Close #289: Add checking for valid RUUVISESSION cookie when auth_type…

… is set to 'allow'
ruuvi · Apr 17, 2024 · d08a094 · d08a094
1 parent 9fd73e9
commit d08a094
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 48 deletions.
diff --git a/src/http_server_auth.c b/src/http_server_auth.c
@@ -105,3 +105,17 @@ http_server_get_auth(void)
 {
     return &g_auth_info;
 }
+
+void
+http_server_auth_ruuvi_add_authorized_session(
+    http_server_auth_ruuvi_t* const                  p_auth_ruuvi,
+    const http_server_auth_ruuvi_session_id_t* const p_session_id,
+    const sta_ip_string_t* const                     p_remote_ip)
+{
+    for (int32_t i = HTTP_SERVER_AUTH_RUUVI_MAX_NUM_SESSIONS - 1; i > 0; --i)
+    {
+        p_auth_ruuvi->authorized_sessions[i] = p_auth_ruuvi->authorized_sessions[i - 1];
+    }
+    p_auth_ruuvi->authorized_sessions[0].session_id = *p_session_id;
+    p_auth_ruuvi->authorized_sessions[0].remote_ip  = *p_remote_ip;
+}
diff --git a/src/http_server_auth.h b/src/http_server_auth.h
@@ -47,6 +47,12 @@ http_server_strnstr(const char* const p_haystack, const char* const p_needle, co
 http_server_auth_info_t*
 http_server_get_auth(void);
 
+void
+http_server_auth_ruuvi_add_authorized_session(
+    http_server_auth_ruuvi_t* const                  p_auth_ruuvi,
+    const http_server_auth_ruuvi_session_id_t* const p_session_id,
+    const sta_ip_string_t* const                     p_remote_ip);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/src/http_server_handle_req_delete_auth.c b/src/http_server_handle_req_delete_auth.c
@@ -25,7 +25,8 @@ http_server_handle_req_delete_auth(
     {
         return http_server_resp_401_auth_ruuvi(
             p_hostinfo,
-            (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false);
+            (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? HTTP_SERVER_AUTH_TYPE_DEFAULT
+                                                                      : HTTP_SERVER_AUTH_TYPE_RUUVI);
     }
     http_server_auth_ruuvi_authorized_session_t* const p_authorized_session
         = http_server_auth_ruuvi_find_authorized_session(&session_id, p_remote_ip);
@@ -34,7 +35,8 @@ http_server_handle_req_delete_auth(
     {
         return http_server_resp_401_auth_ruuvi(
             p_hostinfo,
-            (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false);
+            (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? HTTP_SERVER_AUTH_TYPE_DEFAULT
+                                                                      : HTTP_SERVER_AUTH_TYPE_RUUVI);
     }
 
     p_authorized_session->session_id.buf[0] = '\0';

diff --git a/src/http_server_handle_req_get_auth.c b/src/http_server_handle_req_get_auth.c
@@ -183,21 +183,25 @@ static http_server_resp_t
 http_server_handle_req_get_auth_ruuvi(
     const http_server_handle_req_auth_param_t* const p_param,
     const bool                                       flag_check,
-    const bool                                       flag_auth_default,
+    const http_server_auth_type_e                    auth_type,
     http_header_extra_fields_t* const                p_extra_header_fields)
 {
     http_server_auth_ruuvi_session_id_t session_id = { 0 };
     if (!http_server_auth_ruuvi_get_session_id_from_cookies(p_param->http_header, &session_id))
     {
+        if (HTTP_SERVER_AUTH_TYPE_ALLOW == auth_type)
+        {
+            return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
+        }
         if (flag_check)
         {
-            return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, flag_auth_default);
+            return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, auth_type);
         }
         return http_server_resp_401_auth_ruuvi_with_new_session_id(
             p_param->p_remote_ip,
             p_param->p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
     }
     const http_server_auth_ruuvi_authorized_session_t* const p_authorized_session
@@ -207,19 +211,26 @@ http_server_handle_req_get_auth_ruuvi(
     {
         if (flag_check)
         {
-            return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, flag_auth_default);
+            return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, auth_type);
+        }
+        if (HTTP_SERVER_AUTH_TYPE_ALLOW == auth_type)
+        {
+            return http_server_resp_200_auth_allow_with_new_session_id(
+                p_param->p_remote_ip,
+                p_param->p_hostinfo,
+                p_extra_header_fields);
         }
         return http_server_resp_401_auth_ruuvi_with_new_session_id(
             p_param->p_remote_ip,
             p_param->p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
     }
 
