blob: 9ba2b1cef9c1731607ef8365060e5008e76767a2 [file] [log] [blame]
Ed Tanousd4b6c662021-03-10 13:29:30 -08001#pragma once
Ed Tanous3ccb3ad2023-01-13 17:40:03 -08002#include "http_request.hpp"
3#include "http_response.hpp"
4#include "http_utility.hpp"
Ed Tanousd4b6c662021-03-10 13:29:30 -08005
Ed Tanousc51a58e2023-03-27 14:43:19 -07006#include <boost/url/format.hpp>
7#include <boost/url/url.hpp>
8
Ed Tanousd4b6c662021-03-10 13:29:30 -08009namespace forward_unauthorized
10{
11
Ed Tanouscf9e4172022-12-21 09:30:16 -080012// NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables)
Ed Tanous4f48d5f2021-06-21 08:27:45 -070013static bool hasWebuiRoute = false;
Ed Tanousd4b6c662021-03-10 13:29:30 -080014
Ed Tanousc127a0f2022-05-11 15:23:59 -070015inline void sendUnauthorized(std::string_view url,
16 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -070017 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -080018{
19 // If it's a browser connecting, don't send the HTTP authenticate
20 // header, to avoid possible CSRF attacks with basic auth
Ed Tanous4a0e1a02022-09-21 15:28:04 -070021 if (http_helpers::isContentTypeAllowed(
22 accept, http_helpers::ContentType::HTML, false /*allowWildcard*/))
Ed Tanousd4b6c662021-03-10 13:29:30 -080023 {
24 // If we have a webui installed, redirect to that login page
25 if (hasWebuiRoute)
26 {
Ed Tanousc51a58e2023-03-27 14:43:19 -070027 boost::urls::url forward = boost::urls::format("/?next={}#/login",
28 url);
Ed Tanousd4b6c662021-03-10 13:29:30 -080029 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -070030 res.addHeader(boost::beast::http::field::location,
Ed Tanousc51a58e2023-03-27 14:43:19 -070031 forward.buffer());
Ed Tanous347d1a12022-06-22 15:49:37 -070032 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -080033 }
Ed Tanous347d1a12022-06-22 15:49:37 -070034 // If we don't have a webui installed, just return an unauthorized
35 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -080036 res.result(boost::beast::http::status::unauthorized);
Ed Tanous347d1a12022-06-22 15:49:37 -070037 res.body() = "Unauthorized";
38 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -080039 }
Ed Tanous347d1a12022-06-22 15:49:37 -070040
41 res.result(boost::beast::http::status::unauthorized);
42
43 // XHR requests from a browser will set the X-Requested-With header when
44 // doing their requests, even though they might not be requesting html.
45 if (!xRequestedWith.empty())
46 {
47 return;
48 }
49 // if basic auth is disabled, don't propose it.
50 if (!persistent_data::SessionStore::getInstance()
51 .getAuthMethodsConfig()
52 .basic)
53 {
54 return;
55 }
Ed Tanousd9f6c622022-03-17 09:12:17 -070056 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -080057}
58} // namespace forward_unauthorized