Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 1 | #pragma once |
| 2 | #include <http_request.hpp> |
| 3 | #include <http_response.hpp> |
| 4 | #include <http_utility.hpp> |
| 5 | |
| 6 | namespace forward_unauthorized |
| 7 | { |
| 8 | |
Ed Tanous | 4f48d5f | 2021-06-21 08:27:45 -0700 | [diff] [blame] | 9 | static bool hasWebuiRoute = false; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 10 | |
Ed Tanous | c127a0f | 2022-05-11 15:23:59 -0700 | [diff] [blame] | 11 | inline void sendUnauthorized(std::string_view url, |
| 12 | std::string_view xRequestedWith, |
John Edward Broadbent | 59b98b2 | 2021-07-13 15:36:32 -0700 | [diff] [blame] | 13 | std::string_view accept, crow::Response& res) |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 14 | { |
| 15 | // If it's a browser connecting, don't send the HTTP authenticate |
| 16 | // header, to avoid possible CSRF attacks with basic auth |
John Edward Broadbent | 59b98b2 | 2021-07-13 15:36:32 -0700 | [diff] [blame] | 17 | if (http_helpers::requestPrefersHtml(accept)) |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 18 | { |
| 19 | // If we have a webui installed, redirect to that login page |
| 20 | if (hasWebuiRoute) |
| 21 | { |
| 22 | res.result(boost::beast::http::status::temporary_redirect); |
Ed Tanous | d9f6c62 | 2022-03-17 09:12:17 -0700 | [diff] [blame^] | 23 | res.addHeader(boost::beast::http::field::location, |
John Edward Broadbent | 59b98b2 | 2021-07-13 15:36:32 -0700 | [diff] [blame] | 24 | "/#/login?next=" + http_helpers::urlEncode(url)); |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 25 | return; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 26 | } |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 27 | // If we don't have a webui installed, just return an unauthorized |
| 28 | // body |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 29 | res.result(boost::beast::http::status::unauthorized); |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 30 | res.body() = "Unauthorized"; |
| 31 | return; |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 32 | } |
Ed Tanous | 347d1a1 | 2022-06-22 15:49:37 -0700 | [diff] [blame] | 33 | |
| 34 | res.result(boost::beast::http::status::unauthorized); |
| 35 | |
| 36 | // XHR requests from a browser will set the X-Requested-With header when |
| 37 | // doing their requests, even though they might not be requesting html. |
| 38 | if (!xRequestedWith.empty()) |
| 39 | { |
| 40 | return; |
| 41 | } |
| 42 | // if basic auth is disabled, don't propose it. |
| 43 | if (!persistent_data::SessionStore::getInstance() |
| 44 | .getAuthMethodsConfig() |
| 45 | .basic) |
| 46 | { |
| 47 | return; |
| 48 | } |
Ed Tanous | d9f6c62 | 2022-03-17 09:12:17 -0700 | [diff] [blame^] | 49 | res.addHeader(boost::beast::http::field::www_authenticate, "Basic"); |
Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 50 | } |
| 51 | } // namespace forward_unauthorized |