Only allow sending wifi credentials in AP mode

[arjhun]

Hi Ryan,

Thanks for this awesome library!!! After the initial connection is made I think it's safer if to not let users enter their credentials over http... is this something I need to implement myself (i'm doing this right now but feels hacky because i'm using your handleFileRead method)? I'm checking if AP mode is on before showing input fields. Do you have an idea of how best to go about this?

This is what i'm doing now:

server.on("/wifi.htm", handleApException);
server.on("/mqtt.htm", handleApException);

void handleApException(){
  if(WiFi.status() != WL_CONNECTED){
     server.handleFileRead(server.uri()); 
  }else{
    server.send(405, "text/html", "Only allowed in AP mode");
  }
}

Maybe you could handle this automatically by detecting a user specified flag in the file name or a comment in the first line of the file like for example:

wifi-apmode.htm
or

<!-- apmode -->
<html>
...

//encourage users to not acces this page while connected to wifi
persWM.onlyApMode(true);
//Optional: Custom flag to set default : "apmode" 
persWM.onlyApFlag("apmode");
// Optional: A file to redirect to so people can switch to 
// AP mode or get some information etc. 
//default: server.send(405, "text/html","Only allowed in AP mode");
persWM.onlyApFile("/apmode.htm");

Cheers,

Arjen

[r-downing]

Interesting idea, thanks! Should be simple enough to implement. I will think about it for a little bit and get back to you

[donnm]

I submitted a pull request r-downing/SPIFFSReadServer#1 implementing HTTPS for SPIFFSReadServer that should solve this issue if security is the only concern. In this case just use SPIFFSReadServerSecure instead of SPIFFSReadServer. See the examples for ESP8266WebServerSecure for help with certificates.