Fix: prevent unauthorized access to OnBattery websockets

it turns out that authentication was never implemented on OpenDTU-OnBattery-specific websocket connections. found while applying tbnobody#2320
ranma · Sep 30, 2024 · 1812e6e · 1812e6e
1 parent 185ac36
commit 1812e6e
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 0 deletions.
diff --git a/include/WebApi_ws_Huawei.h b/include/WebApi_ws_Huawei.h
@@ -10,6 +10,7 @@ class WebApiWsHuaweiLiveClass {
 public:
     WebApiWsHuaweiLiveClass();
     void init(AsyncWebServer& server, Scheduler& scheduler);
+    void reload();
 
 private:
     void generateCommonJsonResponse(JsonVariant& root);
@@ -18,6 +19,7 @@ class WebApiWsHuaweiLiveClass {
 
     AsyncWebServer* _server;
     AsyncWebSocket _ws;
+    AuthenticationMiddleware _simpleDigestAuth;
 
     std::mutex _mutex;
 

diff --git a/include/WebApi_ws_battery.h b/include/WebApi_ws_battery.h
@@ -10,6 +10,7 @@ class WebApiWsBatteryLiveClass {
 public:
     WebApiWsBatteryLiveClass();
     void init(AsyncWebServer& server, Scheduler& scheduler);
+    void reload();
 
 private:
     void generateCommonJsonResponse(JsonVariant& root);
@@ -18,6 +19,7 @@ class WebApiWsBatteryLiveClass {
 
     AsyncWebServer* _server;
     AsyncWebSocket _ws;
+    AuthenticationMiddleware _simpleDigestAuth;
 
     uint32_t _lastUpdateCheck = 0;
     static constexpr uint16_t _responseSize = 1024 + 512;

diff --git a/include/WebApi_ws_vedirect_live.h b/include/WebApi_ws_vedirect_live.h
@@ -12,6 +12,7 @@ class WebApiWsVedirectLiveClass {
 public:
     WebApiWsVedirectLiveClass();
     void init(AsyncWebServer& server, Scheduler& scheduler);
+    void reload();
 
 private:
     void generateCommonJsonResponse(JsonVariant& root, bool fullUpdate);
@@ -22,6 +23,7 @@ class WebApiWsVedirectLiveClass {
 
     AsyncWebServer* _server;
     AsyncWebSocket _ws;
+    AuthenticationMiddleware _simpleDigestAuth;
 
     uint32_t _lastFullPublish = 0;
     uint32_t _lastPublish = 0;

diff --git a/src/WebApi.cpp b/src/WebApi.cpp
@@ -51,6 +51,9 @@ void WebApiClass::reload()
 {
     _webApiWsConsole.reload();
     _webApiWsLive.reload();
+    _webApiWsBatteryLive.reload();
+    _webApiWsVedirectLive.reload();
+    _webApiWsHuaweiLive.reload();
 }
 
 bool WebApiClass::checkCredentials(AsyncWebServerRequest* request)

diff --git a/src/WebApi_ws_Huawei.cpp b/src/WebApi_ws_Huawei.cpp
@@ -42,6 +42,26 @@ void WebApiWsHuaweiLiveClass::init(AsyncWebServer& server, Scheduler& scheduler)
     _sendDataTask.setIterations(TASK_FOREVER);
     _sendDataTask.setInterval(1 * TASK_SECOND);
     _sendDataTask.enable();
+
+    _simpleDigestAuth.setUsername(AUTH_USERNAME);
+    _simpleDigestAuth.setRealm("AC charger websocket");
+
+    reload();
+}
+
+void WebApiWsHuaweiLiveClass::reload()
+{
+    _ws.removeMiddleware(&_simpleDigestAuth);
+
+    auto const& config = Configuration.get();
+
+    if (config.Security.AllowReadonly) { return; }
+
+    _ws.enable(false);
+    _simpleDigestAuth.setPassword(config.Security.Password);
+    _ws.addMiddleware(&_simpleDigestAuth);
+    _ws.closeAll();
+    _ws.enable(true);
 }
 
 void WebApiWsHuaweiLiveClass::wsCleanupTaskCb()

diff --git a/src/WebApi_ws_battery.cpp b/src/WebApi_ws_battery.cpp
@@ -42,6 +42,26 @@ void WebApiWsBatteryLiveClass::init(AsyncWebServer& server, Scheduler& scheduler
     _sendDataTask.setIterations(TASK_FOREVER);
     _sendDataTask.setInterval(1 * TASK_SECOND);
     _sendDataTask.enable();
+
+    _simpleDigestAuth.setUsername(AUTH_USERNAME);
+    _simpleDigestAuth.setRealm("battery websocket");
+
+    reload();
+}
+
+void WebApiWsBatteryLiveClass::reload()
+{
+    _ws.removeMiddleware(&_simpleDigestAuth);
+
+    auto const& config = Configuration.get();
+
+    if (config.Security.AllowReadonly) { return; }
+
+    _ws.enable(false);
+    _simpleDigestAuth.setPassword(config.Security.Password);
+    _ws.addMiddleware(&_simpleDigestAuth);
+    _ws.closeAll();
+    _ws.enable(true);
 }
 
 void WebApiWsBatteryLiveClass::wsCleanupTaskCb()

diff --git a/src/WebApi_ws_vedirect_live.cpp b/src/WebApi_ws_vedirect_live.cpp
@@ -44,6 +44,26 @@ void WebApiWsVedirectLiveClass::init(AsyncWebServer& server, Scheduler& schedule
     _sendDataTask.setIterations(TASK_FOREVER);
     _sendDataTask.setInterval(500 * TASK_MILLISECOND);
     _sendDataTask.enable();
+
+    _simpleDigestAuth.setUsername(AUTH_USERNAME);
+    _simpleDigestAuth.setRealm("vedirect websocket");
+
+    reload();
+}
+
+void WebApiWsVedirectLiveClass::reload()
+{
+    _ws.removeMiddleware(&_simpleDigestAuth);
+
+    auto const& config = Configuration.get();
+
+    if (config.Security.AllowReadonly) { return; }
+
+    _ws.enable(false);
+    _simpleDigestAuth.setPassword(config.Security.Password);
+    _ws.addMiddleware(&_simpleDigestAuth);
+    _ws.closeAll();
+    _ws.enable(true);
 }
 
 void WebApiWsVedirectLiveClass::wsCleanupTaskCb()