From 3a2f73a2b3b2d8c074fa32c1a893cf6ab730ddfb Mon Sep 17 00:00:00 2001
From: Thomas Basler
Date: Thu, 3 Nov 2022 21:20:12 +0100
Subject: [PATCH] Password protection for ntp settings API
---
 src/WebApi_ntp.cpp | 17 +++++++++++++++++
 webapp/src/router/index.ts | 2 +-
 webapp/src/views/NtpAdminView.vue | 27 +++++++++------------------
 3 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/src/WebApi_ntp.cpp b/src/WebApi_ntp.cpp
index 5f2bae7..6b7d04d 100644
--- a/src/WebApi_ntp.cpp
+++ b/src/WebApi_ntp.cpp
@@ -7,6 +7,7 @@
 #include "AsyncJson.h"
 #include "Configuration.h"
 #include "NtpSettings.h"
+#include "WebApi.h"
 #include "helper.h"
 void WebApiNtpClass::init(AsyncWebServer* server)
@@ -52,6 +53,10 @@ void WebApiNtpClass::onNtpStatus(AsyncWebServerRequest* request)
 void WebApiNtpClass::onNtpAdminGet(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 AsyncJsonResponse* response = new AsyncJsonResponse();
 JsonObject root = response->getRoot();
 const CONFIG_T& config = Configuration.get();
@@ -66,6 +71,10 @@ void WebApiNtpClass::onNtpAdminGet(AsyncWebServerRequest* request)
 void WebApiNtpClass::onNtpAdminPost(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 AsyncJsonResponse* response = new AsyncJsonResponse();
 JsonObject retMsg = response->getRoot();
 retMsg[F("type")] = F("warning");
@@ -142,6 +151,10 @@ void WebApiNtpClass::onNtpAdminPost(AsyncWebServerRequest* request)
 void WebApiNtpClass::onNtpTimeGet(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 AsyncJsonResponse* response = new AsyncJsonResponse();
 JsonObject root = response->getRoot();
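Review bot: In `onNtpAdminGet` the new guard returns without sending anything itself, so an unauthenticated request is only answered if `WebApi.checkCredentials()` has already sent the 401 before returning false; that function is not part of this patch, so confirm it and say so at the call, e.g. `// checkCredentials() has already sent the 401 response`. The same four lines are repeated in `onNtpAdminPost`, `onNtpTimeGet` and `onNtpTimePost`, so any handler added later is open unless its author remembers the guard. If the server library allows it, attaching the check once where the routes are registered in `init()` would make protection the default rather than an opt-in. All four handler bodies continue outside their hunks.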
@@ -165,6 +178,10 @@ void WebApiNtpClass::onNtpTimeGet(AsyncWebServerRequest* request)
 void WebApiNtpClass::onNtpTimePost(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
 AsyncJsonResponse* response = new AsyncJsonResponse();
 JsonObject retMsg = response->getRoot();
 retMsg[F("type")] = F("warning");
diff --git a/webapp/src/router/index.ts b/webapp/src/router/index.ts
index f4d6c7b..357f525 100644
--- a/webapp/src/router/index.ts
+++ b/webapp/src/router/index.ts
@@ -100,7 +100,7 @@ const router = createRouter({
 router.beforeEach((to, from, next) => {
 // redirect to login page if not logged in and trying to access a restricted page
 const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt',
- '/settings/ntp', '/settings/mqtt', '/settings/inverter', '/firmware/upgrade', '/settings/config', ];
+ '/settings/mqtt', '/settings/inverter', '/firmware/upgrade', '/settings/config', ];
 const authRequired = !publicPages.includes(to.path);
 const loggedIn = localStorage.getItem('user');
diff --git a/webapp/src/views/NtpAdminView.vue b/webapp/src/views/NtpAdminView.vue
index 138edc9..3b8315e 100644
--- a/webapp/src/views/NtpAdminView.vue
+++ b/webapp/src/views/NtpAdminView.vue
@@ -75,6 +75,7 @@
 import { defineComponent } from 'vue';
 import BasePage from '@/components/BasePage.vue';
 import BootstrapAlert from "@/components/BootstrapAlert.vue";
+import { handleResponse, authHeader } from '@/utils/authentication';
 import type { NtpConfig } from "@/types/NtpConfig";
 export default defineComponent({
@@ -127,8 +128,8 @@ export default defineComponent({
 },
 getNtpConfig() {
 this.dataLoading = true;
- fetch("/api/ntp/config")
- .then((response) => response.json())
+ fetch("/api/ntp/config", { headers: authHeader() })
+ .then(handleResponse)
 .then(
 (data) => {
 this.ntpConfigList = data;
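Review bot: `publicPages` still lists `/settings/mqtt`, `/settings/inverter`, `/firmware/upgrade` and `/settings/config` after this change, so those views remain reachable without login; whether their API handlers call `checkCredentials` is not visible in this patch, and firmware upload and configuration are at least as sensitive as the NTP settings. The guard itself only reads `localStorage.getItem('user')`, a value any visitor can set by hand, so it is navigation convenience and the server-side check is the real boundary. A comment above the array would keep that explicit: `// UI routing only: every API behind a non-public page must enforce credentials on the server`. The `beforeEach` callback continues outside the hunk.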
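Review bot: In `getNtpConfig`, `.then(handleResponse)` presumably turns a 401 or other non-OK reply into a rejected promise, and no rejection handler is visible in this hunk, so the `dataLoading = true` set just above may never be cleared and the view would stay in its loading state. `handleResponse` comes from `@/utils/authentication` and is not shown, so confirm what it does on 401 (reject, clear the stored user, redirect to login). If the chain has no `.catch` further down, add one that resets `this.dataLoading = false`. The same applies to `getCurrentTime` in the next hunk; both methods continue outside their hunks.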
@@ -142,8 +143,8 @@ export default defineComponent({
 },
 getCurrentTime() {
 this.dataLoading = true;
- fetch("/api/ntp/time")
- .then((response) => response.json())
+ fetch("/api/ntp/time", { headers: authHeader() })
+ .then(handleResponse)
 .then(
 (data) => {
 this.mcuTime = new Date(
@@ -168,15 +169,10 @@ export default defineComponent({
 fetch("/api/ntp/time", {
 method: "POST",
+ headers: authHeader(),
 body: formData,
 })
- .then(function (response) {
- if (response.status != 200) {
- throw response.status;
- } else {
- return response.json();
- }
- })
+ .then(handleResponse)
 .then(
 (response) => {
 this.alertMessage = response.message;
@@ -196,15 +192,10 @@ export default defineComponent({
 fetch("/api/ntp/config", {
 method: "POST",
+ headers: authHeader(),
 body: formData,
 })
- .then(function (response) {
- if (response.status != 200) {
- throw response.status;
- } else {
- return response.json();
- }
- })
+ .then(handleResponse)
 .then(
 (response) => {
 this.alertMessage = response.message;
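Review bot: The inline `response.status != 200` check removed from the POST to `/api/ntp/time` was the only visible place where a failed request became an error, so `handleResponse` now has to reject on every non-OK status; otherwise a 401 body would reach `this.alertMessage = response.message` as if it were a normal result. `headers: authHeader()` is also sent with a `FormData` body, and if that helper ever sets `Content-Type` the browser can no longer add the multipart boundary, so it should return only the authorization-related headers. Neither helper is shown in this patch. The same pair of changes is made for `/api/ntp/config` in the following hunk, and both methods continue outside their hunks.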