     const http_server_resp_auth_json_t* p_auth_json = http_server_fill_auth_json(
         p_param->p_hostinfo,
-        flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
+        auth_type,
         p_param->flag_access_from_lan,
         NULL);
     return http_server_resp_200_json(p_auth_json->buf);
@@ -269,17 +280,29 @@ http_server_handle_req_get_or_check_auth(
     switch (p_param->p_auth_info->auth_type)
     {
         case HTTP_SERVER_AUTH_TYPE_ALLOW:
-            return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
+            return http_server_handle_req_get_auth_ruuvi(
+                p_param,
+                flag_check,
+                p_param->p_auth_info->auth_type,
+                p_extra_header_fields);
         case HTTP_SERVER_AUTH_TYPE_BASIC:
             return http_server_handle_req_get_auth_basic(p_param, p_extra_header_fields);
         case HTTP_SERVER_AUTH_TYPE_DIGEST:
             return http_server_handle_req_get_auth_digest(p_param, p_extra_header_fields);
         case HTTP_SERVER_AUTH_TYPE_RUUVI:
-            return http_server_handle_req_get_auth_ruuvi(p_param, flag_check, false, p_extra_header_fields);
+            return http_server_handle_req_get_auth_ruuvi(
+                p_param,
+                flag_check,
+                p_param->p_auth_info->auth_type,
+                p_extra_header_fields);
         case HTTP_SERVER_AUTH_TYPE_DENY:
             return http_server_handle_req_get_auth_deny(p_param->p_hostinfo);
         case HTTP_SERVER_AUTH_TYPE_DEFAULT:
-            return http_server_handle_req_get_auth_ruuvi(p_param, flag_check, true, p_extra_header_fields);
+            return http_server_handle_req_get_auth_ruuvi(
+                p_param,
+                flag_check,
+                p_param->p_auth_info->auth_type,
+                p_extra_header_fields);
         case HTTP_SERVER_AUTH_TYPE_BEARER:
             return http_server_resp_500();
     }
@@ -312,5 +335,6 @@ http_server_handle_req_get_auth(
     {
         return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
     }
-    return http_server_handle_req_get_or_check_auth(p_param, false, p_extra_header_fields, NULL);
+    const bool flag_check = false;
+    return http_server_handle_req_get_or_check_auth(p_param, flag_check, p_extra_header_fields, NULL);
 }
diff --git a/src/http_server_handle_req_post_auth.c b/src/http_server_handle_req_post_auth.c
@@ -117,27 +117,13 @@ http_server_auth_ruuvi_gen_hashed_password(
     return true;
 }
 
