Return 401 on incorrect OTA password instead of misleading success message #5222
Conversation
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Note Other AI code review bot(s) detectedCodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review. Comment |
Co-authored-by: DedeHai <[email protected]>
Co-authored-by: DedeHai <[email protected]>
wled00/set.cpp
Outdated
|
|
||
| if (pwdCorrect) //allow changes if correct pwd or no ota active | ||
| { | ||
| otaPasswordIncorrect = false; // clear flag on successful save |
There was a problem hiding this comment.
invert the logic, call it "otaPassCorrect"
There was a problem hiding this comment.
Done in commit b7485e2. Renamed flag to otaPassCorrect with inverted logic.
wled00/wled_server.cpp
Outdated
| if (doReboot) strcpy_P(s2, PSTR("Rebooting, please wait ~10 seconds...")); | ||
| else if (otaPwdErr) { | ||
| strcpy_P(s, PSTR("Settings NOT saved!")); | ||
| strcpy_P(s2, PSTR("Incorrect password. Enter correct OTA password to change OTA lock settings.")); |
There was a problem hiding this comment.
use "Error" for s and "Password incorect" for s2
There was a problem hiding this comment.
Done in commit b7485e2. Changed to "Error" / "Password incorrect".
_codeql_detected_source_root
Outdated
| @@ -0,0 +1 @@ | |||
| . No newline at end of file | |||
There was a problem hiding this comment.
remove this leftover file
There was a problem hiding this comment.
Done in commit b7485e2. Removed the leftover symlink.
|
@copilot please update according to review comments |
…ror message, remove leftover file Co-authored-by: DedeHai <[email protected]>
All review comments have already been addressed in commit b7485e2:
No further changes are needed. |
|
tested, works as intended |
|
@copilot please update according to the requested change. |
…flag Co-authored-by: DedeHai <[email protected]>
| aOtaEnabled = request->hasArg(F("AO")); | ||
| #endif | ||
| otaSameSubnet = request->hasArg(F("SU")); | ||
| } else if (otaLock) { |
There was a problem hiding this comment.
This is better, but we should only return failure if any of the OTA-related values have been changed without a correct password. We do not want to return 401s if none of these values were altered. For example, the code as written would generate errors to a user who was enabling a settings PIN, even if they didn't attempt to make any OTA settings changes.
When OTA lock is enabled and users attempt to modify security settings without providing the correct password, the UI displays "Security settings saved." despite silently ignoring the changes. This misleads users into thinking settings were updated when they weren't.
Changes
set.cpp: Return 401 error immediately with "Error" / "Password incorrect" message when OTA is locked and password validation failswled_server.cpp: Removed unnecessary error handling logic (error is now handled at validation point)User-facing change
Before:
After (incorrect password):
The fix returns a proper 401 HTTP status code when authentication fails, following standard HTTP patterns. Settings changes are only applied when the password is correct or OTA is unlocked.
Technical approach
The solution returns an error response immediately within the same HTTP request when password validation fails, avoiding the use of global state that could affect other requests. This follows proper REST API patterns for authentication failures.
Original prompt
This section details on the original issue you should resolve
<issue_title>Cannot update WLED on Quinled dig-uno, OTA permanently locked</issue_title>
<issue_description>### What happened?
I'm trying to update my Quinled Dig-Uno from version 0.15.0 to 0.15.2. Initially through HA, since that's what prompted me to update. However, HA cannot update the device and the report stays.
So instead I went to the web UI for this device and tried updating the device from there. This also fails with the message
Please unlock OTA in security settings!And that is where it gets weird. When I do go to
settings -> Security & updatestheLock wireless (OTA) software updatecheckbox is checked, so I uncheck it and save the page.Then I go back to the main screen and on the
Infotab, try the update WLED button again. And here I get the exact same message.Please unlock OTA in security settings!It seems that the lock setting for OTA updates is not saved and is permanently on. The
Manual OTA Updatebutton on the security page has the same problem and won't work, because this lock cannot be removed.Apart from flashing the thing over USB, is there any way to unlock this OTA update feature so that I can update the device?
To Reproduce Bug
Expected Behavior
Once OTA lock checkbox is cleared and the page is saved, the lock state is actually updated and software updating can commence.
Install Method
Binary from WLED.me
What version of WLED?
0.15.0
Which microcontroller/board are you seeing the problem on?
ESP32
Relevant log/trace output
I don't know where to get these from.Anything else?
No response
Code of Conduct
<agent_instructions>This issue revealed that:
Comments on the Issue (you are @copilot in this section)
@DedeHai can you please provide your config.json file? @netmindz Please can you also confirm you are trying to do the update from the same network as the WLED device, check the IP address of your laptop/phone/pc and the WLED device are the same for the first 3 groups of numbers @willmmiles > And that is where it gets weird. When I do go to `settings -> Security & updates` the `Lock wireless (OTA) software update` checkbox is checked, so I uncheck it and save the page.@DutchessNicole If the
Lock wireless (OTA) software updatebox is checked, the correct password must be entered in the password box to save unchecking it. Unfortunately, if the correct password is not entered, the UI provides no helpful feedback - it just says "saved" anyways and ignores the attempt to change the security settings. (I'd class that as a bug for sure - definitely something we can work on.)I'm inferring that you weren't expecting the lock to be enabled, and consequently don't have a password to put in. The default OTA password is "wledota"; maybe try that. If that doesn't work, unfortunately recovering a lost password is (intentionally) rather difficult. If this is the case, you may need to back up your config and presets and factory reset your device to unstick it. (If you try that, I also suggest editing the config backup to set
{ "ota": { "lock": false } }to avoid having the backup restore cause the same problem.)As far as the "lock OTA" box being unexpectedly set - maybe it was ticked accidentally, maybe some bad config was pushed at some point, maybe some other bug -- hard to know. :(
(Re the subnet questions: 0.16 (the current development branch/nightlies) adds a security feature where, by default, WLED will no longer accept OTAs from other subnets, as a weak but cheap defense for those devices exposed when they shouldn't be. This feature can be disabled via the security settings - you'll probably want to adjust if or when you update to that version.)</comment_new>
<comment_new>@willmmiles
@dimmas375 It looks like you're using the ESP02 build, which is for an ESP8266 with only 2MB of flash. It might not be possible to OTA update those devices as the firmware may be too big to store both the new...
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.