authorzotlabs <mike@macgirvin.com>2018-08-13 17:24:48 -0700
committerzotlabs <mike@macgirvin.com>2018-08-13 17:24:48 -0700
commit4fdf5d28caa5d4af2bc6dfc088fdd51111baf390 (patch)
tree88611d8eb27c4e4501d6c5308d58f0e60f59440f
parentdb1a546abaa82472bd9c8b402db6752e2a3869d0 (diff)
minor oauth2 updates - renamed zot webbie to 'webfinger' and zothash to 'portable_id', fixed/simplified cgi auth mode
-rw-r--r--Zotlabs/Identity/OAuth2Storage.php35
-rw-r--r--Zotlabs/Module/Authorize.php6
-rw-r--r--include/api_auth.php37
-rw-r--r--library/certs/lets-encrypt-x3-cross-signed.pem28
4 files changed, 68 insertions, 38 deletions
diff --git a/Zotlabs/Identity/OAuth2Storage.php b/Zotlabs/Identity/OAuth2Storage.php
index a50b21a70..bbf61cf2b 100644
--- a/Zotlabs/Identity/OAuth2Storage.php
+++ b/Zotlabs/Identity/OAuth2Storage.php
@@ -55,15 +55,22 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
return false;
}
+ $a = q("select * from account where account_id = %d",
+ intval($x['channel_account_id'])
+ );
+
+ $n = explode(' ', $x['channel_name']);
+
return( [
- 'webbie' => $x['channel_address'].'@'.\App::get_hostname(),
- 'zothash' => $x['channel_hash'],
- 'username' => $x['channel_address'],
- 'user_id' => $x['channel_id'],
- 'name' => $x['channel_name'],
- 'firstName' => $x['channel_name'],
- 'lastName' => '',
- 'password' => 'NotARealPassword'
+ 'webfinger' => channel_reddress($x),
+ 'portable_id' => $x['channel_hash'],
+ 'email' => $a['account_email'],
+ 'username' => $x['channel_address'],
+ 'user_id' => $x['channel_id'],
+ 'name' => $x['channel_name'],
+ 'firstName' => ((count($n) > 1) ? $n[1] : $n[0]),
+ 'lastName' => ((count($n) > 2) ? $n[count($n) - 1] : ''),
+ 'picture' => $x['xchan_photo_l']
] );
}
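Review bot: `$a['account_email']` on the new `'email'` line reads a key off the whole result set rather than off a row — `q()` returns a list of rows, as this same commit's `'account' => $a[0]` in include/api_auth.php shows — so the claim comes out null, and a `false` result from the unchecked query is indexed the same way. The name split is also off: for a two-word name `count($n) > 1 ? $n[1] : $n[0]` skips the first word and `count($n) > 2` never yields the last one. Suggested lines: `'email' => (($a) ? $a[0]['account_email'] : ''),`, `'firstName' => $n[0],` and `'lastName' => ((count($n) > 1) ? $n[count($n) - 1] : ''),`. Whether `$x` actually carries `xchan_photo_l` depends on the channel query at the top of getUser(), which together with the method signature is outside the hunk.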
@@ -91,12 +98,16 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
$userClaims = Array();
$claims = explode (' ', trim($claims));
- $validclaims = Array ("name","preferred_username","zothash");
+ $validclaims = Array ("name","preferred_username","webfinger","portable_id","email","picture","firstName","lastName");
$claimsmap = Array (
- "zotwebbie" => 'webbie',
- "zothash" => 'zothash',
+ "webfinger" => 'webfinger',
+ "portable_id" => 'portable_id',
"name" => 'name',
- "preferred_username" => "username"
+ "email" => 'email',
+ "preferred_username" => 'username',
+ "picture" => 'picture',
+ "given_name" => 'firstName',
+ "family_name" => 'lastName'
);
$userinfo = $this->getUser($user_id);
foreach ($validclaims as $validclaim) {
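Review bot: `$validclaims` now lists `firstName` and `lastName` while `$claimsmap` keys the same fields as `given_name` and `family_name`, so whichever array the loop at the end of the hunk consults, the two never meet and the given/family name claims cannot be released (the loop body is outside the hunk, so this is inferred from the two arrays alone). The map keys are the standard OIDC claim names, so the one-line fix is `$validclaims = Array ("name","preferred_username","webfinger","portable_id","email","picture","given_name","family_name");`. As a point of style, the block mixes `Array ()` long syntax with single- and double-quoted keys on adjacent lines; `[]` and one quote style would make the two arrays easier to compare.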
diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php
index e042848d8..265dea661 100644
--- a/Zotlabs/Module/Authorize.php
+++ b/Zotlabs/Module/Authorize.php
@@ -14,9 +14,9 @@ class Authorize extends \Zotlabs\Web\Controller {
// OpenID Connect Dynamic Client Registration 1.0 Client Metadata
// http://openid.net/specs/openid-connect-registration-1_0.html
$app = array(
- 'name' => (x($_REQUEST, 'client_name') ? urldecode($_REQUEST['client_name']) : t('Unknown App')),
- 'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : z_root() . '/images/icons/plugin.png'),
- 'url' => (x($_REQUEST, 'client_uri') ? urldecode($_REQUEST['client_uri']) : ''),
+ 'name' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : t('Unknown App')),
+ 'icon' => (x($_REQUEST, 'logo_uri') ? $_REQUEST['logo_uri'] : z_root() . '/images/icons/plugin.png'),
+ 'url' => (x($_REQUEST, 'client_uri') ? $_REQUEST['client_uri'] : ''),
);
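Review bot: The consent screen's icon and link are still taken straight from `logo_uri` and `client_uri` in the request, so whoever composes the authorize link decides what the user sees next to the Authorize button; the registered client record (looked up by `client_id` through the storage the module already uses, presumably `getClientDetails()`) should be the source of truth, with the request values at most a fallback that passes `filter_var($v, FILTER_VALIDATE_URL)` and an http/https scheme check first. Dropping `urldecode()` is right, since PHP has already decoded the request parameters, and showing `client_id` rather than a free-text `client_name` removes one spoofable string — a short comment on the `'name'` line saying that is the reason would stop a later change from reintroducing it. Whether `oauth_authorize.tpl` escapes the `$app` values is outside this hunk and worth confirming. The enclosing method continues beyond the hunk on both sides.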
$o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
'$title' => t('Authorize'),
diff --git a/include/api_auth.php b/include/api_auth.php
index e2f7ab155..23ab9c946 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -12,7 +12,13 @@ function api_login(&$a){
require_once('include/oauth.php');
+
+ if(array_key_exists('REDIRECT_REMOTE_USER',$_SERVER) && (! array_key_exists('HTTP_AUTHORIZATION',$_SERVER))) {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER'];
+ }
+
// login with oauth
+
try {
// OAuth 2.0
$storage = new \Zotlabs\Identity\OAuth2Storage(\DBA::$dba->db);
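Review bot: The new `REDIRECT_REMOTE_USER` → `HTTP_AUTHORIZATION` copy carries no explanation, and the `// workarounds for HTTP-auth in CGI mode` comment that used to say why is deleted in the next hunk, so a reader of this block alone cannot tell why a server variable named after a user is being treated as an Authorization header. Suggest restoring the intent above the `if`: `// CGI/FastCGI setups drop the Authorization header; the web server's rewrite rule is expected to re-expose it as REDIRECT_REMOTE_USER` (hedge the rewrite-rule part if the project's .htaccess is not where it comes from). Because the copy now runs before the OAuth 2.0 `try` block, the bearer-token path also picks it up, which the old loop that only covered Basic and Signature did not; presumably intended, but one sentence in the comment would settle it. api_login()'s body continues beyond the hunk.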
@@ -66,32 +72,27 @@ function api_login(&$a){
logger($e->getMessage());
}
- // workarounds for HTTP-auth in CGI mode
- foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+ if(array_key_exists('HTTP_AUTHORIZATION',$_SERVER)) {
/* Basic authentication */
- if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,5) === 'Basic') {
- $userpass = @base64_decode(substr(trim($_SERVER[$head]),6)) ;
+ if (substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,5) === 'Basic') {
+ $userpass = @base64_decode(substr(trim($_SERVER['HTTP_AUTHORIZATION']),6)) ;
if(strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
- break;
}
- /* Signature authentication */
+ /* OpenWebAuth */
- if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+ if(substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,9) === 'Signature') {
- if($head !== 'HTTP_AUTHORIZATION') {
- $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
- continue;
- }
+ $record = null;
- $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+ $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']);
if($sigblock) {
$keyId = str_replace('acct:','',$sigblock['keyId']);
if($keyId) {
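Review bot: The rewritten Basic branch still splits credentials with `explode(':', $userpass)` and destructures two elements unconditionally, so a password containing ':' is cut at its first colon and a decoded value with no colon raises an undefined-offset notice while setting PHP_AUTH_PW to null. Suggest `if(strlen($userpass) && strpos($userpass, ':') !== false) {` followed by `list($name, $password) = explode(':', $userpass, 2);` — only the first colon is the separator and the password may contain more. The `@` on `base64_decode` hides nothing useful; passing `true` as the strict flag and testing for `false` rejects malformed input explicitly instead of silently producing an empty string. The Signature branch and the rest of api_login() continue outside the hunk.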
@@ -108,16 +109,7 @@ function api_login(&$a){
$record = [ 'channel' => $c, 'account' => $a[0] ];
$channel_login = $c['channel_id'];
}
- else {
- continue;
- }
}
- else {
- continue;
- }
- }
- else {
- continue;
}
if($record) {
@@ -125,7 +117,6 @@ function api_login(&$a){
if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
$record = null;
}
- break;
}
}
}
@@ -137,7 +128,7 @@ function api_login(&$a){
// process normal login request
- if(isset($_SERVER['PHP_AUTH_USER'])) {
+ if(isset($_SERVER['PHP_AUTH_USER']) && (! $record)) {
$channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
if($record && $record['channel']) {
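Review bot: `(! $record)` in the new condition reads `$record` on every request, but the only assignment visible in this commit (`$record = null;`) sits inside the Signature branch in an earlier hunk, so on a request with no Authorization header or a Basic one `$record` is undefined here unless api_login() initialises it earlier outside the hunk; PHP treats that as null with a notice, which makes the password path work by accident. Initialising `$record = null;` once at the top of api_login(), before the OAuth 2.0 try block, removes the dependence on where the branches happen to set it. `$_SERVER['PHP_AUTH_PW']` on the next line is also read without an isset check; `($_SERVER['PHP_AUTH_PW'] ?? '')` avoids a notice when only the user is set. The function continues outside the hunk.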
diff --git a/library/certs/lets-encrypt-x3-cross-signed.pem b/library/certs/lets-encrypt-x3-cross-signed.pem
index 0002462ce..6e5176f1e 100644
--- a/library/certs/lets-encrypt-x3-cross-signed.pem
+++ b/library/certs/lets-encrypt-x3-cross-signed.pem
@@ -25,3 +25,31 @@ X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----