Limit app password permissions

[DL6ER]

What does this implement/fix?

Limit app password permissions by default. Add new webserver.api.app_sudo mode for users to remove this new limitation if they really need to

---

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A

---

By submitting this pull request, I confirm the following:

1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
2. I have commented my proposed changes within the code.
3. I am willing to help maintain this change if there are issues with it later.
4. It is compatible with the EUPL 1.2 license
5. I have squashed any insignificant commits. (git rebase)

Checklist:

• The code change is tested and works locally.
• I based my code and PRs against the repositories developmental branch.
• I signed off all commits. Pi-hole enforces the DCO for all contributions
• I signed all my commits. Pi-hole requires signatures to verify authorship
• I have read the above and my PR is ready for review.

[DL6ER]

[yubiuser]

I think I found a bug here.
Login via app password and try a config change. Won't work. Enabled app_sudo > config change will work. Disable app_sudo > Config change will still work

(Also the web interface won't show this active session as coming from an app password)

chrko@ThinkPad-X230:~$ curl -k -XPOST "https://pi.hole/api/auth" --data '{"password":"nDgnVeJVko5buF1HMA/zfZ7KbTDPAbOpv4zvlDkIq8I="}'
{
	"session":	{
		"valid":	true,
		"totp":	false,
		"sid":	"pNMUGNtG42aiQAIwtYT5ng=",
		"csrf":	"eKihaYo8VP9sNHfJLg6syA=",
		"validity":	300,
		"message":	"app-password correct"
	},
	"took":	1.1221466064453125
}chrko@ThinkPad-X230:~$ curl -k -X UT "https://pi.hole/api/config/dns/upstreams/1.1.1.1" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"error":	{
		"key":	"forbidden",
		"message":	"Unable to change configuration (read-only)",
		"hint":	"The current app session is not allowed to modify Pi-hole config settings (webserver.api.app_sudo is false)"
	},
	"took":	0.00031328201293945312
}chrko@ThinkPad-X230:~$ curl -k -X PUT "https://pi.hole/api/config/dns/upstreams/1.1.1.1" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"took":	0.050773859024047852
}chrko@ThinkPad-X230:~$ curl -k -X PUT "https://pi.hole/api/config/dns/upstreams/2.2.2.2" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"took":	0.057279586791992188

[DL6ER]

Ah, yes. Your case is special. The reason is that FTL restarted in between (to add the new DNS server) and sessions restoring from the database had a small copy-paste bug causing the app status not to be saved to the database and, hence, all app sessions backed up during a restart became full-blown sessions after the restart and the setting became ineffective by design for them.

Change addressed

[yubiuser]

Somewhere in send_json_error() must be a type (tab instead of space) between message: and the actual message.

	"error":	{
		"key":	"forbidden",
		"message":	"Unable to change configuration (read-only)",
		"hint":	"The current app session is not allowed to modify Pi-hole config settings (webserver.api.app_sudo is false)"
	},

[DL6ER]

send_json_error() uses cJSON to create the output. If you have webserver.api.prettyJSON = false, the output will be most compact, if the value is true, the expected separator between between keys and values is \t so just as in your example.

Have a look at

FTL/src/webserver/http-common.c

Lines 23 to 47 in 0367117

	// Provides a compile-time flag for JSON formatting
	// This should never be needed as all modern browsers
	// typically contain a JSON explorer
	// This string needs to be freed after using it
	char *json_formatter(const cJSON *object)
	{
	if(config.webserver.api.prettyJSON.v.b)
	{
	/* Exemplary output:
	{
	"queries in database": 70,
	"database filesize": 49152,
	"SQLite version": "3.30.1"
	}
	*/
	return cJSON_Print(object);
	}
	else
	{
	/* Exemplary output
	{"queries in database":70,"database filesize":49152,"SQLite version":"3.30.1"}
	*/
	return cJSON_PrintUnformatted(object);
	}
	}

where you can also see that the expected (formatted) output has tabs as separators.

[yubiuser]

I have webserver.api.prettyJSON = true and was only surprised of the different distances between key and value

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved.