fix: address review feedback for access-control

neatnoise · neatnoise · commit b413b9de6e1b · 2026-03-26T16:51:30.000+01:00
- Replace enable/disable button with Bootstrap switch toggle
- Split auth checks and add CSRF validation per new pattern
- Add @api_examples for updateClient endpoint
- Remove blank doc comment line
diff --git a/docs/api.md b/docs/api.md
@@ -61,6 +61,9 @@ curl -u user:pass -H "X-CSRF-Token: your_token_here" \
 ## POST /api/clients/unpair-all
 @copydoc confighttp::unpairAll()
 
+## POST /api/clients/update
+@copydoc confighttp::updateClient()
+
 ## GET /api/config
 @copydoc confighttp::getConfig()
 
diff --git a/src/confighttp.cpp b/src/confighttp.cpp
@@ -847,17 +847,25 @@ namespace confighttp {
    * @brief Enable or disable a client.
    * @param response The HTTP response object.
    * @param request The HTTP request object.
-   *
    * The body for the POST request should be JSON serialized in the following format:
    * @code{.json}
    * {
    *   "uuid": "<uuid>",
    *   "enabled": true
    * }
    * @endcode
+   *
+   * @api_examples{/api/clients/update| POST| {"uuid":"<uuid>","enabled":true}}
    */
   void updateClient(resp_https_t response, req_https_t request) {
-    if (!check_content_type(response, request, "application/json") || !authenticate(response, request)) {
+    if (!check_content_type(response, request, "application/json")) {
+      return;
+    }
+    if (!authenticate(response, request)) {
+      return;
+    }
+    std::string client_id = get_client_id(request);
+    if (!validate_csrf_token(response, request, client_id)) {
       return;
     }
 
diff --git a/src_assets/common/assets/web/troubleshooting.html b/src_assets/common/assets/web/troubleshooting.html
@@ -137,13 +137,13 @@ <h2 id="unpair" class="mb-0">{{ $t('troubleshooting.unpair_title') }}</h2>
         <li v-for="client in clients" :key="client.uuid" class="list-group-item d-flex align-items-center">
           <div class="flex-grow-1">
             {{ client.name !== "" ? client.name : $t('troubleshooting.unpair_single_unknown') }}
-            <span class="badge ms-2" :class="client.enabled ? 'bg-success' : 'bg-secondary'">
-              {{ client.enabled ? 'Enabled' : 'Disabled' }}
-            </span>
           </div>
-          <button class="btn btn-sm ms-2" :class="client.enabled ? 'btn-warning' : 'btn-success'" @click="toggleClient(client.uuid, !client.enabled)">
-            {{ client.enabled ? 'Disable' : 'Enable' }}
-          </button>
+          <div class="form-check form-switch ms-2 mb-0">
+            <input class="form-check-input" type="checkbox" role="switch"
+                   :id="'toggle-' + client.uuid"
+                   :checked="client.enabled"
+                   @change="toggleClient(client.uuid, !client.enabled)">
+          </div>
           <button class="btn btn-danger btn-sm ms-2" @click="unpairSingle(client.uuid)">
             <trash-2 :size="18" class="icon"></trash-2>
           </button>
