Basic authentication with the ESP-IDF HTTPS-Server

[StevePeake]

Apologies if I've missed something obvious, but I can't find any basic authentication in any of the http_server/https_server examples.

Like the OP, I'm looking to add username/password authentication to my https server (based on the "simple" examples).

Thanks.

[StevePeake]

I've found the answer to where the Basic Auth is in the simple example:

https://github.com/espressif/esp-idf/co ... efeb1e6e58

This requires the latest stable ESP-IDF (v4.3.1)

Haven't got it working in my project yet, but will keep at it

[patefil]

Use the following

Code: Select all

esp_err_t httpRequestAuthorization(httpd_req_t *req)
{
	httpd_resp_set_hdr(req, "WWW-Authenticate", "Basic realm=\"my_realm1\"");
    httpd_resp_set_status(req, "401 Unauthorized");
    httpd_resp_set_type(req, HTTPD_TYPE_TEXT);
	httpd_resp_sendstr(req, "Unauthorized");
	return ESP_OK;
}

Code: Select all

bool httpAuthenticateRequest(httpd_req_t *req, const char *server_username, const char *server_password)
{
	char  authorization_header[64] = {0};
	char decoded_authorization[32] = {0};
    size_t buf_len;

	// Get header value string length
	buf_len = httpd_req_get_hdr_value_len(req, "Authorization");

	//ESP_LOGD(TAG, "Authorization header length %d", buf_len);
	//bound check
	if ((buf_len > 0) && (buf_len < 64))
	{
		// Copy null terminated value string into buffer
		if (httpd_req_get_hdr_value_str(req, "Authorization", authorization_header, buf_len + 1) == ESP_OK)
		{
			//ESP_LOGD(TAG, "Authorization header : %s", authorization_header);
			
			//find the "Basic " part of the header
			char *encoded_authorization = strstr(authorization_header, "Basic ");
			if(encoded_authorization != NULL)
			{
				//move the pointer to the start of the encoded authorization string
				encoded_authorization = &encoded_authorization[strlen("Basic ")];

				//ESP_LOGD(TAG, "Authorization string : %s", encoded_authorization);

				//decode the authorization string
				int decode_res = mbedtls_base64_decode((unsigned char *)decoded_authorization, sizeof(decoded_authorization), &buf_len, (unsigned char *)encoded_authorization, strlen(encoded_authorization));
				if(decode_res == 0)
				{
					//ESP_LOGD(TAG, "Decoded Authorization string : %s", decoded_authorization);

					//find the separator between username:password
					char *colon_index = strchr(decoded_authorization, ':');
					if(colon_index != NULL)
					{
						//replace colon index with null termination 
						colon_index[0] = 0;
						//username is from start till our previous null termination
						char *req_username = &decoded_authorization[0];
						//the rest is the password
						char *req_password = &colon_index[1];

						//ESP_LOGD(TAG, "Username:%s, Password:%s", req_username, req_password);
						
						//check if both username and password match the server's credentials
						if ((strcmp(req_username, server_username) == 0) && (strcmp(req_password, server_password) == 0))
						{
							return true;
						}
					}
					else
					{
						//ESP_LOGD(TAG, "Decoede authorization does not contain password");
					}
				}
				else
				{
					//ESP_LOGD(TAG, "Decoding failed");
				}
			}
			else
			{
				//ESP_LOGD(TAG, "Authorization value not in correct format");
			}
		}
		else
		{
			//ESP_LOGD(TAG, "Cannot retrieve autorization value");
		}
	}
	else
	{
		//ESP_LOGD(TAG, "No autorization header or too long");
	}
	
	//ESP_LOGW(TAG, "Authentication Failed");
	return false;
}

usage

Code: Select all

esp_err_t handlerGetRoot(httpd_req_t *req)
{
	if(httpAuthenticateRequest(req, "username", "password") == false)
	{
		return httpRequestAuthorization(req);
	}
...
}

[fypfpga]

I did implement Basic authorization for local HTTP server using username and password