diff --git a/changelog/52_UNRELEASED_2019-xx-xx.md b/changelog/52_UNRELEASED_2019-xx-xx.md
index eb2a5bf5..932b4979 100644
--- a/changelog/52_UNRELEASED_2019-xx-xx.md
+++ b/changelog/52_UNRELEASED_2019-xx-xx.md
@@ -7,3 +7,4 @@
- New endpoint `/stock/shoppinglist/remove-product` to remove a product from a shopping list (thanks @Forceu)
- When adding a product (through `stock/product/{productId}/add` or `stock/product/{productId}/inventory`) with omitted best before date and if the given product has "Default best before days" set, the best before date is calculated based on that (so far always today was used which is still the case when no date is supplied and also the product has no "Default best before days set) (thanks @Forceu)
- New endpoint `/objects/{entity}/search/{searchString}` search for objects by name (contains search)
+ - It's now also possible to provide the API key via a query parameter (same name as the header, so `GROCY-API-KEY`)
diff --git a/grocy.openapi.json b/grocy.openapi.json
index 3fcc5982..d7f51af3 100644
--- a/grocy.openapi.json
+++ b/grocy.openapi.json
@@ -2,7 +2,7 @@
"openapi": "3.0.0",
"info": {
"title": "grocy REST API",
- "description": "Authentication is done via API keys (header *GROCY-API-KEY*), which you can manage [here](PlaceHolderManageApiKeysUrl).
Additionally requests from within the frontend are also valid (via session cookie).",
+ "description": "Authentication is done via API keys (header *GROCY-API-KEY* or same named query parameter), which you can manage [here](PlaceHolderManageApiKeysUrl).
Additionally requests from within the frontend are also valid (via session cookie).",
"version": "xxx",
"contact": {
"email": "bernd@berrnd.de"
diff --git a/middleware/ApiKeyAuthMiddleware.php b/middleware/ApiKeyAuthMiddleware.php
index 82487c03..f8a4de08 100644
--- a/middleware/ApiKeyAuthMiddleware.php
+++ b/middleware/ApiKeyAuthMiddleware.php
@@ -31,6 +31,7 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
{
$validSession = true;
$validApiKey = true;
+ $usedApiKey = null;
$sessionService = new SessionService();
if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
@@ -39,10 +40,23 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
}
$apiKeyService = new ApiKeyService();
+
+ // First check of the API key in the configured header
if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
{
$validApiKey = false;
}
+ else
+ {
+ $usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
+ }
+
+ // Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
+ if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
+ {
+ $validApiKey = true;
+ $usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
+ }
// Handling of special purpose API keys
if (!$validApiKey)
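Review bot: `$request->getQueryParam($this->ApiKeyHeaderName)` is evaluated three times across the new condition and assignment, and `!empty()` also rejects a key whose value is the string `'0'`; read it once into a local and test it explicitly: `$queryApiKey = $request->getQueryParam($this->ApiKeyHeaderName);` / `if (!$validApiKey && $queryApiKey !== null && $queryApiKey !== '' && $apiKeyService->IsValidApiKey($queryApiKey))` / `$usedApiKey = $queryApiKey;`. The header branch just above has the same double fetch, where `$usedApiKey` could take the `getHeaderLine` value already read for the validity check. Because a key carried in the query string is recorded in web-server and reverse-proxy access logs, browser history and outgoing Referer headers, the comment introducing this fallback should state that instead of only "Not recommended", e.g. `// Fallback: API key as query parameter (same name as the header). Keys in URLs end up in access logs, browser history and Referer headers, so the header is the preferred transport.` If the special-purpose-key block that follows (outside this hunk) can set `$validApiKey` without assigning `$usedApiKey`, the later `GetUserByApiKey($usedApiKey)` call would now receive null where it previously received the header value — worth confirming. The enclosing method begins and ends outside the hunk.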
@@ -63,7 +77,7 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
}
elseif ($validApiKey)
{
- $user = $apiKeyService->GetUserByApiKey($request->getHeaderLine($this->ApiKeyHeaderName));
+ $user = $apiKeyService->GetUserByApiKey($usedApiKey);
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_ID', $user->id);