feedc0de/bobbycar-boardcomputer-firmware
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added security to json backend

Browse Source
This commit is contained in:
CommanderRedYT
2021-12-09 14:56:06 +01:00
parent 64ac74ea5d
commit 7761f415a5
6 changed files with 104 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
main/presets.cpp
View File

@@ -58,7 +58,7 @@ StringSettings makeDefaultStringSettings()
#ifdef FEATURE_OTA #ifdef FEATURE_OTA
.otaServerBranch = {}, .otaServerBranch = {},
#endif #endif
.webserver_password = STRING(AP_PASSWORD), .webserver_password = {},
}; };
} }
} // namespace presets } // namespace presets

35
main/webserver.cpp
View File

@@ -33,6 +33,7 @@ void initWebserver()
httpd_uri_t { .uri = "/reboot", .method = HTTP_GET, .handler = webserver_reboot_handler, .user_ctx = NULL }, httpd_uri_t { .uri = "/reboot", .method = HTTP_GET, .handler = webserver_reboot_handler, .user_ctx = NULL },
#ifdef FEATURE_OTA #ifdef FEATURE_OTA
httpd_uri_t { .uri = "/ota", .method = HTTP_GET, .handler = webserver_ota_handler, .user_ctx = NULL }, httpd_uri_t { .uri = "/ota", .method = HTTP_GET, .handler = webserver_ota_handler, .user_ctx = NULL },
httpd_uri_t { .uri = "/otaPercent", .method = HTTP_GET, .handler = webserver_ota_percentage_handler, .user_ctx = NULL },
httpd_uri_t { .uri = "/triggerOta", .method = HTTP_GET, .handler = webserver_trigger_ota_handler, .user_ctx = NULL }, httpd_uri_t { .uri = "/triggerOta", .method = HTTP_GET, .handler = webserver_trigger_ota_handler, .user_ctx = NULL },
#endif #endif
httpd_uri_t { .uri = "/settings", .method = HTTP_GET, .handler = webserver_settings_handler, .user_ctx = NULL }, httpd_uri_t { .uri = "/settings", .method = HTTP_GET, .handler = webserver_settings_handler, .user_ctx = NULL },
@@ -42,6 +43,7 @@ void initWebserver()
#ifdef OLD_NVS #ifdef OLD_NVS
httpd_uri_t { .uri = "/dumpnvs", .method = HTTP_GET, .handler = webserver_dump_nvs_handler, .user_ctx = NULL }, httpd_uri_t { .uri = "/dumpnvs", .method = HTTP_GET, .handler = webserver_dump_nvs_handler, .user_ctx = NULL },
#endif #endif
httpd_uri_t { .uri = "/check", .method = HTTP_GET, .handler = webserver_status_handler, .user_ctx = NULL },
}) })
{ {
const auto result = httpd_register_uri_handler(httpdHandle, &uri); const auto result = httpd_register_uri_handler(httpdHandle, &uri);
@@ -66,4 +68,37 @@ esp_err_t webserver_reboot_handler(httpd_req_t *req)
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "REBOOT called...") CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "REBOOT called...")
} }
esp_err_t webserver_status_handler(httpd_req_t *req)
{
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
if (!helper.locked())
{
constexpr const std::string_view msg = "could not lock webserver_lock";
ESP_LOGE(TAG, "%.*s", msg.size(), msg.data());
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", msg);
}
std::string body;
std::string wants_json_query;
if (auto result = esphttpdutils::webserver_get_query(req))
wants_json_query = *result;
else
{
ESP_LOGE(TAG, "%.*s", result.error().size(), result.error().data());
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", result.error());
}
char tmpBuf[256];
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
{
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, "text/plain", "Ok.");
}
else
{
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
}
}
#endif #endif

1
main/webserver.h
View File

@@ -32,4 +32,5 @@ extern httpd_handle_t httpdHandle;
void initWebserver(); void initWebserver();
void handleWebserver(); void handleWebserver();
esp_err_t webserver_reboot_handler(httpd_req_t *req); esp_err_t webserver_reboot_handler(httpd_req_t *req);
esp_err_t webserver_status_handler(httpd_req_t *req);
#endif #endif

