Cross-Origin Bearer API Authentication

[korbin]

This PR:

• Adds mDNS service advertisement and discovery for bitaxe hostnames
• Suggests a suffixed hostname (based on the station MAC) for new Bitaxe setups
• Adds an NVS field, constant-time comparison functions, and corresponding frontend form fields for an API Secret token
• Adds Swarm support for scanning and adding cross-origin Bitaxes locally
  • Proxies Swarm local network scanning via mDNS service discovery through the currently-connected backend Bitaxe to avoid CORS issues
• Reworks and simplifies all CORS logic:
  • All cross-origin requests must present an Authorization: Bearer header as well as the X-Requested-With header (see OWASP)
  • We no longer attempt to nor need determine which network the requester belongs to for cross-origin request safety.
• Exposes current IP/subnet on the info endpoint

This has a number of advantages:

• Hostname-based now access works in many standard scenarios: port forwarding, nginx, Cloudflare tunnels, VPNs, Tailscale, etc.
• Swarm continues to work fairly seamlessly
• Cross-origin API requests are now authenticated (this can easily be adapted to make all requests authenticated.)
• Centralized UIs (just HTML pages) can be hosted (think GitHub Pages) and safely access local user Bitaxes (optional)

[skot]

This sounds amazing. I'll check it out as soon as I can.

Is authentication on needed for API / Swarm use? ie grandma doesn't have to set it up just to run a Bitaxe?

[korbin]

This sounds amazing. I'll check it out as soon as I can.

Is authentication on needed for API / Swarm use? ie grandma doesn't have to set it up just to run a Bitaxe?

No authentication is needed for any part of this (maintaining this theme for better or worse) except for cross-origin requests, which now all require an API token to be set.

Most users will not be making cross-origin requests unless they are using Swarm. If a user is using Swarm, the automatic scan-for-devices feature (visibly) works as it does currently, manually-added devices will require copying/pasting or typing whatever API secret the user chooses (or generates) into the Swarm UI.

[korbin]

I added the mDNS service discovery and ripped out the iterating scan loop (can overwhelm the ESP32, is slow, etc.), it's super slick:

https://github.com/korbin/ESP-Miner/tree/mdns-discovery
korbin@8228c70

I haven't merged it into this branch because this is something folks should test first - it's way nicer though.

You can fake a bitaxe in Linux with:

avahi-publish -s "fake-bitaxe" _bitaxe._tcp 80 "apiSecret=secretpass123"

You can scan for fake or real bitaxes using:

avahi-browse -rt _bitaxe._tcp

I added a new service: _bitaxe._tcp which has the API secret as a TXT record. The scan endpoint fetches all of these devices from the network using multicast and passes this information along to the frontend.

[korbin]

Update: I merged the mdns-discovery branch back into this one - it's working more consistently than the ESP32 port scan.

[STSMiner1]

This needs the conflicts resolved.

[mutatrum]

Code level review with some smallish remarks. Would be really nice to get this added, IMO.

[mutatrum]

Is this needed if it's already added in the root CMakeLists.txt?

[mutatrum]

Should these changes on the tests be in a separate PR?

[mutatrum]

Add to documentation.

[mutatrum]

This looks similar to the Wi-Fi AP name generation, is that the same?

[mutatrum]

Not needed, devices give their own color, this is only used for adding old firmware versions to swarm.

[eandersson]

Can you rebase this PR and remove all unnecessary changes e.g. unrelated CI changes or formatting changes.

[WantClue]

@korbin peek please again

[mutatrum]

There's also #1240. To limit the scope, would it make sense to merge that in first, and when mDNS is in place, do the auth as a smaller PR?