aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-07-20 17:55:40 -0700
committerredmatrix <git@macgirvin.com>2016-07-20 17:55:40 -0700
commit3affb2e8172b4cc673aafe9551c21dad6f606d87 (patch)
tree446d143aa2b47b8fd710b5a4920ee63196b8fe34
parentd54ad9880252cf8c6d2c61a01680279741735a36 (diff)
downloadvolse-hubzilla-3affb2e8172b4cc673aafe9551c21dad6f606d87.tar.gz
volse-hubzilla-3affb2e8172b4cc673aafe9551c21dad6f606d87.tar.bz2
volse-hubzilla-3affb2e8172b4cc673aafe9551c21dad6f606d87.zip
sort out some of the authentication mess - with luck this may fix the DAV auth issue which I simply could not duplicate or find a reason for.
-rw-r--r--Zotlabs/Module/Dav.php85
-rw-r--r--Zotlabs/Module/Login.php3
-rw-r--r--Zotlabs/Module/Openid.php2
-rw-r--r--Zotlabs/Module/Register.php2
-rw-r--r--Zotlabs/Module/Removeaccount.php3
-rw-r--r--Zotlabs/Module/Removeme.php4
-rw-r--r--Zotlabs/Storage/BasicAuth.php37
-rw-r--r--include/account.php2
-rw-r--r--include/api_auth.php14
-rw-r--r--include/auth.php139
-rw-r--r--include/oauth.php2
-rw-r--r--include/security.php29
-rwxr-xr-xutil/fresh7
13 files changed, 133 insertions, 196 deletions
diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php
index ba2394388..aaf69844c 100644
--- a/Zotlabs/Module/Dav.php
+++ b/Zotlabs/Module/Dav.php
@@ -48,55 +48,13 @@ class Dav extends \Zotlabs\Web\Controller {
if (! is_dir('store'))
os_mkdir('store', STORAGE_DEFAULT_PERMISSIONS, false);
- $which = null;
if (argc() > 1)
- $which = argv(1);
+ profile_load(argv(1),0);
- $profile = 0;
-
- \App::$page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . z_root() . '/feed/' . $which . '" />' . "\r\n";
-
- if ($which)
- profile_load( $which, $profile);
-
-
-
$auth = new \Zotlabs\Storage\BasicAuth();
- $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . 'WebDAV');
-
-// $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function($userName,$password) {
-// if(account_verify_password($userName,$password))
-// return true;
-// return false;
-// });
+ $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV');
-// $ob_hash = get_observer_hash();
-
-// if ($ob_hash) {
-// if (local_channel()) {
-// $channel = \App::get_channel();
-// $auth->setCurrentUser($channel['channel_address']);
-// $auth->channel_id = $channel['channel_id'];
-// $auth->channel_hash = $channel['channel_hash'];
-// $auth->channel_account_id = $channel['channel_account_id'];
-// if($channel['channel_timezone'])
-// $auth->setTimezone($channel['channel_timezone']);
-// }
-// $auth->observer = $ob_hash;
-// }
-
-// if ($_GET['davguest'])
-// $_SESSION['davguest'] = true;
-
-// $_SERVER['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['QUERY_STRING']);
-// $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
-// $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['QUERY_STRING']);
-//
-// $_SERVER['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['REQUEST_URI']);
-// $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
-// $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['REQUEST_URI']);
-
$rootDirectory = new \Zotlabs\Storage\Directory('/', $auth);
// A SabreDAV server-object
@@ -113,48 +71,13 @@ class Dav extends \Zotlabs\Web\Controller {
$server->addPlugin($lockPlugin);
- // The next section of code allows us to bypass prompting for http-auth if a
- // FILE is being accessed anonymously and permissions allow this. This way
- // one can create hotlinks to public media files in their cloud and anonymous
- // viewers won't get asked to login.
- // If a DIRECTORY is accessed or there are permission issues accessing the
- // file and we aren't previously authenticated via zot, prompt for HTTP-auth.
