Password protection for vedirect settings API

helgeerbe · Nov 19, 2022 · 2c6dff3 · 2c6dff3
1 parent f35395e
commit 2c6dff3
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 5 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,3 +1,7 @@
 {
-    "C_Cpp.clang_format_style": "WebKit"
+    "C_Cpp.clang_format_style": "WebKit",
+    "files.associations": {
+        "*.tcc": "cpp",
+        "algorithm": "cpp"
+    }
 }
diff --git a/include/WebApi_vedirect.h b/include/WebApi_vedirect.h
@@ -3,6 +3,7 @@
 
 #include <ESPAsyncWebServer.h>
 
+
 class WebApiVedirectClass {
 public:
     void init(AsyncWebServer* server);

diff --git a/src/WebApi_vedirect.cpp b/src/WebApi_vedirect.cpp
@@ -7,6 +7,7 @@
 #include "ArduinoJson.h"
 #include "AsyncJson.h"
 #include "Configuration.h"
+#include "WebApi.h"
 #include "helper.h"
 
 void WebApiVedirectClass::init(AsyncWebServer* server)
@@ -28,7 +29,7 @@ void WebApiVedirectClass::onVedirectStatus(AsyncWebServerRequest* request)
 {
     AsyncJsonResponse* response = new AsyncJsonResponse();
     JsonObject root = response->getRoot();
-    CONFIG_T& config = Configuration.get();
+    const CONFIG_T& config = Configuration.get();
 
     root[F("vedirect_enabled")] = config.Vedirect_Enabled;
     root[F("vedirect_pollinterval")] = config.Vedirect_PollInterval;
@@ -40,9 +41,13 @@ void WebApiVedirectClass::onVedirectStatus(AsyncWebServerRequest* request)
 
 void WebApiVedirectClass::onVedirectAdminGet(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     AsyncJsonResponse* response = new AsyncJsonResponse();
     JsonObject root = response->getRoot();
-    CONFIG_T& config = Configuration.get();
+    const CONFIG_T& config = Configuration.get();
 
     root[F("vedirect_enabled")] = config.Vedirect_Enabled;
     root[F("vedirect_pollinterval")] = config.Vedirect_PollInterval;
@@ -54,6 +59,10 @@ void WebApiVedirectClass::onVedirectAdminGet(AsyncWebServerRequest* request)
 
 void WebApiVedirectClass::onVedirectAdminPost(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentials(request)) {
+        return;
+    }
+
     AsyncJsonResponse* response = new AsyncJsonResponse();
     JsonObject retMsg = response->getRoot();
     retMsg[F("type")] = F("warning");

diff --git a/webapp/src/router/index.ts b/webapp/src/router/index.ts
@@ -111,7 +111,7 @@ const router = createRouter({
 
 router.beforeEach((to, from, next) => {
     // redirect to login page if not logged in and trying to access a restricted page
-    const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', ];
+    const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', '/info/vedirect', ];
     const authRequired = !publicPages.includes(to.path);
     const loggedIn = localStorage.getItem('user');
 

diff --git a/webapp/src/views/VedirectAdminView.vue b/webapp/src/views/VedirectAdminView.vue
@@ -74,7 +74,7 @@ export default defineComponent({
     methods: {
         getVedirectConfig() {
             this.dataLoading = true;
-            fetch("api/vedirect/config", { headers: authHeader() })
+            fetch("/api/vedirect/config", { headers: authHeader() })
                 .then((response) => handleResponse(response, this.$emitter))
                 .then((data) => {
                     this.vedirectConfigList = data;

diff --git a/webapp_dist/js/app.js.gz b/webapp_dist/js/app.js.gz