path: root/src/webserver_main.cpp
authorJames Feist <james.feist@linux.intel.com>2020-04-03 20:58:55 +0300
committerJames Feist <james.feist@linux.intel.com>2020-07-16 04:02:55 +0300
commit3909dc82a003893812f598434d6c4558107afa28 (patch)
treeb5c39fbb7d66ad9134a4f0fcecaa12c9346c5752 /src/webserver_main.cpp
parente7808c93f01081ca12e1b4769691b5ae673f9017 (diff)
Rework Authorization flow
Currently we parse the whole message before authenticating, which gives an attacker the ability to upload a large image, or to keep a connection open for the maximum amount of time, more easily than it should be. This moves the authentication to the earliest point possible, and restricts unauthenticated users' timeouts and max upload sizes. It also makes it so that unauthenticated users cannot keep the connection alive forever by refusing to close the connection. Tested: - login/logout - firmware update - large POST when unauthenticated - timeouts when unauthenticated - slowhttptest Change-Id: Ifa02d8db04eac1821e8950eb85e71634a9e6d265 Signed-off-by: James Feist <james.feist@linux.intel.com>
Diffstat (limited to 'src/webserver_main.cpp')
-rw-r--r--src/webserver_main.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp
index 11e8e925a8..036db5479a 100644
--- a/src/webserver_main.cpp
+++ b/src/webserver_main.cpp
@@ -6,6 +6,7 @@
#include <dbus_singleton.hpp>
#include <image_upload.hpp>
#include <kvm_websocket.hpp>
+#include <login_routes.hpp>
#include <obmc_console.hpp>
#include <openbmc_dbus_rest.hpp>
@@ -21,7 +22,6 @@
#include <sdbusplus/server.hpp>
#include <security_headers_middleware.hpp>
#include <ssl_key_handler.hpp>
-#include <token_authorization_middleware.hpp>
#include <vm_websocket.hpp>
#include <webassets.hpp>
#include <webserver_common.hpp>
@@ -104,7 +104,7 @@ int main(int argc, char** argv)
crow::ibm_mc_lock::Lock::getInstance();
#endif
- crow::token_authorization::requestRoutes(app);
+ crow::login_routes::requestRoutes(app);
BMCWEB_LOG_INFO << "bmcweb (" << __DATE__ << ": " << __TIME__ << ')';
setupSocket(app);