Age | Commit message | Author

Fix handling of `stale` reauthRequired in UI and
document it. Also send it in case of an `auth`
message with an unknown session.
Closes #4653
* 🔒️ Protect against CSRF attacks
CORS and the JSON API heavily reduced the
attack surface here, but especially the upload
endpoints were still vulnerable to CSRF attacks.
All endpoints on the API that use methods
beyond GET, HEAD or OPTIONS now require
the presence of a csrf token (generated
by the UI on first load) AND an X-CSRF-Token
header with a matching value (Double Submit
Cookie), unless authorization is done through
an API-Key instead of a browser session.
Additionally, the SameSite attribute now is
set to "Strict" by default.
* 🔒️ Expand CSRF protection to plugins
Plugins are currently by default *opted out* of CSRF protection, to ensure
backwards compatibility with third party plugins in the field. However,
in a future OctoPrint version this will become a default *opt in*. Plugin
authors are advised to adjust the implementation with an explicit decision
via a logged warning generated in the default implementation. Additionally,
plugins that have opted out their whole plugin will generate a warning in
the startup messages.
A decorator to exempt individual endpoints from CSRF protection as certain
workflows require (see for example the auth request in the appkeys plugin)
is provided.
The general rule of thumb should be to opt in and only exempt those non
GET/HEAD/OPTIONS endpoints that really need to be usable without an
API key or CSRF cookie/header combo. In practice, that should be pretty
much none.
* 🐛 Fix a left-over from a local test
* 🐛 Fix wrong setting in E2E test config.yaml
* 🧑‍💻 Set CSRF header for $.ajax as well
We already ensure the header is set in the client lib and on the
file upload widgets, but many third party plugins don't use the
client lib but rather $.ajax directly and thus break without this.
* 📝 Improve docs on CSRF protection
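The commit above describes a Double Submit Cookie check: a token the UI stores in a cookie on first load must be echoed back in an `X-CSRF-Token` header on every non-GET/HEAD/OPTIONS request, unless the request is authenticated by an API key or the endpoint is explicitly exempted. The following is an added illustration of that rule, not OctoPrint's own code; the header name comes from the commit message, while the cookie name `csrf_token`, the `csrf_exempt` decorator name and the request representation (plain dicts) are assumptions made for the example.

```python
import hmac
import secrets

# Methods that never mutate state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Header name as given in the commit message; the cookie name is an assumption.
CSRF_HEADER = "X-CSRF-Token"
CSRF_COOKIE = "csrf_token"


def issue_csrf_token() -> str:
    """Generate the per-browser token the UI stores in a cookie on first load."""
    return secrets.token_urlsafe(32)


def csrf_cookie_header(token: str) -> str:
    """Build a Set-Cookie value for the token.

    SameSite=Strict keeps the cookie off cross-site requests entirely. The UI's
    JavaScript must be able to read the token to copy it into the header, so the
    cookie is deliberately NOT HttpOnly.
    """
    return f"{CSRF_COOKIE}={token}; Path=/; SameSite=Strict; Secure"


def csrf_exempt(view):
    """Hypothetical decorator marking an endpoint as exempt from the check."""
    view.csrf_exempt = True
    return view


def csrf_check(method, cookies, headers, api_key_auth=False, view=None):
    """Double Submit Cookie check for one request.

    Returns True when the request may proceed:
      * safe methods need no token,
      * requests authenticated by an API key (not a browser session) skip it,
      * endpoints decorated with csrf_exempt skip it,
      * everything else needs cookie and header present and equal.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if api_key_auth:
        return True
    if view is not None and getattr(view, "csrf_exempt", False):
        return True

    cookie_token = cookies.get(CSRF_COOKIE)
    # Header names are case-insensitive on the wire; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    header_token = lowered.get(CSRF_HEADER.lower())
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison so a mismatch does not leak the token byte by byte.
    return hmac.compare_digest(cookie_token, header_token)


@csrf_exempt
def exempt_upload_handler():
    """Stand-in for an endpoint that a workflow requires to be exempt."""
    return "ok"


def run_scenarios():
    """Exercise the check with constructed requests; returns a dict of outcomes."""
    token = issue_csrf_token()
    return {
        "get_without_token": csrf_check("GET", {}, {}),
        "post_cookie_only": csrf_check("POST", {CSRF_COOKIE: token}, {}),
        "post_header_only": csrf_check("POST", {}, {CSRF_HEADER: token}),
        "post_mismatch": csrf_check("POST", {CSRF_COOKIE: token}, {CSRF_HEADER: "x"}),
        "post_match": csrf_check("POST", {CSRF_COOKIE: token}, {"x-csrf-token": token}),
        "post_api_key": csrf_check("POST", {}, {}, api_key_auth=True),
        "post_exempt": csrf_check("POST", {}, {}, view=exempt_upload_handler),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:>20}: {'allowed' if allowed else 'rejected'}")
```

The cross-site attacker's browser sends the cookie automatically but cannot read it and cannot set a custom header on a forged form post, so only same-origin script that can read the cookie passes the check; `SameSite=Strict` additionally keeps the cookie off cross-site requests in the first place.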
- users.yaml is now versioned, and a backup is made
on version change. Thus, before any of the new
hashes are being saved to it, a backup with the
old ones will be made, here users.v1.yaml.
- The no longer needed salt is removed from the
config if no legacy hashes are left in
users.yaml. Prior to this removal however, a
backup of config.yaml is made,
config.cleanup_legacy_hashes.yaml.
When rolling back to an earlier version of
OctoPrint, moving both backups back over to
config.yaml and users.yaml respectively and
restarting will restore the ability to login
again.
Admins may still change existing user account passwords without
having to enter the current one, however the regular user oriented
password change dialog has been adjusted to require entry of the
current password. The API has been locked down accordingly and
the password change endpoint has seen a small change due to that,
please refer to the updated documentation.
* Spelling Correction
supplyting -> supplying
* Update AUTHORS.md
Fixes the documentation: when testing this endpoint, `server` is not returned from it.
* Add support for changing hook order
Default hook value changed from None to 1000
* ♻️ Refactor sorting override logic
* fetch settings during platform initialization instead of in plugin core
* rename from hook order to sorting order as it's also used for the
sorting context of implementations
* make sure settings are initialized empty in defaults
* 📝 Add missing docs for sorting order overrides
* ✨ Fully support reordering of implementations too
Co-authored-by: Gina Häußge <gina@octoprint.org>
Implements #4353
* Added FileMove- and FolderMove-Event
* fixing the code formatting rules
* 📝 Set version number
Co-authored-by: Gina Häußge <gina@octoprint.org>
* Adding shutdown action command.
* Add myself
* Add error handling.
* First attempt at systemcommands module
* Fix pre-commit issues
* Fix pre-commit issues
* Add log message.
* Update src/octoprint/systemcommands/__init__.py
* Renamed __call, simplified code.
* Inject systemcommands into plugins
* Use underscore between words in dict.
* ♻️ systemcommands -> system_command_manager
* ♻️ Switch places that make sense to system_commands_manager
Also switch SCM to use CommandlineCaller instead of
reinventing the wheel, same for other places.
* 🔒️ Don't enable support for action:shutdown by default
It could be abused by malicious firmware and/or GCODE
somehow tricked on the user, so let's play it safe
and make it something the user has to consciously enable.
* 📝 Add missing documentation
Co-authored-by: Gina Häußge <gina@octoprint.org>
... at least not yet. to_str is currently a (deprecated)
synonym for to_bytes, and changing that behaviour
would be a breaking change. Better leave it to 2.0.
* pyupgrade
* various new codemods
* manual removal of Py2/3 compat imports
* manual adjustment of docs, examples, tests
* to_str is now the new to_unicode, deprecated
redirection to to_bytes has been removed
* to_native_str has been redirected to point to
to_str
* to_unicode has been redirected to point to
to_str
* atomic_write refactored to use
NamedTemporaryDirectory
* various other fixes/refactorings all over the
place
Instead of silently ignoring a select/print
on file upload if the necessary preconditions
(printer is online and free to take new jobs) aren't
met, include the effective print/select flags
on the upload API and in the triggered UPLOAD event.
Cleaner would be to simply abort such an API request
with a 409, but that will cause issues with
existing third party plugins and clients and thus
we leave it at simply making the necessary data
available without changing behaviour.
cc @jneilliii
* Improve timelapse documentation
* Update with suggestions
* Add thumbnail field
If set to true, will perform a double install,
once normal (to gather required dependencies), once
with --force-reinstall and --no-deps (to force a
reinstall of the package itself).
See #4363
On my recently installed rpi 4b device with the latest octopi image, `localhost` resolves to `::1`, which I hadn't thought to add to the `localNetworks` list in the config. With this change, people following this guide as I did will end up adding the ipv6 version so that `localhost` will correctly resolve regardless of which network stack is active and primary.
Plugins get on_plugin_enabled called *before* injection.
Closes #4251
Adds a `subscribe` message to allow clients to reduce websocket traffic. Docs updated accordingly.
Co-authored-by: Gina Häußge <gina@octoprint.org>
- changed backslashes to normal slashes for the creation of the venv.
Will be called by the plugin manager when a plugin
is about to be uninstalled through it. Useful for
any cleanup tasks a plugin might want to do when it
gets uninstalled.
Note that this method does not HAVE to be called if
the plugin is uninstalled outside of OctoPrint by
deleting/pip uninstall'ing the plugin.
RST can be so annoying sometimes...
Closes #3603
Closes #2682