Added security to json backend
This commit is contained in:
@@ -58,7 +58,7 @@ StringSettings makeDefaultStringSettings()
|
|||||||
#ifdef FEATURE_OTA
|
#ifdef FEATURE_OTA
|
||||||
.otaServerBranch = {},
|
.otaServerBranch = {},
|
||||||
#endif
|
#endif
|
||||||
.webserver_password = STRING(AP_PASSWORD),
|
.webserver_password = {},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
} // namespace presets
|
} // namespace presets
|
||||||
|
@@ -33,6 +33,7 @@ void initWebserver()
|
|||||||
httpd_uri_t { .uri = "/reboot", .method = HTTP_GET, .handler = webserver_reboot_handler, .user_ctx = NULL },
|
httpd_uri_t { .uri = "/reboot", .method = HTTP_GET, .handler = webserver_reboot_handler, .user_ctx = NULL },
|
||||||
#ifdef FEATURE_OTA
|
#ifdef FEATURE_OTA
|
||||||
httpd_uri_t { .uri = "/ota", .method = HTTP_GET, .handler = webserver_ota_handler, .user_ctx = NULL },
|
httpd_uri_t { .uri = "/ota", .method = HTTP_GET, .handler = webserver_ota_handler, .user_ctx = NULL },
|
||||||
|
httpd_uri_t { .uri = "/otaPercent", .method = HTTP_GET, .handler = webserver_ota_percentage_handler, .user_ctx = NULL },
|
||||||
httpd_uri_t { .uri = "/triggerOta", .method = HTTP_GET, .handler = webserver_trigger_ota_handler, .user_ctx = NULL },
|
httpd_uri_t { .uri = "/triggerOta", .method = HTTP_GET, .handler = webserver_trigger_ota_handler, .user_ctx = NULL },
|
||||||
#endif
|
#endif
|
||||||
httpd_uri_t { .uri = "/settings", .method = HTTP_GET, .handler = webserver_settings_handler, .user_ctx = NULL },
|
httpd_uri_t { .uri = "/settings", .method = HTTP_GET, .handler = webserver_settings_handler, .user_ctx = NULL },
|
||||||
@@ -42,6 +43,7 @@ void initWebserver()
|
|||||||
#ifdef OLD_NVS
|
#ifdef OLD_NVS
|
||||||
httpd_uri_t { .uri = "/dumpnvs", .method = HTTP_GET, .handler = webserver_dump_nvs_handler, .user_ctx = NULL },
|
httpd_uri_t { .uri = "/dumpnvs", .method = HTTP_GET, .handler = webserver_dump_nvs_handler, .user_ctx = NULL },
|
||||||
#endif
|
#endif
|
||||||
|
httpd_uri_t { .uri = "/check", .method = HTTP_GET, .handler = webserver_status_handler, .user_ctx = NULL },
|
||||||
})
|
})
|
||||||
{
|
{
|
||||||
const auto result = httpd_register_uri_handler(httpdHandle, &uri);
|
const auto result = httpd_register_uri_handler(httpdHandle, &uri);
|
||||||
@@ -66,4 +68,37 @@ esp_err_t webserver_reboot_handler(httpd_req_t *req)
|
|||||||
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "REBOOT called...")
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "REBOOT called...")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
esp_err_t webserver_status_handler(httpd_req_t *req)
|
||||||
|
{
|
||||||
|
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
|
||||||
|
if (!helper.locked())
|
||||||
|
{
|
||||||
|
constexpr const std::string_view msg = "could not lock webserver_lock";
|
||||||
|
ESP_LOGE(TAG, "%.*s", msg.size(), msg.data());
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string body;
|
||||||
|
|
||||||
|
std::string wants_json_query;
|
||||||
|
if (auto result = esphttpdutils::webserver_get_query(req))
|
||||||
|
wants_json_query = *result;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
ESP_LOGE(TAG, "%.*s", result.error().size(), result.error().data());
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", result.error());
|
||||||
|
}
|
||||||
|
|
||||||
|
char tmpBuf[256];
|
||||||
|
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
||||||
|
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
|
||||||
|
{
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "Ok.");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@@ -32,4 +32,5 @@ extern httpd_handle_t httpdHandle;
|
|||||||
void initWebserver();
|
void initWebserver();
|
||||||
void handleWebserver();
|
void handleWebserver();
|
||||||
esp_err_t webserver_reboot_handler(httpd_req_t *req);
|
esp_err_t webserver_reboot_handler(httpd_req_t *req);
|
||||||
|
esp_err_t webserver_status_handler(httpd_req_t *req);
|
||||||
#endif
|
#endif
|
||||||
|
@@ -30,7 +30,7 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
|
|||||||
|
|
||||||
char tmpBuf[256];
|
char tmpBuf[256];
|
||||||
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
||||||
if (key_result == ESP_OK)
|
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
|
||||||
{
|
{
|
||||||
body += "{";
|
body += "{";
|
||||||
if (auto currentDisplay = static_cast<const espgui::Display *>(espgui::currentDisplay.get()))
|
if (auto currentDisplay = static_cast<const espgui::Display *>(espgui::currentDisplay.get()))
|
||||||
@@ -46,7 +46,7 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
|
|||||||
body += fmt::format("\"index\":{},\"items\":[", menuDisplay->selectedIndex());
