topaLE
/
ahoy
mirror of https://github.com/lumapu/ahoy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

0.8.78 

* fixed protection
pull/1433/head
lumapu 12 months ago
parent
8b2db4abfa
commit
d5cecbb5b0
7 changed files with 49 additions and 56 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      src/CHANGES.md
  2. 12
      src/app.h
  3. 5
      src/appInterface.h
  4. 2
      src/defines.h
  5. 72
      src/web/Protection.h
  6. 6
      src/web/RestApi.h
  7. 6
      src/web/web.h

2
src/CHANGES.md
View File

@ -1,6 +1,6 @@
# Development Changes
## 0.8.78 - 2024-02-09
## 0.8.78 - 2024-02-10
* finalized API token access #1415
## 0.8.77 - 2024-02-08

12
src/app.h
View File

@ -247,8 +247,8 @@ class app : public IApp, public ah::Scheduler {
#endif
}
void lock(void) override {
mProtection->lock();
void lock(bool fromWeb) override {
mProtection->lock(fromWeb);
}
char *unlock(const char *clientIp, bool loginFromWeb) override {
@ -259,12 +259,8 @@ class app : public IApp, public ah::Scheduler {
mProtection->resetLockTimeout();
}
bool isProtected(void) const override {
return mProtection->isProtected();
}
bool isProtected(const char *token, bool askedFromWeb) const override {
return mProtection->isProtected(token, askedFromWeb);
bool isProtected(const char *clientIp, const char *token, bool askedFromWeb) const override {
return mProtection->isProtected(clientIp, token, askedFromWeb);
}
bool getNrfEnabled(void) override {

5
src/appInterface.h
View File

@ -61,11 +61,10 @@ class IApp {
virtual uint32_t getMqttRxCnt() = 0;
virtual uint32_t getMqttTxCnt() = 0;
virtual void lock(void) = 0;
virtual void lock(bool fromWeb) = 0;
virtual char *unlock(const char *clientIp, bool loginFromWeb) = 0;
virtual void resetLockTimeout(void) = 0;
virtual bool isProtected(void) const = 0;
virtual bool isProtected(const char *token, bool askedFromWeb) const = 0;
virtual bool isProtected(const char *clientIp, const char *token, bool askedFromWeb) const = 0;
virtual uint16_t getHistoryValue(uint8_t type, uint16_t i) = 0;
virtual uint16_t getHistoryMaxDay() = 0;

2
src/defines.h
View File

@ -13,7 +13,7 @@
//-------------------------------------
#define VERSION_MAJOR 0
#define VERSION_MINOR 8
#define VERSION_PATCH 77
#define VERSION_PATCH 78
//-------------------------------------
typedef struct {

