Merge pull request #3445 from Moustachauve/ota-lock-post-fix

Update response code when access is denied
This commit is contained in:
Blaž Kristan 2023-10-17 06:29:43 +02:00 committed by GitHub
commit 36290c20aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -40,7 +40,7 @@ bool isIp(String str) {
void handleUpload(AsyncWebServerRequest *request, const String& filename, size_t index, uint8_t *data, size_t len, bool final) { void handleUpload(AsyncWebServerRequest *request, const String& filename, size_t index, uint8_t *data, size_t len, bool final) {
if (!correctPIN) { if (!correctPIN) {
if (final) request->send(500, "text/plain", FPSTR(s_unlock_cfg)); if (final) request->send(401, "text/plain", FPSTR(s_unlock_cfg));
return; return;
} }
if (!index) { if (!index) {
@ -86,7 +86,7 @@ void createEditHandler(bool enable) {
#endif #endif
} else { } else {
editHandler = &server.on("/edit", HTTP_ANY, [](AsyncWebServerRequest *request){ editHandler = &server.on("/edit", HTTP_ANY, [](AsyncWebServerRequest *request){
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_cfg), 254); serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_cfg), 254);
}); });
} }
} }
@ -201,7 +201,7 @@ void initServer()
verboseResponse = deserializeState(root); verboseResponse = deserializeState(root);
} else { } else {
if (!correctPIN && strlen(settingsPIN)>0) { if (!correctPIN && strlen(settingsPIN)>0) {
request->send(403, "application/json", F("{\"error\":1}")); // ERR_DENIED request->send(401, "application/json", F("{\"error\":1}")); // ERR_DENIED
releaseJSONBufferLock(); releaseJSONBufferLock();
return; return;
} }
@ -282,7 +282,7 @@ void initServer()
//init ota page //init ota page
server.on("/update", HTTP_GET, [](AsyncWebServerRequest *request){ server.on("/update", HTTP_GET, [](AsyncWebServerRequest *request){
if (otaLock) { if (otaLock) {
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254); serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
} else } else
serveSettings(request); // checks for "upd" in URL and handles PIN serveSettings(request); // checks for "upd" in URL and handles PIN
}); });
@ -292,7 +292,11 @@ void initServer()
serveSettings(request, true); // handle PIN page POST request serveSettings(request, true); // handle PIN page POST request
return; return;
} }
if (Update.hasError() || otaLock) { if (otaLock) {
serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254);
return;
}
if (Update.hasError()) {
serveMessage(request, 500, F("Update failed!"), F("Please check your file and retry!"), 254); serveMessage(request, 500, F("Update failed!"), F("Please check your file and retry!"), 254);
} else { } else {
serveMessage(request, 200, F("Update successful!"), F("Rebooting..."), 131); serveMessage(request, 200, F("Update successful!"), F("Rebooting..."), 131);
@ -533,7 +537,7 @@ void serveSettingsJS(AsyncWebServerRequest* request)
} }
if (subPage > 0 && !correctPIN && strlen(settingsPIN)>0) { if (subPage > 0 && !correctPIN && strlen(settingsPIN)>0) {
strcpy_P(buf, PSTR("alert('PIN incorrect.');")); strcpy_P(buf, PSTR("alert('PIN incorrect.');"));
request->send(403, "application/javascript", buf); request->send(401, "application/javascript", buf);
return; return;
} }
strcat_P(buf,PSTR("function GetV(){var d=document;")); strcat_P(buf,PSTR("function GetV(){var d=document;"));
@ -575,7 +579,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
// if OTA locked or too frequent PIN entry requests fail hard // if OTA locked or too frequent PIN entry requests fail hard
if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN)) if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN))
{ {
serveMessage(request, 500, "Access Denied", FPSTR(s_unlock_ota), 254); return; serveMessage(request, 401, "Access Denied", FPSTR(s_unlock_ota), 254); return;
} }
if (post) { //settings/set POST request, saving if (post) { //settings/set POST request, saving
@ -605,7 +609,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
if (!s2[0]) strcpy_P(s2, s_redirecting); if (!s2[0]) strcpy_P(s2, s_redirecting);
bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot)); bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot));
serveMessage(request, 200, s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3)); serveMessage(request, (correctPIN ? 200 : 401), s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3));
return; return;
} }
} }
@ -633,7 +637,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post)
serveMessage(request, 200, strlen(settingsPIN) > 0 ? PSTR("Settings locked") : PSTR("No PIN set"), FPSTR(s_redirecting), 1); serveMessage(request, 200, strlen(settingsPIN) > 0 ? PSTR("Settings locked") : PSTR("No PIN set"), FPSTR(s_redirecting), 1);
return; return;
} }
case SUBPAGE_PINREQ : response = request->beginResponse_P(200, "text/html", PAGE_settings_pin, PAGE_settings_pin_length); break; case SUBPAGE_PINREQ : response = request->beginResponse_P(401, "text/html", PAGE_settings_pin, PAGE_settings_pin_length); break;
case SUBPAGE_CSS : response = request->beginResponse_P(200, "text/css", PAGE_settingsCss, PAGE_settingsCss_length); break; case SUBPAGE_CSS : response = request->beginResponse_P(200, "text/css", PAGE_settingsCss, PAGE_settingsCss_length); break;
case SUBPAGE_JS : serveSettingsJS(request); return; case SUBPAGE_JS : serveSettingsJS(request); return;
case SUBPAGE_WELCOME : response = request->beginResponse_P(200, "text/html", PAGE_welcome, PAGE_welcome_length); break; case SUBPAGE_WELCOME : response = request->beginResponse_P(200, "text/html", PAGE_welcome, PAGE_welcome_length); break;