From a4ff5a2f7506e18567c39a17d6395bdb2c9a6437 Mon Sep 17 00:00:00 2001
From: Djuri Baars
Date: Tue, 3 Sep 2024 01:36:44 +0200
Subject: [PATCH] Add WebUI authentication
---
 data | 2 +-
 src/lib/defaults.hpp | 6 +++++-
 src/lib/webserver.cpp | 48 ++++++++++++++++++++++++++++++++++++-------
 3 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/data b/data
index 2c7f7f6..34b09a2 160000
--- a/data
+++ b/data
@@ -1 +1 @@
-Subproject commit 2c7f7f667ccb10271db072a4b4e6bf8fd4912f2b
+Subproject commit 34b09a2d1134d48d7733a3d11a9e6f3f15d080a9
diff --git a/src/lib/defaults.hpp b/src/lib/defaults.hpp
index 8e16eb8..ac95653 100644
--- a/src/lib/defaults.hpp
+++ b/src/lib/defaults.hpp
@@ -54,4 +54,8 @@
 #define DEFAULT_BITAXE_HOSTNAME "bitaxe1"
 #define DEFAULT_ZAP_NOTIFY_ENABLED false
-#define DEFAULT_ZAP_NOTIFY_PUBKEY "b5127a08cf33616274800a4387881a9f98e04b9c37116e92de5250498635c422"
\ No newline at end of file
+#define DEFAULT_ZAP_NOTIFY_PUBKEY "b5127a08cf33616274800a4387881a9f98e04b9c37116e92de5250498635c422"
+
+#define DEFAULT_HTTP_AUTH_ENABLED false
+#define DEFAULT_HTTP_AUTH_USERNAME "btclock"
+#define DEFAULT_HTTP_AUTH_PASSWORD "satoshi"
\ No newline at end of file
diff --git a/src/lib/webserver.cpp b/src/lib/webserver.cpp
index 352983d..f735877 100644
--- a/src/lib/webserver.cpp
+++ b/src/lib/webserver.cpp
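Review bot: `DEFAULT_HTTP_AUTH_PASSWORD "satoshi"` in src/lib/defaults.hpp gives every device the same compiled-in password, and the webserver.cpp hunks fall back to it whenever `httpAuthPass` has never been stored. A user who only switches `httpAuthEnabled` on is then protected by a credential that is published with the source. Consider leaving the password without a usable default, for example `#define DEFAULT_HTTP_AUTH_PASSWORD ""` combined with a rule that authentication cannot be enabled while the stored password is empty, or deriving a per-device value on first boot.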
@@ -10,14 +10,23 @@ void setupWebserver() {
 client->send("welcome", NULL, millis(), 1000);
 });
 server.addHandler(&events);
+ // server.ad.
 // server.serveStatic("/css", LittleFS, "/css/");
- server.serveStatic("/fonts", LittleFS, "/fonts/");
- server.serveStatic("/build", LittleFS, "/build");
- server.serveStatic("/swagger.json", LittleFS, "/swagger.json");
- server.serveStatic("/api.html", LittleFS, "/api.html");
- server.serveStatic("/fs_hash.txt", LittleFS, "/fs_hash.txt");
+ // server.serveStatic("/fonts", LittleFS, "/fonts/");
+ // server.serveStatic("/build", LittleFS, "/build");
+ // server.serveStatic("/swagger.json", LittleFS, "/swagger.json");
+ // server.serveStatic("/api.html", LittleFS, "/api.html");
+ // server.serveStatic("/fs_hash.txt", LittleFS, "/fs_hash.txt");
- server.on("/", HTTP_GET, onIndex);
+ AsyncStaticWebHandler &staticHandler = server.serveStatic("/", LittleFS, "/").setDefaultFile("index.html");
+
+ if (preferences.getBool("httpAuthEnabled", DEFAULT_HTTP_AUTH_ENABLED))
+ {
+ staticHandler.setAuthentication(
+ preferences.getString("httpAuthUser", DEFAULT_HTTP_AUTH_USERNAME),
+ preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD));
+ }
+ // server.on("/", HTTP_GET, onIndex);
 server.on("/api/status", HTTP_GET, onApiStatus);
 server.on("/api/system_status", HTTP_GET, onApiSystemStatus);
@@ -437,6 +446,15 @@ void onApiShowTextAdvanced(AsyncWebServerRequest *request, JsonVariant &json)
 void onApiSettingsPatch(AsyncWebServerRequest *request, JsonVariant &json)
 {
+ if (
+ preferences.getBool("httpAuthEnabled", DEFAULT_HTTP_AUTH_ENABLED) &&
+ !request->authenticate(
+ preferences.getString("httpAuthUser", DEFAULT_HTTP_AUTH_USERNAME).c_str(),
+ preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD).c_str()))
+ {
+ return request->requestAuthentication();
+ }
+
 JsonObject settings = json.as();
 bool settingsChanged = true;
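Review bot: `server.serveStatic("/", LittleFS, "/")` publishes the whole LittleFS root instead of the handful of paths listed before, so any file later written to that filesystem becomes downloadable, and with `httpAuthEnabled` at its default of false nothing gates it. The `setAuthentication` call also runs once inside setupWebserver(), so a later change to `httpAuthEnabled`, `httpAuthUser` or `httpAuthPass` presumably does not reach the static handler until the server is set up again; a comment such as `// credentials are read once here; changing them takes effect after a restart` would make that explicit. The `/api/status` and `/api/system_status` routes registered just below receive no check in this patch, which is worth confirming as intended. The stray `// server.ad.` and the commented-out `serveStatic` lines are better deleted than kept. setupWebserver() continues outside the hunk.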
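Review bot: The credential check added at the top of onApiSettingsPatch() is repeated verbatim in onApiSettingsGet() (the hunk at -587) and appears a third time in another form in setupWebserver(), which makes it easy for the next protected route to get a slightly different check or none at all. A single file-local helper that each handler calls first keeps the preference keys and defaults in one place and gives one spot to document the policy. Both handler bodies continue outside their hunks, so only the guard is shown at the call site.

```cpp
// Returns true when the request may proceed; otherwise the request has
// already been answered with an authentication challenge.
static bool ensureAuthenticated(AsyncWebServerRequest *request)
{
  if (!preferences.getBool("httpAuthEnabled", DEFAULT_HTTP_AUTH_ENABLED))
    return true;

  const String user = preferences.getString("httpAuthUser", DEFAULT_HTTP_AUTH_USERNAME);
  const String pass = preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD);
  if (request->authenticate(user.c_str(), pass.c_str()))
    return true;

  request->requestAuthentication();
  return false;
}

void onApiSettingsPatch(AsyncWebServerRequest *request, JsonVariant &json)
{
  if (!ensureAuthenticated(request))
    return;
  // … unchanged: settings parsing and persistence …
```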
@@ -502,7 +520,10 @@ void onApiSettingsPatch(AsyncWebServerRequest *request, JsonVariant &json)
 String boolSettings[] = {"fetchEurPrice", "ledTestOnPower", "ledFlashOnUpd", "mdnsEnabled", "otaEnabled", "stealFocus", "mcapBigChar", "useSatsSymbol", "useBlkCountdown",
- "suffixPrice", "disableLeds", "ownDataSource", "flAlwaysOn", "flDisable", "flFlashOnUpd", "mempoolSecure", "useNostr", "bitaxeEnabled", "nostrZapNotify", "stagingSource"};
+ "suffixPrice", "disableLeds", "ownDataSource",
+ "flAlwaysOn", "flDisable", "flFlashOnUpd",
+ "mempoolSecure", "useNostr", "bitaxeEnabled",
+ "nostrZapNotify", "stagingSource", "httpAuthEnabled"};
 for (String setting : boolSettings)
 {
@@ -587,6 +608,15 @@ void onApiIdentify(AsyncWebServerRequest *request)
 */
 void onApiSettingsGet(AsyncWebServerRequest *request)
 {
+ if (
+ preferences.getBool("httpAuthEnabled", DEFAULT_HTTP_AUTH_ENABLED) &&
+ !request->authenticate(
+ preferences.getString("httpAuthUser", DEFAULT_HTTP_AUTH_USERNAME).c_str(),
+ preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD).c_str()))
+ {
+ return request->requestAuthentication();
+ }
+
 JsonDocument root;
 root["numScreens"] = NUM_SCREENS;
 root["fgColor"] = getFgColor();
@@ -633,6 +663,10 @@ void onApiSettingsGet(AsyncWebServerRequest *request)
 root["bitaxeEnabled"] = preferences.getBool("bitaxeEnabled", DEFAULT_BITAXE_ENABLED);
 root["bitaxeHostname"] = preferences.getString("bitaxeHostname", DEFAULT_BITAXE_HOSTNAME);
+ root["httpAuthEnabled"] = preferences.getBool("httpAuthEnabled", DEFAULT_HTTP_AUTH_ENABLED);
+ root["httpAuthUser"] = preferences.getString("httpAuthUser", DEFAULT_HTTP_AUTH_USERNAME);
+ root["httpAuthPass"] = preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD);
+
 #ifdef HAS_FRONTLIGHT
 root["hasFrontlight"] = true;
 root["flDisable"] = preferences.getBool("flDisable", DEFAULT_DISABLE_FL);
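Review bot: Adding `"httpAuthEnabled"` to `boolSettings` lets a PATCH switch authentication on, but no hunk in this patch adds `httpAuthUser` or `httpAuthPass` to a list of writable settings. Unless the handler already accepts those keys elsewhere (not visible here), the compiled-in defaults are the only credentials that can ever be in effect. Confirm both keys are writable, and consider rejecting `httpAuthEnabled = true` while `httpAuthPass` is unset or still equal to `DEFAULT_HTTP_AUTH_PASSWORD`. The loop that consumes `boolSettings` lies outside the hunk.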
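Review bot: `root["httpAuthPass"] = preferences.getString("httpAuthPass", DEFAULT_HTTP_AUTH_PASSWORD);` in the last hunk sends the stored password back in clear text on every GET of the settings. While `httpAuthEnabled` is false, which is the default, the guard added at the top of onApiSettingsGet() lets every request through, so any client that can reach the device can read a password the owner may have set in advance or reuse elsewhere. Treat the password as write-only: drop that line and, if the UI needs to know whether one is configured, return only a flag such as `root["httpAuthPassSet"] = preferences.isKey("httpAuthPass");` (assuming `preferences` is the Arduino-ESP32 Preferences object). The function starts and ends outside this hunk.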