Propagate user state changes to open websockets and unix sockets.
If a websocket's user is logged out require re-authentication.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Don't raise an exception if the authorization header contains an
invalid value, such as Basic auth. Ignore it and move on to the
next step in authentication.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Register all of the "access" endpoints with the websocket. Front
ends may now connect to the websocket without an oneshot token
and login. If the front end already has a JWT for the user it
can be passed to the "identify" endpoint to authenticate directly.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
In the future, an `Access-Control-Request-Private-Network` header will be sent with
these requests, and servers must respond with `Access-Control-Allow-Private-Network`.
This will start with the next Chrome version (104), and Mozilla has marked the
standard as "worth prototyping", which often leads to final implementation.
Signed-off-by: Franklyn Tackitt <git@frank.af>
Since the User DB is not going to be large cache the users
in local memory and sync with the DB when changes are
made to the local user store.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This provides corrective action in the event that an
invalid user entry makes its way into the database.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Raise an exception when a request with Basic Auth is received, however do not log the username/password.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This allows eligible components to register themselves as API transports. By default the WebsocketManager is registered.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This removes the cryptography dependency in favor of libsodium. Also removed is python-jose, as we must generate our own JWTs for use with EdDSA.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
use libnacl instead of pynacl
Clients can use this in situations where a browser may
prompt the user to take action prior to sending the
request. After the user accepts, Moonraker will redirect the user to the url provided in the request.
SIgned-off-by: Eric Callahan <arksine.code@gmail.com>
Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
When "force_logins" is enabled a user login is required if at least one user is registered, overriding the "trusted_clients" configuration.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
It is now possible for any authorized request to delete a user, however a logged in user cannot delete its own account.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
