add WebUI basic auth

softwarecrash · Nov 1, 2023 · f5971fc · f5971fc
1 parent d46cd1e
commit f5971fc
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/src/Settings.h b/src/Settings.h
@@ -8,7 +8,7 @@
 class Settings
 {
   // change eeprom config version ONLY when new parameter is added and need reset the parameter
-  unsigned int configVersion = 10;
+  unsigned int configVersion = 11;
 
 public:
   String deviceNameStr;
@@ -26,6 +26,8 @@ class Settings
     unsigned int deviceQuantity; // Quantity of Devices
     bool mqttJson;               // switch between classic mqtt and json
     bool webUIdarkmode;          // Flag for color mode in webUI
+    char httpUser[40];           // http basic auth username
+    char httpPass[40];           // http basic auth password
   } data;
 
   void load()
@@ -103,6 +105,14 @@ class Settings
     {
       data.webUIdarkmode = false;
     }
+    if (strlen(data.httpUser) == 0 || strlen(data.httpUser) >= 40)
+    {
+      strcpy(data.httpUser, "");
+    }
+    if (strlen(data.httpPass) == 0 || strlen(data.httpPass) >= 40)
+    {
+      strcpy(data.httpPass, "");
+    }
   }
   void coVersCheck()
   {
@@ -120,6 +130,8 @@ class Settings
       data.mqttRefresh = 300;
       data.mqttJson = false;
       data.webUIdarkmode = false;
+      strcpy(data.httpUser, "");
+      strcpy(data.httpPass, "");
 
       save();
       load();

diff --git a/src/htmlProzessor.h b/src/htmlProzessor.h
@@ -38,5 +38,9 @@ String htmlProcessor(const String &var)
         return (_settings.data.webUIdarkmode ? "dark" : "light");
     if (var == F("pre_webuidarkmode"))
         return (_settings.data.webUIdarkmode ? "checked" : "");
+    if (var == F("pre_http_user"))
+        return (_settings.data.httpUser);
+    if (var == F("pre_http_pass"))
+        return (_settings.data.httpPass);
     return String();
 }
diff --git a/src/main.cpp b/src/main.cpp
@@ -234,29 +234,34 @@ void setup()
 
     server.on("/", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+      if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
       AsyncWebServerResponse *response = request->beginResponse_P(200, "text/html", HTML_MAIN, htmlProcessor);
       request->send(response); });
 
     server.on("/livejson", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
                 AsyncResponseStream *response = request->beginResponseStream("application/json");
                 serializeJson(liveJson, *response);
                 request->send(response); });
 
     server.on("/reboot", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
                 AsyncWebServerResponse *response = request->beginResponse_P(200, "text/html", HTML_REBOOT, htmlProcessor);
                 request->send(response);
                 restartNow = true;
                 RestartTimer = millis(); });
 
     server.on("/confirmreset", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
       AsyncWebServerResponse *response = request->beginResponse_P(200, "text/html", HTML_CONFIRM_RESET, htmlProcessor);
       request->send(response); });
 
     server.on("/reset", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
                 AsyncWebServerResponse *response = request->beginResponse(200, "text/plain", "Device is Erasing...");
                 response->addHeader("Refresh", "15; url=/");
                 response->addHeader("Connection", "close");
@@ -268,16 +273,19 @@ void setup()
 
     server.on("/settings", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
       AsyncWebServerResponse *response = request->beginResponse_P(200, "text/html", HTML_SETTINGS, htmlProcessor);
       request->send(response); });
 
     server.on("/settingsedit", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
       AsyncWebServerResponse *response = request->beginResponse_P(200, "text/html", HTML_SETTINGS_EDIT, htmlProcessor);
       request->send(response); });
 
     server.on("/settingssave", HTTP_POST, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
                 strncpy(_settings.data.mqttServer, request->arg("post_mqttServer").c_str(), 40);
                 _settings.data.mqttPort = request->arg("post_mqttPort").toInt();
                 strncpy(_settings.data.mqttUser, request->arg("post_mqttUser").c_str(), 40);
@@ -289,11 +297,16 @@ void setup()
                 _settings.data.mqttJson = (request->arg("post_mqttjson") == "true") ? true : false;
                 strncpy(_settings.data.mqttTriggerPath, request->arg("post_mqtttrigger").c_str(), 80);
                 _settings.data.webUIdarkmode = (request->arg("post_webuicolormode") == "true") ? true : false;
+
+                strncpy(_settings.data.httpUser, request->arg("post_httpUser").c_str(), 40);
+                strncpy(_settings.data.httpPass, request->arg("post_httpPass").c_str(), 40);
+
                 _settings.save();
                 request->redirect("/reboot"); });
 
     server.on("/set", HTTP_GET, [](AsyncWebServerRequest *request)
               {
+                if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
       AsyncWebParameter *p = request->getParam(0);
       String resultMsg = "message received";
       if (p->name() == "datetime")
@@ -357,6 +370,7 @@ void setup()
     server.on(
         "/update", HTTP_POST, [](AsyncWebServerRequest *request)
         {
+          if(strlen(_settings.data.httpUser) > 0 && !request->authenticate(_settings.data.httpUser, _settings.data.httpPass)) return request->requestAuthentication();
     //https://gist.github.com/JMishou/60cb762047b735685e8a09cd2eb42a60
     // the request handler is triggered after the upload has finished... 
     // create the response, add header, and send response

diff --git a/src/webpages/HTML_SETTINGS_EDIT.html b/src/webpages/HTML_SETTINGS_EDIT.html
@@ -63,6 +63,17 @@ <h1>Edit Configuration</h1>
         </div>
     </div>
 
+    <div class="input-group mb-2">
+        <span class="input-group-text w-50" id="httpUserdesc">HTTP Username</span>
+        <input type="text" class="form-control" aria-describedby="httpUserdesc" id="httpUser" name="post_httpUser" maxlength="40"
+            maxlength="35" value="%pre_http_user%">
+    </div>
+    <div class="input-group mb-2">
+        <span class="input-group-text w-50" id="httpPassdesc">HTTP Password</span>
+        <input type="password" class="form-control" aria-describedby="httpPassdesc" id="httpPass" name="post_httpPass" maxlength="40"
+            maxlength="35" value="%pre_http_pass%">
+    </div>
+
 
     <div class="d-grid gap-2">
         <input class="btn btn-primary" type="submit" value="Save settings">