- // This will be the default case for mounting a DAV directory.
- // In order to avoid prompting for passwords for viewing a DIRECTORY, add
- // the URL query parameter 'davguest=1'.
-
-// $isapublic_file = false;
-// $davguest = ((x($_SESSION, 'davguest')) ? true : false);
-
-// if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
-// try {
-// $x = RedFileData('/' . \App::$cmd, $auth);
-// if($x instanceof \Zotlabs\Storage\File)
-// $isapublic_file = true;
-// }
-// catch (Exception $e) {
-// $isapublic_file = false;
-// }
-// }
-
-// if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
-// try {
-// $auth->Authenticate($server, t('$Projectname channel'));
-// }
-// catch (Exception $e) {
-// logger('mod_cloud: auth exception' . $e->getMessage());
-// http_status_exit($e->getHTTPCode(), $e->getMessage());
-// }
-// }
-
- // require_once('Zotlabs/Storage/Browser.php');
// provide a directory view for the cloud in Hubzilla
$browser = new \Zotlabs\Storage\Browser($auth);
$auth->setBrowserPlugin($browser);
// Experimental QuotaPlugin
- // require_once('Zotlabs/Storage/QuotaPlugin.php');
- // $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
+ // require_once('Zotlabs/Storage/QuotaPlugin.php');
+ // $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
// All we need to do now, is to fire up the server
$server->exec();
diff --git a/Zotlabs/Module/Login.php b/Zotlabs/Module/Login.php
index ff75e5268..ae35b922f 100644
--- a/Zotlabs/Module/Login.php
+++ b/Zotlabs/Module/Login.php
@@ -7,6 +7,9 @@ class Login extends \Zotlabs\Web\Controller {
function get() {
if(local_channel())
goaway(z_root());
+ if(remote_channel() && $_SESSION['atoken'])
+ goaway(z_root());
+
return login((\App::$config['system']['register_policy'] == REGISTER_CLOSED) ? false : true);
}
diff --git a/Zotlabs/Module/Openid.php b/Zotlabs/Module/Openid.php
index 7a6e4a81f..8cbc6d2fd 100644
--- a/Zotlabs/Module/Openid.php
+++ b/Zotlabs/Module/Openid.php
@@ -48,7 +48,7 @@ class Openid extends \Zotlabs\Web\Controller {
$_SESSION['uid'] = $r[0]['channel_id'];
$_SESSION['account_id'] = $r[0]['channel_account_id'];
$_SESSION['authenticated'] = true;
- authenticate_success($record,true,true,true,true);
+ authenticate_success($record,$r[0],true,true,true,true);
goaway(z_root());
}
}
diff --git a/Zotlabs/Module/Register.php b/Zotlabs/Module/Register.php
index 6afa4a94c..45123b88d 100644
--- a/Zotlabs/Module/Register.php
+++ b/Zotlabs/Module/Register.php
@@ -146,7 +146,7 @@ class Register extends \Zotlabs\Web\Controller {
goaway(z_root());
}
- authenticate_success($result['account'],true,false,true);
+ authenticate_success($result['account'],null,true,false,true);
$new_channel = false;
$next_page = 'new_channel';
diff --git a/Zotlabs/Module/Removeaccount.php b/Zotlabs/Module/Removeaccount.php
index 39e06bb7f..9fac7838e 100644
--- a/Zotlabs/Module/Removeaccount.php
+++ b/Zotlabs/Module/Removeaccount.php
@@ -25,7 +25,8 @@ class Removeaccount extends \Zotlabs\Web\Controller {
$account = \App::get_account();
$account_id = get_account_id();
- if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
+ $x = account_verify_password($account['account_email'],$_POST['qxz_password']);
+ if(! ($x && $x['account']))
return;
if($account['account_password_changed'] != NULL_DATE) {
diff --git a/Zotlabs/Module/Removeme.php b/Zotlabs/Module/Removeme.php
index e611d8112..bc18fe0f8 100644
--- a/Zotlabs/Module/Removeme.php
+++ b/Zotlabs/Module/Removeme.php
@@ -24,7 +24,9 @@ class Removeme extends \Zotlabs\Web\Controller {
$account = \App::get_account();
