diff --git a/wled00/wled.h b/wled00/wled.h index 2b3a77d24b..74719a6f2f 100644 --- a/wled00/wled.h +++ b/wled00/wled.h @@ -214,6 +214,10 @@ using PSRAMDynamicJsonDocument = BasicJsonDocument; #define WLED_AP_PASS DEFAULT_AP_PASS #endif +#ifndef WLED_PIN + #define WLED_PIN "" +#endif + #ifndef SPIFFS_EDITOR_AIRCOOOKIE #error You are not using the Aircoookie fork of the ESPAsyncWebserver library.\ Using upstream puts your WiFi password at risk of being served by the filesystem.\ @@ -274,7 +278,11 @@ WLED_GLOBAL char releaseString[] _INIT(TOSTRING(WLED_RELEASE_NAME)); // somehow // AP and OTA default passwords (for maximum security change them!) WLED_GLOBAL char apPass[65] _INIT(WLED_AP_PASS); +#ifdef WLED_OTA_PASS +WLED_GLOBAL char otaPass[33] _INIT(WLED_OTA_PASS); +#else WLED_GLOBAL char otaPass[33] _INIT(DEFAULT_OTA_PASS); +#endif // Hardware and pin config #ifndef BTNPIN @@ -556,11 +564,15 @@ WLED_GLOBAL byte macroLongPress[WLED_MAX_BUTTONS] _INIT({0}); WLED_GLOBAL byte macroDoublePress[WLED_MAX_BUTTONS] _INIT({0}); // Security CONFIG -WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks -WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled -WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on -WLED_GLOBAL char settingsPIN[5] _INIT(""); // PIN for settings pages -WLED_GLOBAL bool correctPIN _INIT(true); +#ifdef WLED_OTA_PASS +WLED_GLOBAL bool otaLock _INIT(true); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks +#else +WLED_GLOBAL bool otaLock _INIT(false); // prevents OTA firmware updates without password. ALWAYS enable if system exposed to any public networks +#endif +WLED_GLOBAL bool wifiLock _INIT(false); // prevents access to WiFi settings when OTA lock is enabled +WLED_GLOBAL bool aOtaEnabled _INIT(true); // ArduinoOTA allows easy updates directly from the IDE. Careful, it does not auto-disable when OTA lock is on +WLED_GLOBAL char settingsPIN[5] _INIT(WLED_PIN); // PIN for settings pages +WLED_GLOBAL bool correctPIN _INIT(!strlen(settingsPIN)); WLED_GLOBAL unsigned long lastEditTime _INIT(0); WLED_GLOBAL uint16_t userVar0 _INIT(0), userVar1 _INIT(0); //available for use in usermod diff --git a/wled00/wled_server.cpp b/wled00/wled_server.cpp index e8cbb41ae5..6dac16ab4c 100644 --- a/wled00/wled_server.cpp +++ b/wled00/wled_server.cpp @@ -567,13 +567,14 @@ void serveSettings(AsyncWebServerRequest* request, bool post) { //else if (url.indexOf("/edit") >= 0) subPage = 10; else subPage = SUBPAGE_WELCOME; - if (!correctPIN && strlen(settingsPIN) > 0 && (subPage > 0 && subPage < 11)) { + bool pinRequired = !correctPIN && strlen(settingsPIN) > 0 && (subPage > (WLED_WIFI_CONFIGURED ? SUBPAGE_MENU : SUBPAGE_WIFI) && subPage < SUBPAGE_LOCK); + if (pinRequired) { originalSubPage = subPage; subPage = SUBPAGE_PINREQ; // require PIN } // if OTA locked or too frequent PIN entry requests fail hard - if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && !correctPIN && millis()-lastEditTime < PIN_RETRY_COOLDOWN)) + if ((subPage == SUBPAGE_WIFI && wifiLock && otaLock) || (post && pinRequired && millis()-lastEditTime < PIN_RETRY_COOLDOWN)) { serveMessage(request, 401, FPSTR(s_accessdenied), FPSTR(s_unlock_ota), 254); return; } @@ -609,7 +610,7 @@ void serveSettings(AsyncWebServerRequest* request, bool post) { if (!s2[0]) strcpy_P(s2, s_redirecting); bool redirectAfter9s = (subPage == SUBPAGE_WIFI || ((subPage == SUBPAGE_SEC || subPage == SUBPAGE_UM) && doReboot)); - serveMessage(request, (correctPIN ? 200 : 401), s, s2, redirectAfter9s ? 129 : (correctPIN ? 1 : 3)); + serveMessage(request, (!pinRequired ? 200 : 401), s, s2, redirectAfter9s ? 129 : (!pinRequired ? 1 : 3)); return; } }