|
body += fmt::format("\"index\":{},\"items\":[", menuDisplay->selectedIndex());
|
||||||
menuDisplay->runForEveryMenuItem([&,selectedIndex=menuDisplay->selectedIndex()](const espgui::MenuItem &menuItem){
|
menuDisplay->runForEveryMenuItem([&,selectedIndex=menuDisplay->selectedIndex()](const espgui::MenuItem &menuItem){
|
||||||
body += "{";
|
body += "{";
|
||||||
body += fmt::format("\"name\":\"{}\",\"icon\":\"{}\"", menuItem.text(), "none"); // menuItem.icon()->name
|
body += fmt::format("\"name\":\"{}\",\"icon\":\"{}\"", menuItem.text(), menuItem.icon()->name);
|
||||||
body += "},";
|
body += "},";
|
||||||
});
|
});
|
||||||
body += "],";
|
body += "],";
|
||||||
@@ -66,6 +66,10 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
|
|||||||
}
|
}
|
||||||
body += "}";
|
body += "}";
|
||||||
}
|
}
|
||||||
|
else if (tmpBuf != stringSettings.webserver_password)
|
||||||
|
{
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
HtmlTag htmlTag{"html", body};
|
HtmlTag htmlTag{"html", body};
|
||||||
|
@@ -11,6 +11,61 @@ namespace {
|
|||||||
constexpr const char * const TAG = "BOBBYWEB";
|
constexpr const char * const TAG = "BOBBYWEB";
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
esp_err_t webserver_ota_percentage_handler(httpd_req_t *req)
|
||||||
|
{
|
||||||
|
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
|
||||||
|
if (!helper.locked())
|
||||||
|
{
|
||||||
|
constexpr const std::string_view msg = "could not lock webserver_lock";
|
||||||
|
ESP_LOGE(TAG, "%.*s", msg.size(), msg.data());
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string body;
|
||||||
|
|
||||||
|
std::string wants_json_query;
|
||||||
|
if (auto result = esphttpdutils::webserver_get_query(req))
|
||||||
|
wants_json_query = *result;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
ESP_LOGE(TAG, "%.*s", result.error().size(), result.error().data());
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", result.error());
|
||||||
|
}
|
||||||
|
|
||||||
|
char tmpBuf[256];
|
||||||
|
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
||||||
|
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
|
||||||
|
{
|
||||||
|
body += "{";
|
||||||
|
if (asyncOta)
|
||||||
|
{
|
||||||
|
if (const auto &appDesc = asyncOta->appDesc())
|
||||||
|
{
|
||||||
|
const auto progress = asyncOta->progress();
|
||||||
|
const auto totalSize = asyncOta->totalSize();
|
||||||
|
|
||||||
|
body += fmt::format("\"cur_ota_percent\":\"{}\",", (totalSize && *totalSize > 0) ? fmt::format("{:.02f}", float(progress) / *totalSize * 100) : "?");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
body += "\"err\":\"Could not access asyncOta->appDesc()\",";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
body += "\"info\":\"Updater is not constructed.\"";
|
||||||
|
}
|
||||||
|
|
||||||
|
body += "}";
|
||||||
|
}
|
||||||
|
else if (tmpBuf != stringSettings.webserver_password)
|
||||||
|
{
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
|
||||||
|
}
|
||||||
|
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, (key_result == ESP_OK) ? "application/json" : "text/html", body)
|
||||||
|
}
|
||||||
|
|
||||||
esp_err_t webserver_ota_handler(httpd_req_t *req)
|
esp_err_t webserver_ota_handler(httpd_req_t *req)
|
||||||
{
|
{
|
||||||
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
|
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
|
||||||
@@ -34,7 +89,7 @@ esp_err_t webserver_ota_handler(httpd_req_t *req)
|
|||||||
|
|
||||||
char tmpBuf[256];
|
char tmpBuf[256];
|
||||||
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
|
||||||
if (key_result == ESP_OK)
|
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
|
||||||
{
|
{
|
||||||
body += "{";
|
body += "{";
|
||||||
|
|
||||||
@@ -86,6 +141,10 @@ esp_err_t webserver_ota_handler(httpd_req_t *req)
|
|||||||
|
|
||||||
body += "}}";
|
body += "}}";
|
||||||
}
|
}
|
||||||
|
else if (tmpBuf != stringSettings.webserver_password)
|
||||||
|
{
|
||||||
|
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
HtmlTag htmlTag{"html", body};
|
HtmlTag htmlTag{"html", body};
|
||||||
|
@@ -24,5 +24,6 @@
|
|||||||
|
|
||||||
#if defined(FEATURE_WEBSERVER) && defined(FEATURE_OTA)
|
#if defined(FEATURE_WEBSERVER) && defined(FEATURE_OTA)
|
||||||
esp_err_t webserver_ota_handler(httpd_req_t *req);
|
esp_err_t webserver_ota_handler(httpd_req_t *req);
|
||||||
|
esp_err_t webserver_ota_percentage_handler(httpd_req_t *req);
|
||||||
esp_err_t webserver_trigger_ota_handler(httpd_req_t *req);
|
esp_err_t webserver_trigger_ota_handler(httpd_req_t *req);
|
||||||
#endif
|
#endif
|
||||||
|
Reference in New Issue
Block a user