1 #pragma once 2 #include <http_request.hpp> 3 #include <http_response.hpp> 4 #include <http_utility.hpp> 5 6 namespace forward_unauthorized 7 { 8 9 bool hasWebuiRoute = false; 10 11 inline void sendUnauthorized(const crow::Request& req, crow::Response& res) 12 { 13 // If it's a browser connecting, don't send the HTTP authenticate 14 // header, to avoid possible CSRF attacks with basic auth 15 if (http_helpers::requestPrefersHtml(req)) 16 { 17 // If we have a webui installed, redirect to that login page 18 if (hasWebuiRoute) 19 { 20 res.result(boost::beast::http::status::temporary_redirect); 21 res.addHeader("Location", 22 "/#/login?next=" + http_helpers::urlEncode(req.url)); 23 } 24 else 25 { 26 // If we don't have a webui installed, just return a lame 27 // unauthorized body 28 res.result(boost::beast::http::status::unauthorized); 29 res.body() = "Unauthorized"; 30 } 31 } 32 else 33 { 34 res.result(boost::beast::http::status::unauthorized); 35 // only send the WWW-authenticate header if this isn't a xhr 36 // from the browser. Most scripts, tend to not set a user-agent header. 37 // So key off that to know whether or not we need to suggest basic auth 38 if (req.getHeaderValue("User-Agent").empty()) 39 { 40 res.addHeader("WWW-Authenticate", "Basic"); 41 } 42 } 43 } 44 } // namespace forward_unauthorized 45