From 90d52616703eae482780c0f8f68dcb44f7cc8930 Mon Sep 17 00:00:00 2001
From: Thomas Hooge <thomas@hoogi.de>
Date: Fri, 6 Mar 2026 09:25:41 +0100
Subject: [PATCH] Add salt and md5 firmware check to webserver

---
 src/webserver.cpp | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/webserver.cpp b/src/webserver.cpp
index 90325c7..05585d5 100644
--- a/src/webserver.cpp
+++ b/src/webserver.cpp
@@ -10,10 +10,15 @@
 #include "esp_rom_uart.h" // for uart wait idle
 #include <Update.h>
 
+// TODO
+// - replace StaticJsonDocument by AsyncResponseStream
+// - add lastseen to devices in devicelist
+
 // Logging
 static const char* TAG = "WEB";
 
 AsyncWebServer server(80);
+uint32_t apiToken = esp_random();
 bool updateSuccess = false;
 String updateError = "";
 
@@ -120,7 +125,6 @@ void webserver_init() {
         doc["instDesc2"] = config.getString("instDesc2");
         doc["logLevel"] = loglevel;
         doc["version"] = VERSION;
-        doc["salt"] = "secret";
         doc["AdminPassword"] = "********";
         doc["useAdminPass"] = config.getBool("useAdminPass") ? "true" : "false";
         doc["apEnable"] = config.getBool("apEnable") ? "true" : "false";
@@ -220,6 +224,11 @@ void webserver_init() {
         doc["n2kstate"] = NMEA2000.stateStr(driverState);
         doc["n2knode"] = NMEA2000.GetN2kSource();
 
+        // use timeBucket of 8s
+        char salt[9];
+        sprintf(salt, "%08X", apiToken + (millis()/1000UL & ~0x7UL));
+        doc["salt"] = salt;
+
         doc["status"] = "OK";
         String out;
         serializeJson(doc, out);
@@ -297,6 +306,11 @@ void webserver_init() {
         // this is the new image upload part
         if (index == 0) {
             LOGI(TAG, "Retrieving firmware image named: %s", filename.c_str());
+            if (request->hasParam("md5", true)) {
+                String md5 = request->getParam("md5", true)->value();
+                LOGI(TAG, "MD5 hash: %s", md5.c_str());
+                Update.setMD5(md5.c_str());
+            }
             if (! Update.begin(UPDATE_SIZE_UNKNOWN)) {
                 Update.printError(Serial);
                 updateError = "Update.begin() failed";
@@ -337,8 +351,7 @@ void webserver_init() {
             }
             // TODO last seen?
             uint16_t mfcode = d->GetManufacturerCode();
-            // TODO RAW-String!
-            response->printf("{\"source\":%d,\"name\":\"%s\",\"manufcode\":\"%d\",\"model\":\"%s\",\"manufname\":\"%s\"}",
+            response->printf(R"DELIM({"source":%d,"name":"%s","manufcode":%d,"model":"%s","manufname":"%s"})DELIM",
                              i, hex_name, mfcode, d->GetModelID(), NMEA2000.GetManufacturerName(mfcode));
         }
         response->print("]");