Apply patch from RaspAP/raspap-insiders#209

.gitignore

@@ -4,3 +4,4 @@ yarn-error.log
 *.swp
 includes/config.php
 rootCA.pem
+vendor

ajax/bandwidth/get_bandwidth.php

@@ -3,12 +3,6 @@
 require '../../includes/csrf.php';
 
 require_once '../../includes/config.php';
-require_once RASPI_CONFIG.'/raspap.php';
-
-header('X-Frame-Options: DENY');
-header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
-require_once '../../includes/authenticate.php';
-
 
 $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS);
 if (empty($interface)) {

app/lib/Auth.php

@@ -0,0 +1,136 @@
+<?php
+
+/**
+ * Authentication class
+ *
+ * @description Basic HTTP authentication class for RaspAP
+ * @author      Bill Zimmerman <billzimmerman@gmail.com>
+ * @license     https://github.com/raspap/raspap-webgui/blob/master/LICENSE
+ * @see         https://www.php.net/manual/en/features.http-auth.php
+ */
+
+declare(strict_types=1);
+
+namespace RaspAP\Authenticate;
+
+class HTTPAuth
+{
+
+    /**
+     * @var string $realm
+     */
+    public $realm = 'Authentication Required';
+
+    /**
+     * Stored login credentials
+     * @var array $auth_config
+     */
+    protected $auth_config;
+
+    /**
+     * Default login credentials
+     * @var array $auth_default
+     */
+    private $auth_default = array(
+        'admin_user' => 'admin',
+        'admin_pass' => '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i'
+    );
+
+    // Constructor
+    public function __construct()
+    {
+        $this->auth_config = $this->getAuthConfig();
+    }
+
+    /*
+     * Determines if user is logged in
+     * return boolean
+     */
+    public function isLogged()
+    {
+        return isset($_SESSION['user_id']);
+    }
+
+    /*
+     * Authenticate a user using HTTP basic auth
+     */
+    public function authenticate()
+    {
+        if (!$this->isLogged()) {
+            header('HTTP/1.0 401 Unauthorized');
+            header('WWW-Authenticate: Basic realm="'.$this->realm.'"');
+            if (function_exists('http_response_code')) {
+                // http_response_code will respond with proper HTTP version
+                http_response_code(401);
+            } else {
+                header('HTTP/1.0 401 Unauthorized');
+            }
+            exit('Not authorized'.PHP_EOL);
+        }
+    }
+
+    /*
+     * Attempt to login a user with supplied credentials
+     * @var string $user
+     * @var string $pass
+     * return boolean
+     */
+    public function login(string $user, string $pass)
+    {
+        if ($this->isValidCredentials($user, $pass)) {
+            $_SESSION['user_id'] = $user;
+            return true;
+        }
+        return false;
+    }
+
+    /*
+     * Gets the current authentication config
+     * return array $config
+     */
+    public function getAuthConfig()
+    {
+        $config = $this->auth_default;
+
+        if (file_exists(RASPI_CONFIG . '/raspap.auth')) {
+            if ($auth_details = fopen(RASPI_CONFIG . '/raspap.auth', 'r')) {
+                $config['admin_user'] = trim(fgets($auth_details));
+                $config['admin_pass'] = trim(fgets($auth_details));
+                fclose($auth_details);
+            }
+        }
+        return $config;
+    }
+
+    /*
+     * Validates a set of credentials
+     * @var string $user
+     * @var string $pass
+     * return boolean
+     */
+    protected function isValidCredentials(string $user, string $pass)
+    {
+        return $this->validateUser($user) && $this->validatePassword($pass);
+    }
+
+    /**
+     * Validates a user
+     *
+     * @param string $user
+     */
+    protected function validateUser(string $user)
+    {
+        return $user == $this->auth_config['admin_user'];
+    }
+
+    /**
+     * Validates a password
+     *
+     * @param string $pass
+     */
+    protected function validatePassword(string $pass)
+    {
+        return password_verify($pass, $this->auth_config['admin_pass']);
+    }
+
+}

includes/admin.php

@@ -2,9 +2,13 @@
 
 require_once 'includes/status_messages.php';
 
-function DisplayAuthConfig($username, $password)
+function DisplayAuthConfig($username)
 {
     $status = new StatusMessages();
+    $auth = new \RaspAP\Authenticate\HTTPAuth;
+    $config = $auth->getAuthConfig();
+    $password = $config['admin_pass'];
+
     if (isset($_POST['UpdateAdminPassword'])) {
         if (password_verify($_POST['oldpass'], $password)) {
             $new_username=trim($_POST['username']);
@@ -33,5 +37,10 @@ function DisplayAuthConfig($username, $password)
         }
     }
 
-    echo renderTemplate("admin", compact("status", "username"));
+    echo renderTemplate(
+        "admin", compact(
+            "status",
+            "username"
+        )
+    );
 }

includes/authenticate.php

@@ -1,22 +1,16 @@
 <?php
-$user = $_SERVER['PHP_AUTH_USER'] ?? "";
-$pass = $_SERVER['PHP_AUTH_PW'] ?? "";
-
-require_once RASPI_CONFIG.'/raspap.php';
-$config = getConfig();
 
 if (RASPI_AUTH_ENABLED) {
-    $validated = ($user == $config['admin_user']) && password_verify($pass, $config['admin_pass']);
-    if (!$validated) {
-        header('WWW-Authenticate: Basic realm="RaspAP"');
-        if (function_exists('http_response_code')) {
-            // http_response_code will respond with proper HTTP version back.
-            http_response_code(401);
+    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
+    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
+
+    $auth = new \RaspAP\Authenticate\HTTPAuth;
+
+    if (!$auth->isLogged()) {
+        if ($auth->login($user, $pass)) {
+            $config = $auth->getAuthConfig();
         } else {
-            header('HTTP/1.0 401 Unauthorized');
+            $auth->authenticate();
         }
-        exit('Not authorized'.PHP_EOL);
     }