fix(prusalink): increase nonce valid period

The initial valid period for the HTTP Digest Auth nonce was too low (at 5 seconds). This make it impossible to log into PrusaLink when using Safari, a saner value of 300 (chosen because it's Apache's default value) does not hinder security and fixes the issue with Safari-based browsers (macOS, ipadOS, iOS). See #3287 for more details.
prusa3d · Dec 4, 2023 · 586d292 · 586d292
1 parent f26c91b
commit 586d292
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/lib/WUI/nhttp/req_parser.cpp b/lib/WUI/nhttp/req_parser.cpp
@@ -306,13 +306,11 @@ bool RequestParser::nonce_valid(uint64_t nonce_to_check) const {
     uint32_t random = static_cast<uint32_t>(nonce_to_check >> 32);
     uint32_t time = nonce_to_check & 0xffffffff;
     uint32_t age = ticks_s() - time;
-    // Make valid period for POST and PUT longer, to avoid infinit uploading
-    // loops if nonce get stale for upload request.
-    uint32_t max_valid_age = has_body(method) ? http::extended_valid_nonce_period : http::valid_nonce_period;
+
     // sanity check
     if (nonce_random != 0) {
         // really valid?
-        if (random == nonce_random && age < max_valid_age) {
+        if (random == nonce_random && age < http::valid_nonce_period) {
             return true;
         }
     }

diff --git a/src/common/http/types.h b/src/common/http/types.h
@@ -149,11 +149,12 @@ static const size_t MAX_URL_LEN = 168;
 using Url = std::array<char, MAX_URL_LEN>;
 
 // # of seconds after which nonce becomes stale for digest authentication
-// the extended version is used for requests with body, so that PrusaLink
-// hopefully never gets stale nonce for request uploading a gcode, which
-// can cause an infinit upload loop, if the browser does not read errors
-// before sending the whole body.
-static const uint32_t valid_nonce_period = 5;
-static const uint32_t extended_valid_nonce_period = 8;
+// The value of 300 has been chosen as it's the default value used in the Apache
+// web server, see:
+// https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html#authdigestnoncelifetime
+//
+// This value use to be much lower but would cause issues with Safari-based browser
+// See https://github.com/prusa3d/Prusa-Firmware-Buddy/issues/3287
+static const uint32_t valid_nonce_period = 300;
 
 } // namespace http