From e0b069ff3da978c370157996870096e738e392ab Mon Sep 17 00:00:00 2001
From: Thomas Basler <thomas@familie-basler.net>
Date: Tue, 8 Nov 2022 18:34:00 +0100
Subject: [PATCH] Password protection for limit/power settings API

---
 src/WebApi_limit.cpp          |  5 +++++
 src/WebApi_power.cpp          |  5 +++++
 webapp/src/views/HomeView.vue | 32 ++++++++++++++++----------------
 3 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/src/WebApi_limit.cpp b/src/WebApi_limit.cpp
index 33bcd40..00880c3 100644
--- a/src/WebApi_limit.cpp
+++ b/src/WebApi_limit.cpp
@@ -6,6 +6,7 @@
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
 #include "Hoymiles.h"
+#include "WebApi.h"
 
 void WebApiLimitClass::init(AsyncWebServer* server)
 {
@@ -54,6 +55,10 @@ void WebApiLimitClass::onLimitStatus(AsyncWebServerRequest* request)
 
 void WebApiLimitClass::onLimitPost(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     AsyncJsonResponse* response = new AsyncJsonResponse();
     JsonObject retMsg = response->getRoot();
     retMsg[F("type")] = F("warning");
diff --git a/src/WebApi_power.cpp b/src/WebApi_power.cpp
index 8e3c2bc..413bc0f 100644
--- a/src/WebApi_power.cpp
+++ b/src/WebApi_power.cpp
@@ -6,6 +6,7 @@
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
 #include "Hoymiles.h"
+#include "WebApi.h"
 
 void WebApiPowerClass::init(AsyncWebServer* server)
 {
@@ -47,6 +48,10 @@ void WebApiPowerClass::onPowerStatus(AsyncWebServerRequest* request)
 
 void WebApiPowerClass::onPowerPost(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     AsyncJsonResponse* response = new AsyncJsonResponse();
     JsonObject retMsg = response->getRoot();
     retMsg[F("type")] = F("warning");
diff --git a/webapp/src/views/HomeView.vue b/webapp/src/views/HomeView.vue
index 60d655a..56239e4 100644
--- a/webapp/src/views/HomeView.vue
+++ b/webapp/src/views/HomeView.vue
@@ -50,7 +50,7 @@
                             </div>
                             <div class="btn-toolbar p-2" role="toolbar">
                                 <div class="btn-group me-2" role="group">
-                                    <button type="button" class="btn btn-sm btn-danger"
+                                    <button :disabled="!isLogged" type="button" class="btn btn-sm btn-danger"
                                         @click="onShowLimitSettings(inverter.serial)" title="Show / Set Inverter Limit">
                                         <BIconSpeedometer style="font-size:24px;" />
 
@@ -58,7 +58,7 @@
                                 </div>
 
                                 <div class="btn-group me-2" role="group">
-                                    <button type="button" class="btn btn-sm btn-danger"
+                                    <button :disabled="!isLogged" type="button" class="btn btn-sm btn-danger"
                                         @click="onShowPowerSettings(inverter.serial)" title="Turn Inverter on/off">
                                         <BIconPower style="font-size:24px;" />
 
@@ -337,6 +337,7 @@ import type { EventlogItems } from '@/types/EventlogStatus';
 import type { LiveData, Inverter } from '@/types/LiveDataStatus';
 import type { LimitStatus } from '@/types/LimitStatus';
 import type { LimitConfig } from '@/types/LimitConfig';
+import { isLoggedIn, handleResponse, authHeader } from '@/utils/authentication';
 import { formatNumber } from '@/utils';
 
 export default defineComponent({
@@ -360,6 +361,8 @@ export default defineComponent({
     },
     data() {
         return {
+            isLogged: this.isLoggedIn(),
+
             socket: {} as WebSocket,
             heartInterval: 0,
             dataAgeInterval: 0,
@@ -402,6 +405,12 @@ export default defineComponent({
         this.getInitialData();
         this.initSocket();
         this.initDataAgeing();
+        this.$emitter.on("logged-in", () => {
+            this.isLogged = this.isLoggedIn();
+        });
+        this.$emitter.on("logged-out", () => {
+            this.isLogged = this.isLoggedIn();
+        });
     },
     mounted() {
         this.eventLogView = new bootstrap.Modal('#eventView');
@@ -445,6 +454,7 @@ export default defineComponent({
     },
     methods: {
         formatNumber,
+        isLoggedIn,
         getInitialData() {
             this.dataLoading = true;
             fetch("/api/livedata/status")
@@ -564,15 +574,10 @@ export default defineComponent({
 
             fetch("/api/limit/config", {
                 method: "POST",
+                headers: authHeader(),
                 body: formData,
             })
-                .then(function (response) {
-                    if (response.status != 200) {
-                        throw response.status;
-                    } else {
-                        return response.json();
-                    }
-                })
+                .then((response) => handleResponse(response, this.$emitter))
                 .then(
                     (response) => {
                         if (response.type == "success") {
@@ -639,15 +644,10 @@ export default defineComponent({
 
             fetch("/api/power/config", {
                 method: "POST",
+                headers: authHeader(),
                 body: formData,
             })
-                .then(function (response) {
-                    if (response.status != 200) {
-                        throw response.status;
-                    } else {
-                        return response.json();
-                    }
-                })
+                .then((response) => handleResponse(response, this.$emitter))
                 .then(
                     (response) => {
                         if (response.type == "success") {