- if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
+
+ $x = account_verify_password($account['account_email'],$_POST['qxz_password']);
+ if(! ($x && $x['account']))
return;
if($account['account_password_changed'] != NULL_DATE) {
diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php
index 9c73b47b9..67617b637 100644
--- a/Zotlabs/Storage/BasicAuth.php
+++ b/Zotlabs/Storage/BasicAuth.php
@@ -91,33 +91,20 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic {
require_once('include/auth.php');
$record = account_verify_password($username, $password);
- if ($record && $record['account_default_channel']) {
- $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
- intval($record['account_id']),
- intval($record['account_default_channel'])
- );
- if($r && $this->check_module_access($r[0]['channel_id'])) {
- return $this->setAuthenticated($r[0]);
+ if($record && $record['account']) {
+ if($record['channel'])
+ $channel = $record['channel'];
+ else {
+ $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
+ intval($record['account']['account_id']),
+ intval($record['account']['account_default_channel'])
+ );
+ if($r)
+ $channel = $r[0];
}
}
- $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1",
- dbesc($username)
- );
- if ($r) {
- $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1",
- intval($r[0]['channel_account_id'])
- );
- if ($x) {
- // @fixme this foreach should not be needed?
- foreach ($x as $record) {
- if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED))
- && (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) {
- logger('password verified for ' . $username);
- if($this->check_module_access($r[0]['channel_id']))
- return $this->setAuthenticated($r[0]);
- }
- }
- }
+ if($channel && $this->check_module_access($channel['channel_id'])) {
+ return $this->setAuthenticated($channel);
}
if($this->module_disabled)
diff --git a/include/account.php b/include/account.php
index c02a74928..142ad1bea 100644
--- a/include/account.php
+++ b/include/account.php
@@ -515,7 +515,7 @@ function account_approve($hash) {
auto_channel_create($register[0]['uid']);
else {
$_SESSION['login_return_url'] = 'new_channel';
- authenticate_success($account[0],true,true,false,true);
+ authenticate_success($account[0],null,true,true,false,true);
}
diff --git a/include/api_auth.php b/include/api_auth.php
index dc8492b20..7a71bad73 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -59,20 +59,12 @@ function api_login(&$a){
if(isset($_SERVER['PHP_AUTH_USER'])) {
$channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
- if(! $record) {
- $r = q("select * from channel left join account on account.account_id = channel.channel_account_id
- where channel.channel_address = '%s' limit 1",
- dbesc($_SERVER['PHP_AUTH_USER'])
- );
- if ($r) {
- $record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
- if($record)
- $channel_login = $r[0]['channel_id'];
- }
+ if($record && $record['channel']) {
+ $channel_login = $record['channel']['channel_id'];
}
}
- if($record) {
+ if($record['account']) {
authenticate_success($record);
if($channel_login)
diff --git a/include/auth.php b/include/auth.php
index 79d04c728..f8120981a 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -20,62 +20,85 @@ require_once('include/security.php');
* attempts.
*
* @param string $email
- * The email address to verify.
+ * The login to verify (channel address, account email or guest login token).
* @param string $pass
* The provided password to verify.
* @return array|null
* Returns account record on success, null on failure.
