Password protection for firmware update API

src/WebApi_firmware.cpp

@@ -7,6 +7,7 @@
 #include "AsyncJson.h"
 #include "Configuration.h"
 #include "Update.h"
+#include "WebApi.h"
 #include "helper.h"
 
 void WebApiFirmwareClass::init(AsyncWebServer* server)
@@ -31,6 +32,10 @@ void WebApiFirmwareClass::loop()
 
 void WebApiFirmwareClass::onFirmwareUpdateFinish(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     // the request handler is triggered after the upload has finished...
     // create the response, add header, and send response
 
@@ -46,6 +51,10 @@ void WebApiFirmwareClass::onFirmwareUpdateFinish(AsyncWebServerRequest* request)
 
 void WebApiFirmwareClass::onFirmwareUpdateUpload(AsyncWebServerRequest* request, String filename, size_t index, uint8_t* data, size_t len, bool final)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     // Upload handler chunks in data
     if (!index) {
         if (!request->hasParam("MD5", true)) {

webapp/src/router/index.ts

@@ -99,8 +99,7 @@ const router = createRouter({
 
 router.beforeEach((to, from, next) => {
     // redirect to login page if not logged in and trying to access a restricted page
-    const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt',
+    const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', ];
-        '/firmware/upgrade', ];
     const authRequired = !publicPages.includes(to.path);
     const loggedIn = localStorage.getItem('user');
 

webapp/src/views/FirmwareUpgradeView.vue

@@ -77,6 +77,7 @@ import {
     BIconArrowRepeat,
     BIconCheckCircle
 } from 'bootstrap-icons-vue';
+import { authHeader } from '@/utils/authentication';
 
 export default defineComponent({
     components: {
@@ -160,6 +161,9 @@ export default defineComponent({
                     formData.append("MD5", (md5 as string));
                     formData.append("firmware", this.file, "firmware");
                     request.open("post", "/api/firmware/update");
+                    authHeader().forEach((value, key) => {
+                        request.setRequestHeader(key, value);
+                    });
                     request.send(formData);
                 })
                 .catch(() => {