Merge branch 'workaround_safari' into 0.2.x

Luke Dashjr 2025-03-19 03:34:23 +00:00
commit 37597c31e7
No known key found for this signature in database
GPG Key ID: A291A2C45D0C504A


@ -417,21 +417,38 @@ bool datum_api_check_admin_password_only(struct MHD_Connection * const connectio
return false; return false;
} }
static enum MHD_DigestAuthAlgorithm datum_api_pick_digest_algo(struct MHD_Connection * const connection, const bool nonce_is_stale) {
const char * const ua = MHD_lookup_connection_value(connection, MHD_HEADER_KIND, "User-Agent");
if (strstr(ua, "AppleWebKit/") && !(strstr(ua, "Chrome/") || strstr(ua, "Brave/") || strstr(ua, "Edge/"))) {
static bool safari_warned = false;
if (!(nonce_is_stale && safari_warned)) {
DLOG_WARN("Detected login request from Apple Safari. For some reason, this browser only supports obsolete and insecure MD5 digest authentication. Login at your own risk!");
safari_warned = true;
}
return MHD_DIGEST_ALG_MD5;
}
return MHD_DIGEST_ALG_SHA256;
}
bool datum_api_check_admin_password_httponly(struct MHD_Connection * const connection, const create_response_func_t auth_failure_response_creator) { bool datum_api_check_admin_password_httponly(struct MHD_Connection * const connection, const create_response_func_t auth_failure_response_creator) {
int ret; int ret;
char * const username = MHD_digest_auth_get_username(connection); char * const username = MHD_digest_auth_get_username(connection);
const char * const realm = "DATUM Gateway"; const char * const realm = "DATUM Gateway";
if (username) { if (username) {
ret = MHD_digest_auth_check2(connection, realm, username, datum_config.api_admin_password, 300, MHD_DIGEST_ALG_SHA256); ret = MHD_digest_auth_check2(connection, realm, username, datum_config.api_admin_password, 300, MHD_DIGEST_ALG_AUTO);
free(username); free(username);
} else { } else {
ret = MHD_NO; ret = MHD_NO;
} }
if (ret != MHD_YES) { if (ret != MHD_YES) {
const bool nonce_is_stale = (ret == MHD_INVALID_NONCE);
if (username && !nonce_is_stale) {
DLOG_DEBUG("Wrong password in HTTP authentication"); DLOG_DEBUG("Wrong password in HTTP authentication");
}
const enum MHD_DigestAuthAlgorithm algo = datum_api_pick_digest_algo(connection, nonce_is_stale);
struct MHD_Response * const response = auth_failure_response_creator(); struct MHD_Response * const response = auth_failure_response_creator();
ret = MHD_queue_auth_fail_response2(connection, realm, datum_config.api_csrf_token, response, (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO, MHD_DIGEST_ALG_SHA256); ret = MHD_queue_auth_fail_response2(connection, realm, datum_config.api_csrf_token, response, nonce_is_stale ? MHD_YES : MHD_NO, algo);
MHD_destroy_response(response); MHD_destroy_response(response);
return false; return false;
} }
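Review bot: In the new `datum_api_pick_digest_algo`, `ua` is passed straight to `strstr`, but `MHD_lookup_connection_value` returns NULL when the request carries no User-Agent header. A failed or absent login without that header therefore hits undefined behaviour (most likely a crash) before authentication has succeeded. Guard the lookup so headerless clients fall through to SHA-256: `if (ua && strstr(ua, "AppleWebKit/") && !(strstr(ua, "Chrome/") || strstr(ua, "Brave/") || strstr(ua, "Edge/"))) {`. Separately, the check now passes `MHD_DIGEST_ALG_AUTO`, so an MD5 response appears to be accepted from any client, not only those matched by the User-Agent test. A short comment above the `MHD_digest_auth_check2` call saying this is deliberate, and that the User-Agent only selects the algorithm offered in the challenge, would make that trade-off explicit.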