From a51a7612155cb7d13f15c4cb4f9b6e33ac894229 Mon Sep 17 00:00:00 2001
From: lumapu
Date: Sun, 11 Feb 2024 00:07:20 +0100
Subject: [PATCH] 0.8.78

* finalized API token access #1415
---
 src/platformio.ini | 2 +-
 src/web/Protection.h | 16 ++++++-------
 src/web/RestApi.h | 41 ++++++++++++++++++---------------
 src/web/html/index.html | 23 ++++++++----------
 src/web/html/setup.html | 28 ++++++++++------------
 src/web/html/visualization.html | 18 ++++++++-------
 6 files changed, 64 insertions(+), 64 deletions(-)

diff --git a/src/platformio.ini b/src/platformio.ini
index f949aa37..7130bf4c 100644
--- a/src/platformio.ini
+++ b/src/platformio.ini
@@ -350,7 +350,7 @@ build_flags = ${env.build_flags}
 -DDEF_LED1=17
 -DLED_ACTIVE_HIGH
 -DARDUINO_USB_MODE=1
- #-DARDUINO_USB_CDC_ON_BOOT=1
+ -DARDUINO_USB_CDC_ON_BOOT=1
 monitor_filters =
 esp32_exception_decoder, colorize
 
diff --git a/src/web/Protection.h b/src/web/Protection.h
index 7c1ff71e..82e4be49 100644
--- a/src/web/Protection.h
+++ b/src/web/Protection.h
@@ -33,8 +33,7 @@ class Protection {
 return mInstance;
 }
 
- void tickSecond() {
- // auto logout
+ void tickSecond() { // auto logout
 if(0 != mLogoutTimeout) {
 if (0 == --mLogoutTimeout) {
 if(mPwd[0] != '\0')
@@ -77,8 +76,10 @@ class Protection {
 if(askedFromWeb)
 return !isIdentical(clientIp, mWebIp);
 
- // API call
- if(0 == mToken[0]) // token is zero, from WebUi (logged in)
+ if(nullptr == token)
+ return true;
+
+ if('*' == token[0]) // call from WebUI
 return !isIdentical(clientIp, mWebIp);
 
 if(isIdentical(clientIp, mApiIp))
@@ -92,10 +93,9 @@ class Protection {
 mToken.fill(0);
 for(uint8_t i = 0; i < 16; i++) {
 mToken[i] = random(1, 35);
- if(mToken[i] < 10)
- mToken[i] += 0x30; // convert to ascii number 1-9 (zero isn't allowed)
- else
- mToken[i] += 0x37; // convert to ascii upper case character A-Z
+ // convert to ascii number 1-9 (zero isn't allowed) or upper
+ // case character A-Z
+ mToken[i] += (mToken[i] < 10) ? 0x30 : 0x37;
 }
 }
 
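Review bot: `if('*' == token[0])` only inspects the first character, so any token that merely starts with `*` is routed down the WebUI branch instead of the exact `"*"` marker the HTML pages in this patch send; an exact comparison such as `if(0 == strcmp("*", token))` keeps the intent unambiguous. Because that branch then relies solely on `isIdentical(clientIp, mWebIp)`, the `"*"` value itself grants nothing, which the trailing comment should say: `// "*" marks a WebUI request: no token is checked, the caller must still be the logged-in web client's IP`. The fail-closed `return true` for a nullptr token is the right default. The enclosing isProtected(clientIp, token, askedFromWeb) starts and ends outside the hunk.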
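Review bot: The new comment above `mToken[i] += (mToken[i] < 10) ? 0x30 : 0x37;` promises an alphabet of 1-9 and A-Z, but `random(1, 35)` presumably yields 1..34 if this is Arduino's `random(min, max)` with an exclusive upper bound, which maps to '1'-'9' and 'A'-'Y'; 'Z' never appears. Either make the comment match, `// convert to ascii digit 1-9 (zero isn't allowed) or upper case A-Y`, or draw with `random(1, 36)` so the stated alphabet is the real one. The strength of the token also rests on `random()` being backed by a properly seeded source on each target, which a one-line note at the top of this function would let a reader verify. The generating function starts outside the hunk.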
diff --git a/src/web/RestApi.h b/src/web/RestApi.h
index 53b604b5..fadd7277 100644
--- a/src/web/RestApi.h
+++ b/src/web/RestApi.h
@@ -841,15 +841,8 @@ class RestApi {
 return true;
 }
 
- if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
- if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
- const char* token = jsonIn["token"];
- if(mApp->isProtected(clientIP, token, false)) {
- jsonOut[F("error")] = F(IS_PROTECTED);
- return false;
- }
- }
- }
+ if(isProtected(jsonIn, jsonOut, clientIP))
+ return false;
 
 Inverter<> *iv = mSys->getInverterByPos(jsonIn[F("id")]);
 bool accepted = true;
@@ -894,15 +887,8 @@ class RestApi {
 }
 
 bool setSetup(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
- if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
- if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
- const char* token = jsonIn["token"];
- if(mApp->isProtected(clientIP, token, false)) {
- jsonOut[F("error")] = F(IS_PROTECTED);
- return false;
- }
- }
- }
+ if(isProtected(jsonIn, jsonOut, clientIP))
+ return false;
 
 #if !defined(ETHERNET)
 if(F("scan_wifi") == jsonIn[F("cmd")])
@@ -951,6 +937,25 @@ class RestApi {
 return true;
 }
 
+ bool isProtected(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
+ if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
+ if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
+ const char* token = nullptr;
+ if(jsonIn.containsKey(F("token")))
+ token = jsonIn["token"];
+
+ if(!mApp->isProtected(clientIP, token, false))
+ return false;
+
+ jsonOut[F("error")] = F(IS_PROTECTED);
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private:
 IApp *mApp = nullptr;
 HMSYSTEM *mSys = nullptr;
 HmRadio<> *mRadioNrf = nullptr;
diff --git a/src/web/html/index.html b/src/web/html/index.html
index e7b7afc4..2611db5b 100644
--- a/src/web/html/index.html
+++ b/src/web/html/index.html
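Review bot: The new `isProtected` helper reuses the name of `mApp->isProtected` while having a different contract (it also writes `jsonOut[F("error")]`), so the call sites in the two earlier hunks, `if(isProtected(jsonIn, jsonOut, clientIP))`, read as if the app-level check were invoked directly; a name such as `rejectIfProtected`, or a comment above the definition, `// wraps IApp::isProtected and fills jsonOut["error"]; true means the request must be refused`, would remove the ambiguity. The key lookup mixes `jsonIn.containsKey(F("token"))` with `jsonIn["token"]` on the following line; use `F("token")` for both. A "token" key holding a non-string presumably converts to nullptr here, which Protection.h now treats as protected, and that fail-closed path deserves a one-line comment so nobody "fixes" it later. Since `private:` is inserted only after the helper, it inherits the access of the preceding section, which is not visible here; if that section is public the helper should move below the new `private:`.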
@@ -41,27 +41,24 @@
 var release = null;
 
 function apiCb(obj) {
- var e = document.getElementById("apiResult");
+ var e = document.getElementById("apiResult")
 if(obj.success) {
- e.innerHTML = " {#COMMAND_EXE}";
- getAjax("/api/index", parse);
- }
- else
- e.innerHTML = " {#ERROR}: " + obj.error;
+ e.innerHTML = " {#COMMAND_EXE}"
+ getAjax("/api/index", parse)
+ } else
+ e.innerHTML = " {#ERROR}: " + obj.error
 }
 
 function setTime() {
- var date = new Date();
- var obj = new Object();
- obj.cmd = "set_time";
- obj.val = parseInt(date.getTime() / 1000);
- getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj));
+ var date = new Date()
+ var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
+ getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj))
 }
 
 function parseGeneric(obj) {
 if(exeOnce)
- parseESP(obj);
- parseRssi(obj);
+ parseESP(obj)
+ parseRssi(obj)
 }
 
 function parseSys(obj) {
diff --git a/src/web/html/setup.html b/src/web/html/setup.html
index dec62830..4859fe34 100644
--- a/src/web/html/setup.html
+++ b/src/web/html/setup.html
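Review bot: `token: "*"` is now hand-added to each POST body in `setTime()` here and in the setup.html (`setTime`, `scan`, `syncTime`, `sendDiscoveryConfig`, `ivSave`) and visualization.html (`applyCtrl` and the function above it) hunks, so any future call site that omits it is rejected with IS_PROTECTED whenever an admin password is set; putting the marker in one place, e.g. `function apiPost(url, obj, cb) { obj.token = "*"; getAjax(url, cb, "POST", JSON.stringify(obj)) }`, makes that impossible to forget. The rewrite also drops semicolons on the touched lines while untouched lines in the same functions keep them (`getAjax(...);` in `scan()`, `o.ser = ...;` in `ivSave()`), leaving a mixed style inside single functions; pick one convention per file. On the new `var obj` line, `parseInt(date.getTime() / 1000)` truncates via string conversion; `Math.floor(Date.now() / 1000)` says what is meant.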
@@ -559,31 +559,26 @@
 }
 
 function setTime() {
- var date = new Date();
- var obj = new Object();
- obj.cmd = "set_time";
- obj.val = parseInt(date.getTime() / 1000);
- getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
- setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
+ var date = new Date()
+ var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
+ getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
+ setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
 }
 
 function scan() {
- var obj = new Object();
- obj.cmd = "scan_wifi";
+ var obj = {cmd: "scan_wifi", token: "*"}
 getAjax("/api/setup", apiCbWifi, "POST", JSON.stringify(obj));
 setTimeout(function() {getAjax('/api/setup/networks', listNetworks)}, 5000);
 }
 
 function syncTime() {
- var obj = new Object();
- obj.cmd = "sync_ntp";
- getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
- setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
+ var obj = {cmd: "sync_ntp", token: "*"}
+ getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
+ setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
 }
 
 function sendDiscoveryConfig() {
- var obj = new Object();
- obj.cmd = "discovery_cfg";
+ var obj = {cmd: "discovery_cfg", token: "*"}
 getAjax("/api/setup", apiCbMqtt, "POST", JSON.stringify(obj));
 }
 
@@ -837,8 +832,9 @@
 
 function ivSave() {
 var o = new Object();
- o.cmd = "save_iv";
- o.id = obj.id;
+ o.cmd = "save_iv"
+ o.token = "*"
+ o.id = obj.id
 o.ser = parseInt(document.getElementsByName("ser")[0].value, 16);
 o.name = document.getElementsByName("name")[0].value;
 o.en = document.getElementsByName("enable")[0].checked;
diff --git a/src/web/html/visualization.html b/src/web/html/visualization.html
index 3b90a028..1ce4e264 100644
--- a/src/web/html/visualization.html
+++ b/src/web/html/visualization.html
@@ -454,18 +454,20 @@
 val = 100;
 
 var obj = new Object();
- obj.id = id;
- obj.cmd = cmd;
- obj.val = Math.round(val*10);
- getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj));
+ obj.id = id
+ obj.token = "*"
+ obj.cmd = cmd
+ obj.val = Math.round(val*10)
+ getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj))
 }
 
 function applyCtrl(id, cmd, val=0) {
 var obj = new Object();
- obj.id = id;
- obj.cmd = cmd;
- obj.val = val;
- getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj));
+ obj.id = id
+ obj.token = "*"
+ obj.cmd = cmd
+ obj.val = val
+ getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj))
 }
 
 function ctrlCb(obj) {