Tweaks after testing against docs and latest Library tree

Author: dirkx

libraries/WebServer/examples/HttpAuthCallbackInline/HttpAuthCallbackInline.ino

@@ -35,28 +35,32 @@ void setup() {
 
   server.on("/", []() {
     if (!server.authenticate([](HTTPAuthMethod mode, String username, String params[]) -> String * {
-        // Scan the password list for the username and return the password.
-        //
-        for (credentials_t * entry = passwdfile; entry->username; entry++) {
-            if (username == entry->username)
-                return new String(entry->password);
-        return NULL;
-      }))
-      {
-        server.requestAuthentication();
-        return;
-      }
-      server.send(200, "text/plain", "Login OK");
-    });
-    server.begin();
-
-    Serial.print("Open http://");
-    Serial.print(WiFi.localIP());
-    Serial.println("/ in your browser to see it working");
-  }
+      // Scan the password list for the username and return the password if
+      // we find the username.
+      //
+      for (credentials_t * entry = passwdfile; entry->username; entry++) {
+        if (username == entry->username) {
+          return new String(entry->password);
+        };
+      };
+      // we've not found the user in the list.
+      return NULL;
+    }))
+    {
+      server.requestAuthentication();
+      return;
+    }
+    server.send(200, "text/plain", "Login OK");
+  });
+  server.begin();
+
+  Serial.print("Open http://");
+  Serial.print(WiFi.localIP());
+  Serial.println("/ in your browser to see it working");
+}
 
-  void loop() {
-    ArduinoOTA.handle();
-    server.handleClient();
-    delay(2);//allow the cpu to switch to other tasks
-  }
+void loop() {
+  ArduinoOTA.handle();
+  server.handleClient();
+  delay(2);//allow the cpu to switch to other tasks
+}

libraries/WebServer/examples/HttpAuthOneTimePassword/HttpAuthOneTimePassword.ino

@@ -4,11 +4,17 @@
 #include <WebServer.h>
 #include <lwip/apps/sntp.h>
 
-// https://github.com/dirkx/Arduino-Base32-Decode
+// https://github.com/dirkx/Arduino-Base32-Decode or simply from
+// Sketch->Include Library->Library manager and search for
+// "Base32-Decode".
+//
 #include <Base32-Decode.h>
 
-// https://github.com/dirkx/Arduino-TOTP-RFC6238-generator
-#include <TOTP-generator.hpp>
+// https://github.com/dirkx/Arduino-TOTP-RFC6238-generator or simply from
+// Sketch->Include Library->Library manager and search for
+// "TOTP-RC6236-generator".
+//
+#include <TOTP-RC6236-generator.hpp>
 
 #include <mbedtls/md.h> // for the hmac/ cookie
 
@@ -123,10 +129,10 @@ String * checkOTP(HTTPAuthMethod mode, String username, String params[]) {
   //          people their typical clocks.
   //
   for (int i = -2 ; i <= 2; i++) {
-    String * otp = TOTP::currentOTP(*seed); //, time(NULL) + i * TOTP::RFC6238_DEFAULT_interval);
+    String * otp = TOTP::currentOTP(time(NULL) + i * TOTP::RFC6238_DEFAULT_interval, *seed);
 
     if (!params[0].startsWith(*otp))
-      next;
+      continue;
 
     // Issue 3) Use proper 2FA/MFA - and insist the user types the token followed by the password
     //
@@ -212,4 +218,4 @@ void loop() {
 
     delete otp;
   }
-}
+}

libraries/WebServer/examples/HttpAuthOneTimePasswordNaive/HttpAuthOneTimePasswordNaive.ino

@@ -4,11 +4,17 @@
 #include <WebServer.h>
 #include <lwip/apps/sntp.h>
 
-// https://github.com/dirkx/Arduino-Base32-Decode
+// https://github.com/dirkx/Arduino-Base32-Decode or simply from
+// Sketch->Include Library->Library manager and search for
+// "Base32-Decode".
+//
 #include <Base32-Decode.h>
 
-// https://github.com/dirkx/Arduino-TOTP-RFC6238-generator
-#include <TOTP-generator.hpp>
+// https://github.com/dirkx/Arduino-TOTP-RFC6238-generator or simply from
+// Sketch->Include Library->Library manager and search for
+// "TOTP-RC6236-generator".
+//
+#include <TOTP-RC6236-generator.hpp>
 
 // Naive RFC 6238 one time password; with a couple of possibly flawed
 // assumptionms:
@@ -82,7 +88,7 @@ void setup() {
   server.on("/", []() {
     if (!server.authenticate([](HTTPAuthMethod mode, String username, String params[]) -> String * {
     if (username == demouser) 
-        return otp = TOTP::currentOTP(seed);
+        return TOTP::currentOTP(seed);
       return NULL;
     }))
     {

libraries/WebServer/examples/HttpBasicAuthSHA1orBearerToken/HttpBasicAuthSHA1orBearerToken.ino

