From 225fd0d05b02ce6cbd277e2edf255a691f94c251 Mon Sep 17 00:00:00 2001
From: Christophe Gagnier <Moustachauve@users.noreply.github.com>
Date: Mon, 16 Oct 2023 03:19:14 -0400
Subject: [PATCH] Update response code when access is denied

Having the wrong pin would result in a server error (500). The more appropriate error code for that would be 401.
This also changes the page that asks for users to login from 200 to 401.
---
 wled00/wled_server.cpp | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/wled00/wled_server.cpp b/wled00/wled_server.cpp
index 740a0dde..abf2e530 100644
--- a/wled00/wled_server.cpp
+++ b/wled00/wled_server.cpp
@@ -40,7 +40,7 @@ bool isIp(String str) {
 
 void handleUpload(AsyncWebServerRequest *request, const String& filename, size_t index, uint8_t *data, size_t len, bool final) {
   if (!correctPIN) {
-    if (final) request->send(500, "text/plain", FPSTR(s_unlock_cfg));
+    if (final) request->send(401, "text/plain", FPSTR(s_unlock_cfg));
     return;
   }
   if (!index) {
@@ -86,7 +86,7 @@ void createEditHandler(bool enable) {
     #endif
   } else {
     editHandler = &server.on("/edit", HTTP_ANY, [](AsyncWebServerRequest *request){
-      serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_cfg), 254);
+      serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_cfg), 254);
     });
   }
 }
@@ -201,7 +201,7 @@ void initServer()
       verboseResponse = deserializeState(root);
     } else {
       if (!correctPIN && strlen(settingsPIN)>0) {
-        request->send(403, "application/json", F("{\"error\":1}")); // ERR_DENIED
+        request->send(401, "application/json", F("{\"error\":1}")); // ERR_DENIED
         releaseJSONBufferLock();
         return;
       }
@@ -282,7 +282,7 @@ void initServer()
   //init ota page
   server.on("/update", HTTP_GET, [](AsyncWebServerRequest *request){
     if (otaLock) {
-      serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254);
+      serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
     } else
       serveSettings(request); // checks for "upd" in URL and handles PIN
   });
@@ -292,7 +292,11 @@ void initServer()
       serveSettings(request, true); // handle PIN page POST request
       return;
     }
-    if (Update.hasError() || otaLock) {
+    if (otaLock) {
+      serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
+      return;
+    }
+    if (Update.hasError()) {
       serveMessage(request, 500, F("Update failed!"), F("Please check your file and retry!"), 254);
     } else {
       serveMessage(request, 200, F("Update successful!"), F("Rebooting..."), 131);
@@ -533,7 +537,7 @@ void serveSettingsJS(AsyncWebServerRequest* request)
   }
   if (subPage > 0 && !correctPIN && strlen(settingsPIN)>0) {
     strcpy_P(buf, PSTR("alert('PIN incorrect.');"));
-    request->send(403, "application/javascript", buf);
+    request->send(401, "application/javascript", buf);
     return;
   }
   strcat_P(buf,PSTR("function GetV(){var d=document;"));
@@ -575,7 +579,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
   // if OTA locked or too frequent PIN entry requests fail hard
   if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN))
   {
-    serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254); return;
+    serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254); return;
   }
 
   if (post) { //settings/set POST request, saving
@@ -605,7 +609,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
       if (!s2[0]) strcpy_P(s2, s_redirecting);
 
       bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot));
-      serveMessage(request, 200, s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3));
+      serveMessage(request, (correctPIN ? 200 : 401), s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3));
       return;
     }
   }
@@ -633,7 +637,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
       serveMessage(request, 200, strlen(settingsPIN) > 0 ? PSTR("Settings locked") : PSTR("No PIN set"), FPSTR(s_redirecting), 1);
       return;
     }
-    case SUBPAGE_PINREQ  : response = request->beginResponse_P(200, "text/html", PAGE_settings_pin,  PAGE_settings_pin_length);  break;
+    case SUBPAGE_PINREQ  : response = request->beginResponse_P(401, "text/html", PAGE_settings_pin,  PAGE_settings_pin_length);  break;
     case SUBPAGE_CSS     : response = request->beginResponse_P(200, "text/css",  PAGE_settingsCss,   PAGE_settingsCss_length);   break;
     case SUBPAGE_JS      : serveSettingsJS(request); return;
     case SUBPAGE_WELCOME : response = request->beginResponse_P(200, "text/html", PAGE_welcome,       PAGE_welcome_length);       break;