void WebApplication::action_public_login()
{
    const Preferences* const pref = Preferences::instance();

    // The submitted password is reduced to an MD5 hex digest so it can be
    // compared against the digest held in the preferences.
    // NOTE(review): the digest is computed from toLocal8Bit() while every
    // comparison below uses toUtf8(); for non-ASCII passwords these encodings
    // can differ — confirm which encoding the stored digest was produced from.
    QCryptographicHash hasher(QCryptographicHash::Md5);
    hasher.addData(request().posts["password"].toLocal8Bit());
    const QString passwordDigest = hasher.result().toHex();
    const QString token = request().posts["token"];

    // Both slowEquals() calls (intended as constant-time comparisons) are
    // always evaluated, so response timing does not depend on whether the
    // username alone matched.
    const bool usernameMatches = Utils::String::slowEquals(request().posts["username"].toUtf8(), pref->getWebUiUsername().toUtf8());
    const bool passwordMatches = Utils::String::slowEquals(passwordDigest.toUtf8(), pref->getWebUiPassword().toUtf8());
    const bool credentialsOk = usernameMatches && passwordMatches;

    // A previously issued authentication token is accepted as an alternative
    // to the username/password pair.
    const bool tokenOk = pref->isAuthenticationTokenValid(token);

    if (!(tokenOk || credentialsOk)) {
        // Failed login: count it (feeds the IP ban logic) and answer tersely.
        const QString clientAddr = env().clientAddress.toString();
        increaseFailedAttempts();
        qDebug("client IP: %s (%d failed attempts)", qPrintable(clientAddr), failedAttempts());
        print(QByteArray("Fails."), Http::CONTENT_TYPE_TXT);
        return;
    }

    sessionStart(token);
    print(QByteArray("Ok."), Http::CONTENT_TYPE_TXT);
}
AbstractRequestHandler::AbstractRequestHandler(const HttpRequest &request, const HttpEnvironment &env, WebApplication *app)
    : app_(app)
    , session_(nullptr)
    , request_(request)
    , env_(env)
{
    // Attach to an existing session if the request carries one; when there is
    // none and this handler does not require authentication, open a fresh one.
    sessionInitialize();
    const bool openAnonymousSession = !(sessionActive() || isAuthNeeded());
    if (openAnonymousSession)
        sessionStart();
}
Http::Response AbstractWebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
{
    session_ = nullptr;
    request_ = request;
    env_ = env;

    clear();  // start from an empty response

    // Defensive response headers, emitted before any early exit so that every
    // reply (including the error replies below) carries them.
    header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");      // clickjacking: no framing by other origins
    header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
    header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");  // no MIME sniffing of responses
    // NOTE(review): script-src still permits 'unsafe-inline', which weakens
    // the CSP as an XSS mitigation; tightening it needs the UI to drop inline scripts.
    header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");

    // Cross-site requests are refused before any session handling happens.
    if (isCrossSiteRequest(request_)) {
        status(401, "Unauthorized");
        return response();
    }

    sessionInitialize();
    if (!(sessionActive() || isAuthNeeded()))
        sessionStart();

    if (isBanned()) {
        status(403, "Forbidden");
        print(QObject::tr("Your IP address has been banned after too many failed authentication attempts."), Http::CONTENT_TYPE_TXT);
        return response();
    }

    doProcessRequest();
    return response();
}
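Http::Response AbstractWebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
{
    session_ = 0;
    request_ = request;
    env_ = env;

    clear(); // clear response

    // Defensive response headers, matching the set the sibling overload of this
    // function emits. They are set before any early exit so every reply
    // carries them: no framing by other origins (clickjacking), legacy browser
    // XSS filter enabled, no MIME sniffing, and a restrictive CSP.
    header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
    header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
    header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
    header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");

    // Refuse cross-site requests before any session is initialized or started,
    // so a request forged from another origin never reaches the handlers.
    if (isCrossSiteRequest(request_)) {
        status(401, "Unauthorized");
        return response();
    }

    sessionInitialize();
    if (!sessionActive() && !isAuthNeeded())
        sessionStart();

    if (isBanned()) {
        // Too many failed authentication attempts from this client address.
        status(403, "Forbidden");
        print(QObject::tr("Your IP address has been banned after too many failed authentication attempts."), Http::CONTENT_TYPE_TXT);
        return response();
    }

    processRequest();
    return response();
}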
void WebApplication::action_public_login()
{
    const Preferences* const pref = Preferences::instance();

    // Reduce the submitted password to an MD5 hex digest for comparison with
    // the digest held in the preferences.
    // NOTE(review): the digest is computed from toLocal8Bit() while the
    // comparisons use toUtf8(); for non-ASCII passwords these encodings can
    // differ — confirm which encoding the stored digest was produced from.
    QCryptographicHash hasher(QCryptographicHash::Md5);
    hasher.addData(request().posts["password"].toLocal8Bit());
    const QString passwordDigest = hasher.result().toHex();

    // Both slowEquals() calls (intended as constant-time comparisons) are
    // always evaluated, so response timing does not depend on whether the
    // username alone matched.
    const bool usernameMatches = Utils::String::slowEquals(request().posts["username"].toUtf8(), pref->getWebUiUsername().toUtf8());
    const bool passwordMatches = Utils::String::slowEquals(passwordDigest.toUtf8(), pref->getWebUiPassword().toUtf8());

    if (!(usernameMatches && passwordMatches)) {
        // Failed login: count it (feeds the IP ban logic) and answer tersely.
        const QString clientAddr = env().clientAddress.toString();
        increaseFailedAttempts();
        qDebug("client IP: %s (%d failed attempts)", qPrintable(clientAddr), failedAttempts());
        print(QByteArray("Fails."), Http::CONTENT_TYPE_TXT);
        return;
    }

    sessionStart();
    print(QByteArray("Ok."), Http::CONTENT_TYPE_TXT);
}