Implement readonly security for API endpoints

This commit is contained in:
Thomas Basler 2022-11-22 23:40:19 +01:00
parent 4bdbcbccc5
commit 510f0c59f9
11 changed files with 51 additions and 0 deletions


@ -27,6 +27,7 @@ public:
void loop(); void loop();
static bool checkCredentials(AsyncWebServerRequest* request); static bool checkCredentials(AsyncWebServerRequest* request);
static bool checkCredentialsReadonly(AsyncWebServerRequest* request);
private: private:
AsyncWebServer _server; AsyncWebServer _server;
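Review bot: The new `checkCredentialsReadonly` declaration carries no comment explaining how it differs from `checkCredentials`, which matters because every caller uses it to decide whether to skip authentication entirely. I would put above it: `// Returns true without inspecting the request when Security_AllowReadonly is set; otherwise defers to checkCredentials().` The class body continues outside the hunk.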


@ -77,4 +77,14 @@ bool WebApiClass::checkCredentials(AsyncWebServerRequest* request)
return false; return false;
} }
bool WebApiClass::checkCredentialsReadonly(AsyncWebServerRequest* request)
{
CONFIG_T& config = Configuration.get();
if (config.Security_AllowReadonly) {
return true;
} else {
return checkCredentials(request);
}
}
WebApiClass WebApi; WebApiClass WebApi;
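Review bot: `CONFIG_T& config = Configuration.get();` in checkCredentialsReadonly binds a mutable reference to configuration it only reads; the other handlers touched by this commit use `const CONFIG_T& config = Configuration.get();`, and the if/else collapses to `return config.Security_AllowReadonly || checkCredentials(request);`. The security effect of this function is that every handler gated by it is served with no credential check at all once Security_AllowReadonly is set, so the default value of that flag, which is not part of this commit, decides whether the status endpoints are authenticated out of the box; it should default to false and be changeable only through an authenticated settings endpoint, neither of which I can confirm from this diff. The function decides purely from configuration and never looks at the request, which is fine but worth saying in a comment so nobody later assumes it validates anything.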


@ -6,6 +6,7 @@
#include "ArduinoJson.h" #include "ArduinoJson.h"
#include "AsyncJson.h" #include "AsyncJson.h"
#include "Hoymiles.h" #include "Hoymiles.h"
#include "WebApi.h"
#include <ctime> #include <ctime>
void WebApiDevInfoClass::init(AsyncWebServer* server) void WebApiDevInfoClass::init(AsyncWebServer* server)
@ -23,6 +24,10 @@ void WebApiDevInfoClass::loop()
void WebApiDevInfoClass::onDevInfoStatus(AsyncWebServerRequest* request) void WebApiDevInfoClass::onDevInfoStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();
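Review bot: The guard added to onDevInfoStatus returns silently when checkCredentialsReadonly fails, so the HTTP error answer to the client presumably comes from checkCredentials(), which is outside this diff; if that function only returns false without responding, the request is left unanswered. The same three-line guard is repeated verbatim in onEventlogStatus, onLimitStatus, onMqttStatus, onNetworkStatus, onNtpStatus, onPowerStatus, onSystemStatus and onLivedataStatus in the following hunks, so a one-line comment at each, `// Served without credentials only when Security_AllowReadonly is set.`, would make the intent visible at the call site. The handler body continues past the hunk.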


@ -6,6 +6,7 @@
#include "ArduinoJson.h" #include "ArduinoJson.h"
#include "AsyncJson.h" #include "AsyncJson.h"
#include "Hoymiles.h" #include "Hoymiles.h"
#include "WebApi.h"
void WebApiEventlogClass::init(AsyncWebServer* server) void WebApiEventlogClass::init(AsyncWebServer* server)
{ {
@ -22,6 +23,10 @@ void WebApiEventlogClass::loop()
void WebApiEventlogClass::onEventlogStatus(AsyncWebServerRequest* request) void WebApiEventlogClass::onEventlogStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(false, 2048); AsyncJsonResponse* response = new AsyncJsonResponse(false, 2048);
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();


@ -24,6 +24,10 @@ void WebApiLimitClass::loop()
void WebApiLimitClass::onLimitStatus(AsyncWebServerRequest* request) void WebApiLimitClass::onLimitStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();


@ -28,6 +28,10 @@ void WebApiMqttClass::loop()
void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request) void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(false, MQTT_JSON_DOC_SIZE); AsyncJsonResponse* response = new AsyncJsonResponse(false, MQTT_JSON_DOC_SIZE);
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();
const CONFIG_T& config = Configuration.get(); const CONFIG_T& config = Configuration.get();
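Review bot: onMqttStatus reads the configuration immediately after the new readonly guard, so whatever configuration fields it serializes further down (outside the hunk) become readable without credentials once Security_AllowReadonly is enabled. Worth confirming that the serialized subset contains no credential-like fields the MQTT configuration may hold; the NTP status handler in a later hunk reads the configuration the same way and deserves the same check. A comment at the config read, `// Readonly access: emit only non-sensitive MQTT settings.`, would pin that expectation for future edits.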


@ -27,6 +27,10 @@ void WebApiNetworkClass::loop()
void WebApiNetworkClass::onNetworkStatus(AsyncWebServerRequest* request) void WebApiNetworkClass::onNetworkStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();


@ -29,6 +29,10 @@ void WebApiNtpClass::loop()
void WebApiNtpClass::onNtpStatus(AsyncWebServerRequest* request) void WebApiNtpClass::onNtpStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();
const CONFIG_T& config = Configuration.get(); const CONFIG_T& config = Configuration.get();


@ -24,6 +24,10 @@ void WebApiPowerClass::loop()
void WebApiPowerClass::onPowerStatus(AsyncWebServerRequest* request) void WebApiPowerClass::onPowerStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();


@ -7,6 +7,7 @@
#include "AsyncJson.h" #include "AsyncJson.h"
#include "Configuration.h" #include "Configuration.h"
#include "NetworkSettings.h" #include "NetworkSettings.h"
#include "WebApi.h"
#include <Hoymiles.h> #include <Hoymiles.h>
#include <LittleFS.h> #include <LittleFS.h>
#include <ResetReason.h> #include <ResetReason.h>
@ -30,6 +31,10 @@ void WebApiSysstatusClass::loop()
void WebApiSysstatusClass::onSystemStatus(AsyncWebServerRequest* request) void WebApiSysstatusClass::onSystemStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(); AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot(); JsonObject root = response->getRoot();


@ -6,6 +6,7 @@
#include "AsyncJson.h" #include "AsyncJson.h"
#include "Configuration.h" #include "Configuration.h"
#include "defaults.h" #include "defaults.h"
#include "WebApi.h"
WebApiWsLiveClass::WebApiWsLiveClass() WebApiWsLiveClass::WebApiWsLiveClass()
: _ws("/livedata") : _ws("/livedata")
@ -200,6 +201,10 @@ void WebApiWsLiveClass::onWebsocketEvent(AsyncWebSocket* server, AsyncWebSocketC
void WebApiWsLiveClass::onLivedataStatus(AsyncWebServerRequest* request) void WebApiWsLiveClass::onLivedataStatus(AsyncWebServerRequest* request)
{ {
if (!WebApi.checkCredentialsReadonly(request)) {
return;
}
AsyncJsonResponse* response = new AsyncJsonResponse(false, 40960U); AsyncJsonResponse* response = new AsyncJsonResponse(false, 40960U);
JsonVariant root = response->getRoot(); JsonVariant root = response->getRoot();
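Review bot: The readonly guard is added only to the HTTP handler onLivedataStatus, while the same class owns the websocket constructed as `_ws("/livedata")` and serves it from onWebsocketEvent (named in the hunk header); whether that websocket path applies the same credential rule is not visible in this diff. If it does not, the live data is reachable over the websocket regardless of Security_AllowReadonly, so the two paths should be gated consistently. onLivedataStatus continues beyond the hunk.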