Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 1 | #pragma once |
Ed Tanous | 3ccb3ad | 2023-01-13 17:40:03 -0800 | [diff] [blame] | 2 | #include "http_request.hpp" |
| 3 | #include "http_response.hpp" |
| 4 | #include "http_utility.hpp" |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 5 | |
Ed Tanous | c51a58e | 2023-03-27 14:43:19 -0700 | [diff] [blame] | 6 | #include <boost/url/format.hpp> |
| 7 | #include <boost/url/url.hpp> |
| 8 | |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 9 | namespace forward_unauthorized |
| 10 | { |
| 11 | |
Ed Tanous | cf9e417 | 2022-12-21 09:30:16 -0800 | [diff] [blame] | 12 | // NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables) |
Ed Tanous | 4f48d5f | 2021-06-21 08:27:45 -0700 | [diff] [blame] | 13 | static bool hasWebuiRoute = false; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 14 | |
Ed Tanous | c127a0f | 2022-05-11 15:23:59 -0700 | [diff] [blame] | 15 | inline void sendUnauthorized(std::string_view url, |
| 16 | std::string_view xRequestedWith, |
John Edward Broadbent | 59b98b2 | 2021-07-13 15:36:32 -0700 | [diff] [blame] | 17 | std::string_view accept, crow::Response& res) |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 18 | { |
| 19 | // If it's a browser connecting, don't send the HTTP authenticate |
| 20 | // header, to avoid possible CSRF attacks with basic auth |
Ed Tanous | 4a0e1a0 | 2022-09-21 15:28:04 -0700 | [diff] [blame] | 21 | if (http_helpers::isContentTypeAllowed( |
| 22 | accept, http_helpers::ContentType::HTML, false /*allowWildcard*/)) |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 23 | { |
| 24 | // If we have a webui installed, redirect to that login page |
| 25 | if (hasWebuiRoute) |
| 26 | { |
Ed Tanous | c51a58e | 2023-03-27 14:43:19 -0700 | [diff] [blame] | 27 | boost::urls::url forward = boost::urls::format("/?next={}#/login", |
| 28 | url); |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 29 | res.result(boost::beast::http::status::temporary_redirect); |
Ed Tanous | d9f6c62 | 2022-03-17 09:12:17 -0700 | [diff] [blame] | 30 | res.addHeader(boost::beast::http::field::location, |
Ed Tanous | c51a58e | 2023-03-27 14:43:19 -0700 | [diff] [blame] | 31 | forward.buffer()); |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 32 | return; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 33 | } |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 34 | // If we don't have a webui installed, just return an unauthorized |
| 35 | // body |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 36 | res.result(boost::beast::http::status::unauthorized); |
Ed Tanous | 27b0cf9 | 2023-08-07 12:02:40 -0700 | [diff] [blame] | 37 | res.write( |
| 38 | "No authentication provided, and no login UI present to forward to."); |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 39 | return; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 40 | } |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 41 | |
| 42 | res.result(boost::beast::http::status::unauthorized); |
| 43 | |
| 44 | // XHR requests from a browser will set the X-Requested-With header when |
| 45 | // doing their requests, even though they might not be requesting html. |
| 46 | if (!xRequestedWith.empty()) |
| 47 | { |
| 48 | return; |
| 49 | } |
| 50 | // if basic auth is disabled, don't propose it. |
| 51 | if (!persistent_data::SessionStore::getInstance() |
| 52 | .getAuthMethodsConfig() |
| 53 | .basic) |
| 54 | { |
| 55 | return; |
| 56 | } |
Ed Tanous | d9f6c62 | 2022-03-17 09:12:17 -0700 | [diff] [blame] | 57 | res.addHeader(boost::beast::http::field::www_authenticate, "Basic"); |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 58 | } |
| 59 | } // namespace forward_unauthorized |