3diy
/
moonraker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authorization: check the query string for jwts 

Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Arksine 2021-05-19 19:18:23 -04:00
parent dca7bd51cd
commit b8cf0d7fd2
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
moonraker/app.py
View File

@ -55,7 +55,7 @@ RESERVED_ENDPOINTS = [
# 50 MiB Max Standard Body Size # 50 MiB Max Standard Body Size
MAX_BODY_SIZE = 50 * 1024 * 1024 MAX_BODY_SIZE = 50 * 1024 * 1024
EXCLUDED_ARGS = ["_", "token", "connection_id"] EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"]
DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log" DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log"
class MutableRouter(tornado.web.ReversibleRuleRouter): class MutableRouter(tornado.web.ReversibleRuleRouter):

5
moonraker/components/authorization.py
View File

@ -450,6 +450,11 @@ class Authorization:
auth_token = request.headers.get("X-Access-Token") auth_token = request.headers.get("X-Access-Token")
if auth_token and auth_token.startswith("Bearer "): if auth_token and auth_token.startswith("Bearer "):
auth_token = auth_token[7:] auth_token = auth_token[7:]
else:
qtoken = request.query_arguments.get('access_token', None)
if qtoken is not None:
auth_token = qtoken[-1].decode()
if auth_token:
try: try:
return self._decode_jwt(auth_token) return self._decode_jwt(auth_token)
except Exception as e: except Exception as e: