added user system

firmware/v3/web-server/api.ino

@@ -7,14 +7,14 @@
 */
 
 /* Utilities Functions */
-String GetPara(AsyncWebServerRequest * request, String key) {
+String GetPara(AsyncWebServerRequest *request, String key) {
   if (request->hasParam(key)) {
     return request->getParam(key)->value();
   }
   return "";
 }
 
-void SendErrorResp(AsyncWebServerRequest * r, String errorMessage) {
+void SendErrorResp(AsyncWebServerRequest *r, String errorMessage) {
   //Parse the error message into json
   StaticJsonDocument<200> jsonDocument;
   JsonObject root = jsonDocument.to<JsonObject>();
@@ -26,7 +26,7 @@ void SendErrorResp(AsyncWebServerRequest * r, String errorMessage) {
   r->send(200, "application/json", jsonString);
 }
 
-void SendJsonResp(AsyncWebServerRequest * r, String jsonString) {
+void SendJsonResp(AsyncWebServerRequest *r, String jsonString) {
   r->send(200, "application/json", jsonString);
 }
 
@@ -89,7 +89,7 @@ void HandleLogin(AsyncWebServerRequest *r) {
     AsyncWebServerResponse *response = r->beginResponse(200, "application/json", "\"ok\"");
     response->addHeader("Server", mdnsName);
     response->addHeader("Cache-Control", "no-cache");
-    response->addHeader("Set-Cookie",  "web-auth=" + cookieId + "; Path=/; Expires=" + expireUTC + "; Max-Age=604800");
+    response->addHeader("Set-Cookie", "web-auth=" + cookieId + "; Path=/; Expires=" + expireUTC + "; Max-Age=604800");
 
     //Save the cookie id
     DBWrite("auth", "cookie", cookieId);
@@ -99,6 +99,29 @@ void HandleLogin(AsyncWebServerRequest *r) {
     r->send(response);
 
     Serial.println(username + " logged in");
+    return;
+  } else if (UserCheckAuth(username, password)) {
+    //User Login. Generate a session for this user
+    String cookieId = GeneratedRandomHex();
+    Serial.print("Generating new cookie ID ");
+    Serial.println(cookieId);
+
+    String expireUTC = getUTCTimeString(getTime() + 604800);
+    Serial.print("Generating expire UTC timestamp ");
+    Serial.println(expireUTC);
+
+    AsyncWebServerResponse *response = r->beginResponse(200, "application/json", "\"ok\"");
+    response->addHeader("Server", mdnsName);
+    response->addHeader("Cache-Control", "no-cache");
+    response->addHeader("Set-Cookie", "web-auth=" + cookieId + "; Path=/; Expires=" + expireUTC + "; Max-Age=604800");
+
+    //Save the cookie id
+    DBWrite("sess", cookieId, username);
+    //Return login succ
+    r->send(response);
+
+    Serial.println(username + " logged in");
+    return;
   } else {
     SendErrorResp(r, "invalid username or password");
     return;
@@ -114,16 +137,27 @@ void HandleLogout(AsyncWebServerRequest *r) {
     return;
   }
 
+  //Delete the server side cookie
+  if (IsAdmin(r)) {
+    DBRemove("auth", "cookie");
+    authSession = "";
+  } else {
+    //Get the session from user
+    String authCookie = GetCookieValueByKey(r, "web-auth");
+    if (authCookie == "") {
+      SendErrorResp(r, "unknown error: unable to read cookie from header");
+      return;
+    }
+    //Remove the session map
+    DBRemove("sess", authCookie);
+  }
+
   //Remove the cookie on client side
   AsyncWebServerResponse *response = r->beginResponse(200, "application/json", "\"ok\"");
   response->addHeader("Server", mdnsName);
   response->addHeader("Cache-Control", "no-cache");
-  response->addHeader("Set-Cookie",  "web-auth=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT");
+  response->addHeader("Set-Cookie", "web-auth=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT");
   r->send(response);
-
-  //Delete the server side cookie
-  DBRemove("auth", "cookie");
-  authSession = "";
 }
 
 /* File System Functions */
@@ -154,7 +188,6 @@ void HandleListDir(AsyncWebServerRequest *r) {
           } else {
             firstObject = false;
           }
-
         }
 
         String isDirString = "true";
@@ -304,7 +337,6 @@ void HandleFileDownload(AsyncWebServerRequest *r) {
     //Download
     r->send(SDFS, "/www" + targetFile, "application/octet-stream", false);
   }
-
 }
 
 //Get the file / folder properties
@@ -400,8 +432,10 @@ void HandleLoadPref(AsyncWebServerRequest *r) {
 /* Handle System Info */
 void HandleLoadSpaceInfo(AsyncWebServerRequest *r) {
   String jsonResp = "{\
-    \"diskSpace\":" + String(getSDCardTotalSpace()) + ",\
-    \"usedSpace\": " + String(getSDCardUsedSpace()) + "\
+    \"diskSpace\":" + String(getSDCardTotalSpace())
+                    + ",\
+    \"usedSpace\": " + String(getSDCardUsedSpace())
+                    + "\
   }";
 
   SendJsonResp(r, jsonResp);

firmware/v3/web-server/kvdb.ino

@@ -27,7 +27,8 @@ String DBCleanInput(const String& inputString) {
 void DBInit() {
   DBNewTable("auth");
   DBNewTable("pref");
-  DBNewTable("user");
+  DBNewTable("user"); //User Store
+  DBNewTable("sess"); //Session Store
 }
 
