aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Magic.php
diff options
context:
space:
mode:
authorMario Vavti <mario@mariovavti.com>2024-11-18 23:15:29 +0100
committerMario Vavti <mario@mariovavti.com>2024-11-18 23:15:29 +0100
commit9acc73b273bbe12b334703e3a0f4c1a6f16aef5b (patch)
tree098781dd1a37ae4fc22425387ee56c43fd918500 /Zotlabs/Module/Magic.php
parent5cfb3842f188b5f684882716c06dfb32ac957108 (diff)
downloadvolse-hubzilla-9acc73b273bbe12b334703e3a0f4c1a6f16aef5b.tar.gz
volse-hubzilla-9acc73b273bbe12b334703e3a0f4c1a6f16aef5b.tar.bz2
volse-hubzilla-9acc73b273bbe12b334703e3a0f4c1a6f16aef5b.zip
some cleanup for mod magic
Diffstat (limited to 'Zotlabs/Module/Magic.php')
-rw-r--r--Zotlabs/Module/Magic.php53
1 files changed, 30 insertions, 23 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index deda4255d..e722a7161 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -11,33 +11,34 @@ class Magic extends Controller {
function init() {
- $ret = [
- 'success' => false,
- 'url' => '',
- 'message' => ''
- ];
-
logger('mod_magic: invoked', LOGGER_DEBUG);
- logger('args: ' . print_r($_REQUEST,true),LOGGER_DATA);
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $data = $_POST;
+ } elseif ($_SERVER['REQUEST_METHOD'] === 'GET') {
+ $data = $_GET;
+ } else {
+ http_status_exit(405, 'Method Not Allowed');
+ }
+
+ logger('request method: ' . print_r($_SERVER['REQUEST_METHOD'], true), LOGGER_DATA);
+ logger('args: ' . print_r($data, true), LOGGER_DATA);
- $addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : '');
- $bdest = ((x($_REQUEST,'bdest')) ? $_REQUEST['bdest'] : '');
- $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : '');
- $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0);
- $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0);
- $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : '');
+ $bdest = $data['bdest'] ?? '';
+ $owa = $data['owa'] ?? 0;
+ $delegate = $data['delegate'] ?? '';
// bdest is preferred as it is hex-encoded and can survive url rewrite and argument parsing
- if ($bdest) {
- $dest = hex2bin($bdest);
+ if (!$bdest) {
+ http_status_exit(400, 'Bad Request');
}
+ $dest = hex2bin($bdest);
$parsed = parse_url($dest);
- if (! $parsed) {
- goaway($dest);
+ if (!$parsed) {
+ http_status_exit(400, 'Bad Request');
}
$basepath = unparse_url(array_filter(
@@ -45,7 +46,8 @@ class Magic extends Controller {
fn (string $key) => in_array($key, ['scheme', 'host', 'port']),
ARRAY_FILTER_USE_KEY
));
- $owapath = SConfig::get($basepath,'system','openwebauth', $basepath . '/owa');
+
+ $owapath = SConfig::get($basepath, 'system', 'openwebauth', $basepath . '/owa');
// This is ready-made for a plugin that provides a blacklist or "ask me" before blindly authenticating.
// By default, we'll proceed without asking.
@@ -57,12 +59,14 @@ class Magic extends Controller {
];
call_hooks('magic_auth',$arr);
+
$dest = $arr['destination'];
- if (! $arr['proceed']) {
+
+ if (!$arr['proceed']) {
goaway($dest);
}
- if((get_observer_hash()) && (stripos($dest,z_root()) === 0)) {
+ if (get_observer_hash() && str_starts_with($dest, z_root())) {
// We are already authenticated on this site and a registered observer.
// First check if this is a delegate request on the local system and process accordingly.
@@ -114,25 +118,28 @@ class Magic extends Controller {
$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'], channel_url($channel),true,'sha512');
$redirects = 0;
+
$x = z_fetch_url($owapath, false, $redirects, ['headers' => $headers]);
logger('owa fetch returned: ' . print_r($x,true),LOGGER_DATA);
+
if ($x['success']) {
$j = json_decode($x['body'],true);
if ($j['success'] && $j['encrypted_token']) {
// decrypt the token using our private key
$token = '';
- openssl_private_decrypt(base64url_decode($j['encrypted_token']),$token,$channel['channel_prvkey']);
+ openssl_private_decrypt(base64url_decode($j['encrypted_token']), $token, $channel['channel_prvkey']);
$x = strpbrk($dest,'?&');
// redirect using the encrypted token which will be exchanged for an authenticated session
- $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : '');
+ $args = (($x) ? '&owt=' . $token : '?owt=' . $token) . (($delegate) ? '&delegate=1' : '');
goaway($dest . $args);
}
}
}
}
- goaway($dest);
+ killme();
+
}
}