Allows the supervisor to send a session's user to addon with header X-Remote-User (#88472)

* Working draft for x-remote-user

* Adds comment

* Submits user id instead of its name

* Move lines out of try-catch block

* Updates payload attribute

* Removes unnecessary user data from user info API

* revert changes

homeassistant/components/hassio/const.py

@@ -9,6 +9,7 @@ ATTR_ADMIN = "admin"
 ATTR_COMPRESSED = "compressed"
 ATTR_CONFIG = "config"
 ATTR_DATA = "data"
+ATTR_SESSION_DATA_USER_ID = "user_id"
 ATTR_DISCOVERY = "discovery"
 ATTR_ENABLE = "enable"
 ATTR_ENDPOINT = "endpoint"

homeassistant/components/hassio/websocket_api.py

@@ -22,6 +22,7 @@ from .const import (
     ATTR_ENDPOINT,
     ATTR_METHOD,
     ATTR_RESULT,
+    ATTR_SESSION_DATA_USER_ID,
     ATTR_TIMEOUT,
     ATTR_WS_EVENT,
     DOMAIN,
@@ -115,12 +116,21 @@ async def websocket_supervisor_api(
     ):
         raise Unauthorized()
     supervisor: HassIO = hass.data[DOMAIN]
+
+    command = msg[ATTR_ENDPOINT]
+    payload = msg.get(ATTR_DATA, {})
+
+    if command == "/ingress/session":
+        # Send user ID on session creation, so the supervisor can correlate session tokens with users
+        # for every request that is authenticated with the given ingress session token.
+        payload[ATTR_SESSION_DATA_USER_ID] = connection.user.id
+
     try:
         result = await supervisor.send_command(
-            msg[ATTR_ENDPOINT],
+            command,
             method=msg[ATTR_METHOD],
             timeout=msg.get(ATTR_TIMEOUT, 10),
-            payload=msg.get(ATTR_DATA, {}),
+            payload=payload,
             source="core.websocket_api",
         )