From a4c5dcd67a7cdf8d35ec9b664b64cd542725468a Mon Sep 17 00:00:00 2001
From: rudolfkoenig <>
Date: Sun, 3 Jan 2016 13:54:44 +0000
Subject: [PATCH] 96_allowed.pm: basicAuthExpiry patch by viegener (Forum
#46380)
git-svn-id: https://svn.fhem.de/fhem/trunk@10347 2b470e98-0d58-463d-a4d8-8e2adae1ed80
---
fhem/FHEM/01_FHEMWEB.pm | 6 +++++-
fhem/FHEM/96_allowed.pm | 46 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/fhem/FHEM/01_FHEMWEB.pm b/fhem/FHEM/01_FHEMWEB.pm
index eab9bfaf1..4ec70a74c 100755
--- a/fhem/FHEM/01_FHEMWEB.pm
+++ b/fhem/FHEM/01_FHEMWEB.pm
@@ -382,7 +382,11 @@ FW_Read($$)
} elsif($ret == 1) {
$FW_chash->{Authenticated} = 1; # ok
-
+ # Need to send set-cookie (if set) after succesful authentication
+ my $ah = $FW_chash->{".httpAuthHeader"};
+ $FW_headerlines .= $ah if($ah);
+ delete $FW_chash->{".httpAuthHeader"};
+
} else {
my $ah = $FW_chash->{".httpAuthHeader"};
TcpServer_WriteBlocking($hash,
diff --git a/fhem/FHEM/96_allowed.pm b/fhem/FHEM/96_allowed.pm
index 979f0a867..d069f1596 100755
--- a/fhem/FHEM/96_allowed.pm
+++ b/fhem/FHEM/96_allowed.pm
@@ -16,7 +16,8 @@ allowed_Initialize($)
$hash->{AuthenticateFn} = "allowed_Authenticate";
$hash->{AttrFn} = "allowed_Attr";
$hash->{AttrList} = "disable:0,1 validFor allowedCommands allowedDevices ".
- "basicAuth basicAuthMsg password globalpassword";
+ "basicAuth basicAuthMsg password globalpassword ".
+ "basicAuthExpiry";
$hash->{UndefFn} = "allowed_Undef";
}
@@ -90,6 +91,17 @@ allowed_Authenticate($$$$)
my $FW_httpheader = $param;
my $secret = $FW_httpheader->{Authorization};
$secret =~ s/^Basic //i if($secret);
+
+ # Check for Cookie in headers if no basicAuth header is set
+ my $authcookie;
+ if ( ( ! $secret ) && ( $FW_httpheader->{Cookie} ) ) {
+ if ( AttrVal($aName, "basicAuthExpiry", 0)) {
+ my $cookie = "; ".$FW_httpheader->{Cookie}.";";
+ $authcookie = $1 if ( $cookie =~ /; AuthToken=([^;]+);/ );
+ $secret = $authcookie;
+ }
+ }
+
my $pwok = ($secret && $secret eq $basicAuth); # Base64
if($secret && $basicAuth =~ m/^{.*}$/) {
eval "use MIME::Base64";
@@ -102,7 +114,27 @@ allowed_Authenticate($$$$)
Log3 $aName, 1, "basicAuth expression: $@" if($@);
}
}
-
+
+ # Add Cookie header ONLY if
+ # authentication with basic auth was succesful
+ # (meaning if no or wrong authcookie set)
+ if ( ( $pwok ) &&
+ ( ( ! defined($authcookie) ) || ( $secret ne $authcookie ) ) ) {
+ # no cookie set but authorization succesful
+ # check if cookie should be set --> Cookie Attribute != 0
+ my $time = int(AttrVal($aName, "basicAuthExpiry", 0));
+ if ( $time ) {
+ # time specified in days until next expiry (but timestamp is in seconds)
+ $time *= 86400;
+ $time += time();
+ # generate timestamp according to RFC-1130 in Expires
+ my $expires = "Expires=".FmtDateTimeRFC1123($time);
+ # set header with expiry
+ $cl->{".httpAuthHeader"} = "Set-Cookie: AuthToken=".$secret.
+ "; Path=/ ; ".$expires."\r\n" ;
+ }
+ }
+
return 1 if($pwok);
my $msg = AttrVal($aName, "basicAuthMsg", "FHEM: login required");
@@ -262,6 +294,16 @@ allowed_Attr(@)
+
+ basicAuthExpiry
+ allow the basicAuth to be kept valid for a given number of days.
+ So username/password as specified in basicAuth are only requested
+ after a certain period.
+ This is achieved by sending a cookie to the browser that will expire
+ after the given period.
+ Only valid if basicAuth is set.
+
+
password
Specify a password for telnet instances, which has to be entered as the