Image files (.png) are still granted unauthorized access, however all other files require that the request be authorized.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Clients may pass a json web token via the query string's "access_token" argument to authorize requests that do not allow modified headers.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Replace non-ASCII characters with "?" and add escaped unicode version of the file name to the "Content-Disposition" header to fix problems with thumbnails and downloading for the gcode file with non-ASCII characters in filename.
Signed-off-by: Uladzimir Palekh <visor.rti@gmail.com>
Generally speaking static files do not require authorization, so there should be little harm in bypassing auth checks. This allows clients to retrieve assets without XHRs or requesting tokens.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Log the current user for each request. Dont' log requests that return with 200, 204, 206, or 304 in release mode.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
CONFIG CHANGE: This deprecates the "enabled" option in the [authorization] section. Authorization will be enabled if the section is included in moonraker.conf, otherwise it will be disabled.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Force an update to cached file hashes should the modified time change. Re-enable the "should_return_304" check so clients can re-implement caching.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Some static files, such as logs, can change size during a request. This results in a content length mismatch and error. Cap the amount read based on the original content length.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This handler provides consistent error reporting in the event that the client attempts to access an unknown endpoint. If the request is unauthorized, an 401 will be returned. Otherwise a 404 will be returned, however if CORS is available the CORS headers will be set.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Moving log level init to the app module and have it explicitly set the level. This allows the logging level to be toggled with a server restart. Default debug logging to False.
When debug logging is disabled do not log HTTP requests.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This error is an indication that a JSON body was sent without the content type set to "application/json".
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This PR is a minimal implementation of the Octoprint REST API that is required
for Cura to be able to establish a connection and send gcode/UFP files to
moonraker without errors.
Currently it only supports the "global apikey authentication" method.
Signed-off-by: Nickolas Grigoriadis <nagrigoriadis@gmail.com>
It is possible for the log files to be registered after a rollover, which can result in the file not existing. Force the log endpoints to register, bypassing the existance check.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This will make klippy.log available in the event that Klippy has not successfully connected, assuming the log is available at the default location.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Tornado clears the headers when an error is detected, "set_default_headers" must be overrridden so that errors are properly returned.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Rather than allow all origins as was the default with "enable_cors", users may not specify the domains allowed. If "*" is specified, all domains are allowed.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Clients may provide arguments either in the query string or body. Reserved arguments "token" and "connection_id" are excluded from the result.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Some requests, such "printer/objects/subscribe", require a websocket
for asynchronous updates. Clients may now specify a "connection_id"
in the form data that identifies an associated websocket.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
There is no need to pass the auth, server, or websocket manager objects to request handlers. They can be retreived directly from the application reference.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Now that the file_manager directly handles DELETE file requests, it is not necessary have the HTTP file handler perform any checks. Thus it is no longer required to pass a "can_delete" parameter.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This method is now the primary means of deleting files, as it includes checks to make sure that the delete is allowed.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
Websocket APIs are now generated using traditional namespaces, for example "printer.gcode.script" rather than "post_printer_gcode_script". Local endpoints that register multiple requests methods will have the method prefixed (ie:. "server.files.get_directory", "server.files.post_directory", "server.files.delete_directory")
Signed-off-by: Eric Callahan
The make_request() method is now awaitable and returns the result directly vs the previous behavior of returning a request that was awaited.
There is no longer a need to check the result to see if it is an error, exceptions are raised if an error is detected.
Signed-off-by: Eric Callahan <arksine.code@gmail.com>
