From ee5ded29acd739aea5e53a7bb4f1197203d5aa85 Mon Sep 17 00:00:00 2001 From: Stefan Agner Date: Thu, 3 Oct 2024 18:17:13 +0200 Subject: [PATCH] Allow Supervisor token authentication from landing page (#5321) The landing page provides the Supervisor token as authentication, so consider the landingpage as new enough too. --- supervisor/api/middleware/security.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/supervisor/api/middleware/security.py b/supervisor/api/middleware/security.py index 59c6eb6ef..1c3ce7aa0 100644 --- a/supervisor/api/middleware/security.py +++ b/supervisor/api/middleware/security.py @@ -9,6 +9,8 @@ from aiohttp.web import Request, RequestHandler, Response, middleware from aiohttp.web_exceptions import HTTPBadRequest, HTTPForbidden, HTTPUnauthorized from awesomeversion import AwesomeVersion +from supervisor.homeassistant.const import LANDINGPAGE + from ...addons.const import RE_SLUG from ...const import ( REQUEST_FROM, @@ -288,8 +290,10 @@ class SecurityMiddleware(CoreSysAttributes): @middleware async def core_proxy(self, request: Request, handler: RequestHandler) -> Response: """Validate user from Core API proxy.""" - if request[REQUEST_FROM] != self.sys_homeassistant or version_is_new_enough( - self.sys_homeassistant.version, _CORE_VERSION + if ( + request[REQUEST_FROM] != self.sys_homeassistant + or self.sys_homeassistant.version == LANDINGPAGE + or version_is_new_enough(self.sys_homeassistant.version, _CORE_VERSION) ): return await handler(request)