From 4f1965fbaa6690d2de477d4d2de2512f77d10e2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Kristan?= Date: Sat, 23 Nov 2024 11:24:03 +0100 Subject: [PATCH 1/4] Add ability to configure settings PIN at compile time --- wled00/wled.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/wled00/wled.h b/wled00/wled.h index 2b3a77d24..45d9dd5da 100644 --- a/wled00/wled.h +++ b/wled00/wled.h @@ -214,6 +214,10 @@ using PSRAMDynamicJsonDocument = BasicJsonDocument; #define WLED_AP_PASS DEFAULT_AP_PASS #endif +#ifndef WLED_PIN + #define WLED_PIN "" +#endif + #ifndef SPIFFS_EDITOR_AIRCOOOKIE #error You are not using the Aircoookie fork of the ESPAsyncWebserver library.\ Using upstream puts your WiFi password at risk of being served by the filesystem.\ @@ -556,10 +560,10 @@ WLED_GLOBAL byte macroLongPress[WLED_MAX_BUTTONS] _INIT({0}); WLED_GLOBAL byte macroDoublePress[WLED_MAX_BUTTONS] _INIT({0}); // Security CONFIG -WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks -WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled -WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on -WLED_GLOBAL char settingsPIN[5] _INIT(""); // PIN for settings pages +WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks +WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled +WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on +WLED_GLOBAL char settingsPIN[5] _INIT(WLED_PIN); // PIN for settings pages WLED_GLOBAL bool correctPIN _INIT(true); WLED_GLOBAL unsigned long lastEditTime _INIT(0); From 855e6061631df03ee297eba900d60230bbbc6e9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Kristan?= Date: Sun, 24 Nov 2024 17:17:17 +0100 Subject: [PATCH 2/4] Fix 1st use --- wled00/wled.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wled00/wled.h b/wled00/wled.h index 45d9dd5da..62c3a3f09 100644 --- a/wled00/wled.h +++ b/wled00/wled.h @@ -564,7 +564,7 @@ WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updat WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on WLED_GLOBAL char settingsPIN[5] _INIT(WLED_PIN); // PIN for settings pages -WLED_GLOBAL bool correctPIN _INIT(true); +WLED_GLOBAL bool correctPIN _INIT(!strlen(settingsPIN)); WLED_GLOBAL unsigned long lastEditTime _INIT(0); WLED_GLOBAL uint16_t userVar0 _INIT(0), userVar1 _INIT(0); //available for use in usermod From 2c583c3071926a15411efa1349e1a3916e6572fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Kristan?= Date: Mon, 25 Nov 2024 22:56:22 +0100 Subject: [PATCH 3/4] Allow editing WiFi settings --- wled00/wled_server.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/wled00/wled_server.cpp b/wled00/wled_server.cpp index e8cbb41ae..6dac16ab4 100644 --- a/wled00/wled_server.cpp +++ b/wled00/wled_server.cpp @@ -567,13 +567,14 @@ void serveSettings(AsyncWebServerRequest* request, bool post) { //else if (url.indexOf("/edit") >= 0) subPage = 10; else subPage = SUBPAGE_WELCOME; - if (!correctPIN && strlen(settingsPIN) > 0 && (subPage > 0 && subPage < 11)) { + bool pinRequired = !correctPIN && strlen(settingsPIN) > 0 && (subPage > (WLED_WIFI_CONFIGURED ? SUBPAGE_MENU : SUBPAGE_WIFI) && subPage < SUBPAGE_LOCK); + if (pinRequired) { originalSubPage = subPage; subPage = SUBPAGE_PINREQ; // require PIN } // if OTA locked or too frequent PIN entry requests fail hard - if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN)) + if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && pinRequired && millis()-lastEditTime < PIN_RETRY_COOLDOWN)) { serveMessage(request, 401, FPSTR(s_accessdenied), FPSTR(s_unlock_ota), 254); return; } @@ -609,7 +610,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post) { if (!s2[0]) strcpy_P(s2, s_redirecting); bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot)); - serveMessage(request, (correctPIN ? 200 : 401), s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3)); + serveMessage(request, (!pinRequired ? 200 : 401), s, s2, redirectAfter9s ? 129 : (!pinRequired ? 1 : 3)); return; } } From 7236589037a9c987cf75874398507cdcb2f2050e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Kristan?= Date: Mon, 25 Nov 2024 22:57:21 +0100 Subject: [PATCH 4/4] Allow pre-compiled OTA password --- wled00/wled.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/wled00/wled.h b/wled00/wled.h index 62c3a3f09..74719a6f2 100644 --- a/wled00/wled.h +++ b/wled00/wled.h @@ -278,7 +278,11 @@ WLED_GLOBAL char releaseString[] _INIT(TOSTRING(WLED_RELEASE_NAME)); // somehow // AP and OTA default passwords (for maximum security change them!) WLED_GLOBAL char apPass[65] _INIT(WLED_AP_PASS); +#ifdef WLED_OTA_PASS +WLED_GLOBAL char otaPass[33] _INIT(WLED_OTA_PASS); +#else WLED_GLOBAL char otaPass[33] _INIT(DEFAULT_OTA_PASS); +#endif // Hardware and pin config #ifndef BTNPIN @@ -560,7 +564,11 @@ WLED_GLOBAL byte macroLongPress[WLED_MAX_BUTTONS] _INIT({0}); WLED_GLOBAL byte macroDoublePress[WLED_MAX_BUTTONS] _INIT({0}); // Security CONFIG +#ifdef WLED_OTA_PASS +WLED_GLOBAL bool otaLock _INIT(true); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks +#else WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks +#endif WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on WLED_GLOBAL char settingsPIN[5] _INIT(WLED_PIN); // PIN for settings pages