blob: a48b775374201a3f703c49e16dab4e36d9574dae [file] [log] [blame]
Ed Tanousd4b6c662021-03-10 13:29:30 -08001#pragma once
2#include <http_request.hpp>
3#include <http_response.hpp>
4#include <http_utility.hpp>
5
6namespace forward_unauthorized
7{
8
Ed Tanous4f48d5f2021-06-21 08:27:45 -07009static bool hasWebuiRoute = false;
Ed Tanousd4b6c662021-03-10 13:29:30 -080010
Ed Tanousc127a0f2022-05-11 15:23:59 -070011inline void sendUnauthorized(std::string_view url,
12 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -070013 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -080014{
15 // If it's a browser connecting, don't send the HTTP authenticate
16 // header, to avoid possible CSRF attacks with basic auth
John Edward Broadbent59b98b22021-07-13 15:36:32 -070017 if (http_helpers::requestPrefersHtml(accept))
Ed Tanousd4b6c662021-03-10 13:29:30 -080018 {
19 // If we have a webui installed, redirect to that login page
20 if (hasWebuiRoute)
21 {
22 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -070023 res.addHeader(boost::beast::http::field::location,
John Edward Broadbent59b98b22021-07-13 15:36:32 -070024 "/#/login?next=" + http_helpers::urlEncode(url));
Ed Tanous347d1a12022-06-22 15:49:37 -070025 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -080026 }
Ed Tanous347d1a12022-06-22 15:49:37 -070027 // If we don't have a webui installed, just return an unauthorized
28 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -080029 res.result(boost::beast::http::status::unauthorized);
Ed Tanous347d1a12022-06-22 15:49:37 -070030 res.body() = "Unauthorized";
31 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -080032 }
Ed Tanous347d1a12022-06-22 15:49:37 -070033
34 res.result(boost::beast::http::status::unauthorized);
35
36 // XHR requests from a browser will set the X-Requested-With header when
37 // doing their requests, even though they might not be requesting html.
38 if (!xRequestedWith.empty())
39 {
40 return;
41 }
42 // if basic auth is disabled, don't propose it.
43 if (!persistent_data::SessionStore::getInstance()
44 .getAuthMethodsConfig()
45 .basic)
46 {
47 return;
48 }
Ed Tanousd9f6c622022-03-17 09:12:17 -070049 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -080050}
51} // namespace forward_unauthorized