diff options
author | redmatrix <git@macgirvin.com> | 2016-07-20 17:55:40 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-07-20 17:57:17 -0700 |
commit | bc8c74eb422387a5537eb923c90a34c1196ce568 (patch) | |
tree | 4f8ba641908fd18cc810ee0086684a4041062231 | |
parent | eac35c05e9059ba57aefc878cc669eb0efbbd086 (diff) | |
download | volse-hubzilla-bc8c74eb422387a5537eb923c90a34c1196ce568.tar.gz volse-hubzilla-bc8c74eb422387a5537eb923c90a34c1196ce568.tar.bz2 volse-hubzilla-bc8c74eb422387a5537eb923c90a34c1196ce568.zip |
sort out some of the authentication mess - with luck this may fix the DAV auth issue which I simply could not duplicate or find a reason for.
-rw-r--r-- | Zotlabs/Module/Dav.php | 85 | ||||
-rw-r--r-- | Zotlabs/Module/Login.php | 3 | ||||
-rw-r--r-- | Zotlabs/Module/Openid.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Register.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Removeaccount.php | 3 | ||||
-rw-r--r-- | Zotlabs/Module/Removeme.php | 4 | ||||
-rw-r--r-- | Zotlabs/Storage/BasicAuth.php | 37 | ||||
-rw-r--r-- | include/account.php | 2 | ||||
-rw-r--r-- | include/api_auth.php | 14 | ||||
-rw-r--r-- | include/auth.php | 139 | ||||
-rw-r--r-- | include/oauth.php | 2 | ||||
-rw-r--r-- | include/security.php | 29 | ||||
-rwxr-xr-x | util/fresh | 7 |
13 files changed, 133 insertions, 196 deletions
diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php index ba2394388..aaf69844c 100644 --- a/Zotlabs/Module/Dav.php +++ b/Zotlabs/Module/Dav.php @@ -48,55 +48,13 @@ class Dav extends \Zotlabs\Web\Controller { if (! is_dir('store')) os_mkdir('store', STORAGE_DEFAULT_PERMISSIONS, false); - $which = null; if (argc() > 1) - $which = argv(1); + profile_load(argv(1),0); - $profile = 0; - - \App::$page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . z_root() . '/feed/' . $which . '" />' . "\r\n"; - - if ($which) - profile_load( $which, $profile); - - - $auth = new \Zotlabs\Storage\BasicAuth(); - $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . 'WebDAV'); - -// $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function($userName,$password) { -// if(account_verify_password($userName,$password)) -// return true; -// return false; -// }); + $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV'); -// $ob_hash = get_observer_hash(); - -// if ($ob_hash) { -// if (local_channel()) { -// $channel = \App::get_channel(); -// $auth->setCurrentUser($channel['channel_address']); -// $auth->channel_id = $channel['channel_id']; -// $auth->channel_hash = $channel['channel_hash']; -// $auth->channel_account_id = $channel['channel_account_id']; -// if($channel['channel_timezone']) -// $auth->setTimezone($channel['channel_timezone']); -// } -// $auth->observer = $ob_hash; -// } - -// if ($_GET['davguest']) -// $_SESSION['davguest'] = true; - -// $_SERVER['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['QUERY_STRING']); -// $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']); -// $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['QUERY_STRING']); -// -// $_SERVER['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['REQUEST_URI']); -// $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']); -// $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['REQUEST_URI']); - $rootDirectory = new \Zotlabs\Storage\Directory('/', $auth); // A SabreDAV server-object @@ -113,48 +71,13 @@ class Dav extends \Zotlabs\Web\Controller { $server->addPlugin($lockPlugin); - // The next section of code allows us to bypass prompting for http-auth if a - // FILE is being accessed anonymously and permissions allow this. This way - // one can create hotlinks to public media files in their cloud and anonymous - // viewers won't get asked to login. - // If a DIRECTORY is accessed or there are permission issues accessing the - // file and we aren't previously authenticated via zot, prompt for HTTP-auth. - // This will be the default case for mounting a DAV directory. - // In order to avoid prompting for passwords for viewing a DIRECTORY, add - // the URL query parameter 'davguest=1'. - -// $isapublic_file = false; -// $davguest = ((x($_SESSION, 'davguest')) ? true : false); - -// if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) { -// try { -// $x = RedFileData('/' . \App::$cmd, $auth); -// if($x instanceof \Zotlabs\Storage\File) -// $isapublic_file = true; -// } -// catch (Exception $e) { -// $isapublic_file = false; -// } -// } - -// if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) { -// try { -// $auth->Authenticate($server, t('$Projectname channel')); -// } -// catch (Exception $e) { -// logger('mod_cloud: auth exception' . $e->getMessage()); -// http_status_exit($e->getHTTPCode(), $e->getMessage()); -// } -// } - - // require_once('Zotlabs/Storage/Browser.php'); // provide a directory view for the cloud in Hubzilla $browser = new \Zotlabs\Storage\Browser($auth); $auth->setBrowserPlugin($browser); // Experimental QuotaPlugin - // require_once('Zotlabs/Storage/QuotaPlugin.php'); - // $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth)); + // require_once('Zotlabs/Storage/QuotaPlugin.php'); + // $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth)); // All we need to do now, is to fire up the server $server->exec(); diff --git a/Zotlabs/Module/Login.php b/Zotlabs/Module/Login.php index ff75e5268..ae35b922f 100644 --- a/Zotlabs/Module/Login.php +++ b/Zotlabs/Module/Login.php @@ -7,6 +7,9 @@ class Login extends \Zotlabs\Web\Controller { function get() { if(local_channel()) goaway(z_root()); + if(remote_channel() && $_SESSION['atoken']) + goaway(z_root()); + return login((\App::$config['system']['register_policy'] == REGISTER_CLOSED) ? false : true); } diff --git a/Zotlabs/Module/Openid.php b/Zotlabs/Module/Openid.php index 7a6e4a81f..8cbc6d2fd 100644 --- a/Zotlabs/Module/Openid.php +++ b/Zotlabs/Module/Openid.php @@ -48,7 +48,7 @@ class Openid extends \Zotlabs\Web\Controller { $_SESSION['uid'] = $r[0]['channel_id']; $_SESSION['account_id'] = $r[0]['channel_account_id']; $_SESSION['authenticated'] = true; - authenticate_success($record,true,true,true,true); + authenticate_success($record,$r[0],true,true,true,true); goaway(z_root()); } } diff --git a/Zotlabs/Module/Register.php b/Zotlabs/Module/Register.php index 6afa4a94c..45123b88d 100644 --- a/Zotlabs/Module/Register.php +++ b/Zotlabs/Module/Register.php @@ -146,7 +146,7 @@ class Register extends \Zotlabs\Web\Controller { goaway(z_root()); } - authenticate_success($result['account'],true,false,true); + authenticate_success($result['account'],null,true,false,true); $new_channel = false; $next_page = 'new_channel'; diff --git a/Zotlabs/Module/Removeaccount.php b/Zotlabs/Module/Removeaccount.php index 39e06bb7f..9fac7838e 100644 --- a/Zotlabs/Module/Removeaccount.php +++ b/Zotlabs/Module/Removeaccount.php @@ -25,7 +25,8 @@ class Removeaccount extends \Zotlabs\Web\Controller { $account = \App::get_account(); $account_id = get_account_id(); - if(! account_verify_password($account['account_email'],$_POST['qxz_password'])) + $x = account_verify_password($account['account_email'],$_POST['qxz_password']); + if(! ($x && $x['account'])) return; if($account['account_password_changed'] != NULL_DATE) { diff --git a/Zotlabs/Module/Removeme.php b/Zotlabs/Module/Removeme.php index e611d8112..bc18fe0f8 100644 --- a/Zotlabs/Module/Removeme.php +++ b/Zotlabs/Module/Removeme.php @@ -24,7 +24,9 @@ class Removeme extends \Zotlabs\Web\Controller { $account = \App::get_account(); - if(! account_verify_password($account['account_email'],$_POST['qxz_password'])) + + $x = account_verify_password($account['account_email'],$_POST['qxz_password']); + if(! ($x && $x['account'])) return; if($account['account_password_changed'] != NULL_DATE) { diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php index 60fc2c988..e94a5c1dc 100644 --- a/Zotlabs/Storage/BasicAuth.php +++ b/Zotlabs/Storage/BasicAuth.php @@ -91,33 +91,20 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic { require_once('include/auth.php'); $record = account_verify_password($username, $password); - if ($record && $record['account_default_channel']) { - $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", - intval($record['account_id']), - intval($record['account_default_channel']) - ); - if($r && $this->check_module_access($r[0]['channel_id'])) { - return $this->setAuthenticated($r[0]); + if($record && $record['account']) { + if($record['channel']) + $channel = $record['channel']; + else { + $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", + intval($record['account']['account_id']), + intval($record['account']['account_default_channel']) + ); + if($r) + $channel = $r[0]; } } - $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1", - dbesc($username) - ); - if ($r) { - $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1", - intval($r[0]['channel_account_id']) - ); - if ($x) { - // @fixme this foreach should not be needed? - foreach ($x as $record) { - if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)) - && (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) { - logger('password verified for ' . $username); - if($this->check_module_access($r[0]['channel_id'])) - return $this->setAuthenticated($r[0]); - } - } - } + if($channel && $this->check_module_access($channel['channel_id'])) { + return $this->setAuthenticated($channel); } if($this->module_disabled) diff --git a/include/account.php b/include/account.php index c02a74928..142ad1bea 100644 --- a/include/account.php +++ b/include/account.php @@ -515,7 +515,7 @@ function account_approve($hash) { auto_channel_create($register[0]['uid']); else { $_SESSION['login_return_url'] = 'new_channel'; - authenticate_success($account[0],true,true,false,true); + authenticate_success($account[0],null,true,true,false,true); } diff --git a/include/api_auth.php b/include/api_auth.php index dc8492b20..7a71bad73 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -59,20 +59,12 @@ function api_login(&$a){ if(isset($_SERVER['PHP_AUTH_USER'])) { $channel_login = 0; $record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); - if(! $record) { - $r = q("select * from channel left join account on account.account_id = channel.channel_account_id - where channel.channel_address = '%s' limit 1", - dbesc($_SERVER['PHP_AUTH_USER']) - ); - if ($r) { - $record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']); - if($record) - $channel_login = $r[0]['channel_id']; - } + if($record && $record['channel']) { + $channel_login = $record['channel']['channel_id']; } } - if($record) { + if($record['account']) { authenticate_success($record); if($channel_login) diff --git a/include/auth.php b/include/auth.php index 79d04c728..f8120981a 100644 --- a/include/auth.php +++ b/include/auth.php @@ -20,62 +20,85 @@ require_once('include/security.php'); * attempts. * * @param string $email - * The email address to verify. + * The login to verify (channel address, account email or guest login token). * @param string $pass * The provided password to verify. * @return array|null * Returns account record on success, null on failure. */ -function account_verify_password($email, $pass) { +function account_verify_password($login, $pass) { + + $ret = [ 'account' => null, 'channel' => null, 'xchan' => null ]; $email_verify = get_config('system', 'verify_email'); $register_policy = get_config('system', 'register_policy'); + if(! $login) + return null; + + $account = null; + $channel = null; + $xchan = null; + + if(! strpos($login,'@')) { + $channel = channelx_by_nick($login); + if(! $channel) { + $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1", + dbesc($login), + dbesc($pass) + ); + if($x) { + $ret['xchan'] = atoken_xchan($x[0]); + return $ret; + } + } + } + if($channel) { + $where = " where account_id = " . intval($channel['channel_account_id']) . " "; + } + else { + $where = " where account_email = '" . dbesc($login) . "' "; + } + + $a = q("select * from account $where"); + if(! $a) { + return null; + } + + $account = $a[0]; + // Currently we only verify email address if there is an open registration policy. // This isn't because of any policy - it's because the workflow gets too complicated if // you have to verify the email and then go through the account approval workflow before // letting them login. - // @bug there is no record here - //if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED)) - // return null; - - $r = q("select * from account where account_email = '%s'", - dbesc($email) - ); - if($r) { - - foreach($r as $record) { - if(($record['account_flags'] == ACCOUNT_OK) - && (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) { - logger('password verified for ' . $email); - return $record; - } - } + if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) { + logger('email verification required for ' . $login); + return null; } - $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1", - dbesc($email), - dbesc($pass) - ); - if($x) { - atoken_login($x[0]); - return $x[0]; + if(($account['account_flags'] == ACCOUNT_OK) + && (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) { + logger('password verified for ' . $login); + $ret['account'] = $account; + if($channel) + $ret['channel'] = $channel; + return $ret; } - $error = 'password failed for ' . $email; + $error = 'password failed for ' . $login; logger($error); - if($record['account_flags'] & ACCOUNT_UNVERIFIED) - logger('Account is unverified. account_flags = ' . $record['account_flags']); - if($record['account_flags'] & ACCOUNT_BLOCKED) - logger('Account is blocked. account_flags = ' . $record['account_flags']); - if($record['account_flags'] & ACCOUNT_EXPIRED) - logger('Account is expired. account_flags = ' . $record['account_flags']); - if($record['account_flags'] & ACCOUNT_REMOVED) - logger('Account is removed. account_flags = ' . $record['account_flags']); - if($record['account_flags'] & ACCOUNT_PENDING) - logger('Account is pending. account_flags = ' . $record['account_flags']); + if($account['account_flags'] & ACCOUNT_UNVERIFIED) + logger('Account is unverified. account_flags = ' . $account['account_flags']); + if($account['account_flags'] & ACCOUNT_BLOCKED) + logger('Account is blocked. account_flags = ' . $account['account_flags']); + if($account['account_flags'] & ACCOUNT_EXPIRED) + logger('Account is expired. account_flags = ' . $account['account_flags']); + if($account['account_flags'] & ACCOUNT_REMOVED) + logger('Account is removed. account_flags = ' . $account['account_flags']); + if($account['account_flags'] & ACCOUNT_PENDING) + logger('Account is pending. account_flags = ' . $account['account_flags']); log_failed_login($error); @@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && App::$session->new_cookie(60 * 60 * 24); // one day $_SESSION['last_login_date'] = datetime_convert(); unset($_SESSION['visitor_id']); // no longer a visitor - authenticate_success($x[0], true, true); + authenticate_success($x[0], null, true, true); } } if(array_key_exists('atoken',$_SESSION)) { @@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && App::$session->extend_cookie(); $login_refresh = true; } - authenticate_success($r[0], false, false, false, $login_refresh); + $ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null); + authenticate_success($r[0], null, $ch, false, false, $login_refresh); } else { $_SESSION['account_id'] = 0; @@ -218,37 +242,38 @@ else { call_hooks('authenticate', $addon_auth); - $atoken = false; + $atoken = null; + $account = null; if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) { - $record = $addon_auth['user_record']; + $account = $addon_auth['user_record']; } else { - $x = account_verify_password($_POST['username'], $_POST['password']); - if(array_key_exists('atoken',$x)) - $atoken = true; - if(! $atoken) { - $record = App::$account = $x; - - if(App::$account) { - $_SESSION['account_id'] = App::$account['account_id']; - } - else { - notice( t('Failed authentication') . EOL); - } - - logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL); + $verify = account_verify_password($_POST['username'], $_POST['password']); + if($verify) { + $atoken = $verify['xchan']; + $channel = $verify['channel']; + $account = App::$account = $verify['account']; + } + + if(App::$account) { + $_SESSION['account_id'] = App::$account['account_id']; + } + elseif($atoken) { + atoken_login($atoken); + } + else { + notice( t('Failed authentication') . EOL); } } - if((! $record) || (! count($record))) { + if(! ($account || $atoken)) { $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']; logger($error); // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention $authlog = get_config('system', 'authlog'); if ($authlog) @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); - notice( t('Login failed.') . EOL ); goaway(z_root() . '/login'); } @@ -279,7 +304,7 @@ else { $_SESSION['last_login_date'] = datetime_convert(); if(! $atoken) - authenticate_success($record, true, true); + authenticate_success($account,$channel,true, true); } } diff --git a/include/oauth.php b/include/oauth.php index 984e0e6c6..a3c52bf27 100644 --- a/include/oauth.php +++ b/include/oauth.php @@ -170,7 +170,7 @@ class ZotOAuth1 extends OAuth1Server { ); if($x) { require_once('include/security.php'); - authenticate_success($x[0],true,false,true,true); + authenticate_success($x[0],null,true,false,true,true); $_SESSION['allow_api'] = true; } } diff --git a/include/security.php b/include/security.php index e345636e7..2107ed819 100644 --- a/include/security.php +++ b/include/security.php @@ -12,7 +12,7 @@ * @param bool $return * @param bool $update_lastlog */ -function authenticate_success($user_record, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) { +function authenticate_success($user_record, $channel = null, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) { $_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; @@ -23,11 +23,15 @@ function authenticate_success($user_record, $login_initial = false, $interactive $_SESSION['account_id'] = $user_record['account_id']; $_SESSION['authenticated'] = 1; + if($channel) + $uid_to_load = $channel['channel_id']; - $uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid']))) - ? intval($_SESSION['uid']) - : intval(App::$account['account_default_channel']) - ); + if(! $uid_to_load) { + $uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid']))) + ? intval($_SESSION['uid']) + : intval(App::$account['account_default_channel']) + ); + } if($uid_to_load) { change_channel($uid_to_load); @@ -85,16 +89,12 @@ function authenticate_success($user_record, $login_initial = false, $interactive function atoken_login($atoken) { if(! $atoken) return false; - - $xchan = atoken_xchan($atoken); - $_SESSION['authenticated'] = 1; - $_SESSION['visitor_id'] = $xchan['xchan_hash']; + $_SESSION['visitor_id'] = $atoken['xchan_hash']; $_SESSION['atoken'] = $atoken['atoken_id']; - \App::set_observer($xchan); - - return [ 'atoken' => true ]; + \App::set_observer($atoken); + return true; } @@ -102,7 +102,8 @@ function atoken_xchan($atoken) { $c = channelx_by_n($atoken['atoken_uid']); if($c) { - return [ + return [ + 'atoken_id' => $atoken['atoken_id'], 'xchan_hash' => substr($c['channel_hash'],0,16) . '.' . $atoken['atoken_name'], 'xchan_name' => $atoken['atoken_name'], 'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(), @@ -115,7 +116,7 @@ function atoken_xchan($atoken) { ]; } - + return null; } diff --git a/util/fresh b/util/fresh index 9d74ea584..7f57931aa 100755 --- a/util/fresh +++ b/util/fresh @@ -82,12 +82,15 @@ function process_command($line) { exec('/bin/stty echo'); echo "\n"; require_once('include/auth.php'); - $record = App::$account = account_verify_password(argv(1),trim($x,"\n")); + $record = null; + $x = account_verify_password(argv(1),trim($x,"\n")); + if($x['account']) + $record = App::$account = $x['account']; if($record) { $_SESSION['account_id'] = App::$account['account_id']; $_SESSION['last_login_date'] = datetime_convert(); - authenticate_success($record, true, true); + authenticate_success($record, $x['channel'], true, true); echo 'logged in'; $channel = App::get_channel(); if($channel) |