path: root/include/forward_unauthorized.hpp
#pragma once
#include <http_request.hpp>
#include <http_response.hpp>
#include <http_utility.hpp>

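namespace forward_unauthorized
{

// Set elsewhere (by whatever registers the webui route) to signal that a login
// page exists to send browsers to.  Declared `inline` (C++17) so this header
// can be included from more than one translation unit without producing a
// duplicate definition of the flag.
// NOTE(review): read on every rejected request; assumed to be written once at
// startup before requests are served — confirm there is no concurrent write.
inline bool hasWebuiRoute = false;

/// Fill in @p res with the "not authenticated" reply appropriate for @p req.
///
/// Clients that prefer HTML (http_helpers::requestPrefersHtml) never receive a
/// WWW-Authenticate challenge: a browser that has answered a Basic challenge
/// caches the credentials and attaches them to later requests to the same
/// origin, including ones initiated by a third-party page, which would make
/// basic auth a CSRF vector.  Such clients are instead redirected to the webui
/// login page when one is installed, or handed a plain 401 body otherwise.
///
/// All other clients get a 401; the Basic challenge is added only when the
/// request carries no User-Agent header, the heuristic used here for "a script
/// rather than an XHR issued by a browser".  This is a hint, not a security
/// boundary: a client that does set User-Agent simply does not get the hint.
///
/// @param req the rejected request; its URL is echoed into the login redirect
///            after passing through http_helpers::urlEncode.
/// @param res the response to populate; status, headers and body are set here.
inline void sendUnauthorized(const crow::Request& req, crow::Response& res)
{
    if (http_helpers::requestPrefersHtml(req))
    {
        if (hasWebuiRoute)
        {
            // Redirect into the SPA login route, carrying the originally
            // requested URL so the UI can return to it after authentication.
            res.result(boost::beast::http::status::temporary_redirect);
            res.addHeader("Location",
                          "/#/login?next=" + http_helpers::urlEncode(req.url));
        }
        else
        {
            // No webui installed: a bare 401 with a minimal body, still
            // deliberately without a WWW-Authenticate header.
            res.result(boost::beast::http::status::unauthorized);
            res.body() = "Unauthorized";
        }
        return;
    }

    res.result(boost::beast::http::status::unauthorized);
    // Only suggest basic auth to clients that look like scripts: most scripts
    // omit User-Agent, whereas browsers (and XHRs from them) always send one.
    if (req.getHeaderValue("User-Agent").empty())
    {
        res.addHeader("WWW-Authenticate", "Basic");
    }
}
} // namespace forward_unauthorized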