Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / refs/heads/master / . / include / forward_unauthorized.hpp
blob: 3891077532c131d2d5d1988590ec4e849c9dcc95 [file] [log] [blame]
Ed Tanous40e9b922024-09-10 13:50:16 -0700[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
2// SPDX-FileCopyrightText: Copyright OpenBMC Authors
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]3#pragma once
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]4#include "http_response.hpp"
5#include "http_utility.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]6#include "sessions.hpp"
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]7
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]8#include <boost/beast/http/field.hpp>
9#include <boost/beast/http/status.hpp>
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]10#include <boost/url/format.hpp>
11#include <boost/url/url.hpp>
12
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]13#include <string_view>
14
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]15namespace forward_unauthorized
16{
17
Myung Bae834d99b2025-08-03 11:33:43 -0500[diff] [blame]18inline bool& hasWebuiRoute()
19{
20 static bool webuiRoute = false;
21 return webuiRoute;
22}
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]23
Ed Tanousc127a0f2022-05-11 15:23:59 -0700[diff] [blame]24inline void sendUnauthorized(std::string_view url,
25 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]26 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]27{
28 // If it's a browser connecting, don't send the HTTP authenticate
29 // header, to avoid possible CSRF attacks with basic auth
Ed Tanous4a0e1a02022-09-21 15:28:04 -0700[diff] [blame]30 if (http_helpers::isContentTypeAllowed(
31 accept, http_helpers::ContentType::HTML, false /*allowWildcard*/))
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]32 {
33 // If we have a webui installed, redirect to that login page
Myung Bae834d99b2025-08-03 11:33:43 -0500[diff] [blame]34 if (hasWebuiRoute())
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]35 {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]36 boost::urls::url forward =
37 boost::urls::format("/?next={}#/login", url);
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]38 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]39 res.addHeader(boost::beast::http::field::location,
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]40 forward.buffer());
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]41 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]42 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]43 // If we don't have a webui installed, just return an unauthorized
44 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]45 res.result(boost::beast::http::status::unauthorized);
Ed Tanous27b0cf92023-08-07 12:02:40 -0700[diff] [blame]46 res.write(
47 "No authentication provided, and no login UI present to forward to.");
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]48 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]49 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]50
51 res.result(boost::beast::http::status::unauthorized);
52
53 // XHR requests from a browser will set the X-Requested-With header when
54 // doing their requests, even though they might not be requesting html.
55 if (!xRequestedWith.empty())
56 {
57 return;
58 }
59 // if basic auth is disabled, don't propose it.
60 if (!persistent_data::SessionStore::getInstance()
61 .getAuthMethodsConfig()
62 .basic)
63 {
64 return;
65 }
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]66 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]67}
68} // namespace forward_unauthorized