From 1812e6eb6a84d5cfda72f3bc7ee6ed3deb33882a Mon Sep 17 00:00:00 2001 From: Bernhard Kirchen Date: Mon, 30 Sep 2024 22:26:31 +0200 Subject: [PATCH] Fix: prevent unauthorized access to OnBattery websockets it turns out that authentication was never implemented on OpenDTU-OnBattery-specific websocket connections. found while applying https://github.com/tbnobody/OpenDTU/pull/2320 --- include/WebApi_ws_Huawei.h | 2 ++ include/WebApi_ws_battery.h | 2 ++ include/WebApi_ws_vedirect_live.h | 2 ++ src/WebApi.cpp | 3 +++ src/WebApi_ws_Huawei.cpp | 20 ++++++++++++++++++++ src/WebApi_ws_battery.cpp | 20 ++++++++++++++++++++ src/WebApi_ws_vedirect_live.cpp | 20 ++++++++++++++++++++ 7 files changed, 69 insertions(+) diff --git a/include/WebApi_ws_Huawei.h b/include/WebApi_ws_Huawei.h index 43e528e83..9ab9c8b7c 100644 --- a/include/WebApi_ws_Huawei.h +++ b/include/WebApi_ws_Huawei.h @@ -10,6 +10,7 @@ class WebApiWsHuaweiLiveClass { public: WebApiWsHuaweiLiveClass(); void init(AsyncWebServer& server, Scheduler& scheduler); + void reload(); private: void generateCommonJsonResponse(JsonVariant& root); @@ -18,6 +19,7 @@ class WebApiWsHuaweiLiveClass { AsyncWebServer* _server; AsyncWebSocket _ws; + AuthenticationMiddleware _simpleDigestAuth; std::mutex _mutex; diff --git a/include/WebApi_ws_battery.h b/include/WebApi_ws_battery.h index d89e01aec..bc014d390 100644 --- a/include/WebApi_ws_battery.h +++ b/include/WebApi_ws_battery.h @@ -10,6 +10,7 @@ class WebApiWsBatteryLiveClass { public: WebApiWsBatteryLiveClass(); void init(AsyncWebServer& server, Scheduler& scheduler); + void reload(); private: void generateCommonJsonResponse(JsonVariant& root); @@ -18,6 +19,7 @@ class WebApiWsBatteryLiveClass { AsyncWebServer* _server; AsyncWebSocket _ws; + AuthenticationMiddleware _simpleDigestAuth; uint32_t _lastUpdateCheck = 0; static constexpr uint16_t _responseSize = 1024 + 512; diff --git a/include/WebApi_ws_vedirect_live.h b/include/WebApi_ws_vedirect_live.h index b9890834e..7c3bedf60 100644 --- a/include/WebApi_ws_vedirect_live.h +++ b/include/WebApi_ws_vedirect_live.h @@ -12,6 +12,7 @@ class WebApiWsVedirectLiveClass { public: WebApiWsVedirectLiveClass(); void init(AsyncWebServer& server, Scheduler& scheduler); + void reload(); private: void generateCommonJsonResponse(JsonVariant& root, bool fullUpdate); @@ -22,6 +23,7 @@ class WebApiWsVedirectLiveClass { AsyncWebServer* _server; AsyncWebSocket _ws; + AuthenticationMiddleware _simpleDigestAuth; uint32_t _lastFullPublish = 0; uint32_t _lastPublish = 0; diff --git a/src/WebApi.cpp b/src/WebApi.cpp index ffd212dd3..47ce7657e 100644 --- a/src/WebApi.cpp +++ b/src/WebApi.cpp @@ -51,6 +51,9 @@ void WebApiClass::reload() { _webApiWsConsole.reload(); _webApiWsLive.reload(); + _webApiWsBatteryLive.reload(); + _webApiWsVedirectLive.reload(); + _webApiWsHuaweiLive.reload(); } bool WebApiClass::checkCredentials(AsyncWebServerRequest* request) diff --git a/src/WebApi_ws_Huawei.cpp b/src/WebApi_ws_Huawei.cpp index f171a18ab..cf4819914 100644 --- a/src/WebApi_ws_Huawei.cpp +++ b/src/WebApi_ws_Huawei.cpp @@ -42,6 +42,26 @@ void WebApiWsHuaweiLiveClass::init(AsyncWebServer& server, Scheduler& scheduler) _sendDataTask.setIterations(TASK_FOREVER); _sendDataTask.setInterval(1 * TASK_SECOND); _sendDataTask.enable(); + + _simpleDigestAuth.setUsername(AUTH_USERNAME); + _simpleDigestAuth.setRealm("AC charger websocket"); + + reload(); +} + +void WebApiWsHuaweiLiveClass::reload() +{ + _ws.removeMiddleware(&_simpleDigestAuth); + + auto const& config = Configuration.get(); + + if (config.Security.AllowReadonly) { return; } + + _ws.enable(false); + _simpleDigestAuth.setPassword(config.Security.Password); + _ws.addMiddleware(&_simpleDigestAuth); + _ws.closeAll(); + _ws.enable(true); } void WebApiWsHuaweiLiveClass::wsCleanupTaskCb() diff --git a/src/WebApi_ws_battery.cpp b/src/WebApi_ws_battery.cpp index 42913abc6..b932bfc4e 100644 --- a/src/WebApi_ws_battery.cpp +++ b/src/WebApi_ws_battery.cpp @@ -42,6 +42,26 @@ void WebApiWsBatteryLiveClass::init(AsyncWebServer& server, Scheduler& scheduler _sendDataTask.setIterations(TASK_FOREVER); _sendDataTask.setInterval(1 * TASK_SECOND); _sendDataTask.enable(); + + _simpleDigestAuth.setUsername(AUTH_USERNAME); + _simpleDigestAuth.setRealm("battery websocket"); + + reload(); +} + +void WebApiWsBatteryLiveClass::reload() +{ + _ws.removeMiddleware(&_simpleDigestAuth); + + auto const& config = Configuration.get(); + + if (config.Security.AllowReadonly) { return; } + + _ws.enable(false); + _simpleDigestAuth.setPassword(config.Security.Password); + _ws.addMiddleware(&_simpleDigestAuth); + _ws.closeAll(); + _ws.enable(true); } void WebApiWsBatteryLiveClass::wsCleanupTaskCb() diff --git a/src/WebApi_ws_vedirect_live.cpp b/src/WebApi_ws_vedirect_live.cpp index abf3376eb..473db8390 100644 --- a/src/WebApi_ws_vedirect_live.cpp +++ b/src/WebApi_ws_vedirect_live.cpp @@ -44,6 +44,26 @@ void WebApiWsVedirectLiveClass::init(AsyncWebServer& server, Scheduler& schedule _sendDataTask.setIterations(TASK_FOREVER); _sendDataTask.setInterval(500 * TASK_MILLISECOND); _sendDataTask.enable(); + + _simpleDigestAuth.setUsername(AUTH_USERNAME); + _simpleDigestAuth.setRealm("vedirect websocket"); + + reload(); +} + +void WebApiWsVedirectLiveClass::reload() +{ + _ws.removeMiddleware(&_simpleDigestAuth); + + auto const& config = Configuration.get(); + + if (config.Security.AllowReadonly) { return; } + + _ws.enable(false); + _simpleDigestAuth.setPassword(config.Security.Password); + _ws.addMiddleware(&_simpleDigestAuth); + _ws.closeAll(); + _ws.enable(true); } void WebApiWsVedirectLiveClass::wsCleanupTaskCb()