Add authentication to web interface, RSP and DAAP

src/httpd.c

@@ -488,12 +488,36 @@ serve_file(struct evhttp_request *req, char *uri)
   char path[PATH_MAX];
   char *deref;
   char *ctype;
+  char *passwd;
   struct evbuffer *evbuf;
   struct stat sb;
   int fd;
   int i;
   int ret;
 
+  /* Check authentication */
+  passwd = cfg_getstr(cfg_getsec(cfg, "general"), "admin_password");
+  if (passwd)
+    {
+      DPRINTF(E_DBG, L_HTTPD, "Checking web interface authentication\n");
+
+      ret = httpd_basic_auth(req, "admin", passwd, PACKAGE " web interface");
+      if (ret != 0)
+	return;
+
+      DPRINTF(E_DBG, L_HTTPD, "Authentication successful\n");
+    }
+  else
+    {
+      if (strcmp(req->remote_host, "127.0.0.1") != 0)
+	{
+	  DPRINTF(E_LOG, L_HTTPD, "Remote web interface request denied; no password set\n");
+
+	  evhttp_send_error(req, 403, "Forbidden");
+	  return;
+	}
+    }
+
   ret = snprintf(path, sizeof(path), "%s%s", WEBFACE_ROOT, uri + 1); /* skip starting '/' */
   if ((ret < 0) || (ret >= sizeof(path)))
     {

src/httpd_daap.c

@@ -1789,6 +1789,9 @@ daap_request(struct evhttp_request *req)
   char *uri_parts[7];
   struct evbuffer *evbuf;
   struct evkeyvalq query;
+  cfg_t *lib;
+  char *libname;
+  char *passwd;
   int handler;
   int ret;
   int i;
@@ -1838,6 +1841,34 @@ daap_request(struct evhttp_request *req)
       return;
     }
 
+  /* Check authentication */
+  lib = cfg_getnsec(cfg, "library", 0);
+  passwd = cfg_getstr(lib, "password");
+
+  /* No authentication for these URIs */
+  if ((strcmp(uri, "/server-info") == 0)
+      || (strcmp(uri, "/logout") == 0)
+      || (strncmp(uri, "/databases/1/items/", strlen("/databases/1/items/")) == 0))
+    passwd = NULL;
+
+  if (passwd)
+    {
+      libname = cfg_getstr(lib, "name");
+
+      DPRINTF(E_DBG, L_HTTPD, "Checking authentication for library '%s'\n", libname);
+
+      /* We don't care about the username */
+      ret = httpd_basic_auth(req, NULL, passwd, libname);
+      if (ret != 0)
+	{
+	  free(uri);
+	  free(full_uri);
+	  return;
+	}
+
+      DPRINTF(E_DBG, L_HTTPD, "Library authentication successful\n");
+    }
+
   memset(uri_parts, 0, sizeof(uri_parts));
 
   uri_parts[0] = strtok_r(uri, "/", &ptr);

src/httpd_rsp.c

@@ -903,6 +903,9 @@ rsp_request(struct evhttp_request *req)
   char *ptr;
   char *uri_parts[5];
   struct evkeyvalq query;
+  cfg_t *lib;
+  char *libname;
+  char *passwd;
   int handler;
   int i;
   int ret;
@@ -952,6 +955,27 @@ rsp_request(struct evhttp_request *req)
       return;
     }
 
+  /* Check authentication */
+  lib = cfg_getnsec(cfg, "library", 0);
+  passwd = cfg_getstr(lib, "password");
+  if (passwd)
+    {
+      libname = cfg_getstr(lib, "name");
+
+      DPRINTF(E_DBG, L_HTTPD, "Checking authentication for library '%s'\n", libname);
+
+      /* We don't care about the username */
+      ret = httpd_basic_auth(req, NULL, passwd, libname);
+      if (ret != 0)
+	{
+	  free(uri);
+	  free(full_uri);
+	  return;
+	}
+
+      DPRINTF(E_DBG, L_HTTPD, "Library authentication successful\n");
+    }
+
   memset(uri_parts, 0, sizeof(uri_parts));
 
   uri_parts[0] = strtok_r(uri, "/", &ptr);