authorization: check the query string for jwts

Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-05-19 19:18:23 -04:00
parent dca7bd51cd
commit b8cf0d7fd2
2 changed files with 6 additions and 1 deletions
--- a/moonraker/components/authorization.py
+++ b/moonraker/components/authorization.py
@@ -450,6 +450,11 @@ class Authorization:
            auth_token = request.headers.get("X-Access-Token")
        if auth_token and auth_token.startswith("Bearer "):
            auth_token = auth_token[7:]
+        else:
+            qtoken = request.query_arguments.get('access_token', None)
+            if qtoken is not None:
+                auth_token = qtoken[-1].decode()
+        if auth_token:
            try:
                return self._decode_jwt(auth_token)
            except Exception as e: