[Request] Make anonymous API and sockjs usage easier #1681
What were you doing?
I am creating a "printer aggregation" page which allows me to view the webcam feed and status of my three OctoPrint servers from a single page. I have a virtual host in nginx using reverse proxy configuration which correctly allows me to use the three printers on the same domain under different subpaths and I can view the camera feed from each.
Here is the code, feel free to use as an example on how to do this if you want: https://gist.github.com/taxilian/87e83fd9e4d9c1a4408f2fb67524a516
Now I'm trying to fetch the current status -- temperature, current job (if any), est time remaining, and maybe status bar or other such info.
What did you expect to happen?
I expected this to be pretty trivial to grab using either the OctoPrint JS API or else using the REST API via ajax requests.
What happened instead?
It seems that a) the OctoPrint JS API expects that you'll never need to talk to more than one OctoPrint server in a given page and b) whether using the provided JS library or using the REST API I need an API token -- even for "anonymous" requests. I think I can work around (a) either by using the REST API or by changing credentials and paths for every single request; (b) is particularly vexing, though, because I don't want to do anything that would require authentication and I most definitely do not want to expose my API key on a public page, but there isn't an easy way to get the anonymous API key.
Currently I'm using AJAX to request the main OctoPrint page (which is around 480kb), truncating to about 3kb, and then using a regular expression to extract the anonymous UI key. This is very slow and definitely not ideal, but it works.
Branch & Commit or Version of OctoPrint
I have a few thoughts on how I probably would fix this, but as I'm not familiar with the reasons that you did things in the specific ways you did them I'm going to just list the variants I can think of that would satisfy my request.
I'm also willing to do the coding if you'll tell me which method you'd be willing to accept =] I just don't want to do it one way and find you're not willing to accept it for reasons I don't have the context to anticipate.
I have read the FAQ. I also feel your pain on stupid "already-answered" questions and have attempted to avoid creating another one =] I believe this could be solved with a plugin, but it seems to me something that would be better solved in the main project since any solution to extract the anonymous API key would likely be hacky at best and rely on implementation details that are probably better off without the plugin knowing about.
Sorry again for the delay.
Back in ancient history, when I added the requirement for this anonymous
These days, I have to say I'm not sure myself if that makes much sense anymore, especially since it complicates a lot of things. So from my own point of view I'd say, let's just get rid of that
A solution would be to still keep the stock UI utilizing the
What do you think?
No worries on the delay; I have it working using the hack I mentioned, I just feel that's somewhat less than ideal =]
Regarding the question of API keys and with that background in mind, I would suggest that the UI_API_KEY be deprecated but left in place; as you suggest, if the API is disabled then disabling anonymous API usage makes sense, but it's worth considering that the only way to effectively do that would be to also disable any API access from the UI when the user is not logged in. Even as things are now, all you have to do is download the UI page and use a regex to strip the API key from the HTML file. It seems like what the setting should actually be is whether or not anonymous access to the UI is allowed and if it's disabled then disable all APIs without an authenticated API key. At that point you can get rid of the API key for anonymous access and fall back to "if no key, default to anonymous privileges".
As I mentioned I'm happy to help with this -- I'm a tiny bit rusty but still pretty strong in Python but I might need some help finding where in the code to get started as I'm strapped for time =]
Old and still valid usage pattern:
New usage pattern:
Basically to do this all you'd have to do is wrap the current library in an object and then do something like:
As to where I was a year ago -- I was just learning the basics of 3d printing and had just gotten my first printer ;-)
Refactoring the JS client isn't as trivial as the above due to how it assembles itself from multiple components JS files. However I took a shot at it today and I think I've found something that works, see the above commit + its comment. I fear that the code might cause seasoned JS devs to start to cry since it's somewhat hackish, but it allows full backwards compatibility to everything that was already documented and might since be in use.
I've only pushed it to a feature branch for now since I want to give it some more testing with the real application to make sure I didn't overlook something critical, but you might want to play with it to see if it solves your problems as well.
About the API key, the relevant parts would be this and this. I have to admit that it's been ages since I touched that stuff and I'd need to check in which case which one is used. If my memory does serve me at least slightly well though,
I think in order to disable the
+1 to this idea, I have been tinkering around with the OctoPrint API, and this issue has been giving me a bit of trouble.
As it stands right now, there is no way to secure your API (if it is enabled that is), as all API requests require an API key, which can easily be retrieved from visiting the webpage (or just open a websocket connection, and it is returned in the first frame). Even the https://github.com/OctoPrint/OctoPrint-ForceLogin plugin does not secure OctoPrint, as the UI API key is returned (sure, the UI is hidden though, but API is not secure).
I think a couple improvements that could be made would be
New Behavior Changes
Really enjoying OctoPrint, as I just got my 3d printer not too long ago, and OctoPrint is exactly what I was looking for. I may try and implement this depending on what you think, if I get time in the future.
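
The fallback proposed earlier in this thread ("if no key, default to anonymous privileges", and no keyless access at all once anonymous access is switched off) can be written as one authorization decision. This is an added example, not OctoPrint's code or any participant's: `ApiPolicy`, `authorize`, the role name, the sample keys and the choice of which routes count as anonymous-readable are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

ANONYMOUS = "anonymous"  # hypothetical role name, not an OctoPrint identifier

# Assumption: anonymous callers may only read status. Constructed sample set.
ANON_READABLE = {("GET", "/api/job"), ("GET", "/api/printer")}


@dataclass
class ApiPolicy:
    allow_anonymous: bool                     # the single setting the thread proposes
    user_keys: Dict[str, str] = field(default_factory=dict)  # api key -> user name

    def resolve(self, api_key: Optional[str]) -> Optional[str]:
        """Return the caller's identity, or None if the request must be rejected."""
        if api_key:
            for known, user in self.user_keys.items():
                # Constant-time comparison so key checks do not leak via timing.
                if hmac.compare_digest(known.encode(), api_key.encode()):
                    return user
            # Assumption: an unknown key is an error, never downgraded to
            # anonymous, so a typo or a revoked key fails loudly.
            return None
        # No key at all: anonymous only if the operator allows it.
        return ANONYMOUS if self.allow_anonymous else None


def authorize(policy: ApiPolicy, method: str, path: str,
              api_key: Optional[str] = None) -> bool:
    identity = policy.resolve(api_key)
    if identity is None:
        return False                          # would map to HTTP 401/403
    if identity == ANONYMOUS:
        return (method, path) in ANON_READABLE
    return True                               # authenticated key: full access


if __name__ == "__main__":
    keys = {"CONSTRUCTED-USER-KEY": "alice"}  # constructed sample key
    for allow in (True, False):
        policy = ApiPolicy(allow_anonymous=allow, user_keys=keys)
        for method, key in (("GET", None), ("POST", None),
                            ("POST", "CONSTRUCTED-USER-KEY"), ("GET", "bad-key")):
            ok = authorize(policy, method, "/api/job", key)
            print(f"anon={allow} {method} key={key!r}: {ok}")
```

With this shape there is no shared anonymous key to scrape from the page or the first websocket frame: a keyless request either gets read-only anonymous privileges or is refused, depending on one setting.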