<?php
function is_matrix_url($url) {
// in-memory cache to avoid repeated queries for the same host
static $remembered = [];
$m = @parse_url($url);
if($m['host']) {
if(array_key_exists($m['host'],$remembered))
return $remembered[$m['host']];
$r = q("select hubloc_url from hubloc where hubloc_host = '%s' and hubloc_network = 'zot' limit 1",
dbesc($m['host'])
);
if($r) {
$remembered[$m['host']] = true;
return true;
}
$remembered[$m['host']] = false;
}
return false;
}
/**
* @brief Adds a zid parameter to a url.
*
* @param string $s
* The url to accept the zid
* @param boolean $address
* $address to use instead of session environment
* @return string
*/
function zid($s, $address = '') {
if (! strlen($s) || strpos($s,'zid='))
return $s;
$m = parse_url($s);
$fragment = ((array_key_exists('fragment',$m) && $m['fragment']) ? $m['fragment'] : false);
if($fragment !== false)
$s = str_replace('#' . $fragment,'',$s);
$has_params = ((strpos($s,'?')) ? true : false);
$num_slashes = substr_count($s, '/');
if (! $has_params)
$has_params = ((strpos($s, '&')) ? true : false);
$achar = strpos($s,'?') ? '&' : '?';
$mine = get_my_url();
$myaddr = (($address) ? $address : get_my_address());
/**
* @FIXME checking against our own channel url is no longer reliable. We may have a lot
* of urls attached to our channel. Should probably match against our site, since we
* will not need to remote authenticate on our own site anyway.
*/
if ($mine && $myaddr && (! link_compare($mine,$s)))
$zurl = $s . (($num_slashes >= 3) ? '' : '/') . $achar . 'zid=' . urlencode($myaddr);
else
$zurl = $s;
// put fragment at the end
if($fragment)
$zurl .= '#' . $fragment;
$arr = [
'url' => $s,
'zid' => urlencode($myaddr),
'result' => $zurl
];
/**
* @hooks zid
* Called when adding the observer's zid to a URL.
* * \e string \b url - url to accept zid
* * \e string \b zid - urlencoded zid
* * \e string \b result - the return string we calculated, change it if you want to return something else
*/
call_hooks('zid', $arr);
return $arr['result'];
}
function strip_query_param($s,$param) {
return preg_replace('/[\?&]' . $param . '=(.*?)(&|$)/ism','$2',$s);
}
function strip_zids($s) {
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
}
function strip_owt($s) {
return preg_replace('/[\?&]owt=(.*?)(&|$)/ism','$2',$s);
}
function strip_zats($s) {
return preg_replace('/[\?&]zat=(.*?)(&|$)/ism','$2',$s);
}
function strip_auth_query_params() {
$_SERVER['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = strip_owt($_SERVER['QUERY_STRING']);
$_SERVER['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = strip_owt($_SERVER['REQUEST_URI']);
$_ENV['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_ENV['QUERY_STRING']);
$_ENV['QUERY_STRING'] = strip_zids($_ENV['QUERY_STRING']);
$_ENV['QUERY_STRING'] = strip_owt($_ENV['QUERY_STRING']);
$_ENV['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_ENV['REQUEST_URI']);
$_ENV['REQUEST_URI'] = strip_zids($_ENV['REQUEST_URI']);
$_ENV['REQUEST_URI'] = strip_owt($_ENV['REQUEST_URI']);
}
/**
* zidify_callback() and zidify_links() work together to turn any HTML a tags with class="zrl" into zid links
* These will typically be generated by a bbcode '[zrl]' tag. This is done inside prepare_text() rather than bbcode()
* because the latter is used for general purpose conversions and the former is used only when preparing text for
* immediate display.
*
* @TODO Issues: Currently the order of HTML parameters in the text is somewhat rigid and inflexible.
* We assume it looks like \<a class="zrl" href="xxxxxxxxxx"\> and will not work if zrl and href appear in a different order.
*
* @param array $match
* @return string
*/
function zidify_callback($match) {
$is_zid = ((feature_enabled(local_channel(), 'sendzid')) || (strpos($match[1], 'zrl')) ? true : false);
$replace = '<a' . $match[1] . ' href="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"';
$x = str_replace($match[0], $replace, $match[0]);
return $x;
}
function zidify_img_callback($match) {
$is_zid = ((feature_enabled(local_channel(), 'sendzid')) || (strpos($match[1], 'zrl')) ? true : false);
$replace = '<img' . $match[1] . ' src="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"';
$x = str_replace($match[0], $replace, $match[0]);
return $x;
}
function zidify_links($s) {
$s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"/ism','zidify_callback',$s);
$s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"/ism','zidify_img_callback',$s);
return $s;
}
function zidify_text_callback($match) {
$is_zid = is_matrix_url($match[2]);
$replace = '<a' . $match[1] . ' href="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"';
$x = str_replace($match[0], $replace, $match[0]);
return $x;
}
function zidify_text_img_callback($match) {
$is_zid = is_matrix_url($match[2]);
$replace = '<img' . $match[1] . ' src="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"';
$x = str_replace($match[0], $replace, $match[0]);
return $x;
}
function zidify_text($s) {
$s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"/ism','zidify_text_callback',$s);
$s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"/ism','zidify_text_img_callback',$s);
return $s;
}
/**
* @brief preg_match function when fixing 'naked' links in mod item.php.
*
* Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't.
* Remove any existing zid= param which may have been pasted by mistake - and will have
* the author's credentials. zid's are dynamic and can't really be passed around like
* that.
*
* @param array $matches
* @return string
*/
function red_zrl_callback($matches) {
$zrl = is_matrix_url($matches[2]);
$t = strip_zids($matches[2]);
if($t !== $matches[2]) {
$zrl = true;
$matches[2] = $t;
}
if($matches[1] === '#^')
$matches[1] = '';
if($zrl)
return $matches[1] . '#^[zrl=' . $matches[2] . ']' . $matches[2] . '[/zrl]';
return $matches[1] . '#^[url=' . $matches[2] . ']' . $matches[2] . '[/url]';
}
/**
* If we've got a url or zrl tag with a naked url somewhere in the link text,
* escape it with quotes unless the naked url is a linked photo.
*
* @param array $matches
* @return string
*/
function red_escape_zrl_callback($matches) {
// Uncertain why the url/zrl forms weren't picked up by the non-greedy regex.
if((strpos($matches[3], 'zmg') !== false) || (strpos($matches[3], 'img') !== false) || (strpos($matches[3],'zrl') !== false) || (strpos($matches[3],'url') !== false))
return $matches[0];
return '[' . $matches[1] . 'rl' . $matches[2] . ']' . $matches[3] . '"' . $matches[4] . '"' . $matches[5] . '[/' . $matches[6] . 'rl]';
}
function red_escape_codeblock($m) {
return '[$b64' . $m[2] . base64_encode($m[1]) . '[/' . $m[2] . ']';
}
function red_unescape_codeblock($m) {
return '[' . $m[2] . base64_decode($m[1]) . '[/' . $m[2] . ']';
}
function red_zrlify_img_callback($matches) {
$zrl = is_matrix_url($matches[2]);
$t = strip_zids($matches[2]);
if($t !== $matches[2]) {
$zrl = true;
$matches[2] = $t;
}
if($zrl)
return '[zmg' . $matches[1] . ']' . $matches[2] . '[/zmg]';
return $matches[0];
}
/**
* @brief OpenWebAuth authentication.
*
* @param string $token
*/
function owt_init($token) {
\Zotlabs\Zot\Verify::purge('owt', '3 MINUTE');
$ob_hash = \Zotlabs\Zot\Verify::get_meta('owt', 0, $token);
if($ob_hash === false) {
return;
}
$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
where hubloc_addr = '%s' order by hubloc_id desc",
dbesc($ob_hash)
);
if(! $r) {
// finger them if they can't be found.
$j = \Zotlabs\Zot\Finger::run($ob_hash, null);
if ($j['success']) {
import_xchan($j);
$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
where hubloc_addr = '%s' order by hubloc_id desc",
dbesc($ob_hash)
);
}
}
if(! $r) {
logger('owt: unable to finger ' . $ob_hash);
return;
}
$hubloc = $r[0];
$_SESSION['authenticated'] = 1;
$delegate_success = false;
if($_REQUEST['delegate']) {
$r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
dbesc($_REQUEST['delegate'])
);
if ($r && intval($r[0]['channel_id'])) {
$allowed = perm_is_allowed($r[0]['channel_id'],$hubloc['xchan_hash'],'delegate');
if($allowed) {
$_SESSION['delegate_channel'] = $r[0]['channel_id'];
$_SESSION['delegate'] = $hubloc['xchan_hash'];
$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
require_once('include/security.php');
// this will set the local_channel authentication in the session
change_channel($r[0]['channel_id']);
$delegate_success = true;
}
}
}
if (! $delegate_success) {
// normal visitor (remote_channel) login session credentials
$_SESSION['visitor_id'] = $hubloc['xchan_hash'];
$_SESSION['my_url'] = $hubloc['xchan_url'];
$_SESSION['my_address'] = $hubloc['hubloc_addr'];
$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
$_SESSION['DNT'] = 1;
}
$arr = [
'xchan' => $hubloc,
'url' => \App::$query_string,
'session' => $_SESSION
];
/**
* @hooks magic_auth_success
* Called when a magic-auth was successful.
* * \e array \b xchan
* * \e string \b url
* * \e array \b session
*/
call_hooks('magic_auth_success', $arr);
\App::set_observer($hubloc);
require_once('include/security.php');
\App::set_groups(init_groups_visitor($_SESSION['visitor_id']));
if(! get_config('system', 'hide_owa_greeting'))
info(sprintf( t('OpenWebAuth: %1$s welcomes %2$s'),\App::get_hostname(), $hubloc['xchan_name']));
logger('OpenWebAuth: auth success from ' . $hubloc['xchan_addr']);
}