8
main/webserver_displaycontrol.cpp
View File

@@ -30,7 +30,7 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
char tmpBuf[256]; char tmpBuf[256];
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256); const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
if (key_result == ESP_OK) if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
{ {
body += "{"; body += "{";
if (auto currentDisplay = static_cast<const espgui::Display *>(espgui::currentDisplay.get())) if (auto currentDisplay = static_cast<const espgui::Display *>(espgui::currentDisplay.get()))
@@ -46,7 +46,7 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
body += fmt::format("\"index\":{},\"items\":[", menuDisplay->selectedIndex()); body += fmt::format("\"index\":{},\"items\":[", menuDisplay->selectedIndex());
menuDisplay->runForEveryMenuItem([&,selectedIndex=menuDisplay->selectedIndex()](const espgui::MenuItem &menuItem){ menuDisplay->runForEveryMenuItem([&,selectedIndex=menuDisplay->selectedIndex()](const espgui::MenuItem &menuItem){
body += "{"; body += "{";
body += fmt::format("\"name\":\"{}\",\"icon\":\"{}\"", menuItem.text(), "none"); // menuItem.icon()->name body += fmt::format("\"name\":\"{}\",\"icon\":\"{}\"", menuItem.text(), menuItem.icon()->name);
body += "},"; body += "},";
}); });
body += "],"; body += "],";
@@ -66,6 +66,10 @@ esp_err_t webserver_root_handler(httpd_req_t *req)
} }
body += "}"; body += "}";
} }
else if (tmpBuf != stringSettings.webserver_password)
{
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
}
else else
{ {
HtmlTag htmlTag{"html", body}; HtmlTag htmlTag{"html", body};

61
main/webserver_ota.cpp
View File

@@ -11,6 +11,61 @@ namespace {
constexpr const char * const TAG = "BOBBYWEB"; constexpr const char * const TAG = "BOBBYWEB";
} // namespace } // namespace
esp_err_t webserver_ota_percentage_handler(httpd_req_t *req)
{
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
if (!helper.locked())
{
constexpr const std::string_view msg = "could not lock webserver_lock";
ESP_LOGE(TAG, "%.*s", msg.size(), msg.data());
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", msg);
}
std::string body;
std::string wants_json_query;
if (auto result = esphttpdutils::webserver_get_query(req))
wants_json_query = *result;
else
{
ESP_LOGE(TAG, "%.*s", result.error().size(), result.error().data());
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::BadRequest, "text/plain", result.error());
}
char tmpBuf[256];
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
{
body += "{";
if (asyncOta)
{
if (const auto &appDesc = asyncOta->appDesc())
{
const auto progress = asyncOta->progress();
const auto totalSize = asyncOta->totalSize();
body += fmt::format("\"cur_ota_percent\":\"{}\",", (totalSize && *totalSize > 0) ? fmt::format("{:.02f}", float(progress) / *totalSize * 100) : "?");
}
else
{
body += "\"err\":\"Could not access asyncOta->appDesc()\",";
}
}
else
{
body += "\"info\":\"Updater is not constructed.\"";
}
body += "}";
}
else if (tmpBuf != stringSettings.webserver_password)
{
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
}
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Ok, (key_result == ESP_OK) ? "application/json" : "text/html", body)
}
esp_err_t webserver_ota_handler(httpd_req_t *req) esp_err_t webserver_ota_handler(httpd_req_t *req)
{ {
espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()}; espcpputils::LockHelper helper{webserver_lock->handle, std::chrono::ceil<espcpputils::ticks>(5s).count()};
@@ -34,7 +89,7 @@ esp_err_t webserver_ota_handler(httpd_req_t *req)
char tmpBuf[256]; char tmpBuf[256];
const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256); const auto key_result = httpd_query_key_value(wants_json_query.data(), "json", tmpBuf, 256);
if (key_result == ESP_OK) if (key_result == ESP_OK && (tmpBuf == stringSettings.webserver_password || stringSettings.webserver_password.empty()))
{ {
body += "{"; body += "{";
@@ -86,6 +141,10 @@ esp_err_t webserver_ota_handler(httpd_req_t *req)
body += "}}"; body += "}}";
} }
else if (tmpBuf != stringSettings.webserver_password)
{
CALL_AND_EXIT(esphttpdutils::webserver_resp_send, req, esphttpdutils::ResponseStatus::Unauthorized, "text/plain", "");
}
else else
{ {
HtmlTag htmlTag{"html", body}; HtmlTag htmlTag{"html", body};

1
main/webserver_ota.h
View File

@@ -24,5 +24,6 @@
#if defined(FEATURE_WEBSERVER) && defined(FEATURE_OTA) #if defined(FEATURE_WEBSERVER) && defined(FEATURE_OTA)
esp_err_t webserver_ota_handler(httpd_req_t *req); esp_err_t webserver_ota_handler(httpd_req_t *req);
esp_err_t webserver_ota_percentage_handler(httpd_req_t *req);
esp_err_t webserver_trigger_ota_handler(httpd_req_t *req); esp_err_t webserver_trigger_ota_handler(httpd_req_t *req);
#endif #endif