From 510f0c59f95bfd9bb66b3398bb000343b2002996 Mon Sep 17 00:00:00 2001 From: Thomas Basler Date: Tue, 22 Nov 2022 23:40:19 +0100 Subject: [PATCH] Implement readonly security for API endpoints --- include/WebApi.h | 1 + src/WebApi.cpp | 10 ++++++++++ src/WebApi_devinfo.cpp | 5 +++++ src/WebApi_eventlog.cpp | 5 +++++ src/WebApi_limit.cpp | 4 ++++ src/WebApi_mqtt.cpp | 4 ++++ src/WebApi_network.cpp | 4 ++++ src/WebApi_ntp.cpp | 4 ++++ src/WebApi_power.cpp | 4 ++++ src/WebApi_sysstatus.cpp | 5 +++++ src/WebApi_ws_live.cpp | 5 +++++ 11 files changed, 51 insertions(+) diff --git a/include/WebApi.h b/include/WebApi.h index 5c8927f..1d6c864 100644 --- a/include/WebApi.h +++ b/include/WebApi.h @@ -27,6 +27,7 @@ public: void loop(); static bool checkCredentials(AsyncWebServerRequest* request); + static bool checkCredentialsReadonly(AsyncWebServerRequest* request); private: AsyncWebServer _server; diff --git a/src/WebApi.cpp b/src/WebApi.cpp index 37941c2..5076ce4 100644 --- a/src/WebApi.cpp +++ b/src/WebApi.cpp @@ -77,4 +77,14 @@ bool WebApiClass::checkCredentials(AsyncWebServerRequest* request) return false; } +bool WebApiClass::checkCredentialsReadonly(AsyncWebServerRequest* request) +{ + CONFIG_T& config = Configuration.get(); + if (config.Security_AllowReadonly) { + return true; + } else { + return checkCredentials(request); + } +} + WebApiClass WebApi; \ No newline at end of file diff --git a/src/WebApi_devinfo.cpp b/src/WebApi_devinfo.cpp index 93f2fa7..1a29081 100644 --- a/src/WebApi_devinfo.cpp +++ b/src/WebApi_devinfo.cpp @@ -6,6 +6,7 @@ #include "ArduinoJson.h" #include "AsyncJson.h" #include "Hoymiles.h" +#include "WebApi.h" #include void WebApiDevInfoClass::init(AsyncWebServer* server) 
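Review bot: The new `checkCredentialsReadonly` declaration in WebApi.h carries no comment, so a caller cannot tell from the header that a `false` return presumably means `checkCredentials()` has already answered the request (its body is not in this diff) and the handler must return without writing anything. I would document that contract and the intended scope above the declaration: `// Like checkCredentials(), but lets anonymous requests through when Security_AllowReadonly is set. For GET/status handlers only; mutating endpoints must keep calling checkCredentials().` and `// Returns false only after checkCredentials() has rejected the request; callers return immediately.` The class body continues outside the hunk.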
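Review bot: `CONFIG_T& config = Configuration.get();` in the new `checkCredentialsReadonly` takes a mutable reference although only `Security_AllowReadonly` is read; the mqtt hunk in this same patch writes `const CONFIG_T& config = Configuration.get();`, so this line should match: `const CONFIG_T& config = Configuration.get();`. Because the flag short-circuits authentication for every endpoint wired to it, please confirm that the default value of `Security_AllowReadonly` in the configuration defaults (not part of this diff) is false, otherwise existing installations are opened to anonymous reads on upgrade. A one-line comment on the early `return true;` saying that it intentionally skips the 401 challenge would also help the next reader. Only the final `return false;` of `checkCredentials()` is visible; its start lies outside the hunk.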
@@ -23,6 +24,10 @@ void WebApiDevInfoClass::loop() void WebApiDevInfoClass::onDevInfoStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); diff --git a/src/WebApi_eventlog.cpp b/src/WebApi_eventlog.cpp index 9ba3c52..6c03fb4 100644 --- a/src/WebApi_eventlog.cpp +++ b/src/WebApi_eventlog.cpp @@ -6,6 +6,7 @@ #include "ArduinoJson.h" #include "AsyncJson.h" #include "Hoymiles.h" +#include "WebApi.h" void WebApiEventlogClass::init(AsyncWebServer* server) { @@ -22,6 +23,10 @@ void WebApiEventlogClass::loop() void WebApiEventlogClass::onEventlogStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(false, 2048); JsonObject root = response->getRoot(); diff --git a/src/WebApi_limit.cpp b/src/WebApi_limit.cpp index 00880c3..3195d40 100644 --- a/src/WebApi_limit.cpp +++ b/src/WebApi_limit.cpp @@ -24,6 +24,10 @@ void WebApiLimitClass::loop() void WebApiLimitClass::onLimitStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); diff --git a/src/WebApi_mqtt.cpp b/src/WebApi_mqtt.cpp index 3083851..5431024 100644 --- a/src/WebApi_mqtt.cpp +++ b/src/WebApi_mqtt.cpp @@ -28,6 +28,10 @@ void WebApiMqttClass::loop() void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(false, MQTT_JSON_DOC_SIZE); JsonObject root = response->getRoot(); const CONFIG_T& config = Configuration.get(); diff --git a/src/WebApi_network.cpp b/src/WebApi_network.cpp index 4c3cf2b..c5a3484 100644 --- a/src/WebApi_network.cpp +++ b/src/WebApi_network.cpp 
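Review bot: `onMqttStatus` builds its response from `const CONFIG_T& config = Configuration.get();` (the line right after the new gate), and with `Security_AllowReadonly` enabled that response now goes to unauthenticated clients; if any field mirrors the configured broker credentials (username, password) they are disclosed without a login. The serialisation is outside the hunk so I cannot confirm what is emitted — please check, and record the new trust boundary for future maintainers: `// Served without authentication when Security_AllowReadonly is set: report connection state only, never MQTT credentials.` The ntp status handler later in this patch also reads the configuration after its gate and deserves the same check. The handler body continues past the last hunk line.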
@@ -27,6 +27,10 @@ void WebApiNetworkClass::loop() void WebApiNetworkClass::onNetworkStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); diff --git a/src/WebApi_ntp.cpp b/src/WebApi_ntp.cpp index b019d23..a2d1e93 100644 --- a/src/WebApi_ntp.cpp +++ b/src/WebApi_ntp.cpp @@ -29,6 +29,10 @@ void WebApiNtpClass::loop() void WebApiNtpClass::onNtpStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); const CONFIG_T& config = Configuration.get(); diff --git a/src/WebApi_power.cpp b/src/WebApi_power.cpp index 413bc0f..22591c0 100644 --- a/src/WebApi_power.cpp +++ b/src/WebApi_power.cpp @@ -24,6 +24,10 @@ void WebApiPowerClass::loop() void WebApiPowerClass::onPowerStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); diff --git a/src/WebApi_sysstatus.cpp b/src/WebApi_sysstatus.cpp index 2d6b298..ce7c21a 100644 --- a/src/WebApi_sysstatus.cpp +++ b/src/WebApi_sysstatus.cpp @@ -7,6 +7,7 @@ #include "AsyncJson.h" #include "Configuration.h" #include "NetworkSettings.h" +#include "WebApi.h" #include #include #include @@ -30,6 +31,10 @@ void WebApiSysstatusClass::loop() void WebApiSysstatusClass::onSystemStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(); JsonObject root = response->getRoot(); diff --git a/src/WebApi_ws_live.cpp b/src/WebApi_ws_live.cpp index 35f94d5..166fdea 100644 --- a/src/WebApi_ws_live.cpp +++ b/src/WebApi_ws_live.cpp 
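Review bot: `onSystemStatus` becomes reachable without credentials whenever `Security_AllowReadonly` is set, and system-status payloads are the usual source of device fingerprinting data (firmware version, chip/SDK details, the hostname available through the included NetworkSettings.h); the hunk does not show what this one serialises, so the actual exposure cannot be judged here. I would at least state the boundary in the handler so nobody later adds configuration values to it: `// Anonymous when Security_AllowReadonly is set: keep this payload to non-sensitive runtime/version data.` The same comment fits the network and ntp status handlers earlier on this line. The response construction continues outside the hunk.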
@@ -6,6 +6,7 @@ #include "AsyncJson.h" #include "Configuration.h" #include "defaults.h" +#include "WebApi.h" WebApiWsLiveClass::WebApiWsLiveClass() : _ws("/livedata") @@ -200,6 +201,10 @@ void WebApiWsLiveClass::onWebsocketEvent(AsyncWebSocket* server, AsyncWebSocketC void WebApiWsLiveClass::onLivedataStatus(AsyncWebServerRequest* request) { + if (!WebApi.checkCredentialsReadonly(request)) { + return; + } + AsyncJsonResponse* response = new AsyncJsonResponse(false, 40960U); JsonVariant root = response->getRoot();
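Review bot: Only the HTTP handler `onLivedataStatus` receives the read-only gate; the class also serves live data over the websocket constructed as `_ws("/livedata")` (visible in the include hunk), and `onWebsocketEvent`, named in the hunk header, is not touched, so when `Security_AllowReadonly` is off a client may still be able to subscribe to the websocket without credentials. I cannot see how `_ws` is registered, but if the websocket handler supports a handshake/request filter the same `WebApi.checkCredentialsReadonly(request)` decision should be applied there, or the gap documented next to the `_ws` initialiser: `// NOTE: the /livedata websocket is not covered by checkCredentialsReadonly(); confirm its handshake is gated.` `onLivedataStatus`'s body continues past the last hunk line.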