Update response code when access is denied

Having the wrong pin would result in a server error (500). The more appropriate error code for that would be 401.
This also changes the page that asks for users to login from 200 to 401.
This commit is contained in:
Christophe Gagnier 2023-10-16 03:19:14 -04:00
parent 3847bfc41a
commit 225fd0d05b

View File

@ -40,7 +40,7 @@ bool isIp(String str) {
void handleUpload(AsyncWebServerRequest *request, const String& filename, size_t index, uint8_t *data, size_t len, bool final) {
if (!correctPIN) {
if (final) request->send(500, "text/plain", FPSTR(s_unlock_cfg));
if (final) request->send(401, "text/plain", FPSTR(s_unlock_cfg));
return;
}
if (!index) {
@ -86,7 +86,7 @@ void createEditHandler(bool enable) {
#endif
} else {
editHandler = &server.on("/edit", HTTP_ANY, [](AsyncWebServerRequest *request){
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_cfg), 254);
serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_cfg), 254);
});
}
}
@ -201,7 +201,7 @@ void initServer()
verboseResponse = deserializeState(root);
} else {
if (!correctPIN && strlen(settingsPIN)>0) {
request->send(403, "application/json", F("{\"error\":1}")); // ERR_DENIED
request->send(401, "application/json", F("{\"error\":1}")); // ERR_DENIED
releaseJSONBufferLock();
return;
}
@ -282,7 +282,7 @@ void initServer()
//init ota page
server.on("/update", HTTP_GET, [](AsyncWebServerRequest *request){
if (otaLock) {
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254);
serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
} else
serveSettings(request); // checks for "upd" in URL and handles PIN
});
@ -292,7 +292,11 @@ void initServer()
serveSettings(request, true); // handle PIN page POST request
return;
}
if (Update.hasError() || otaLock) {
if (otaLock) {
serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
return;
}
if (Update.hasError()) {
serveMessage(request, 500, F("Update failed!"), F("Please check your file and retry!"), 254);
} else {
serveMessage(request, 200, F("Update successful!"), F("Rebooting..."), 131);
@ -533,7 +537,7 @@ void serveSettingsJS(AsyncWebServerRequest* request)
}
if (subPage > 0 && !correctPIN && strlen(settingsPIN)>0) {
strcpy_P(buf, PSTR("alert('PIN incorrect.');"));
request->send(403, "application/javascript", buf);
request->send(401, "application/javascript", buf);
return;
}
strcat_P(buf,PSTR("function GetV(){var d=document;"));
@ -575,7 +579,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
// if OTA locked or too frequent PIN entry requests fail hard
if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN))
{
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254); return;
serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254); return;
}
if (post) { //settings/set POST request, saving
@ -605,7 +609,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
if (!s2[0]) strcpy_P(s2, s_redirecting);
bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot));
serveMessage(request, 200, s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3));
serveMessage(request, (correctPIN ? 200 : 401), s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3));
return;
}
}
@ -633,7 +637,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
serveMessage(request, 200, strlen(settingsPIN) > 0 ? PSTR("Settings locked") : PSTR("No PIN set"), FPSTR(s_redirecting), 1);
return;
}
case SUBPAGE_PINREQ : response = request->beginResponse_P(200, "text/html", PAGE_settings_pin, PAGE_settings_pin_length); break;
case SUBPAGE_PINREQ : response = request->beginResponse_P(401, "text/html", PAGE_settings_pin, PAGE_settings_pin_length); break;
case SUBPAGE_CSS : response = request->beginResponse_P(200, "text/css", PAGE_settingsCss, PAGE_settingsCss_length); break;
case SUBPAGE_JS : serveSettingsJS(request); return;
case SUBPAGE_WELCOME : response = request->beginResponse_P(200, "text/html", PAGE_welcome, PAGE_welcome_length); break;