": {
"refresh_token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4Nzc0ODUuNzcyMjg5OCwgImV4cCI6IDE2MjY2NTM0ODUuNzcyMjg5OCwgInVzZXJuYW1lIjogInRlc3R1c2VyIiwgInRva2VuX3R5cGUiOiAicmVmcmVzaCJ9.Y5YxGuYSzwJN2WlunxlR7XNa2Y3GWK-2kt-MzHvLbP8"
},
"id": 1323
}
```
Returns: The username, new auth token, the source and action summary. Returns: The username, new auth token, the source and action summary.
```json ```json
@ -2447,7 +2550,15 @@ HTTP request:
```http ```http
GET /access/oneshot_token GET /access/oneshot_token
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.oneshot_token",
"id": 1323
}
```
Returns: Returns:
@ -2462,7 +2573,15 @@ HTTP Request:
```http ```http
GET /access/info GET /access/info
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.info",
"id": 1323
}
```
Returns: An object containing information about authorization endpoints, such as Returns: An object containing information about authorization endpoints, such as
default_source and available_sources. default_source and available_sources.
@ -2481,7 +2600,15 @@ HTTP request:
```http ```http
GET /access/api_key GET /access/api_key
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.get_api_key",
"id": 1323
}
```
Returns: Returns:
@ -2492,13 +2619,22 @@ HTTP request:
```http ```http
POST /access/api_key POST /access/api_key
``` ```
JSON-RPC request: Not Available
JSON-RPC request:
```json
{
"jsonrpc": "2.0",
"method": "access.post_api_key",
"id": 1323
}
```
Returns: Returns:
The newly generated API key. This overwrites the previous key. Note that The newly generated API key. This overwrites the previous key. Note that
the API key change is applied immediately, all subsequent HTTP requests the API key change is applied immediately, all subsequent HTTP requests
from untrusted clients must use the new key. from untrusted clients must use the new key. Changing the API Key will
not affect open websockets authenticated using the previous API Key.
### Database APIs ### Database APIs
The following endpoints provide access to Moonraker's lmdb database. The The following endpoints provide access to Moonraker's lmdb database. The
@ -5715,6 +5851,21 @@ sent when an existing user is deleted.
} }
``` ```
#### Authorized User Logged Out
If the `[authorization]` module is enabled the following notification is
sent when an existing user is logged out.
```json
{
"jsonrpc": "2.0",
"method": "notify_user_logged_out",
"params": [
{
"username": "<username>"
}
]
}
```
#### Service State Changed #### Service State Changed
Moonraker monitors the state of systemd services it is authorized to track. Moonraker monitors the state of systemd services it is authorized to track.
When the state of a service changes the following notification is sent: When the state of a service changes the following notification is sent: