Dev (#417)

## v1.0.13
**Improvements**
- Show QR Code for Guest WiFi
- New "guestonly" policy for Guest APs

Author: lts-rad

RELEASE-NOTES.md

@@ -1,4 +1,9 @@
 # Secure Programmable Router (SPR) Release Notes
+## v1.0.13
+**Improvements**
+- Show QR Code for Guest WiFi
+- New "guestonly" policy for Guest APs
+
 ## v1.0.12
 **Improvements**
 - Golang version update & module upgrades

api/code/api.go

@@ -126,7 +126,7 @@ type DeviceEntry struct {
 	DeviceDisabled   bool //tbd deprecate this in favor of only using the policy name.
 }
 
-var ValidPolicyStrings = []string{"wan", "lan", "dns", "api", "lan_upstream", "noapi", "disabled", "quarantine", "dns:family"}
+var ValidPolicyStrings = []string{"wan", "lan", "dns", "api", "lan_upstream", "noapi", "guestonly", "disabled", "quarantine", "dns:family"}
 
 var config = APIConfig{}
 

api/code/dhcp.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"os/exec"
 	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -62,6 +63,14 @@ type DHCPResponse struct {
 	LeaseTime  string
 }
 
+type DHCPFail struct {
+	MAC        string
+	Identifier string
+	Name       string
+	Iface      string
+	Reason     string
+}
+
 var DHCPmtx sync.Mutex
 
 func SUBNETP1(subnet string) string {
@@ -321,7 +330,8 @@ func handleDHCPResult(MAC string, IP string, Router string, Name string, Iface s
 
 		//guest ssid defaults
 		if strings.Contains(Iface, ExtraBSSPrefix) {
-			newDevice.Policies = []string{"wan", "dns", "noapi"}
+			//guestonly policy -> can only exist on the guest AP
+			newDevice.Policies = []string{"wan", "dns", "noapi", "guestonly"}
 			newDevice.DeviceTags = []string{"guest"}
 		}
 
@@ -386,6 +396,24 @@ func dhcpRequest(w http.ResponseWriter, r *http.Request) {
 	devices := getDevicesJson()
 	val, exists := devices[dhcp.MAC]
 
+	if exists {
+		if strings.Contains(dhcp.Iface, ExtraBSSPrefix) {
+			//ensure the device had the guestonly policy
+			//this should only happen if a MAC is already known for a device
+			if !slices.Contains(val.Policies, "guestonly") {
+				fail := DHCPFail{}
+				fail.Iface = dhcp.Iface
+				fail.MAC = dhcp.MAC
+				fail.Identifier = dhcp.Identifier
+				fail.Name = dhcp.Name
+				fail.Reason = "Missing GuestOnly Policy, Possible MAC Spoofing"
+				SprbusPublish("dhcp:spoof", fail)
+				http.Error(w, "Refuse dhcp from wanif", 400)
+				return
+			}
+		}
+	}
+
 	if exists && val.RecentIP != "" && isTinyNetIPLocked(val.RecentIP) {
 		IP = val.RecentIP
 		Router = RouterFromTinyIP(IP)

frontend/src/components/Wifi/WifiGuestNetworkParameters.js

@@ -30,6 +30,7 @@ import {
 import { EyeIcon } from 'lucide-react-native'
 
 import { Select } from 'components/Select'
+import DeviceQRCode from 'components/Devices/DeviceQRCode'
 
 let modes = [
   { label: '5 & 6 GHz', value: 'a' },
@@ -343,6 +344,11 @@ const WifiChannelParameters = ({
                       autoComplete="off"
                     />
                   </Input>
+                  <>
+                    {(uipasswordType == 'text') && (
+                      <DeviceQRCode ssid={extraSSID} psk={guestPassword} type="WPA" />
+                    )}
+                  </>
                   {'password' in errors ? (
                     <FormControlError>
                       <FormControlErrorText>