From b8cf0d7fd236308236eb1d2884c8c720b42feff8 Mon Sep 17 00:00:00 2001 From: Arksine Date: Wed, 19 May 2021 19:18:23 -0400 Subject: [PATCH] authorization: check the query string for jwts Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers. Signed-off-by: Eric Callahan --- moonraker/app.py | 2 +- moonraker/components/authorization.py | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/moonraker/app.py b/moonraker/app.py index 58ba9b9..fc68cfd 100644 --- a/moonraker/app.py +++ b/moonraker/app.py @@ -55,7 +55,7 @@ RESERVED_ENDPOINTS = [ # 50 MiB Max Standard Body Size MAX_BODY_SIZE = 50 * 1024 * 1024 -EXCLUDED_ARGS = ["_", "token", "connection_id"] +EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"] DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log" class MutableRouter(tornado.web.ReversibleRuleRouter): diff --git a/moonraker/components/authorization.py b/moonraker/components/authorization.py index a5b0d53..895456d 100644 --- a/moonraker/components/authorization.py +++ b/moonraker/components/authorization.py @@ -450,6 +450,11 @@ class Authorization: auth_token = request.headers.get("X-Access-Token") if auth_token and auth_token.startswith("Bearer "): auth_token = auth_token[7:] + else: + qtoken = request.query_arguments.get('access_token', None) + if qtoken is not None: + auth_token = qtoken[-1].decode() + if auth_token: try: return self._decode_jwt(auth_token) except Exception as e:
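Review bot: The literal `"access_token"` added to `EXCLUDED_ARGS` has to match the query argument name that the companion change reads in `components/authorization.py` (`request.query_arguments.get('access_token', None)`), but nothing ties the two strings together, so a later rename of either one silently breaks the other. A comment on this line, `# must match the query argument consulted in components/authorization.py`, or a single shared constant imported by both modules would keep them in step. What `EXCLUDED_ARGS` is consumed by is outside the hunk, so I cannot tell from here whether a token left in the argument set would otherwise be forwarded to handlers.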
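Review bot: The new `else:` runs not only when `X-Access-Token` is absent but also when the header is present without the `Bearer ` prefix, so a query-string token silently overrides a header the client did send; making the header authoritative and consulting the query string only when none was supplied, `elif not auth_token:`, keeps one source of truth per request. `qtoken[-1].decode()` also executes before the `try:`, so a value that is not valid UTF-8 raises `UnicodeDecodeError` outside the JWT error path (whether that surfaces as a 500 depends on the caller, which is outside the hunk); `auth_token = qtoken[-1].decode("utf-8", "replace")` lets such a value fall through to `_decode_jwt`, which presumably rejects it like any other malformed token, since a compact JWT is plain ASCII. Note too that `[-1]` picks the last of repeated `access_token` parameters, so a URL carrying two tokens is resolved silently rather than rejected. A token carried in the URL is recorded in server access logs, proxy logs, browser history and outgoing `Referer` headers, which the new branch should state, e.g. `# Fallback for requests whose headers cannot be set: a URL token is exposed in logs/history/Referer, so only short-lived tokens should travel this way.`, with the expiry claim confirmed against how tokens are issued. The enclosing method begins above the hunk.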