So, the ESPAsyncWebServer library uses Digest MD5 authentication by default, and I want to use this feature in my web server, but there is a problem: I don't like the ugly prompt box, and I don't want to write a form for authentication, because it sends the password in clear text. I have searched all files in the Src folder of the ESPAsyncWebServer library, yet I had no luck with my beginner programming knowledge. So, how can I do this? Is it something totally browser-side that I cannot change?
Update: I was able to get the following from Wireshark.
Hypertext Transfer Protocol
GET /openthefdoor HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /openthefdoor HTTP/1.1\r\n]
[GET /openthefdoor HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /openthefdoor
Request Version: HTTP/1.1
Host: 192.168.1.3\r\n
Connection: keep-alive\r\n
Cache-Control: max-age=0\r\n
[truncated]Authorization: Digest username="admin", realm="asyncesp", nonce="d13ba3040a4ed5c661a47d28c08554f4", uri="/openthefdoor", response="ca8806aa058dda66838784e784e67f8b", opaque="90ba2cd8a2870065f4daa582fd57105a", qop=auth, nc=0000
username="admin"
realm="asyncesp"
nonce="d13ba3040a4ed5c661a47d28c08554f4"
uri="/openthefdoor"
response="ca8806aa058dda66838784e784e67f8b"
opaque="90ba2cd8a2870065f4daa582fd57105a"
qop=auth
nc=00000002
2nd update: Based on this question, I guess the popup is coming from the browser and I was looking in the wrong place!
1 Answer
The authentication dialog, that you get, is provided by the browser. You cannot change this, since it is part of the browser software.
> I don't want to write a form for authentication, because it sends the password in clear text.

That is false. How exactly the data is sent depends on how you implement your login/action site. You can also tap into the form's submit event and use JavaScript with something other than Basic Authentication, like the Digest Authentication that you mentioned. So your webpage, which gets served from the ESP, would contain the nice-looking HTML form and JavaScript code that uses the submit event of the form and does a web request to the ESP for the /openthefdoor endpoint, providing the credentials as digest (hashes).
From the ESP's (aka web server's) perspective, it is functionally irrelevant whether the login web request is done by typing the login address into the address bar or by JavaScript code embedded inside the served website. Both are just simple web requests. You don't need to submit data from a form directly (unencrypted).
I cannot give you a ready-made example of such JavaScript code, and this is off topic for this Arduino site. Though you should be able to find example code online, maybe by searching for something like "javascript digest authentication" or similar.
Note: Digest authentication transmits hashes of the credentials. That is not the same as encryption, especially with an easy hash standard like MD5. Better than plain text, but with a hash table an attacker would still be able to read the credentials. For encryption you would need TLS (https).
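The digest computation the answer refers to, as an added example that is not part of the original answer or of the ESPAsyncWebServer library: it follows RFC 2617 with qop=auth and runs under Node.js (in a browser page the MD5 function has to come from a script, since Web Crypto does not offer MD5). The challenge string and the password are constructed placeholders, and the function names are hypothetical.

```javascript
const crypto = require("crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Parse the key=value pairs of a "WWW-Authenticate: Digest ..." header value.
function parseChallenge(header) {
  const params = {};
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  for (const m of header.replace(/^Digest\s+/i, "").matchAll(re)) {
    params[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Build the Authorization header value for one request (RFC 2617, qop=auth).
function digestAuthorization({ challenge, username, password, method, uri, nc, cnonce }) {
  const c = parseChallenge(challenge);
  if (c.algorithm && c.algorithm.toUpperCase() !== "MD5") {
    throw new Error("unsupported algorithm: " + c.algorithm);
  }
  const qops = (c.qop || "").split(",").map((q) => q.trim());
  if (!qops.includes("auth")) throw new Error("server did not offer qop=auth");

  const ncHex = nc.toString(16).padStart(8, "0"); // request counter, increases per nonce
  const ha1 = md5(`${username}:${c.realm}:${password}`); // the password never leaves the client
  const ha2 = md5(`${method}:${uri}`);
  const response = md5(`${ha1}:${c.nonce}:${ncHex}:${cnonce}:auth:${ha2}`);

  const parts = [
    `username="${username}"`, `realm="${c.realm}"`, `nonce="${c.nonce}"`,
    `uri="${uri}"`, `response="${response}"`, `qop=auth`, `nc=${ncHex}`, `cnonce="${cnonce}"`,
  ];
  if (c.opaque) parts.splice(5, 0, `opaque="${c.opaque}"`); // echo opaque back unchanged
  return { response, header: "Digest " + parts.join(", ") };
}

// Constructed sample challenge reusing the realm/nonce/opaque seen in the capture;
// the password is a placeholder, so the response will not match the captured one.
const sample = digestAuthorization({
  challenge: 'Digest realm="asyncesp", qop="auth", nonce="d13ba3040a4ed5c661a47d28c08554f4", opaque="90ba2cd8a2870065f4daa582fd57105a"',
  username: "admin", password: "example-password", method: "GET",
  uri: "/openthefdoor", nc: 2, cnonce: crypto.randomBytes(8).toString("hex"),
});
console.log(sample.header);
```

The returned header string is what the page's script would set as the `Authorization` request header after receiving the 401 challenge.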
> searched all files in the Src folder

... what did you search for?
authenticate() and requestDigestAuthentication() and WWW-Authenticate, and to my knowledge I couldn't find anything useful to me.