| Ed Tanous | d4b6c66 | 2021-03-10 13:29:30 -0800 | [diff] [blame] | 1 | #pragma once |
| 2 | #include <http_request.hpp> |
| 3 | #include <http_response.hpp> |
| 4 | #include <http_utility.hpp> |
| 5 | |
| 6 | namespace forward_unauthorized |
| 7 | { |
| 8 | |
| 9 | bool hasWebuiRoute = false; |
| 10 | |
| 11 | inline void sendUnauthorized(const crow::Request& req, crow::Response& res) |
| 12 | { |
| 13 | // If it's a browser connecting, don't send the HTTP authenticate |
| 14 | // header, to avoid possible CSRF attacks with basic auth |
| 15 | if (http_helpers::requestPrefersHtml(req)) |
| 16 | { |
| 17 | // If we have a webui installed, redirect to that login page |
| 18 | if (hasWebuiRoute) |
| 19 | { |
| 20 | res.result(boost::beast::http::status::temporary_redirect); |
| 21 | res.addHeader("Location", |
| 22 | "/#/login?next=" + http_helpers::urlEncode(req.url)); |
| 23 | } |
| 24 | else |
| 25 | { |
| 26 | // If we don't have a webui installed, just return a lame |
| 27 | // unauthorized body |
| 28 | res.result(boost::beast::http::status::unauthorized); |
| 29 | res.body() = "Unauthorized"; |
| 30 | } |
| 31 | } |
| 32 | else |
| 33 | { |
| 34 | res.result(boost::beast::http::status::unauthorized); |
| 35 | // only send the WWW-authenticate header if this isn't a xhr |
| 36 | // from the browser. Most scripts, tend to not set a user-agent header. |
| 37 | // So key off that to know whether or not we need to suggest basic auth |
| 38 | if (req.getHeaderValue("User-Agent").empty()) |
| 39 | { |
| 40 | res.addHeader("WWW-Authenticate", "Basic"); |
| 41 | } |
| 42 | } |
| 43 | } |
| 44 | } // namespace forward_unauthorized |