From 00b75ce58d485efa50c1775032b3336aa8931dcb Mon Sep 17 00:00:00 2001
From: Florian Bachmann <834350+baflo@users.noreply.github.com>
Date: Tue, 22 Aug 2023 10:14:21 +0200
Subject: [PATCH] Allows the supervisor to send a session's user to addon with header X-Remote-User (#88472)
* Working draft for x-remote-user
* Adds comment
* Submits user id instead of its name
* Move lines out of try-catch block
* Updates payload attribute
* Removes unnecessary user data from user info API
* revert changes
---
 homeassistant/components/hassio/const.py | 1 +
 homeassistant/components/hassio/websocket_api.py | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/homeassistant/components/hassio/const.py b/homeassistant/components/hassio/const.py
index 0735f2645cc..5712f5d1bea 100644
--- a/homeassistant/components/hassio/const.py
+++ b/homeassistant/components/hassio/const.py
@@ -9,6 +9,7 @@ ATTR_ADMIN = "admin"
 ATTR_COMPRESSED = "compressed"
 ATTR_CONFIG = "config"
 ATTR_DATA = "data"
+ATTR_SESSION_DATA_USER_ID = "user_id"
 ATTR_DISCOVERY = "discovery"
 ATTR_ENABLE = "enable"
 ATTR_ENDPOINT = "endpoint"
diff --git a/homeassistant/components/hassio/websocket_api.py b/homeassistant/components/hassio/websocket_api.py
index c8fefe65e1f..ac0395ebd9f 100644
--- a/homeassistant/components/hassio/websocket_api.py
+++ b/homeassistant/components/hassio/websocket_api.py
@@ -22,6 +22,7 @@ from .const import (
 ATTR_ENDPOINT,
 ATTR_METHOD,
 ATTR_RESULT,
+ ATTR_SESSION_DATA_USER_ID,
 ATTR_TIMEOUT,
 ATTR_WS_EVENT,
 DOMAIN,
@@ -115,12 +116,21 @@ async def websocket_supervisor_api(
 ):
 raise Unauthorized()
 supervisor: HassIO = hass.data[DOMAIN]
+
+ command = msg[ATTR_ENDPOINT]
+ payload = msg.get(ATTR_DATA, {})
+
+ if command == "/ingress/session":
+ # Send user ID on session creation, so the supervisor can correlate session tokens with users
+ # for every request that is authenticated with the given ingress session token.
+ payload[ATTR_SESSION_DATA_USER_ID] = connection.user.id
+
 try:
 result = await supervisor.send_command(
- msg[ATTR_ENDPOINT],
+ command,
 method=msg[ATTR_METHOD],
 timeout=msg.get(ATTR_TIMEOUT, 10),
- payload=msg.get(ATTR_DATA, {}),
+ payload=payload,
 source="core.websocket_api",
 )
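Review bot: The server-side `user_id` override depends on the exact comparison `command == "/ingress/session"`, so a `user_id` that the caller put into `data` is only replaced when the endpoint string matches character for character. Whether the supervisor routes any other spelling of that endpoint to the same handler is not visible from this hunk; if it does, the caller-supplied value would be forwarded unchanged, so the comparison should run on a normalised `command`, or a client-sent `user_id` should be rejected for this endpoint family. Separately, `payload = msg.get(ATTR_DATA, {})` aliases the dict held in `msg`, so the assignment below it mutates the incoming message; `payload = dict(msg.get(ATTR_DATA, {}))` keeps the injected field out of `msg`. A short comment such as `# user_id is always set server-side; never trust a client-supplied value` would record why the assignment is unconditional. The body of `websocket_supervisor_api` starts and ends outside the hunk.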