Extend hash auth to API calls

2025-12-25 05:05:33 +00:00 · 2016-11-16 23:35:10 +01:00
parent 8c278f3853
commit 4372c2e25b
5 changed files with 47 additions and 34 deletions
--- a/api.php
+++ b/api.php
@@ -1,4 +1,7 @@
 <?php
+    require "php/password.php";
+    if(!$auth)
+        exit();
    include('data.php');
    header('Content-type: application/json');

@@ -58,7 +61,7 @@
 	    }
 	    return $sanArray;
    }
-    
+
    $data = filterArray($data);
    echo json_encode($data);
 ?>
--- a/header.php
+++ b/header.php
@@ -1,29 +1,5 @@
 <?php
-    $pwhash =  parse_ini_file("/etc/pihole/setupVars.conf")['WEBPASSWORD'];
-
-    // Test if password is set
-    if(strlen($pwhash) > 0)
-    {
-        // Password set compare with double hash
-        if(hash('sha256',hash('sha256',$_POST["pw"])) == $pwhash || $_GET["auth"] == $pwhash)
-        {
-            // Password (POST) correct or hash (GET) correct
-            $auth = true;
-            $pwstring = "auth=".$pwhash;
-        }
-        else
-        {
-            // Password or hash wrong
-            $auth = false;
-            $pwstring = "";
-        }
-    }
-    else
-    {
-        // No password set
-        $auth = true;
-        $pwstring = "";
-    }
+    require "php/password.php";

    if (isset($_GET['enable']) && $auth) {
      exec('sudo pihole enable');
@@ -84,6 +60,7 @@
    <div class="js-warn" id="js-warn-exit"><h1>Javascript Is Disabled</h1><p>Javascript seems to be disabled. This will break some site features.</p>
        <p>To enable Javascript click <a href="http://www.enable-javascript.com/" target="_blank">here</a></p><label for="js-hide">Close</label></div>
 </div>
+<div id="hash" hidden><?php echo $pwstring; ?></div>
 <!-- /JS Warning -->
 <script src="js/pihole/header.js"></script>
 <div class="wrapper">
--- a/js/pihole/index.js
+++ b/js/pihole/index.js
@@ -105,6 +105,9 @@ $(document).ready(function() {
        }
    });

+    // Get auth hash
+    hash = document.getElementById("hash").innerHTML;
+
    // Pull in data via AJAX

    updateSummaryData();
@@ -123,7 +126,7 @@ $(document).ready(function() {
 // Functions to update data in page

 function updateSummaryData(runOnce) {
-    $.getJSON("api.php?summary", function LoadSummaryData(data) {
+    $.getJSON("api.php?summary&"+hash, function LoadSummaryData(data) {
        //$("h3.statistic").addClass("glow");
        if ($("h3#ads_blocked_today").text() != data.ads_blocked_today) {
            $("h3#ads_blocked_today").addClass("glow");
@@ -154,7 +157,7 @@ function updateSummaryData(runOnce) {
 }

 function updateQueriesOverTime() {
-    $.getJSON("api.php?overTimeData", function(data) {
+    $.getJSON("api.php?overTimeData&"+hash, function(data) {
        // Add data for each hour that is available
        for (hour in data.ads_over_time) {
            // Add x-axis label
@@ -168,7 +171,7 @@ function updateQueriesOverTime() {
 }

 function updateQueryTypes() {
-    $.getJSON("api.php?getQueryTypes", function(data) {
+    $.getJSON("api.php?getQueryTypes&"+hash, function(data) {
        var colors = [];
        // Get colors from AdminLTE
        $.each($.AdminLTE.options.colors, function(key, value) { colors.push(value); });
@@ -191,7 +194,7 @@ function updateQueryTypes() {
 }

 function updateTopClientsChart() {
-    $.getJSON("api.php?summaryRaw&getQuerySources", function(data) {
+    $.getJSON("api.php?summaryRaw&getQuerySources&"+hash, function(data) {
        var clienttable =  $('#client-frequency').find('tbody:last');
        for (domain in data.top_sources) {
            clienttable.append('<tr> <td>' + domain +
@@ -204,7 +207,7 @@ function updateTopClientsChart() {
 }

 function updateForwardDestinations() {
-    $.getJSON("api.php?getForwardDestinations", function(data) {
+    $.getJSON("api.php?getForwardDestinations&"+hash, function(data) {
        var colors = [];
        // Get colors from AdminLTE
        $.each($.AdminLTE.options.colors, function(key, value) { colors.push(value); });
@@ -227,7 +230,7 @@ function updateForwardDestinations() {
 }

 function updateTopLists() {
-    $.getJSON("api.php?summaryRaw&topItems", function(data) {
+    $.getJSON("api.php?summaryRaw&topItems&"+hash, function(data) {
        var domaintable = $('#domain-frequency').find('tbody:last');
        var adtable = $('#ad-frequency').find('tbody:last');

--- a/js/pihole/queries.js
+++ b/js/pihole/queries.js
@@ -1,4 +1,7 @@
 $(document).ready(function() {
+    // Get auth hash
+    hash = document.getElementById("hash").innerHTML;
+
    tableApi = $('#all-queries').DataTable( {
        "rowCallback": function( row, data, index ){
            if (data[4] == "Pi-holed") {
@@ -11,7 +14,7 @@ $(document).ready(function() {
            }

        },
-        "ajax": "api.php?getAllQueries",
+        "ajax": "api.php?getAllQueries&"+hash,
        "autoWidth" : false,
        "order" : [[0, "desc"]],
        "columns": [
@@ -42,7 +45,7 @@ $(document).ready(function() {
 } );

 function refreshData() {
-    tableApi.ajax.url("api.php?getAllQueries").load();
+    tableApi.ajax.url("api.php?getAllQueries&"+hash).load();
 }

 function add(domain,list) {
--- a/php/password.php
+++ b/php/password.php
@@ -0,0 +1,27 @@
+<?php
+    $pwhash =  parse_ini_file("/etc/pihole/setupVars.conf")['WEBPASSWORD'];
+
+    // Test if password is set
+    if(strlen($pwhash) > 0)
+    {
+        // Password set compare with double hash
+        if(hash('sha256',hash('sha256',$_POST["pw"])) == $pwhash || $_GET["auth"] == $pwhash)
+        {
+            // Password (POST) correct or hash (GET) correct
+            $auth = true;
+            $pwstring = "auth=".$pwhash;
+        }
+        else
+        {
+            // Password or hash wrong
+            $auth = false;
+            $pwstring = "";
+        }
+    }
+    else
+    {
+        // No password set
+        $auth = true;
+        $pwstring = "";
+    }
+?>