-static void
-http_server_auth_ruuvi_add_authorized_session(
-    http_server_auth_ruuvi_t* const                  p_auth_ruuvi,
-    const http_server_auth_ruuvi_session_id_t* const p_session_id,
-    const sta_ip_string_t* const                     p_remote_ip)
-{
-    for (int32_t i = HTTP_SERVER_AUTH_RUUVI_MAX_NUM_SESSIONS - 1; i > 0; --i)
-    {
-        p_auth_ruuvi->authorized_sessions[i] = p_auth_ruuvi->authorized_sessions[i - 1];
-    }
-    p_auth_ruuvi->authorized_sessions[0].session_id = *p_session_id;
-    p_auth_ruuvi->authorized_sessions[0].remote_ip  = *p_remote_ip;
-}
-
 static bool
 http_server_handle_req_post_auth_check_login_session(
     const http_server_auth_ruuvi_login_session_t* const p_login_session,
     const http_server_auth_ruuvi_session_id_t*          p_session_id,
     const sta_ip_string_t* const                        p_remote_ip,
     const wifiman_hostinfo_t* const                     p_hostinfo,
-    const bool                                          flag_auth_default,
+    const http_server_auth_type_e                       auth_type,
     http_header_extra_fields_t* const                   p_extra_header_fields,
     http_server_resp_t* const                           p_resp)
 {
@@ -148,7 +134,7 @@ http_server_handle_req_post_auth_check_login_session(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
         return false;
     }
@@ -162,7 +148,7 @@ http_server_handle_req_post_auth_check_login_session(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
         return false;
     }
@@ -173,7 +159,7 @@ http_server_handle_req_post_auth_check_login_session(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
         return false;
     }
@@ -183,7 +169,7 @@ http_server_handle_req_post_auth_check_login_session(
 http_server_resp_t
 http_server_handle_req_post_auth_check_auth(
     http_server_auth_ruuvi_req_t* const  p_auth_req,
-    const bool                           flag_auth_default,
+    const http_server_auth_type_e        auth_type,
     const sta_ip_string_t* const         p_remote_ip,
     const http_req_body_t                http_body,
     const http_server_auth_info_t* const p_auth_info,
@@ -197,7 +183,7 @@ http_server_handle_req_post_auth_check_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
     }
     if ('\0' == p_auth_req->username.buf[0])
@@ -207,7 +193,7 @@ http_server_handle_req_post_auth_check_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             "The username is empty");
     }
     if (0 != strcmp(p_auth_info->auth_user.buf, p_auth_req->username.buf))
@@ -217,7 +203,7 @@ http_server_handle_req_post_auth_check_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             "Incorrect username");
     }
     wifiman_sha256_digest_hex_str_t* p_password_hash = os_calloc(1, sizeof(*p_password_hash));
@@ -238,7 +224,7 @@ http_server_handle_req_post_auth_check_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             NULL);
     }
     if (0 != strcmp(p_password_hash->buf, p_auth_req->password.buf))
@@ -252,7 +238,7 @@ http_server_handle_req_post_auth_check_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            auth_type,
             "Incorrect password");
     }
     os_free(p_password_hash);
@@ -285,8 +271,6 @@ http_server_handle_req_post_auth(
         return http_server_resp_503();
     }
 
-    const bool flag_auth_default = (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false;
-
     http_server_auth_ruuvi_session_id_t session_id = { 0 };
     if (!http_server_auth_ruuvi_get_session_id_from_cookies(http_header, &session_id))
     {
@@ -295,7 +279,7 @@ http_server_handle_req_post_auth(
             p_remote_ip,
             p_hostinfo,
             p_extra_header_fields,
-            flag_auth_default,
+            p_auth_info->auth_type,
             NULL);
     }
     const http_server_auth_ruuvi_prev_url_t prev_url = http_server_auth_ruuvi_get_prev_url_from_cookies(http_header);
@@ -308,7 +292,7 @@ http_server_handle_req_post_auth(
             &session_id,
             p_remote_ip,
             p_hostinfo,
-            flag_auth_default,
+            p_auth_info->auth_type,
             p_extra_header_fields,
             &resp))
     {
@@ -323,7 +307,7 @@ http_server_handle_req_post_auth(
     }
     resp = http_server_handle_req_post_auth_check_auth(
         p_auth_req,
-        flag_auth_default,
+        p_auth_info->auth_type,
         p_remote_ip,
         http_body,
         p_auth_info,
@@ -349,7 +333,7 @@ http_server_handle_req_post_auth(
     }
     const http_server_resp_auth_json_t* p_auth_json = http_server_fill_auth_json(
         p_hostinfo,
-        flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
+        p_auth_info->auth_type,
         flag_access_from_lan,
         NULL);
     return http_server_resp_200_json(p_auth_json->buf);

