From 233efe3a5061a2a06001e8405ce3ad5f3944ade1 Mon Sep 17 00:00:00 2001
From: Thomas Basler
Date: Mon, 7 Nov 2022 19:02:07 +0100
Subject: [PATCH] Password protection for firmware update API
---
 src/WebApi_firmware.cpp | 9 +++++++++
 webapp/src/router/index.ts | 3 +--
 webapp/src/views/FirmwareUpgradeView.vue | 4 ++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/WebApi_firmware.cpp b/src/WebApi_firmware.cpp
index 9b33dc7..48984f4 100644
--- a/src/WebApi_firmware.cpp
+++ b/src/WebApi_firmware.cpp
@@ -7,6 +7,7 @@
 #include "AsyncJson.h"
 #include "Configuration.h"
 #include "Update.h"
+#include "WebApi.h"
 #include "helper.h"
 void WebApiFirmwareClass::init(AsyncWebServer* server)
@@ -31,6 +32,10 @@ void WebApiFirmwareClass::loop()
 void WebApiFirmwareClass::onFirmwareUpdateFinish(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 // the request handler is triggered after the upload has finished...
 // create the response, add header, and send response
@@ -46,6 +51,10 @@ void WebApiFirmwareClass::onFirmwareUpdateFinish(AsyncWebServerRequest* request)
 void WebApiFirmwareClass::onFirmwareUpdateUpload(AsyncWebServerRequest* request, String filename, size_t index, uint8_t* data, size_t len, bool final)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 // Upload handler chunks in data
 if (!index) {
 if (!request->hasParam("MD5", true)) {
diff --git a/webapp/src/router/index.ts b/webapp/src/router/index.ts
index 166172f..74a7d12 100644
--- a/webapp/src/router/index.ts
+++ b/webapp/src/router/index.ts
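Review bot: The guard in onFirmwareUpdateUpload sits at the top of a handler that runs once per uploaded chunk, and onFirmwareUpdateFinish repeats the same check for the same request, so a rejected upload calls `WebApi.checkCredentials(request)` many times. Its body is not part of this patch; if it sends the 401 itself, confirm that repeated calls on one request are harmless, and if it does not, both early `return`s leave the client without any response. Keeping the check ahead of the `if (!index)` branch is the right order, since it stops an unauthenticated request before the first-chunk handling, and a comment such as `// checked on every chunk: unauthenticated data must never reach the updater` would record that. Both function bodies continue outside their hunks.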
@@ -99,8 +99,7 @@ const router = createRouter({
 router.beforeEach((to, from, next) => {
 // redirect to login page if not logged in and trying to access a restricted page
- const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt',
- '/firmware/upgrade', ];
+ const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', ];
 const authRequired = !publicPages.includes(to.path);
 const loggedIn = localStorage.getItem('user');
diff --git a/webapp/src/views/FirmwareUpgradeView.vue b/webapp/src/views/FirmwareUpgradeView.vue
index 7e4958e..f9a7b42 100644
--- a/webapp/src/views/FirmwareUpgradeView.vue
+++ b/webapp/src/views/FirmwareUpgradeView.vue
@@ -77,6 +77,7 @@ import {
 BIconArrowRepeat,
 BIconCheckCircle
 } from 'bootstrap-icons-vue';
+import { authHeader } from '@/utils/authentication';
 export default defineComponent({
 components: {
@@ -160,6 +161,9 @@ export default defineComponent({
 formData.append("MD5", (md5 as string));
 formData.append("firmware", this.file, "firmware");
 request.open("post", "/api/firmware/update");
+ authHeader().forEach((value, key) => {
+ request.setRequestHeader(key, value);
+ });
 request.send(formData);
 })
 .catch(() => {
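Review bot: Dropping `/firmware/upgrade` from `publicPages` only changes what the UI shows: `loggedIn` is just the presence of a `user` entry in localStorage, which anyone with the page open can set, so this guard is not an access control. The enforcement is the server-side credential check added in WebApi_firmware.cpp in this same patch, and I would say so next to the list, e.g. `// UI redirect only; the API endpoints enforce credentials themselves`. The allow-list direction is good, because any route not listed defaults to requiring login. The beforeEach callback continues outside the hunk.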
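Review bot: A rejected upload is not handled anywhere in this hunk: now that `/api/firmware/update` requires credentials, a stale or missing stored credential produces an authentication failure rather than an upload error. The load and error handlers for `request` are outside the hunk, so check that they treat a 401 status separately, for example by sending the user to `/login`, instead of reporting a failed flash. A short comment above the loop, such as `// firmware API is password protected; attach the stored credentials`, would explain why this request sets headers by hand. If the device is served over plain HTTP (not visible here), these headers expose the password on every upload, which is worth stating in the docs.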