gdombiak / OctoPod

Free open source client for OctoPrint
Apache License 2.0
225 stars 42 forks

Header Support #671

Closed kadaan closed 7 months ago

kadaan commented 7 months ago

Support specifying headers for OctoPrint connections so that they can be secured behind a Cloudflare Zero Trust Service Token.

gdombiak commented 7 months ago

Hi @kadaan,

I incorporated this PR into a local branch and have been doing some testing. Backwards compatibility is passing. However, I'm facing some challenges with Cloudflare Zero Trust. It seems to be tunneling POST requests as GET requests for some reason. I saw a recent post from someone else that also saw this. Let me know if you know of a configuration that I missed. The other thing that is still not working is the websocket connection. I have not analyzed that one yet to know what is going on.

BTW, I noticed that you were expecting a "=" character in the header. I'm setting this format in the header

CF-Access-Client-Id: myblah.access, CF-Access-Client-Secret: mysecretblah

Were you using something different? I changed the code to accept both = or : as a separator. Ideally we should fetch the JWT once we have sent the client id/secret, but except for seeing a big number of logins in Cloudflare's analytics I do not see any other side effect. BTW, I fixed a few minor things I found as I was testing.

Thanks for this great contribution. Gaston

kadaan commented 7 months ago

@gdombiak Yeah, I expected Key1=Value1,...,KeyN=ValueN. It is probably better to change the = to :.

kadaan commented 7 months ago

@gdombiak No, I am not experiencing a POST -> GET issue.

A couple questions:

  1. The websocket connection, what is it requesting? AFAICT the whole app is working for me?
  2. What POST request are you making that is failing?

My configuration is as follows:

  1. Tunnel
    1. Public hostname for octoprint
    2. Public hostname for camera streamer
  2. Service token for OctoPod
  3. Access Group for OctoPod
  4. Application for Octoprint
    1. Policy for regular login
    2. Policy for login using OctoPod service group (must be set to Action = ServiceAuth)
  5. Application for Camera Streamer
    1. Policy for regular login
    2. Policy for login using OctoPod service group (must be set to Action = ServiceAuth)

kadaan commented 7 months ago

@gdombiak I checked the code and bed target temp setting seems to be a POST. That works perfectly for me.

gdombiak commented 7 months ago

Found it! I was using HTTP instead of HTTPS. Using HTTPS in the printer hostname I have no issues with websockets or with POST requests. The other thing I found is that connecting to my dev env worked fine but connecting to the real OctoPi required enabling CORS. I will create a wiki page with all settings so others can follow for future setups.

I will do some more testing before closing this PR and creating one from the branch I created.

Thanks, Gaston
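
The header setting discussed in this thread, parsed with either `=` or `:` as the separator, as an added example in Python; it is not OctoPod's Swift code and not part of this PR. The function names, the `octoprint.example` hostname, and the policy of refusing to attach the headers to a non-HTTPS URL are assumptions of the example.

```python
from urllib.parse import urlsplit

# Characters allowed in an HTTP header field name (the RFC 7230 "token" set).
_TOKEN = set("!#$%&'*+-.^_`|~0123456789"
             "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Header string as quoted in the thread (placeholder values, not real tokens).
SAMPLE = "CF-Access-Client-Id: myblah.access, CF-Access-Client-Secret: mysecretblah"


def parse_header_setting(setting):
    """Parse 'Name: value, Name2=value2' into a dict of header name -> value.

    Entries are comma-separated, so values containing ',' are not supported.
    Each entry is split on the FIRST ':' or '=' only, which keeps a value
    such as 'abc==' (base64 padding) intact.
    """
    headers = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma or empty setting
        cuts = [i for i in (entry.find(":"), entry.find("=")) if i != -1]
        if not cuts:
            raise ValueError(f"no ':' or '=' separator in {entry!r}")
        cut = min(cuts)
        name, value = entry[:cut].strip(), entry[cut + 1:].strip()
        if not name or not set(name) <= _TOKEN:
            raise ValueError(f"invalid header name {name!r}")
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in value of {name!r}")  # header injection
        headers[name] = value
    return headers


def headers_for(url, setting):
    """Return the extra headers for `url`, refusing plaintext schemes.

    Assumed policy of this example: a service-token secret is only attached
    to https:// or wss:// URLs, so it is never sent in the clear.
    """
    headers = parse_header_setting(setting)
    if headers and urlsplit(url).scheme not in ("https", "wss"):
        raise ValueError("custom headers are configured but the URL is not HTTPS")
    return headers


if __name__ == "__main__":
    print(headers_for("https://octoprint.example", SAMPLE))
```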

gdombiak commented 7 months ago

@kadaan, I created this wiki page to help with the setup. Let me know if you see incorrect or missed things.

Thanks, Gaston

gdombiak commented 7 months ago

PR has been included in new PR https://github.com/gdombiak/OctoPod/pull/674