From d557fd02f4cd9345ca2e88f10ade4f7f8fd698b6 Mon Sep 17 00:00:00 2001
From: Max Prokhorov
Date: Sun, 7 Jul 2019 22:03:47 +0300
Subject: [PATCH] Web OTA: check authentication result before accepting payload
---
 code/espurna/web.ino | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/code/espurna/web.ino b/code/espurna/web.ino
index 42b8bf6c7b..5282229687 100644
--- a/code/espurna/web.ino
+++ b/code/espurna/web.ino
@@ -125,6 +125,10 @@ void _onPostConfig(AsyncWebServerRequest *request) {
 void _onPostConfigData(AsyncWebServerRequest *request, String filename, size_t index, uint8_t *data, size_t len, bool final) {
+ if (!webAuthenticate(request)) {
+ return request->requestAuthentication(getSetting("hostname").c_str());
+ }
+
 // No buffer
 if (final && (index == 0)) {
 DynamicJsonBuffer jsonBuffer;
@@ -297,7 +301,11 @@ void _onUpgrade(AsyncWebServerRequest *request) {
 }
-void _onUpgradeData(AsyncWebServerRequest *request, String filename, size_t index, uint8_t *data, size_t len, bool final) {
+void _onUpgradeFile(AsyncWebServerRequest *request, String filename, size_t index, uint8_t *data, size_t len, bool final) {
+
+ if (!webAuthenticate(request)) {
+ return request->requestAuthentication(getSetting("hostname").c_str());
+ }
 if (!index) {
@@ -455,7 +463,7 @@ void webSetup() {
 _server->on("/reset", HTTP_GET, _onReset);
 _server->on("/config", HTTP_GET, _onGetConfig);
 _server->on("/config", HTTP_POST | HTTP_PUT, _onPostConfig, _onPostConfigData);
- _server->on("/upgrade", HTTP_POST, _onUpgrade, _onUpgradeData);
+ _server->on("/upgrade", HTTP_POST, _onUpgrade, _onUpgradeFile);
 _server->on("/discover", HTTP_GET, _onDiscover);
 // Serve static files
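Review bot: The guard added at the top of `_onPostConfigData` runs once per body chunk rather than once per request, so an unauthenticated upload calls `requestAuthentication()` again for every chunk that arrives; the guard added to `_onUpgradeFile` has the same shape. Whether a repeated call on one request is harmless depends on the server library and cannot be confirmed from this hunk, so I would send the challenge only for the first chunk and drop later ones silently: `if (!webAuthenticate(request)) { if (index == 0) request->requestAuthentication(getSetting("hostname").c_str()); return; }`. A short comment such as `// Upload callbacks see the payload before the request handler runs, so unauthenticated data must be rejected here` would record why the check is repeated in the data callback. The function body continues outside the hunk.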
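Review bot: A refused firmware upload leaves no trace, because the guard in `_onUpgradeFile` returns the 401 challenge without writing anything to the device log. An unauthenticated POST to `/upgrade` is a useful detection signal, so consider emitting one debug line on the first rejected chunk, stating the client address and that the upload was refused. The rename from `_onUpgradeData` to `_onUpgradeFile` is unrelated to the authentication fix and would be easier to audit as a separate commit. The body of `_onUpgradeFile` continues outside the hunk.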