 //Create a new Database table

firmware/v3/web-server/server.ino

@@ -118,6 +118,12 @@ void initWebServer() {
   server.on("/api/auth/login", HTTP_POST, HandleLogin);
   server.on("/api/auth/logout", HTTP_GET, HandleLogout);
 
+  /* User System Functions */
+  server.on("/api/user/new", HTTP_POST, HandleNewUser);
+  server.on("/api/user/chpw", HTTP_POST, HandleUserChangePassword);
+  server.on("/api/user/del", HTTP_POST, HandleRemoveUser);
+  server.on("/api/user/list", HTTP_GET, HandleUserList);
+
   /* File System Functions */
   server.on("/api/fs/list", HTTP_GET, HandleListDir);
   server.on("/api/fs/del", HTTP_POST, HandleFileDel);

firmware/v3/web-server/users.ino

@@ -5,6 +5,48 @@
 
 */
 
+//Check if a user login is valid by username and password
+bool UserCheckAuth(String username, String password) {
+  username.trim();
+  password.trim();
+  //Load user info from db
+  if (!DBKeyExists("user", username)) {
+    return false;
+  }
+
+  String userHashedPassword = DBRead("user", username);  //User hashed password from kvdb
+  String enteredHashedPassword = sha1(password);         //Entered hashed password
+  return userHashedPassword.equals(enteredHashedPassword);
+}
+
+//Get the username from the request, return empty string if unable to resolve
+String GetUsernameFromRequest(AsyncWebServerRequest *r) {
+  if (r->hasHeader("Cookie")) {
+    //User cookie from browser
+    String authCookie = GetCookieValueByKey(r, "web-auth");
+    if (authCookie == "") {
+      return "";
+    }
+
+    //Check if this is admin login
+    if (authCookie.equals(authSession)) {
+      return adminUsername;
+    }
+
+    //Check if user login
+    if (DBKeyExists("sess", authCookie)) {
+      //Return the username of this session
+      return DBRead("sess", authCookie);
+    }
+
+    //Not found
+    return "";
+  }
+
+  //This user have no cookie in header
+  return "";
+}
+
 //Create new user, creator must be admin
 void HandleNewUser(AsyncWebServerRequest *r) {
   if (!IsAdmin(r)) {
@@ -67,5 +109,91 @@ void HandleRemoveUser(AsyncWebServerRequest *r) {
 
 //Admin or the user themselve change password for the account
 void HandleUserChangePassword(AsyncWebServerRequest *r) {
-  
+  //Get requesting username
+  if (!IsUserAuthed(r)) {
+    SendErrorResp(r, "user not logged in");
+    return;
+  }
+
+  String currentUser = GetUsernameFromRequest(r);
+  if (currentUser == "") {
+    SendErrorResp(r, "unable to load user from system");
+    return;
+  }
+
+  //Check if the user can change password
+  //note that admin password cannot be changed on-the-fly
+  //admin password can only be changed in SD card config file
+  String modifyingUsername = GetPara(r, "username");
+  String newPassword = GetPara(r, "newpw");
+  modifyingUsername.trim();
+  newPassword.trim();
+
+  if (modifyingUsername == adminUsername) {
+    SendErrorResp(r, "admin username can only be changed in the config file");
+    return;
+  }
+  if (currentUser == adminUsername || modifyingUsername == currentUser) {
+    //Allow modify
+    if (newPassword.length() < 8) {
+      SendErrorResp(r, "password must contain at least 8 characters");
+      return;
+    }
+
+    //Write to database
+    bool succ = DBWrite("user", modifyingUsername, sha1(newPassword));
+    if (!succ) {
+      SendErrorResp(r, "write new user to database failed");
+      return;
+    }
+    SendOK(r);
+
+  } else {
+    SendErrorResp(r, "permission denied");
+    return;
+  }
+
+  SendOK(r);
+}
+
+
+//Remove the given username from the system
+void HandleUserList(AsyncWebServerRequest *r) {
+  if (!IsAdmin(r)) {
+    SendErrorResp(r, "this function require admin permission");
+    return;
+  }
+
+  //Build the json with brute force
+  String jsonString = "[";
+  //As the DB do not support list, it directly access the root of the folder where the kvdb stores the entries
+  File root = SD.open(DB_root + "user/");
+  bool firstObject = true;
+  if (root) {
+    while (true) {
+      File entry = root.openNextFile();
+      if (!entry) {
+        // No more files
+        break;
+      } else {
+        //There are more lines. Add a , to the end of the previous json object
+        if (!firstObject) {
+          jsonString = jsonString + ",";
+        } else {
+          firstObject = false;
+        }
+
+        //Filter out all the directory if any
+        if (entry.isDirectory()) {
+          continue;
+        }
+
+        //Append to the JSON line
+        jsonString = jsonString + "{\"Username\":\"" + entry.name() + "\"}";
+      }
+    }
+  }
+  jsonString += "]";
+
+  r->send(200, "application/json", "\"OK\"");
 }

firmware/v3/web-server/web-server.ino

@@ -46,7 +46,6 @@ String adminUsername = "";
 String adminPassword = "";
 String mdnsName = "webstick";
 String authSession = ""; //Session key for admin
-String userSessions = ""; //Session keys for users
 
 /* Time Keeping */
 WiFiUDP ntpUDP;