
0.8.78
* finalized API token access #1415
lumapu committed Feb 10, 2024
1 parent d5cecbb commit a51a761
Showing 6 changed files with 64 additions and 64 deletions.
2 changes: 1 addition & 1 deletion src/platformio.ini
Expand Up @@ -350,7 +350,7 @@ build_flags = ${env.build_flags}
-DDEF_LED1=17
-DLED_ACTIVE_HIGH
-DARDUINO_USB_MODE=1
#-DARDUINO_USB_CDC_ON_BOOT=1
-DARDUINO_USB_CDC_ON_BOOT=1
monitor_filters =
esp32_exception_decoder, colorize

16 changes: 8 additions & 8 deletions src/web/Protection.h
Expand Up @@ -33,8 +33,7 @@ class Protection {
return mInstance;
}

void tickSecond() {
// auto logout
void tickSecond() { // auto logout
if(0 != mLogoutTimeout) {
if (0 == --mLogoutTimeout) {
if(mPwd[0] != '\0')
Expand Down Expand Up @@ -77,8 +76,10 @@ class Protection {
if(askedFromWeb)
return !isIdentical(clientIp, mWebIp);

// API call
if(0 == mToken[0]) // token is zero, from WebUi (logged in)
if(nullptr == token)
return true;

if('*' == token[0]) // call from WebUI
return !isIdentical(clientIp, mWebIp);

if(isIdentical(clientIp, mApiIp))
Expand All @@ -92,10 +93,9 @@ class Protection {
mToken.fill(0);
for(uint8_t i = 0; i < 16; i++) {
mToken[i] = random(1, 35);
if(mToken[i] < 10)
mToken[i] += 0x30; // convert to ascii number 1-9 (zero isn't allowed)
else
mToken[i] += 0x37; // convert to ascii upper case character A-Z
// convert to ascii number 1-9 (zero isn't allowed) or upper
// case character A-Z
mToken[i] += (mToken[i] < 10) ? 0x30 : 0x37;
}
}

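Review bot: The `'*' == token[0]` branch trusts a marker that the client itself chooses, so for any API request carrying `"token":"*"` the only remaining control is `!isIdentical(clientIp, mWebIp)`, i.e. whether the request arrives from the same source address as the logged-in browser. Behind NAT or a reverse proxy every client presents the same address, so while one user is logged in an unauthenticated caller sharing that address passes this check with a hard-coded value (the HTML in this commit sends exactly that literal); whether such a proxy exists is deployment-specific. Binding the WebUI to something only the browser knows — a per-login random value issued the way `mToken` is and compared here instead of the fixed sentinel — would close that; failing that, put the assumption next to the check: `// '*' is not a secret: a WebUI call is only accepted when it comes from the IP of the active web session`. The enclosing `isProtected` starts and ends outside the hunk.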
41 changes: 23 additions & 18 deletions src/web/RestApi.h
Expand Up @@ -841,15 +841,8 @@ class RestApi {
return true;
}

if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = jsonIn["token"];
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}
}
}
if(isProtected(jsonIn, jsonOut, clientIP))
return false;

Inverter<> *iv = mSys->getInverterByPos(jsonIn[F("id")]);
bool accepted = true;
Expand Down Expand Up @@ -894,15 +887,8 @@ class RestApi {
}

bool setSetup(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = jsonIn["token"];
if(mApp->isProtected(clientIP, token, false)) {
jsonOut[F("error")] = F(IS_PROTECTED);
return false;
}
}
}
if(isProtected(jsonIn, jsonOut, clientIP))
return false;

#if !defined(ETHERNET)
if(F("scan_wifi") == jsonIn[F("cmd")])
Expand Down Expand Up @@ -951,6 +937,25 @@ class RestApi {
return true;
}

bool isProtected(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
const char* token = nullptr;
if(jsonIn.containsKey(F("token")))
token = jsonIn["token"];

if(!mApp->isProtected(clientIP, token, false))
return false;

jsonOut[F("error")] = F(IS_PROTECTED);
return true;
}
}

return false;
}

private:
IApp *mApp = nullptr;
HMSYSTEM *mSys = nullptr;
HmRadio<> *mRadioNrf = nullptr;
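Review bot: The new `isProtected` helper relies on two in-band sentinels without saying so: a `clientIP` beginning with `'*'` skips the check entirely (the comment calls it MQTT), and a body `"token":"*"` is passed on to `mApp->isProtected`, which in Protection.h of this same commit treats it as a WebUI call and only compares source IPs. Neither convention is visible to a reader of this function, and the nested `if`s obscure that it answers "not protected" in three distinct cases. I would flatten it into guard clauses under a header comment stating the contract (true, with `jsonOut["error"]` set, only when the request must be rejected), as below. Whether `clientIP` can be null here depends on the handlers that call this, which are outside the hunk; if it can, `clientIP[0]` needs a null guard, which `strncmp` did not provide either.
```cpp
    // Decide whether a REST request must be rejected because an admin
    // password is set and the caller has not authenticated.
    // Returns true (and sets jsonOut["error"]) only when the request is blocked.
    // Conventions relied on: a clientIP beginning with '*' marks an internal
    // (MQTT) caller and is never blocked; a body "token" of "*" marks a WebUI
    // call and is validated by Protection against the logged-in web IP.
    bool isProtected(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
        if('\0' == mConfig->sys.adminPwd[0])
            return false; // nothing to protect without an admin password
        if('*' == clientIP[0])
            return false; // internal caller, not an HTTP client
        const char *token = nullptr;
        if(jsonIn.containsKey(F("token")))
            token = jsonIn["token"];
        if(!mApp->isProtected(clientIP, token, false))
            return false;
        jsonOut[F("error")] = F(IS_PROTECTED);
        return true;
    }
```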
23 changes: 10 additions & 13 deletions src/web/html/index.html
Expand Up @@ -41,27 +41,24 @@ <h3>{#SUPPORT}:</h3>
var release = null;

function apiCb(obj) {
var e = document.getElementById("apiResult");
var e = document.getElementById("apiResult")
if(obj.success) {
e.innerHTML = " {#COMMAND_EXE}";
getAjax("/api/index", parse);
}
else
e.innerHTML = " {#ERROR}: " + obj.error;
e.innerHTML = " {#COMMAND_EXE}"
getAjax("/api/index", parse)
} else
e.innerHTML = " {#ERROR}: " + obj.error
}

function setTime() {
var date = new Date();
var obj = new Object();
obj.cmd = "set_time";
obj.val = parseInt(date.getTime() / 1000);
getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj));
var date = new Date()
var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj))
}

function parseGeneric(obj) {
if(exeOnce)
parseESP(obj);
parseRssi(obj);
parseESP(obj)
parseRssi(obj)
}

function parseSys(obj) {
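Review bot: `token: "*"` in `setTime` is a magic value with no explanation at the point where it is introduced; from Protection.h in this commit it is a marker meaning "request from the logged-in WebUI", and the server then checks the caller's IP against the web session rather than the value itself. A reader of this file cannot tell that it is not a credential, so I would annotate it: `token: "*", // WebUI marker, not a secret: the server accepts it only from the IP of the logged-in session`. The same literal is added in setup.html and visualization.html in this commit, so a shared constant or a small wrapper around `getAjax` that injects it would keep the convention in one place.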
28 changes: 12 additions & 16 deletions src/web/html/setup.html
Expand Up @@ -559,31 +559,26 @@
}

function setTime() {
var date = new Date();
var obj = new Object();
obj.cmd = "set_time";
obj.val = parseInt(date.getTime() / 1000);
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
var date = new Date()
var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
}

function scan() {
var obj = new Object();
obj.cmd = "scan_wifi";
var obj = {cmd: "scan_wifi", token: "*"}
getAjax("/api/setup", apiCbWifi, "POST", JSON.stringify(obj));
setTimeout(function() {getAjax('/api/setup/networks', listNetworks)}, 5000);
}

function syncTime() {
var obj = new Object();
obj.cmd = "sync_ntp";
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
var obj = {cmd: "sync_ntp", token: "*"}
getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
}

function sendDiscoveryConfig() {
var obj = new Object();
obj.cmd = "discovery_cfg";
var obj = {cmd: "discovery_cfg", token: "*"}
getAjax("/api/setup", apiCbMqtt, "POST", JSON.stringify(obj));
}

Expand Down Expand Up @@ -837,8 +832,9 @@

function ivSave() {
var o = new Object();
o.cmd = "save_iv";
o.id = obj.id;
o.cmd = "save_iv"
o.token = "*"
o.id = obj.id
o.ser = parseInt(document.getElementsByName("ser")[0].value, 16);
o.name = document.getElementsByName("name")[0].value;
o.en = document.getElementsByName("enable")[0].checked;
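Review bot: The touched functions now mix statement terminators: in `scan` the new `var obj = {cmd: "scan_wifi", token: "*"}` line has no semicolon while the `getAjax` and `setTimeout` lines directly below it keep theirs, and `setTime`/`syncTime` drop all of them. Automatic semicolon insertion makes this run, but a later line starting with `(` or `[` after an unterminated statement would silently join with the previous one, so one convention per file is safer. The least-change option is to terminate the new lines, e.g. `var obj = {cmd: "scan_wifi", token: "*"};`.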
18 changes: 10 additions & 8 deletions src/web/html/visualization.html
Expand Up @@ -454,18 +454,20 @@
val = 100;

var obj = new Object();
obj.id = id;
obj.cmd = cmd;
obj.val = Math.round(val*10);
getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj));
obj.id = id
obj.token = "*"
obj.cmd = cmd
obj.val = Math.round(val*10)
getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj))
}

function applyCtrl(id, cmd, val=0) {
var obj = new Object();
obj.id = id;
obj.cmd = cmd;
obj.val = val;
getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj));
obj.id = id
obj.token = "*"
obj.cmd = cmd
obj.val = val
getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj))
}

function ctrlCb(obj) {
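Review bot: `obj.token = "*"` is now hand-written into both request builders here (and several more in setup.html and index.html in this commit), so any endpoint added later that forgets it will be answered with the IS_PROTECTED error once an admin password is set — a maintenance trap rather than a security hole, since a missing token is rejected server-side. Folding the marker into one helper keeps it in a single place, e.g. `function apiPost(path, obj, cb) { obj.token = "*"; getAjax(path, cb, "POST", JSON.stringify(obj)) }` and then `apiPost("/api/ctrl", obj, ctrlCb)`. The function containing the first hunk's lines begins outside the hunk.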