*/
-function account_verify_password($email, $pass) {
+function account_verify_password($login, $pass) {
+
+ $ret = [ 'account' => null, 'channel' => null, 'xchan' => null ];
$email_verify = get_config('system', 'verify_email');
$register_policy = get_config('system', 'register_policy');
+ if(! $login)
+ return null;
+
+ $account = null;
+ $channel = null;
+ $xchan = null;
+
+ if(! strpos($login,'@')) {
+ $channel = channelx_by_nick($login);
+ if(! $channel) {
+ $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
+ dbesc($login),
+ dbesc($pass)
+ );
+ if($x) {
+ $ret['xchan'] = atoken_xchan($x[0]);
+ return $ret;
+ }
+ }
+ }
+ if($channel) {
+ $where = " where account_id = " . intval($channel['channel_account_id']) . " ";
+ }
+ else {
+ $where = " where account_email = '" . dbesc($login) . "' ";
+ }
+
+ $a = q("select * from account $where");
+ if(! $a) {
+ return null;
+ }
+
+ $account = $a[0];
+
// Currently we only verify email address if there is an open registration policy.
// This isn't because of any policy - it's because the workflow gets too complicated if
// you have to verify the email and then go through the account approval workflow before
// letting them login.
- // @bug there is no record here
- //if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
- // return null;
-
- $r = q("select * from account where account_email = '%s'",
- dbesc($email)
- );
- if($r) {
-
- foreach($r as $record) {
- if(($record['account_flags'] == ACCOUNT_OK)
- && (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
- logger('password verified for ' . $email);
- return $record;
- }
- }
+ if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) {
+ logger('email verification required for ' . $login);
+ return null;
}
- $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
- dbesc($email),
- dbesc($pass)
- );
- if($x) {
- atoken_login($x[0]);
- return $x[0];
+ if(($account['account_flags'] == ACCOUNT_OK)
+ && (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
+ logger('password verified for ' . $login);
+ $ret['account'] = $account;
+ if($channel)
+ $ret['channel'] = $channel;
+ return $ret;
}
- $error = 'password failed for ' . $email;
+ $error = 'password failed for ' . $login;
logger($error);
- if($record['account_flags'] & ACCOUNT_UNVERIFIED)
- logger('Account is unverified. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_BLOCKED)
- logger('Account is blocked. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_EXPIRED)
- logger('Account is expired. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_REMOVED)
- logger('Account is removed. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_PENDING)
- logger('Account is pending. account_flags = ' . $record['account_flags']);
+ if($account['account_flags'] & ACCOUNT_UNVERIFIED)
+ logger('Account is unverified. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_BLOCKED)
+ logger('Account is blocked. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_EXPIRED)
+ logger('Account is expired. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_REMOVED)
+ logger('Account is removed. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_PENDING)
+ logger('Account is pending. account_flags = ' . $account['account_flags']);
log_failed_login($error);
@@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->new_cookie(60 * 60 * 24); // one day
$_SESSION['last_login_date'] = datetime_convert();
unset($_SESSION['visitor_id']); // no longer a visitor
- authenticate_success($x[0], true, true);
+ authenticate_success($x[0], null, true, true);
}
}
if(array_key_exists('atoken',$_SESSION)) {
@@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->extend_cookie();
$login_refresh = true;
}
- authenticate_success($r[0], false, false, false, $login_refresh);
+ $ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null);
+ authenticate_success($r[0], null, $ch, false, false, $login_refresh);
}
else {
$_SESSION['account_id'] = 0;
@@ -218,37 +242,38 @@ else {
call_hooks('authenticate', $addon_auth);
- $atoken = false;
+ $atoken = null;
+ $account = null;
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
- $record = $addon_auth['user_record'];
+ $account = $addon_auth['user_record'];
}
else {
- $x = account_verify_password($_POST['username'], $_POST['password']);
