Definition
Authentication is an additional security layer to protect the ESP3D web interface and ESP3D commands from unauthorized access. It is based on a username and password. Authentication is optional and can be enabled/disabled in the ESP3D configuration. There are 3 login levels:
- guest, which does not require authentication
- user, which has limited access to ESP3D features
- admin, which has full access to ESP3D features
Currently, login accounts cannot be customized, so authentication is limited to user and admin levels. The guest level is always available and cannot be disabled.
Configuration
In configuration.h, uncomment the following line to enable authentication:
```
#define AUTHENTICATION_FEATURE
```
The default password for admin is admin, and for user it is user. You can change them using the Web Interface or the [ESP550] and [ESP555] commands.
Web Interface
When user authentication is enabled, the web interface asks for a username and password. If authentication succeeds, the user is redirected to the web interface. If authentication fails, the user is redirected to the login page.
The web interface also supports inline authentication. This means you can pass the username and password in the URL. This is useful if you want to use command-line tools such as curl or wget to access the web interface. The URL format is:
```
http://user:password@<ip_address>
```
In the web interface, an authenticated session stays open until the browser is closed. If you close the browser and reopen it, you will be asked to authenticate again. This session can also time out. The default timeout is 3 minutes of inactivity. You can change this timeout in the ESP3D configuration web interface or by using the [ESP510] command.
ESPXXX Command
When user authentication is enabled, the ESPXXX commands will ask for a password. If the authentication is successful, the command will be executed. If the authentication fails, the command will be rejected.
The session for ESPXXX commands is sticky. This means that once authenticated, the session remains authenticated until ESP3D is restarted or the session is closed (e.g., Telnet / WebSocket).
Limitations
The current authentication system lacks many features, such as:
- user management
- HTTPS support
- password encryption
- password recovery
- password expiration over time
- password lockout if too many failed attempts
So you should not consider this authentication foolproof security. It is only an additional security layer.
Because ESPXXX commands rely only on passwords, do not use the same password for user and admin accounts. If you do, you will not be able to use ESPXXX commands at user level; everything will be treated as admin once authenticated.
Passwords are never displayed in clear text, but they are stored in the ESP3D configuration in clear text. So if you want to change a password, you must use the Web Interface or ESPXXX commands.
In the web interface, passwords are replaced by *******, so any modification must be complete, not partial.
All passwords and sensitive information are sent in plain text. So if you want to use ESP3D on a public network or outside your local network (which is not recommended), you must use a VPN.
Here is the scope of rights for each authentication level:
| Feature | not authenticated | guest | user | admin |
|---|---|---|---|---|
| Web Interface | No | No | Yes | Yes |
| Telnet | No | No | Yes | Yes |
| WebSocket | No | No | Yes | Yes |
| WebDav | No | No | Yes | Yes |
| Bluetooth | No | No | Yes | Yes |
| Upload | No | No | Yes | Yes |
| Update | No | No | No | Yes |
| [ESP0] | Yes | Yes | Yes | Yes |
| [ESP100] | No | No | Get | Get/Set |
| [ESP101] | No | No | No | Set |
| [ESP102] | No | No | Get | Get/Set |
| [ESP103] | No | No | Get | Get/Set |
| [ESP104] | No | No | Get | Get/Set |
| [ESP105] | No | No | Get | Get/Set |
| [ESP106] | No | No | No | Set |
| [ESP107] | No | No | Get | Get/Set |
| [ESP108] | No | No | Get | Get/Set |
| [ESP110] | No | No | Get | Get/Set |
| [ESP111] | No | No | Get | Get |
| [ESP112] | No | No | Get | Get/Set |
| [ESP114] | No | No | Get | Get/Set |
| [ESP115] | No | No | Get | Get/Set |
| [ESP116] | No | No | Get | Get/Set |
| [ESP117] | No | No | Get | Get/Set |
| [ESP118] | No | No | Get | Get/Set |
| [ESP120] | No | No | Get | Get/Set |
| [ESP121] | No | No | Get | Get/Set |
| [ESP130] | No | No | Get | Get/Set |
| [ESP131] | No | No | Get | Get/Set |
| [ESP140] | No | No | Get | Get/Set |
| [ESP150] | No | No | Get | Get/Set |
| [ESP160] | No | No | Get | Get/Set |
| [ESP161] | No | No | Get | Get/Set |
| [ESP170] | No | No | Get/Set | Get/Set |
| [ESP171] | No | No | Get | Get |
| [ESP180] | No | No | Get | Get/Set |
| [ESP181] | No | No | Get | Get/Set |
| [ESP190] | No | No | Get | Get/Set |
| [ESP191] | No | No | Get | Get/Set |
| [ESP200] | No | No | Get/Set | Get/Set |
| [ESP201] | No | No | Get/Set | Get/Set |
| [ESP202] | No | No | Get | Get/Set |
| [ESP210] | No | No | Get | Get/Set |
| [ESP212] | No | No | Set | Set |
| [ESP214] | No | No | Set | Set |
| [ESP215] | No | No | No | Set |
| [ESP220] | No | No | Get | Get |
| [ESP250] | No | No | Set | Set |
| [ESP290] | No | No | Set | Set |
| [ESP300] | No | No | Set | Set |
| [ESP301] | No | No | Get/Set | Get/Set |
| [ESP400] | No | No | Get | Get |
| [ESP401] | No | No | No | Set |
| [ESP402] | No | No | Get | Get/Set |
| [ESP410] | No | No | Get | Get |
| [ESP420] | No | No | Get | Get |
| [ESP444] | No | No | Set (only RESTART) | Set |
| [ESP450] | No | No | Get | Get |
| [ESP500] | Get/Set | Get/Set | Get/Set | Get/Set |
| [ESP510] | No | No | Get | Get/Set |
| [ESP550] | No | No | No | Get/Set |
| [ESP555] | No | No | Get/Set | Get/Set |
| [ESP600] | No | No | Set | Set |
| [ESP610] | No | No | Get | Get/Set |
| [ESP620] | No | No | Set | Set |
| [ESP700] | No | No | Set | Set |
| [ESP701] | No | No | Get/Set | Get/Set |
| [ESP710] | No | No | No | Set |
| [ESP715] | No | No | No | Set |
| [ESP720] | No | No | Get | Get |
| [ESP730] | No | No | Get/Set | Get/Set |
| [ESP740] | No | No | Get | Get |
| [ESP750] | No | No | Get/Set | Get/Set |
| [ESP780] | No | No | Get | Get |
| [ESP790] | No | No | Get/Set | Get/Set |
| [ESP800] | No | No | Get/Set | Get/Set |
| [ESP900] | No | No | Get/Set | Get/Set |
| [ESP901] | No | No | Get | Get/Set |
| [ESP902] | No | No | Get | Get/Set |
| [ESP910] | No | No | Get/Set | Get/Set |
| [ESP930] | No | No | Get | Get/Set |
| [ESP931] | No | No | Get | Get/Set |
| [ESP950] | No | No | Get | Get/Set |
| [ESP999] | No | No | No | Set |
API Description
Global
Each authenticated session has a unique session ID that is stored on ESP3D with additional information:
- session ID (25 characters)
- session level (Guest / Admin / User)
- client_id (serial / http / telnet / WebSocket)
- session last activity (timestamp)
- client IP (http)
- client socket ID (telnet / WebSocket)
When authentication is enabled, the HTTP server checks whether the session is authenticated. If not, it asks for authentication. If the session is authenticated, it checks whether the session is still valid. If not, it asks for authentication again. If the session is still valid, it processes the request.
The session ID is stored in the ESP3D_SESSIONID cookie.
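The check sequence described above, sketched as an added example; it is not ESP3D's own code. The names `Session`, `SessionTable`, `cookie_id`, `check` and `Verdict` are hypothetical, and comparing the stored client IP on each request, discarding expired sessions and using millisecond timestamps are assumptions.

```cpp
#include <cstdint>
#include <map>
#include <string>

enum class Level { guest, user, admin };
enum class Verdict { ask_auth, process };

// Per-session record, reduced to the fields the HTTP check needs.
struct Session {
    Level level;
    std::string client_ip;   // address recorded at login (HTTP clients)
    uint64_t last_activity;  // milliseconds, monotonic clock
};

struct SessionTable {
    std::map<std::string, Session> sessions;  // keyed by the 25-character session ID
    uint64_t timeout_ms = 3 * 60 * 1000;      // default: 3 minutes of inactivity

    // Return the ESP3D_SESSIONID value from a Cookie header, or "" if absent.
    static std::string cookie_id(const std::string& header) {
        const std::string key = "ESP3D_SESSIONID=";
        for (std::size_t pos = 0; (pos = header.find(key, pos)) != std::string::npos; pos += key.size()) {
            // Match only a whole cookie name, not a suffix such as "XESP3D_SESSIONID".
            if (pos != 0 && header[pos - 1] != ' ' && header[pos - 1] != ';') continue;
            std::size_t start = pos + key.size(), end = header.find(';', start);
            return header.substr(start, end == std::string::npos ? end : end - start);
        }
        return "";
    }

    // Decide whether a request is processed or sent back to the login page.
    Verdict check(const std::string& cookie_header, const std::string& ip, uint64_t now) {
        const std::string id = cookie_id(cookie_header);
        auto it = id.size() == 25 ? sessions.find(id) : sessions.end();
        if (it == sessions.end()) return Verdict::ask_auth;  // no, unknown or malformed ID
        Session& s = it->second;
        // Assumption: the stored client IP is compared on every request.
        if (s.client_ip != ip) return Verdict::ask_auth;     // keep the owner's session
        if (now - s.last_activity > timeout_ms) {
            sessions.erase(it);                              // expired: forget it
            return Verdict::ask_auth;
        }
        s.last_activity = now;  // valid: slide the inactivity window
        return Verdict::process;
    }
};
```

A request from a different address is refused without deleting the session, so a third party who presents a known session ID cannot log the legitimate client out.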