diff --git a/src/http_server_resp.c b/src/http_server_resp.c
@@ -476,7 +476,7 @@ http_server_resp_401_auth_ruuvi_with_new_session_id(
     const sta_ip_string_t* const      p_remote_ip,
     const wifiman_hostinfo_t* const   p_hostinfo,
     http_header_extra_fields_t* const p_extra_header_fields,
-    const bool                        flag_auth_default,
+    const http_server_auth_type_e     lan_auth_type,
     const char* const                 p_err_message)
 {
     http_server_auth_ruuvi_t* const               p_auth_info     = http_server_auth_ruuvi_get_info();
@@ -495,25 +495,58 @@ http_server_resp_401_auth_ruuvi_with_new_session_id(
 
     const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
         p_hostinfo,
-        flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
+        lan_auth_type,
         flag_access_from_lan,
         p_err_message);
     return http_server_resp_401_json(p_auth_json);
 }
 
 http_server_resp_t
-http_server_resp_401_auth_ruuvi(const wifiman_hostinfo_t* const p_hostinfo, const bool flag_auth_default)
+http_server_resp_401_auth_ruuvi(const wifiman_hostinfo_t* const p_hostinfo, const http_server_auth_type_e lan_auth_type)
 {
     const bool flag_access_from_lan = true;
 
     const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
         p_hostinfo,
-        flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
+        lan_auth_type,
         flag_access_from_lan,
         NULL);
     return http_server_resp_401_json(p_auth_json);
 }
 
+http_server_resp_t
+http_server_resp_200_auth_allow_with_new_session_id(
+    const sta_ip_string_t* const      p_remote_ip,
+    const wifiman_hostinfo_t* const   p_hostinfo,
+    http_header_extra_fields_t* const p_extra_header_fields)
+{
+    http_server_auth_ruuvi_t* const               p_auth_info     = http_server_auth_ruuvi_get_info();
+    http_server_auth_ruuvi_login_session_t* const p_login_session = &p_auth_info->login_session;
+
+    http_server_login_session_init(p_login_session, p_remote_ip);
+
+    if (wifiman_sha256_is_empty_digest_hex_str(&p_login_session->challenge))
+    {
+        return http_server_resp_503();
+    }
+
+    http_server_resp_auth_ruuvi_prep_www_authenticate_header(p_hostinfo, p_login_session, p_extra_header_fields);
+
+    http_server_auth_ruuvi_add_authorized_session(
+        http_server_auth_ruuvi_get_info(),
+        &p_login_session->session_id,
+        p_remote_ip);
+
+    const bool flag_access_from_lan = true;
+
+    const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
+        p_hostinfo,
+        HTTP_SERVER_AUTH_TYPE_ALLOW,
+        flag_access_from_lan,
+        NULL);
+    return http_server_resp_200_json(p_auth_json->buf);
+}
+
 http_server_resp_t
 http_server_resp_403_auth_deny(const wifiman_hostinfo_t* const p_hostinfo)
 {

diff --git a/src/include/http_server_resp.h b/src/include/http_server_resp.h
@@ -124,11 +124,19 @@ http_server_resp_401_auth_ruuvi_with_new_session_id(
     const sta_ip_string_t* const      p_remote_ip,
     const wifiman_hostinfo_t* const   p_hostinfo,
     http_header_extra_fields_t* const p_extra_header_fields,
-    const bool                        flag_auth_default,
+    const http_server_auth_type_e     lan_auth_type,
     const char* const                 p_err_message);
 
 http_server_resp_t
-http_server_resp_401_auth_ruuvi(const wifiman_hostinfo_t* const p_hostinfo, const bool flag_auth_default);
+http_server_resp_401_auth_ruuvi(
+    const wifiman_hostinfo_t* const p_hostinfo,
+    const http_server_auth_type_e   lan_auth_type);
+
+http_server_resp_t
+http_server_resp_200_auth_allow_with_new_session_id(
+    const sta_ip_string_t* const      p_remote_ip,
+    const wifiman_hostinfo_t* const   p_hostinfo,
+    http_header_extra_fields_t* const p_extra_header_fields);
 
 http_server_resp_t
 http_server_resp_403_auth_deny(const wifiman_hostinfo_t* const p_hostinfo);