application: fix cors check

It is necessary to perform a cors check before authenticating the user to make sure that the headers are set if authentication fails. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2024-01-27 16:44:49 -05:00 · 2024-01-27 16:44:49 -05:00 · 52ebc2b404
parent f44fc4b85b
commit 52ebc2b404
1 changed files with 7 additions and 7 deletions
--- a/moonraker/components/application.py
+++ b/moonraker/components/application.py
@ -495,13 +495,13 @@ class AuthorizedRequestHandler(tornado.web.RequestHandler):
    async def prepare(self) -> None:
        auth: AuthComp = self.server.lookup_component('authorization', None)
        if auth is not None:
-            self.current_user = await auth.authenticate_request(
-                self.request, self.auth_required
-            )
            origin: Optional[str] = self.request.headers.get("Origin")
            self.cors_enabled = await auth.check_cors(origin)
            if self.cors_enabled:
                _set_cors_headers(self)
+            self.current_user = await auth.authenticate_request(
+                self.request, self.auth_required
+            )

    def options(self, *args, **kwargs) -> None:
        # Enable CORS if configured
@ -552,13 +552,13 @@ class AuthorizedFileHandler(tornado.web.StaticFileHandler):
    async def prepare(self) -> None:
        auth: AuthComp = self.server.lookup_component('authorization', None)
        if auth is not None:
-            self.current_user = await auth.authenticate_request(
-                self.request, self._check_need_auth()
-            )
            origin: Optional[str] = self.request.headers.get("Origin")
            self.cors_enabled = await auth.check_cors(origin)
            if self.cors_enabled:
                _set_cors_headers(self)
+            self.current_user = await auth.authenticate_request(
+                self.request, self._check_need_auth()
+            )

    def options(self, *args, **kwargs) -> None:
        # Enable CORS if configured
@ -1042,7 +1042,7 @@ class FileUploadHandler(AuthorizedRequestHandler):
 # Default Handler for unregistered endpoints
 class AuthorizedErrorHandler(AuthorizedRequestHandler):
    async def prepare(self) -> None:
-        ret = super(AuthorizedRequestHandler, self).prepare()
+        ret = super(AuthorizedErrorHandler, self).prepare()
        if ret is not None:
            await ret
        self.set_status(404)