feat(webui / rest api): Add basic HTTP authentication for WebUI + REST API #197

Merged
merged 7 commits into from
Dec 23, 2024

Conversation

Slider0007
Owner

@Slider0007 Slider0007 commented Dec 21, 2024

Add Basic HTTP authentication scheme for WebUI and REST API endpoints

⚠️ Security Considerations

  • Only the basic access authentication scheme over the unencrypted HTTP protocol is implemented.
  • The basic authentication scheme is not a secure method of user authentication, nor does it in any way protect the entity, which is transmitted in cleartext (only Base64 encoded, not encrypted or hashed) across the physical network used as the carrier.
  • All data (including security-related data, e.g. the password) are transmitted unencrypted (HTTP only, no HTTPS).
  • Access is granted not only to the WebUI, but also to every REST API endpoint, because they are protected with the same mechanism and linked to the same account.

Configuration

The authentication for WebUI and REST API needs to be configured via WebUI: Settings > Configuration > Section 'WebUI' > Authentication or during initial setup procedure (Initial Setup Wizard).

Default Configuration

Authentication disabled (Opt-In feature, not breaking anything; may change in newer releases)

WebUI Security

The authentication process is handled using the web browser's default solution (built-in basic authentication popup). After authentication has succeeded, the browser caches the credentials for the requested domain / realm. As long as you keep browsing the same domain / security area, no further authentication is required; the cached authentication data is used instead. This cache is usually cleared by e.g. closing the browser.

REST API Endpoint Security

Usage

  1. Include the Authorization header in the REST API endpoint request
    • Header value: Basic concatenated with the Base64-encoded USERNAME:PASSWORD, e.g. Basic abcdefghijklnm=
  2. http://{USERNAME}:{PASSWORD}@{IP-ADDRESS}/{REST API Endpoint}, e.g. http://username:password@192.168.4.1/info

Endpoint Response

If authorization is enabled and the Authorization header is missing or the authorization is rejected, the system responds with status 401 Unauthorized. Check the REST API response message for more details / the rejection reason.


Further adaptations

  • Handle cross-origin access globally (e.g. required for the HTML development environment)
  • Handle the parameter tooltip style globally in param_tooltip.css (the style is already used in 3 files)

Usage statistics

Before (based on ESP32):
RAM: [= ] 14.3% (used 46972 bytes from 327680 bytes)
Flash: [========= ] 87.9% (used 1710949 bytes from 1945600 bytes)

After:
RAM: [= ] 14.4% (used 47116 bytes from 327680 bytes)
Flash: [========= ] 88.1% (used 1713489 bytes from 1945600 bytes)


Authentication implementation is derived/inspired from jomjol#2241. Thanks to @crasu for the template.
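The server-side half of the scheme described above (parse the `Authorization: Basic …` header, Base64-decode it, compare against the configured account and answer 401 with a `WWW-Authenticate` challenge otherwise), written here as an added example in plain C; it is not the project's own code and does not use ESP-IDF APIs. The function names (`check_basic_auth`, `build_401_response`), the `auth_result_t` enum and the realm string are assumptions chosen for this example; the credentials in `main` are constructed sample values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_OK = 0, AUTH_MISSING, AUTH_MALFORMED, AUTH_REJECTED } auth_result_t;

/* Map one Base64 alphabet character to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict Base64 decoder: length must be a multiple of 4, '=' only at the end.
 * Returns the decoded length or -1 on malformed input / insufficient buffer. */
static int b64_decode(const char *in, unsigned char *out, size_t out_cap) {
    size_t len = strlen(in), n = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            if (c == '=') {
                if (i + 4 != len || j < 2) return -1;   /* padding only in last quad, pos 2/3 */
                v[j] = 0; pad++;
            } else {
                if (pad) return -1;                     /* data after padding */
                v[j] = b64_val(c);
                if (v[j] < 0) return -1;
            }
        }
        if (n + (size_t)(3 - pad) > out_cap) return -1;
        out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[n++] = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
        if (pad < 1) out[n++] = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
    }
    return (int)n;
}

/* Constant-time string equality: no early exit on the first mismatching byte.
 * (The length difference is still observable; the secret is the content.) */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* header: value of the request's Authorization header, or NULL if the header is absent. */
auth_result_t check_basic_auth(const char *header, const char *expected_user, const char *expected_pass) {
    if (header == NULL) return AUTH_MISSING;
    const char *scheme = "basic ";                      /* scheme token is case-insensitive */
    for (size_t i = 0; scheme[i]; i++)
        if (tolower((unsigned char)header[i]) != scheme[i]) return AUTH_MALFORMED;
    unsigned char buf[256];
    int n = b64_decode(header + strlen(scheme), buf, sizeof buf - 1);
    if (n < 0 || memchr(buf, '\0', (size_t)n) != NULL) return AUTH_MALFORMED;
    buf[n] = '\0';
    char *colon = strchr((char *)buf, ':');             /* credentials are "user:password" */
    if (colon == NULL) return AUTH_MALFORMED;
    *colon = '\0';
    /* Evaluate both comparisons unconditionally so the result does not hint which part failed. */
    int ok_user = ct_equal((const char *)buf, expected_user);
    int ok_pass = ct_equal(colon + 1, expected_pass);
    return (ok_user & ok_pass) ? AUTH_OK : AUTH_REJECTED;
}

/* Build the 401 response with a Basic challenge; the body carries the rejection reason
 * so an API client can see why it was refused. Returns the number of characters written. */
int build_401_response(char *resp, size_t cap, const char *realm, auth_result_t why) {
    const char *reason = why == AUTH_MISSING   ? "Authorization header missing"
                       : why == AUTH_MALFORMED ? "Authorization header malformed"
                       :                         "Invalid credentials";
    return snprintf(resp, cap,
                    "HTTP/1.1 401 Unauthorized\r\n"
                    "WWW-Authenticate: Basic realm=\"%s\", charset=\"UTF-8\"\r\n"
                    "Content-Type: text/plain\r\n\r\n%s\n", realm, reason);
}

int main(void) {
    /* Constructed sample: Base64 of "username:password". */
    const char *hdr = "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";
    char resp[256];
    auth_result_t r = check_basic_auth(hdr, "username", "password");
    printf("valid header   -> %d (0 = AUTH_OK)\n", r);
    r = check_basic_auth(hdr, "username", "other-password");
    build_401_response(resp, sizeof resp, "WebUI", r);
    printf("wrong password -> %d\n%s", r, resp);
    return 0;
}
```

The decoder is deliberately strict (no whitespace, no missing padding, no data after `=`): a lenient decoder in front of an authentication check is where parsing ambiguities creep in. Note that, exactly as the PR description warns, nothing here hides the credentials on the wire; the check only decides whether a given header matches the configured account.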

@Slider0007 Slider0007 merged commit 232509d into develop Dec 23, 2024
10 checks passed
@Slider0007 Slider0007 deleted the auth branch December 23, 2024 09:33