Don't raise an exception if the default source is incorrect as this
disables authorization. Fallback to moonraker. When supplied an
invalid CORS domain warn the user and skip adding it to the list.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Add "login_required" and "trusted" fields. The "login_required"
field indicates that force_logins is enabled and at least one
user has been created. The "trusted" field indicates that the
connection is configured as trusted.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
If the upstream DNS server is not available the call to socket.getfqdn()
will block until a timeout occurs. This blocks Moonraker's event loop,
resulting in carnage.
Call getfqdn() in a thread with a timeout of 5 seconds. In addition,
only request the fqdn if the user has one or more trusted domains
configured. Finally, cache resolved FQDNs for 24 hours to limit
repeated DNS queries.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Allow expired JWTs for HTTP endpoints that do not require authentication.
This is technically an error by the client, as it should not provide
invalid JWTs for an endpoint, however Moonraker previously allowed
this as the token was not verified on unathenticated endpoints.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Track authentication requirements in the API Definition. This
eliminates the need to look up the authentication component
to disable auth on an endpoint.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Propagate user state changes to open websockets and unix sockets.
If a websocket's user is logged out require re-authentication.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Don't raise an exception if the authorization header contains an
invalid value, such as Basic auth. Ignore it and move on to the
next step in authentication.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Register all of the "access" endpoints with the websocket. Front
ends may now connect to the websocket without an oneshot token
and login. If the front end already has a JWT for the user it
can be passed to the "identify" endpoint to authenticate directly.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
In the future, an `Access-Control-Request-Private-Network` header will be sent with
these requests, and servers must respond with `Access-Control-Allow-Private-Network`.
This will start with the next Chrome version (104), and Mozilla has marked the
standard as "worth prototyping", which often leads to final implementation.
Signed-off-by: Franklyn Tackitt <git@frank.af>
Since the User DB is not going to be large cache the users
in local memory and sync with the DB when changes are
made to the local user store.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This provides corrective action in the event that an
invalid user entry makes its way into the database.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Raise an exception when a request with Basic Auth is received, however do not log the username/password.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This allows eligible components to register themselves as API transports. By default the WebsocketManager is registered.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This removes the cryptography dependency in favor of libsodium. Also removed is python-jose, as we must generate our own JWTs for use with EdDSA.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
use libnacl instead of pynacl
Clients can use this in situations where a browser may
prompt the user to take action prior to sending the
request. After the user accepts, Moonraker will redirect the user to the url provided in the request.
SIgned-off-by: Eric Callahan <arksine.code@gmail.com>
Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
When "force_logins" is enabled a user login is required if at least one user is registered, overriding the "trusted_clients" configuration.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
