Implement readonly security for API endpoints

2022-11-22 23:40:19 +01:00 · 2022-11-22 23:40:19 +01:00 · 510f0c59f9
commit 510f0c59f9
parent 4bdbcbccc5
11 changed files with 51 additions and 0 deletions
--- a/include/WebApi.h
+++ b/include/WebApi.h
@ -27,6 +27,7 @@ public:
    void loop();

    static bool checkCredentials(AsyncWebServerRequest* request);
+    static bool checkCredentialsReadonly(AsyncWebServerRequest* request);

 private:
    AsyncWebServer _server;
--- a/src/WebApi.cpp
+++ b/src/WebApi.cpp
@ -77,4 +77,14 @@ bool WebApiClass::checkCredentials(AsyncWebServerRequest* request)
    return false;
 }

+bool WebApiClass::checkCredentialsReadonly(AsyncWebServerRequest* request)
+{
+    CONFIG_T& config = Configuration.get();
+    if (config.Security_AllowReadonly) {
+        return true;
+    } else {
+        return checkCredentials(request);
+    }
+}
+
 WebApiClass WebApi;
--- a/src/WebApi_devinfo.cpp
+++ b/src/WebApi_devinfo.cpp
@ -6,6 +6,7 @@
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
 #include "Hoymiles.h"
+#include "WebApi.h"
 #include <ctime>

 void WebApiDevInfoClass::init(AsyncWebServer* server)
@ -23,6 +24,10 @@ void WebApiDevInfoClass::loop()

 void WebApiDevInfoClass::onDevInfoStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();

--- a/src/WebApi_eventlog.cpp
+++ b/src/WebApi_eventlog.cpp
@ -6,6 +6,7 @@
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
 #include "Hoymiles.h"
+#include "WebApi.h"

 void WebApiEventlogClass::init(AsyncWebServer* server)
 {
@ -22,6 +23,10 @@ void WebApiEventlogClass::loop()

 void WebApiEventlogClass::onEventlogStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse(false, 2048);
    JsonObject root = response->getRoot();

--- a/src/WebApi_limit.cpp
+++ b/src/WebApi_limit.cpp
@ -24,6 +24,10 @@ void WebApiLimitClass::loop()

 void WebApiLimitClass::onLimitStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();

--- a/src/WebApi_mqtt.cpp
+++ b/src/WebApi_mqtt.cpp
@ -28,6 +28,10 @@ void WebApiMqttClass::loop()

 void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse(false, MQTT_JSON_DOC_SIZE);
    JsonObject root = response->getRoot();
    const CONFIG_T& config = Configuration.get();
--- a/src/WebApi_network.cpp
+++ b/src/WebApi_network.cpp
@ -27,6 +27,10 @@ void WebApiNetworkClass::loop()

 void WebApiNetworkClass::onNetworkStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();

--- a/src/WebApi_ntp.cpp
+++ b/src/WebApi_ntp.cpp
@ -29,6 +29,10 @@ void WebApiNtpClass::loop()

 void WebApiNtpClass::onNtpStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();
    const CONFIG_T& config = Configuration.get();
--- a/src/WebApi_power.cpp
+++ b/src/WebApi_power.cpp
@ -24,6 +24,10 @@ void WebApiPowerClass::loop()

 void WebApiPowerClass::onPowerStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();

--- a/src/WebApi_sysstatus.cpp
+++ b/src/WebApi_sysstatus.cpp
@ -7,6 +7,7 @@
 #include "AsyncJson.h"
 #include "Configuration.h"
 #include "NetworkSettings.h"
+#include "WebApi.h"
 #include <Hoymiles.h>
 #include <LittleFS.h>
 #include <ResetReason.h>
@ -30,6 +31,10 @@ void WebApiSysstatusClass::loop()

 void WebApiSysstatusClass::onSystemStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse();
    JsonObject root = response->getRoot();

--- a/src/WebApi_ws_live.cpp
+++ b/src/WebApi_ws_live.cpp
@ -6,6 +6,7 @@
 #include "AsyncJson.h"
 #include "Configuration.h"
 #include "defaults.h"
+#include "WebApi.h"

 WebApiWsLiveClass::WebApiWsLiveClass()
    : _ws("/livedata")
@ -200,6 +201,10 @@ void WebApiWsLiveClass::onWebsocketEvent(AsyncWebSocket* server, AsyncWebSocketC

 void WebApiWsLiveClass::onLivedataStatus(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
    AsyncJsonResponse* response = new AsyncJsonResponse(false, 40960U);
    JsonVariant root = response->getRoot();