Added JWT token passing via querystring

app/api/authentication.py

@@ -0,0 +1,6 @@
+from rest_framework_jwt.authentication import BaseJSONWebTokenAuthentication
+
+
+class JSONWebTokenAuthenticationQS(BaseJSONWebTokenAuthentication):
+    def get_jwt_value(self, request):
+         return request.query_params.get('jwt')

app/tests/test_api.py

@@ -413,8 +413,13 @@ class TestApi(BootTestCase):
         token = res.data['token']
         self.assertTrue(len(token) > 0)
 
-        # Can access resources by passing token
+        # Can access resources by passing token via querystring
+        res = client.get('/api/processingnodes/?jwt={}'.format(token))
+        self.assertEqual(res.status_code, status.HTTP_200_OK)
+
+        # Can access resources by passing token via header
         client = APIClient(HTTP_AUTHORIZATION="{0} {1}".format(api_settings.JWT_AUTH_HEADER_PREFIX, token))
         res = client.get('/api/processingnodes/')
         self.assertEqual(res.status_code, status.HTTP_200_OK)
 
+

slate/source/includes/reference/_authentication.md

@@ -18,6 +18,15 @@ curl -H "Authorization: JWT <your_token>" http://localhost:8000/api/projects/
 {"count":13, ...}
 ```
 
+> Use authentication token via querystring (less secure):
+
+```bash
+curl http://localhost:8000/api/projects/?jwt=<your_token>
+
+{"count":13, ...}
+```
+
+
 `POST /api/token-auth/`
 
 Field | Type | Description
@@ -34,3 +43,5 @@ Header |
 Authorization: JWT `your_token` |
 
 The token expires after a set amount of time. The expiration time is dependent on WebODM's settings. You will need to request another token when a token expires.
+
+Since applications sometimes do not allow headers to be modified, you can also authenticate by appending the `jwt` querystring parameter to a protected URL. This is less secure, so pass the token via header if possible.

slate/source/includes/reference/_task.md

@@ -184,6 +184,8 @@ If a [Task](#task) has been canceled or has failed processing, or has completed
 
 After a task has been successfully processed, a TMS layer is made available for inclusion in programs such as [Leaflet](http://leafletjs.com/) or [Cesium](http://cesiumjs.org).
 
+<aside class="notice">If you use <a href="http://leafletjs.com/" target="_blank">Leaflet</a>, you'll need to pass the authentication token via querystring: /api/projects/{project_id}/tasks/{task_id}/tiles/{Z}/{X}/{Y}.png?jwt=your_token</aside>
+
 ### Pending Actions
 
 In some circumstances, a [Task](#task) can have a pending action that requires some amount of time to be performed.

webodm/settings.py

@@ -230,6 +230,7 @@ REST_FRAMEWORK = {
     'rest_framework.authentication.SessionAuthentication',
     'rest_framework.authentication.BasicAuthentication',
     'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
+    'app.api.authentication.JSONWebTokenAuthenticationQS',
   ),
   'PAGE_SIZE': 10,
 }