- if(array_key_exists('atoken',$x))
- $atoken = true;
- if(! $atoken) {
- $record = App::$account = $x;
-
- if(App::$account) {
- $_SESSION['account_id'] = App::$account['account_id'];
- }
- else {
- notice( t('Failed authentication') . EOL);
- }
-
- logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
+ $verify = account_verify_password($_POST['username'], $_POST['password']);
+ if($verify) {
+ $atoken = $verify['xchan'];
+ $channel = $verify['channel'];
+ $account = App::$account = $verify['account'];
+ }
+
+ if(App::$account) {
+ $_SESSION['account_id'] = App::$account['account_id'];
+ }
+ elseif($atoken) {
+ atoken_login($atoken);
+ }
+ else {
+ notice( t('Failed authentication') . EOL);
}
}
- if((! $record) || (! count($record))) {
+ if(! ($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
logger($error);
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
$authlog = get_config('system', 'authlog');
if ($authlog)
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
-
notice( t('Login failed.') . EOL );
goaway(z_root() . '/login');
}
@@ -279,7 +304,7 @@ else {
$_SESSION['last_login_date'] = datetime_convert();
if(! $atoken)
- authenticate_success($record, true, true);
+ authenticate_success($account,$channel,true, true);
}
}
diff --git a/include/oauth.php b/include/oauth.php
index 984e0e6c6..a3c52bf27 100644
--- a/include/oauth.php
+++ b/include/oauth.php
@@ -170,7 +170,7 @@ class ZotOAuth1 extends OAuth1Server {
);
if($x) {
require_once('include/security.php');
- authenticate_success($x[0],true,false,true,true);
+ authenticate_success($x[0],null,true,false,true,true);
$_SESSION['allow_api'] = true;
}
}
diff --git a/include/security.php b/include/security.php
index e345636e7..2107ed819 100644
--- a/include/security.php
+++ b/include/security.php
@@ -12,7 +12,7 @@
* @param bool $return
* @param bool $update_lastlog
*/
-function authenticate_success($user_record, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
+function authenticate_success($user_record, $channel = null, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
@@ -23,11 +23,15 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$_SESSION['account_id'] = $user_record['account_id'];
$_SESSION['authenticated'] = 1;
+ if($channel)
+ $uid_to_load = $channel['channel_id'];
- $uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
- ? intval($_SESSION['uid'])
- : intval(App::$account['account_default_channel'])
- );
+ if(! $uid_to_load) {
+ $uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
+ ? intval($_SESSION['uid'])
+ : intval(App::$account['account_default_channel'])
+ );
+ }
if($uid_to_load) {
change_channel($uid_to_load);
@@ -85,16 +89,12 @@ function authenticate_success($user_record, $login_initial = false, $interactive
function atoken_login($atoken) {
if(! $atoken)
return false;
-
- $xchan = atoken_xchan($atoken);
-
$_SESSION['authenticated'] = 1;
- $_SESSION['visitor_id'] = $xchan['xchan_hash'];
+ $_SESSION['visitor_id'] = $atoken['xchan_hash'];
$_SESSION['atoken'] = $atoken['atoken_id'];
- \App::set_observer($xchan);
-
- return [ 'atoken' => true ];
+ \App::set_observer($atoken);
+ return true;
}
@@ -102,7 +102,8 @@ function atoken_xchan($atoken) {
$c = channelx_by_n($atoken['atoken_uid']);
if($c) {
- return [
+ return [
+ 'atoken_id' => $atoken['atoken_id'],
'xchan_hash' => substr($c['channel_hash'],0,16) . '.' . $atoken['atoken_name'],
'xchan_name' => $atoken['atoken_name'],
'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(),
@@ -115,7 +116,7 @@ function atoken_xchan($atoken) {
];
}
-
+ return null;
}
diff --git a/util/fresh b/util/fresh
index 9d74ea584..7f57931aa 100755
--- a/util/fresh
+++ b/util/fresh
@@ -82,12 +82,15 @@ function process_command($line) {
exec('/bin/stty echo');
echo "\n";
require_once('include/auth.php');
- $record = App::$account = account_verify_password(argv(1),trim($x,"\n"));
+ $record = null;
+ $x = account_verify_password(argv(1),trim($x,"\n"));
+ if($x['account'])
+ $record = App::$account = $x['account'];
if($record) {
$_SESSION['account_id'] = App::$account['account_id'];
$_SESSION['last_login_date'] = datetime_convert();
- authenticate_success($record, true, true);
+ authenticate_success($record, $x['channel'], true, true);
echo 'logged in';
$channel = App::get_channel();
if($channel)