
0.8.78

* finalized API token access #1415
pull/1433/head
lumapu 8 months ago
parent
commit
a51a761215
  1. 2
      src/platformio.ini
  2. 16
      src/web/Protection.h
  3. 41
      src/web/RestApi.h
  4. 23
      src/web/html/index.html
  5. 28
      src/web/html/setup.html
  6. 18
      src/web/html/visualization.html

2
src/platformio.ini

@ -350,7 +350,7 @@ build_flags = ${env.build_flags}
-DDEF_LED1=17 -DDEF_LED1=17
-DLED_ACTIVE_HIGH -DLED_ACTIVE_HIGH
-DARDUINO_USB_MODE=1 -DARDUINO_USB_MODE=1
#-DARDUINO_USB_CDC_ON_BOOT=1 -DARDUINO_USB_CDC_ON_BOOT=1
monitor_filters = monitor_filters =
esp32_exception_decoder, colorize esp32_exception_decoder, colorize

16
src/web/Protection.h

@ -33,8 +33,7 @@ class Protection {
return mInstance; return mInstance;
} }
void tickSecond() { void tickSecond() { // auto logout
// auto logout
if(0 != mLogoutTimeout) { if(0 != mLogoutTimeout) {
if (0 == --mLogoutTimeout) { if (0 == --mLogoutTimeout) {
if(mPwd[0] != '\0') if(mPwd[0] != '\0')
@ -77,8 +76,10 @@ class Protection {
if(askedFromWeb) if(askedFromWeb)
return !isIdentical(clientIp, mWebIp); return !isIdentical(clientIp, mWebIp);
// API call if(nullptr == token)
if(0 == mToken[0]) // token is zero, from WebUi (logged in) return true;
if('*' == token[0]) // call from WebUI
return !isIdentical(clientIp, mWebIp); return !isIdentical(clientIp, mWebIp);
if(isIdentical(clientIp, mApiIp)) if(isIdentical(clientIp, mApiIp))
@ -92,10 +93,9 @@ class Protection {
mToken.fill(0); mToken.fill(0);
for(uint8_t i = 0; i < 16; i++) { for(uint8_t i = 0; i < 16; i++) {
mToken[i] = random(1, 35); mToken[i] = random(1, 35);
if(mToken[i] < 10) // convert to ascii number 1-9 (zero isn't allowed) or upper
mToken[i] += 0x30; // convert to ascii number 1-9 (zero isn't allowed) // case character A-Z
else mToken[i] += (mToken[i] < 10) ? 0x30 : 0x37;
mToken[i] += 0x37; // convert to ascii upper case character A-Z
} }
} }
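Review bot: In the second hunk the branch that decides access is now selected by the client: a request whose token starts with `'*'` is treated as a WebUI call and is only compared against the stored web IP, so the API token is enforced solely for callers that do not send that marker, whereas the replaced line keyed the same fallback on the server-side `mToken` being unset. If the `'*'` path is meant for the browser session it should rest on server-side state rather than on a value in the request body, since `isIdentical(clientIp, mWebIp)` alone is an address comparison; at minimum document the contract with `// '*' is a client-supplied marker, not proof of a WebUI login; access then depends only on clientIp == mWebIp`. The enclosing `isProtected` starts and ends outside the hunk. In the third hunk the comment promises `A-Z`, but `random(1, 35)` yields at most 34, which maps to `'Y'`; either use `random(1, 36)` or correct the comment, and note that whether `random()` is a cryptographic source depends on the core, which is worth confirming for a value used as a bearer token.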

41
src/web/RestApi.h

@ -841,15 +841,8 @@ class RestApi {
return true; return true;
} }
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set if(isProtected(jsonIn, jsonOut, clientIP))
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT return false;
const char* token = jsonIn["token"];
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}
}
}
Inverter<> *iv = mSys->getInverterByPos(jsonIn[F("id")]); Inverter<> *iv = mSys->getInverterByPos(jsonIn[F("id")]);
bool accepted = true; bool accepted = true;
@ -894,15 +887,8 @@ class RestApi {
} }
bool setSetup(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) { bool setSetup(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set if(isProtected(jsonIn, jsonOut, clientIP))
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT return false;
const char* token = jsonIn["token"];
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}
}
}
#if !defined(ETHERNET) #if !defined(ETHERNET)
if(F("scan_wifi") == jsonIn[F("cmd")]) if(F("scan_wifi") == jsonIn[F("cmd")])
@ -951,6 +937,25 @@ class RestApi {
return true; return true;
} }
bool isProtected(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = nullptr;
if(jsonIn.containsKey(F("token")))
token = jsonIn["token"];
if(!mApp->isProtected(clientIP, token, false))
return false;
jsonOut[F("error")] = F(IS_PROTECTED);
return true;
}
}
return false;
}
private:
IApp *mApp = nullptr; IApp *mApp = nullptr;
HMSYSTEM *mSys = nullptr; HMSYSTEM *mSys = nullptr;
HmRadio<> *mRadioNrf = nullptr; HmRadio<> *mRadioNrf = nullptr;
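Review bot: The new `isProtected` helper in the third hunk returns true when the request must be rejected and in that case also writes `jsonOut[F("error")]`, a side effect its predicate-style name does not announce, and the name collides with `mApp->isProtected`, which has a different signature and is called on the line below; a header comment such as `// Returns true and sets jsonOut["error"] when the caller is not authorised for this request; false means proceed.` (or a name like `rejectIfProtected`) would make the call sites in the first two hunks read correctly. The token key is tested as `jsonIn.containsKey(F("token"))` but read as `jsonIn["token"]`; the two spellings should agree. A `clientIP` beginning with `'*'` still bypasses the check entirely via `strncmp("*", clientIP, 1)`, which the commit keeps from the old code, so the MQTT path is presumably authenticated elsewhere — worth confirming in the note. The second hunk's caller is `setSetup`; the first hunk's enclosing function begins outside the hunk.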

23
src/web/html/index.html

@ -41,27 +41,24 @@
var release = null; var release = null;
function apiCb(obj) { function apiCb(obj) {
var e = document.getElementById("apiResult"); var e = document.getElementById("apiResult")
if(obj.success) { if(obj.success) {
e.innerHTML = " {#COMMAND_EXE}"; e.innerHTML = " {#COMMAND_EXE}"
getAjax("/api/index", parse); getAjax("/api/index", parse)
} } else
else e.innerHTML = " {#ERROR}: " + obj.error
e.innerHTML = " {#ERROR}: " + obj.error;
} }
function setTime() { function setTime() {
var date = new Date(); var date = new Date()
var obj = new Object(); var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
obj.cmd = "set_time"; getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj))
obj.val = parseInt(date.getTime() / 1000);
getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj));
} }
function parseGeneric(obj) { function parseGeneric(obj) {
if(exeOnce) if(exeOnce)
parseESP(obj); parseESP(obj)
parseRssi(obj); parseRssi(obj)
} }
function parseSys(obj) { function parseSys(obj) {
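Review bot: The `token: "*"` literal added to `setTime` is repeated by hand in every request builder the commit touches (here, and in setup.html's `setTime`, `scan`, `syncTime`, `sendDiscoveryConfig` and `ivSave`, and in visualization.html's two ctrl functions), so the sentinel the server keys on lives in eight places with nothing naming it; a single named constant, e.g. `const WEBUI_TOKEN = "*"` in whatever script the pages share, or having `getAjax` append it, would keep them from drifting. The rewritten lines also drop statement semicolons while neighbouring lines in the same hunks keep them (`scan` and `sendDiscoveryConfig` in setup.html, the `ser`/`name` lines in `ivSave`); pick one style per file. In `apiCb` the else branch loses its braces, which is fine for a single statement but reads unevenly against the braced `if` above it.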

28
src/web/html/setup.html

@ -559,31 +559,26 @@
} }
function setTime() { function setTime() {
var date = new Date(); var date = new Date()
var obj = new Object(); var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
obj.cmd = "set_time"; getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
obj.val = parseInt(date.getTime() / 1000); setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
} }
function scan() { function scan() {
var obj = new Object(); var obj = {cmd: "scan_wifi", token: "*"}
obj.cmd = "scan_wifi";
getAjax("/api/setup", apiCbWifi, "POST", JSON.stringify(obj)); getAjax("/api/setup", apiCbWifi, "POST", JSON.stringify(obj));
setTimeout(function() {getAjax('/api/setup/networks', listNetworks)}, 5000); setTimeout(function() {getAjax('/api/setup/networks', listNetworks)}, 5000);
} }
function syncTime() { function syncTime() {
var obj = new Object(); var obj = {cmd: "sync_ntp", token: "*"}
obj.cmd = "sync_ntp"; getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj)); setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
} }
function sendDiscoveryConfig() { function sendDiscoveryConfig() {
var obj = new Object(); var obj = {cmd: "discovery_cfg", token: "*"}
obj.cmd = "discovery_cfg";
getAjax("/api/setup", apiCbMqtt, "POST", JSON.stringify(obj)); getAjax("/api/setup", apiCbMqtt, "POST", JSON.stringify(obj));
} }
@ -837,8 +832,9 @@
function ivSave() { function ivSave() {
var o = new Object(); var o = new Object();
o.cmd = "save_iv"; o.cmd = "save_iv"
o.id = obj.id; o.token = "*"
o.id = obj.id
o.ser = parseInt(document.getElementsByName("ser")[0].value, 16); o.ser = parseInt(document.getElementsByName("ser")[0].value, 16);
o.name = document.getElementsByName("name")[0].value; o.name = document.getElementsByName("name")[0].value;
o.en = document.getElementsByName("enable")[0].checked; o.en = document.getElementsByName("enable")[0].checked;

18
src/web/html/visualization.html

@ -454,18 +454,20 @@
val = 100; val = 100;
var obj = new Object(); var obj = new Object();
obj.id = id; obj.id = id
obj.cmd = cmd; obj.token = "*"
obj.val = Math.round(val*10); obj.cmd = cmd
getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj)); obj.val = Math.round(val*10)
getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj))
} }
function applyCtrl(id, cmd, val=0) { function applyCtrl(id, cmd, val=0) {
var obj = new Object(); var obj = new Object();
obj.id = id; obj.id = id
obj.cmd = cmd; obj.token = "*"
obj.val = val; obj.cmd = cmd
getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj)); obj.val = val
getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj))
} }
function ctrlCb(obj) { function ctrlCb(obj) {
