authorization: check the query string for jwts

Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-05-19 19:18:23 -04:00 · 2021-05-19 19:18:23 -04:00 · b8cf0d7fd2
parent dca7bd51cd
commit b8cf0d7fd2
2 changed files with 6 additions and 1 deletions
--- a/moonraker/app.py
+++ b/moonraker/app.py
@ -55,7 +55,7 @@ RESERVED_ENDPOINTS = [

 # 50 MiB Max Standard Body Size
 MAX_BODY_SIZE = 50 * 1024 * 1024
-EXCLUDED_ARGS = ["_", "token", "connection_id"]
+EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"]
 DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log"

 class MutableRouter(tornado.web.ReversibleRuleRouter):
--- a/moonraker/components/authorization.py
+++ b/moonraker/components/authorization.py
@ -450,6 +450,11 @@ class Authorization:
            auth_token = request.headers.get("X-Access-Token")
        if auth_token and auth_token.startswith("Bearer "):
            auth_token = auth_token[7:]
+        else:
+            qtoken = request.query_arguments.get('access_token', None)
+            if qtoken is not None:
+                auth_token = qtoken[-1].decode()
+        if auth_token:
            try:
                return self._decode_jwt(auth_token)
            except Exception as e: