From 2c6dff3714b20718e995807d88218c5b9a1f5044 Mon Sep 17 00:00:00 2001
From: helgeerbe
Date: Sat, 19 Nov 2022 14:34:59 +0100
Subject: [PATCH] Password protection for vedirect settings API
---
.vscode/settings.json | 6 +++++-
include/WebApi_vedirect.h | 1 +
src/WebApi_vedirect.cpp | 13 +++++++++++--
webapp/src/router/index.ts | 2 +-
webapp/src/views/VedirectAdminView.vue | 2 +-
webapp_dist/js/app.js.gz | Bin 116774 -> 116771 bytes
6 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/.vscode/settings.json b/.vscode/settings.json
index ed5966875..012b4c280 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,7 @@
{
- "C_Cpp.clang_format_style": "WebKit"
+ "C_Cpp.clang_format_style": "WebKit",
+ "files.associations": {
+ "*.tcc": "cpp",
+ "algorithm": "cpp"
+ }
}
\ No newline at end of file
diff --git a/include/WebApi_vedirect.h b/include/WebApi_vedirect.h
index 8359dbdc3..1dd3a3fa1 100644
--- a/include/WebApi_vedirect.h
+++ b/include/WebApi_vedirect.h
@@ -3,6 +3,7 @@
#include
+
class WebApiVedirectClass {
public:
void init(AsyncWebServer* server);
diff --git a/src/WebApi_vedirect.cpp b/src/WebApi_vedirect.cpp
index a283f3d9f..4af889b10 100644
--- a/src/WebApi_vedirect.cpp
+++ b/src/WebApi_vedirect.cpp
@@ -7,6 +7,7 @@
#include "ArduinoJson.h"
#include "AsyncJson.h"
#include "Configuration.h"
+#include "WebApi.h"
#include "helper.h"
void WebApiVedirectClass::init(AsyncWebServer* server)
@@ -28,7 +29,7 @@ void WebApiVedirectClass::onVedirectStatus(AsyncWebServerRequest* request)
{
AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot();
- CONFIG_T& config = Configuration.get();
+ const CONFIG_T& config = Configuration.get();
root[F("vedirect_enabled")] = config.Vedirect_Enabled;
root[F("vedirect_pollinterval")] = config.Vedirect_PollInterval;
@@ -40,9 +41,13 @@ void WebApiVedirectClass::onVedirectStatus(AsyncWebServerRequest* request)
void WebApiVedirectClass::onVedirectAdminGet(AsyncWebServerRequest* request)
{
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject root = response->getRoot();
- CONFIG_T& config = Configuration.get();
+ const CONFIG_T& config = Configuration.get();
root[F("vedirect_enabled")] = config.Vedirect_Enabled;
root[F("vedirect_pollinterval")] = config.Vedirect_PollInterval;
@@ -54,6 +59,10 @@ void WebApiVedirectClass::onVedirectAdminGet(AsyncWebServerRequest* request)
void WebApiVedirectClass::onVedirectAdminPost(AsyncWebServerRequest* request)
{
+ if (!WebApi.checkCredentials(request)) {
+ return;
+ }
+
AsyncJsonResponse* response = new AsyncJsonResponse();
JsonObject retMsg = response->getRoot();
retMsg[F("type")] = F("warning");
diff --git a/webapp/src/router/index.ts b/webapp/src/router/index.ts
index 5c01d0ed1..e519a4df6 100644
--- a/webapp/src/router/index.ts
+++ b/webapp/src/router/index.ts
@@ -111,7 +111,7 @@ const router = createRouter({
router.beforeEach((to, from, next) => {
// redirect to login page if not logged in and trying to access a restricted page
- const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', ];
+ const publicPages = ['/', '/login', '/about', '/info/network', '/info/system', '/info/ntp', '/info/mqtt', '/info/vedirect', ];
const authRequired = !publicPages.includes(to.path);
const loggedIn = localStorage.getItem('user');
diff --git a/webapp/src/views/VedirectAdminView.vue b/webapp/src/views/VedirectAdminView.vue
index 3a313b69b..cc66bf7d1 100644
--- a/webapp/src/views/VedirectAdminView.vue
+++ b/webapp/src/views/VedirectAdminView.vue
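Review bot: The new guards in onVedirectAdminGet (this hunk) and onVedirectAdminPost (the following hunk) return without sending a response when `WebApi.checkCredentials(request)` fails, so the client only receives a 401 if checkCredentials has already replied; that function is not part of this patch, so confirm it and record the contract at the call site, e.g. `// checkCredentials() has already sent the 401 response`. The same three-line check is now needed in every protected handler, and a handler added later without it would be open by default; consider applying the check once where the admin routes are registered in init(), which lies outside these hunks. In the lines visible here onVedirectStatus stays unauthenticated and returns the same `vedirect_enabled` and `vedirect_pollinterval` fields as the admin GET, so if the rest of the two bodies also match, only the POST guard changes what an unauthenticated client can do. Both function bodies continue past the end of their hunks.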
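Review bot: `publicPages` in the beforeEach guard is a client-side list, and the `loggedIn` test on the context line only reads the `user` entry from `localStorage`, so adding '/info/vedirect' here controls navigation, not access. The enforcement for this page is whatever the status endpoint does on the server, which this patch leaves without a credential check. A comment above the array would keep the two in step, for example `// UI routing only: every entry must map to API endpoints the server serves without WebApi.checkCredentials()`. The beforeEach callback continues outside the hunk.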
@@ -74,7 +74,7 @@ export default defineComponent({
methods: {
getVedirectConfig() {
this.dataLoading = true;
- fetch("api/vedirect/config", { headers: authHeader() })
+ fetch("/api/vedirect/config", { headers: authHeader() })
.then((response) => handleResponse(response, this.$emitter))
.then((data) => {
this.vedirectConfigList = data;
diff --git a/webapp_dist/js/app.js.gz b/webapp_dist/js/app.js.gz index 2b894a5774eca5c6aafa04d8024bcad03f4d27ad..d9ca72bfba2fe87407d69a91bff4338613b992df 100644 GIT binary patch delta 2081 zcmV++2;TRmkO!lX2Y|Ez9>9Mwpk6r5T}0Je1$ljFy~Jd99A9sBHVGByD(L@?k@lQs zQmf)Ox4rbea|#qxS-ib*QyOn?(v$^%^O|Dtw`8C%0&s4)!%C zO%%+7rYM+SHE|7=YX$R+VtAMcmRbO$i`C~Kg{KMCv@E+w&8&Y>#h1!>dsb5g=Wvp# zVlxVaixq+JY-@oq{`#stA5ql{9`bu~aqy(ME;HU~qEw-E+{q1&Prf53amKzwVnsL2 zSVlY1RJ7HMUXQh#(Oar!q6OP8%4?ug7PpzVdmXjo62q%C5<{A7U`b?yb8<_|E*3-) z_JOd^IQ!TW*vEfKQ%sF>+T4&^xzpS>w{nuaR(7m3!}7*fVV>oU6%*N(Tg^4Os@qLj z`fkEqISQIPM1jEYwnT%_ax*G~$_aFwuS3Uc2|A?wI2HNbv^3Rgc=2b#i!3zo?&3BJFW%xvcMmCH%_`x{nEt~P&3mTu(n;Zz=kqyLcNWEHUR z1c(D?rqqtAt<$z7U<~r;`?acY(Ke0olPQ^5UZU~Hg(Lb38byyMf#Q6bqa>QpfaDg| zY>WiBssv#i`To1LK&yZxv_P_z{CCs?y<9o=FPhsYNQOIr!U4r|^PT*>e>N@6m%^2vN^?l_?``mI>F7#?!VU^0sq zMe%%P?qllYiDFSx8>9$j;an-?PBVZDo1#LMnesE~;^(}kT+MMV{)FTCeOUEra?0K!c&0wEl0rZZV(XiupdK1LNk+)BczbW>x965BFYos z1X+I~|GyxDRSqqw2!y5Ay!4!IVOp(bCK+b-zi%IsWJKH4eh>z zV-^a7b!4h4lg9RDlX>72zRaE3l9%VH+4SR^iDxTCU;t5Yn0)^3F83fO$e*q?wucVO zIu}Y((QG2~?QhY<9X@aWp3LI-C)L^C_o07lRVKMU9gsK!R4n1n%b~zhz)!TzzP@(s zLvIY+cQm6hw&GAD)vRv}xCs3uVp7j|Mdpk0(kJB|xeQB%pl2&W&~MEx{c+n%KX67$ zYjW+e7hoUc640+riGeD5)vn4Q;mQ!V$nZOLwLKT!2i;gh&psSDj(uhIKSO2bTt0t< ze=ZK;2BYCq946u&UY4y$YJ8@Tud1vA0?iO+d0=R{c~;Y zLA~Xn$}y8X>$k>C*ntc)f*2xTW_-?>K~~Jf1R9>;`FyR3Rb-$Sa*X5-4!3w67z=rC zP%_pgpk^|Ib&fK_$C%78J4YZ#GxPIQ{RYPYn)Mt#!z(-549hP3xT3w65@QV>M6c4_?zf z<26wNc`$YYK=J3W!K?5mZ*sMlXyTKjDQwYZzj%W;C&@8_Y1Dt`jaW6PB&v?S1kvPQ ze(7|?$}d}q$~VyqQ`$f<)Zl-uJ~w%*(1JS!YT<6i+dr?!+Q%T0wsTJOKYl4#z#@8HN*-_ zZ5H5+R40EtemthqxQ~Ap%@~Z&finzGh{<5Eq3Qm<>O*sXN&**-3&fM<^#Hnh^ypC$ zWEtKgkseT*-`M3i3?W(=SyP^r&C7rDpkt8J)v$i9MtpdRWB!ddPjsNO2X>m%zW=DOqXdaJWZXgF6v|91?u z=QNW_6~DRdo$sAfprFda?Twq#aC?)cEcTn%6l1?71SMj2rO!#0mHuCT7sZ?kjQtEf$joyWtE3pEpHdB+u z47_QgTplz(_IyM&FL=oB$;H8w=DNgqr-@R9)^R5{I6nD~oWvRX z4ha?AG-C4N3xv_7+inmGcQ;slO*{5VluOt(^oDhM}*j7r9d5sdW6e8^&jr{269JYbuG!+{!2Osk!5P%ILOY;bM5m 
zErZD{S`@|emAQ|ZlP8KrEp3n@l!bGpkUPx)E^LYlRc6Z1q>G>PnsPPAx%d;3+H^7= zqohLLr7N~`<3Wps>kvPelQ#-pEDFkbpp52dIqZKZ^+KUq#so(*tB(oxxOK$W-KuTg z{|#!JHrv1dRoblN;EXG6;`~2U+9Xbe6{XEf5CSf^-1<(CTc5!9=e+2PTvIVkvW7HW zMO077fLARiRTNRJjH;Y92bnza!kPxj+zU?u;W=me4r&iOCZzi6t6oCOmv0?K0ySv5dOJ1gd2>8PjQ%tlL%52dxy7nm`Tbo-nn_nZY z@Hc))d}xa4wAZE1rYE<^9PrGJF$+>FHHG%CFx2l&O>!jBmyH=u(2%$hhm>zdt8+1Bh3p zbzm&yy+O%Xn}3?g4Awcy3?E}M!|WV^9L>znQ}r7h2WZuE^bD`;Xp-xVKc9c}F}}np zyNi(@c=>{p*gv}bHnmV{dXQtQ@_a&QH55ILZWplAS)C!BGp)z~;5DstUemh5!;RHE zp+9&{_l(y>3FN`p2>`{P!v?RypS;P{UZROlj;63hoBiSq-kc=I2&Pg0oi}3DppvLM z`VvHwfBB`;5i7rJB`V)UFHC=F1Hn*(xBA@VtwICt6sU!}8E^l*B5NOmNZQUlm9$Hp zv9yaD+0>I5lD7QPk+cjG_J*y)jJwhv_S%vj>|h=?j^_~M?cNIQgorjY&H!t>5`RFX zHbXLQX!%5&OKj13``=~l!^=`cv(azf@I~{!d!IiBiSo(;R_IV~G$Mar@c2-k`O_tC z*l0sW`z^Vh5_?752_mU?3*NXtoZF61@}^N$B zfIH6eOoH*%1dkvh{?RvnnV=nmTzX8BlX3ZJc+R7JeY1v8(+uwJPS!27S`d$JHTMr|I)$bD OKmQ9X7k&H3g9iXYs3{Ks