@@ -0,0 +1,106 @@
+#include <WiFi.h>
+#include <ESPmDNS.h>
+#include <ArduinoOTA.h>
+#include <WebServer.h>
+#include "mbedtls/sha1.h"
+#include "sodium/utils.h"
+
+
+/// We have two options - we either come in with a bearer
+// token - i.e. a special header or API token; or we
+// get a normal HTTP style basic auth prompt.
+//
+// To do a bearer fetch - use something like Swagger or with curl:
+//
+//    curl https://myesp.com/  -H "Authorization: Bearer SecritToken"
+//
+// We avoid hardcoding this "SecritToken" into the code by
+// using a SHA1 instead (which is not paricularly secure).
+
+// Create the secet token SHA1 with:
+//        echo -n SecritToken | openssl sha1
+//
+String secret_token_hex = "d2cce6b472959484a21c3194080c609b8a2c910b";
+
+// Wifi credentials
+//
+const char* ssid = "........";
+const char* password = "........";
+
+WebServer server(80);
+
+// Rather than specify the admin password as plaintext; we
+// provide it as an (unsalted!) SHA1 hash. This is not
+// much more secure (SHA1 is past its retirement age,
+// and long obsolte/insecure) - but it helps a little.
+
+// The sha1 of 'esp32' (without the trailing \0) expressed as 20
+// bytes of hex. Created by for example 'echo -n esp32 | openssl sha1'
+// or http://www.sha1-online.com.
+//
+const char* www_username_hex = "hexadmin";
+const char* www_password_hex = "8cb124f8c277c16ec0b2ee00569fd151a08e342b";
+
+// The same; but now expressed as a base64 string (e.g. as commonly used
+// by webservers). Created by ` echo -n esp32 | openssl sha1 -binary | openssl base64`
+//
+const char* www_username_base64 = "base64admin";
+const char* www_password_base64 = "jLEk+MJ3wW7Asu4AVp/RUaCONCs=";
+
+String * check_bearer_or_auth(HTTPAuthMethod mode, String authReq, String params[]) {
+  // we expect authReq to be "bearer some-secret"
+  //
+  String lcAuthReq = authReq;
+  lcAuthReq.toLowerCase();
+  if (mode == OTHER_AUTH && (lcAuthReq.startsWith("bearer "))) {
+    String secret = authReq.substring(7);
+    secret.trim();
+
+    uint8_t sha1[20];
+    mbedtls_sha1((const uint8_t*) secret.c_str(), secret.length(), sha1);
+
+    char sha1calc[48]; // large enough for base64 and Hex represenation
+    sodium_bin2hex(sha1calc, sizeof(sha1calc), sha1, sizeof(sha1));
+
+    if (secret_token_hex.equalsConstantTime(sha1calc))
+      return new String("anything non null");
+  };
+
+  // that failed - so do a normal auth
+  //
+  return server.authenticateBasicSHA1(www_username_hex, www_password_hex) ?
+         new String(params[0]) : NULL;
+};
+
+void setup() {
+  Serial.begin(115200);
+  WiFi.mode(WIFI_STA);
+  WiFi.begin(ssid, password);
+  if (WiFi.waitForConnectResult() != WL_CONNECTED) {
+    Serial.println("WiFi Connect Failed! Rebooting...");
+    delay(1000);
+    ESP.restart();
+  }
+  ArduinoOTA.begin();
+
+  server.on("/", []() {
+    if (!server.authenticate(&check_bearer_or_auth)) {
+      Serial.println("No/failed authentication");
+      return server.requestAuthentication();
+    }
+    server.send(200, "text/plain", "Login okOK");
+    return;
+  });
+
+  server.begin();
+
+  Serial.print("Open http://");
+  Serial.print(WiFi.localIP());
+  Serial.println("/ in your browser to see it working");
+}
+
+void loop() {
+  ArduinoOTA.handle();
+  server.handleClient();
+  delay(2);//allow the cpu to switch to other tasks
+}

libraries/WebServer/src/WebServer.cpp

@@ -284,8 +284,11 @@ bool WebServer::authenticate(THandlerFunctionAuthCheck fn) {
 
     log_v("The Proper response=%s", _responsecheck.c_str());
     return _response == _responsecheck;
+  } else if (authReq.length()) {
+      String * ret = fn(OTHER_AUTH, authReq, {});
+      if (ret)
+         return true;
   }
-
 exf:
   authReq = "";
   return false;

libraries/WebServer/src/WebServer.h

@@ -33,7 +33,7 @@
 enum HTTPUploadStatus { UPLOAD_FILE_START, UPLOAD_FILE_WRITE, UPLOAD_FILE_END,
                         UPLOAD_FILE_ABORTED };
 enum HTTPClientStatus { HC_NONE, HC_WAIT_READ, HC_WAIT_CLOSE };
-enum HTTPAuthMethod { BASIC_AUTH, DIGEST_AUTH };
+enum HTTPAuthMethod { BASIC_AUTH, DIGEST_AUTH, OTHER_AUTH };
 
 #define HTTP_DOWNLOAD_UNIT_SIZE 1436