72
src/web/Protection.h
View File

@ -18,12 +18,9 @@ class Protection {
explicit Protection(const char *pwd) {
mPwd = pwd;
mLogoutTimeout = 0;
mLoginIp.fill(0);
mWebIp.fill(0);
mApiIp.fill(0);
mToken.fill(0);
// no password set - unlock
if(pwd[0] == '\0')
mProtected = false;
}
public:
@ -40,27 +37,30 @@ class Protection {
// auto logout
if(0 != mLogoutTimeout) {
if (0 == --mLogoutTimeout) {
if(mPwd[0] != '\0') {
mProtected = true;
}
if(mPwd[0] != '\0')
lock(false);
}
}
}
void lock(void) {
mProtected = true;
mLoginIp.fill(0);
void lock(bool fromWeb) {
mWebIp.fill(0);
if(fromWeb)
return;
mApiIp.fill(0);
mToken.fill(0);
}
char *unlock(const char *clientIp, bool loginFromWeb) {
mLogoutTimeout = LOGOUT_TIMEOUT;
mProtected = false;
if(loginFromWeb)
ah::ip2Arr(static_cast<uint8_t*>(mLoginIp.data()), clientIp);
else
ah::ip2Arr(static_cast<uint8_t*>(mWebIp.data()), clientIp);
else {
ah::ip2Arr(static_cast<uint8_t*>(mApiIp.data()), clientIp);
genToken();
}
return reinterpret_cast<char*>(mToken.data());
}
@ -70,30 +70,19 @@ class Protection {
mLogoutTimeout = LOGOUT_TIMEOUT;
}
bool isProtected(void) const {
return mProtected;
}
bool isProtected(const char *token, bool askedFromWeb) const { // token == clientIp
if(mProtected)
return true;
if(mPwd[0] == '\0')
bool isProtected(const char *clientIp, const char *token, bool askedFromWeb) const {
if(mPwd[0] == '\0') // no password set
return false;
if(askedFromWeb) { // check IP address
std::array<uint8_t, 4> ip;
ah::ip2Arr(static_cast<uint8_t*>(ip.data()), token);
for(uint8_t i = 0; i < 4; i++) {
if(mLoginIp[i] != ip[i])
return true;
}
} else { // API call - check token
if(0 == mToken[0]) // token is zero
return true;
if(askedFromWeb)
return !isIdentical(clientIp, mWebIp);
// API call
if(0 == mToken[0]) // token is zero, from WebUi (logged in)
return !isIdentical(clientIp, mWebIp);
if(isIdentical(clientIp, mApiIp))
return (0 != strncmp(token, mToken.data(), 16));
}
return false;
}
@ -106,8 +95,18 @@ class Protection {
if(mToken[i] < 10)
mToken[i] += 0x30; // convert to ascii number 1-9 (zero isn't allowed)
else
mToken[i] += 0x37; // convert to ascii upper case character
mToken[i] += 0x37; // convert to ascii upper case character A-Z
}
}
bool isIdentical(const char *clientIp, const std::array<uint8_t, 4> cmp) const {
std::array<uint8_t, 4> ip;
ah::ip2Arr(static_cast<uint8_t*>(ip.data()), clientIp);
for(uint8_t i = 0; i < 4; i++) {
if(cmp[i] != ip[i])
return false;
}
return true;
}
protected:
@ -115,9 +114,8 @@ class Protection {
private:
const char *mPwd;
bool mProtected = true;
uint16_t mLogoutTimeout = 0;
std::array<uint8_t, 4> mLoginIp;
std::array<uint8_t, 4> mWebIp, mApiIp;
std::array<char, 17> mToken;
};

6
src/web/RestApi.h
View File

@ -266,7 +266,7 @@ class RestApi {
obj[F("modules")] = String(mApp->getVersionModules());
obj[F("build")] = String(AUTO_GIT_HASH);
obj[F("env")] = String(ENV_NAME);
obj[F("menu_prot")] = mApp->isProtected(request->client()->remoteIP().toString().c_str(), true);
obj[F("menu_prot")] = mApp->isProtected(request->client()->remoteIP().toString().c_str(), "", true);
obj[F("menu_mask")] = (uint16_t)(mConfig->sys.protectionMask );
obj[F("menu_protEn")] = (bool) (mConfig->sys.adminPwd[0] != '\0');
obj[F("cst_lnk")] = String(mConfig->plugin.customLink);
@ -844,7 +844,7 @@ class RestApi {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = jsonIn["token"];
if(mApp->isProtected(token, false)) {
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}
@ -897,7 +897,7 @@ class RestApi {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = jsonIn["token"];
if(mApp->isProtected(token, false)) {
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}

6
src/web/web.h
View File

@ -227,7 +227,7 @@ class Web {
}
void checkProtection(AsyncWebServerRequest *request) {
if(mApp->isProtected(request->client()->remoteIP().toString().c_str(), true)) {
if(mApp->isProtected(request->client()->remoteIP().toString().c_str(), "", true)) {
checkRedirect(request);
return;
}
@ -328,7 +328,7 @@ class Web {
DPRINTLN(DBG_VERBOSE, F("onLogout"));
checkProtection(request);
mApp->lock();
mApp->lock(true);
AsyncWebServerResponse *response = request->beginResponse_P(200, F("text/html; charset=UTF-8"), system_html, system_html_len);
response->addHeader(F("Content-Encoding"), "gzip");
@ -455,7 +455,7 @@ class Web {
// protection
if (request->arg("adminpwd") != "{PWD}") {
request->arg("adminpwd").toCharArray(mConfig->sys.adminPwd, PWD_LEN);
mApp->lock();
mApp->lock(false);
}
mConfig->sys.protectionMask = 0x0000;
for (uint8_t i = 0; i < 7; i++) {

Write Preview
Loading…
Cancel
Save