Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / d125652e8a30dfeaad88bbfa5b1e04a80610469c / . / include / forward_unauthorized.hpp
blob: 89146024c3f70acced62dda854c9195caf2ef814 [file] [log] [blame]
Ed Tanous40e9b922024-09-10 13:50:16 -0700[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
2// SPDX-FileCopyrightText: Copyright OpenBMC Authors
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]3#pragma once
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]4#include "http_response.hpp"
5#include "http_utility.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]6#include "sessions.hpp"
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]7
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]8#include <boost/beast/http/field.hpp>
9#include <boost/beast/http/status.hpp>
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]10#include <boost/url/format.hpp>
11#include <boost/url/url.hpp>
12
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]13#include <string_view>
14
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]15namespace forward_unauthorized
16{
17
Ed Tanouscf9e4172022-12-21 09:30:16 -0800[diff] [blame]18// NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables)
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]19static bool hasWebuiRoute = false;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]20
Ed Tanousc127a0f2022-05-11 15:23:59 -0700[diff] [blame]21inline void sendUnauthorized(std::string_view url,
22 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]23 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]24{
25 // If it's a browser connecting, don't send the HTTP authenticate
26 // header, to avoid possible CSRF attacks with basic auth
Ed Tanous4a0e1a02022-09-21 15:28:04 -0700[diff] [blame]27 if (http_helpers::isContentTypeAllowed(
28 accept, http_helpers::ContentType::HTML, false /*allowWildcard*/))
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]29 {
30 // If we have a webui installed, redirect to that login page
31 if (hasWebuiRoute)
32 {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]33 boost::urls::url forward =
34 boost::urls::format("/?next={}#/login", url);
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]35 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]36 res.addHeader(boost::beast::http::field::location,
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]37 forward.buffer());
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]38 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]39 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]40 // If we don't have a webui installed, just return an unauthorized
41 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]42 res.result(boost::beast::http::status::unauthorized);
Ed Tanous27b0cf92023-08-07 12:02:40 -0700[diff] [blame]43 res.write(
44 "No authentication provided, and no login UI present to forward to.");
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]45 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]46 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]47
48 res.result(boost::beast::http::status::unauthorized);
49
50 // XHR requests from a browser will set the X-Requested-With header when
51 // doing their requests, even though they might not be requesting html.
52 if (!xRequestedWith.empty())
53 {
54 return;
55 }
56 // if basic auth is disabled, don't propose it.
57 if (!persistent_data::SessionStore::getInstance()
58 .getAuthMethodsConfig()
59 .basic)
60 {
61 return;
62 }
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]63 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]64}
65} // namespace forward_unauthorized