Password protection for security settings API

Also implemented the base functionallity to protect further API endpoints.
2026-04-11 19:53:25 +02:00 · 2022-11-03 21:00:13 +01:00
parent af4b47beeb
commit 8d14dbd367
16 changed files with 295 additions and 13 deletions
--- a/src/WebApi.cpp
+++ b/src/WebApi.cpp
@@ -5,6 +5,7 @@
 #include "WebApi.h"
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
+#include "Configuration.h"
 #include "defaults.h"

 WebApiClass::WebApiClass()
@@ -55,4 +56,22 @@ void WebApiClass::loop()
    _webApiWsLive.loop();
 }

+bool WebApiClass::checkCredentials(AsyncWebServerRequest* request)
+{
+    CONFIG_T& config = Configuration.get();
+    if (request->authenticate(AUTH_USERNAME, config.Security_Password)) {
+        return true;
+    }
+
+    AsyncWebServerResponse* r = request->beginResponse(401);
+
+    // WebAPI should set the X-Requested-With to prevent browser internal auth dialogs
+    if (!request->hasHeader("X-Requested-With")) {
+        r->addHeader(F("WWW-Authenticate"), F("Basic realm=\"Login Required\""));
+    }
+    request->send(r);
+
+    return false;
+}
+
 WebApiClass WebApi;