make HTTP Update Server more secure (#2104)

* make HTTP Update Server more secure * added option for authentication * added option to change the url for upload * move to overloaded setup * remove delay in both examples * Get better result responses * fix strings interesting, the meta did not refresh if the successResponse is put in "R"
2025-06-15 00:02:49 +03:00 · 2016-06-07 05:09:05 +03:00
parent 32bd42b028
commit a7ced9cabb
4 changed files with 94 additions and 14 deletions
--- a/libraries/ESP8266HTTPUpdateServer/src/ESP8266HTTPUpdateServer.cpp
+++ b/libraries/ESP8266HTTPUpdateServer/src/ESP8266HTTPUpdateServer.cpp
@ -7,34 +7,41 @@


 const char* ESP8266HTTPUpdateServer::_serverIndex =
-R"(<html><body><form method='POST' action='/update' enctype='multipart/form-data'>
+R"(<html><body><form method='POST' action='' enctype='multipart/form-data'>
                  <input type='file' name='update'>
                  <input type='submit' value='Update'>
               </form>
         </body></html>)";
+const char* ESP8266HTTPUpdateServer::_failedResponse = R"(Update Failed!)";
+const char* ESP8266HTTPUpdateServer::_successResponse = "<META http-equiv=\"refresh\" content=\"15;URL=\">Update Success! Rebooting...";

 ESP8266HTTPUpdateServer::ESP8266HTTPUpdateServer(bool serial_debug)
 {
  _serial_output = serial_debug;
  _server = NULL;
+  _username = NULL;
+  _password = NULL;
+  _authenticated = false;
 }

-void ESP8266HTTPUpdateServer::setup(ESP8266WebServer *server)
+void ESP8266HTTPUpdateServer::setup(ESP8266WebServer *server, const char * path, const char * username, const char * password)
 {
    _server = server;
+    _username = (char *)username;
+    _password = (char *)password;

    // handler for the /update form page
-    _server->on("/update", HTTP_GET, [&](){
-      _server->sendHeader("Connection", "close");
-      _server->sendHeader("Access-Control-Allow-Origin", "*");
+    _server->on(path, HTTP_GET, [&](){
+      if(_username != NULL && _password != NULL && !_server->authenticate(_username, _password))
+        return _server->requestAuthentication();
      _server->send(200, "text/html", _serverIndex);
    });

    // handler for the /update form POST (once file upload finishes)
-    _server->on("/update", HTTP_POST, [&](){
-      _server->sendHeader("Connection", "close");
-      _server->sendHeader("Access-Control-Allow-Origin", "*");
-      _server->send(200, "text/html", (Update.hasError())?"FAIL":"<META http-equiv=\"refresh\" content=\"15;URL=/update\">OK");
+    _server->on(path, HTTP_POST, [&](){
+      if(!_authenticated)
+        return _server->requestAuthentication();
+      _server->send(200, "text/html", Update.hasError() ? _failedResponse : _successResponse);
      ESP.restart();
    },[&](){
      // handler for the file upload, get's the sketch bytes, and writes
@ -43,6 +50,14 @@ void ESP8266HTTPUpdateServer::setup(ESP8266WebServer *server)
      if(upload.status == UPLOAD_FILE_START){
        if (_serial_output)
          Serial.setDebugOutput(true);
+
+        _authenticated = (_username == NULL || _password == NULL || _server->authenticate(_username, _password));
+        if(!_authenticated){
+          if (_serial_output)
+            Serial.printf("Unauthenticated Update\n");
+          return;
+        }
+
        WiFiUDP::stopAll();
        if (_serial_output)
          Serial.printf("Update: %s\n", upload.filename.c_str());
@ -50,20 +65,20 @@ void ESP8266HTTPUpdateServer::setup(ESP8266WebServer *server)
        if(!Update.begin(maxSketchSpace)){//start with max available size
          if (_serial_output) Update.printError(Serial);
        }
-      } else if(upload.status == UPLOAD_FILE_WRITE){
+      } else if(_authenticated && upload.status == UPLOAD_FILE_WRITE){
        if (_serial_output) Serial.printf(".");
        if(Update.write(upload.buf, upload.currentSize) != upload.currentSize){
          if (_serial_output) Update.printError(Serial);

        }
-      } else if(upload.status == UPLOAD_FILE_END){
+      } else if(_authenticated && upload.status == UPLOAD_FILE_END){
        if(Update.end(true)){ //true to set the size to the current progress
          if (_serial_output) Serial.printf("Update Success: %u\nRebooting...\n", upload.totalSize);
        } else {
          if (_serial_output) Update.printError(Serial);
        }
        if (_serial_output) Serial.setDebugOutput(false);
-      } else if(upload.status == UPLOAD_FILE_ABORTED){
+      } else if(_authenticated && upload.status == UPLOAD_FILE_ABORTED){
        Update.end();
        if (_serial_output) Serial.println("Update was aborted");
      }
--- a/libraries/ESP8266HTTPUpdateServer/src/ESP8266HTTPUpdateServer.h
+++ b/libraries/ESP8266HTTPUpdateServer/src/ESP8266HTTPUpdateServer.h
@ -9,9 +9,30 @@ class ESP8266HTTPUpdateServer
    bool _serial_output;
    ESP8266WebServer *_server;
    static const char *_serverIndex;
+    static const char *_failedResponse;
+    static const char *_successResponse;
+    char * _username;
+    char * _password;
+    bool _authenticated;
  public:
    ESP8266HTTPUpdateServer(bool serial_debug=false);
-    void setup(ESP8266WebServer *server=NULL);
+
+    void setup(ESP8266WebServer *server)
+    {
+      setup(server, NULL, NULL);
+    }
+
+    void setup(ESP8266WebServer *server, const char * path)
+    {
+      setup(server, path, NULL, NULL);
+    }
+
+    void setup(ESP8266WebServer *server, const char * username, const char * password)
+    {
+      setup(server, "/update", username, password);
+    }
+
+    void setup(ESP8266WebServer *server, const char * path, const char * username, const char * password);
 };