diff options
| author | friendica <info@friendica.com> | 2013-01-23 16:06:01 -0800 |
|---|---|---|
| committer | friendica <info@friendica.com> | 2013-01-23 16:06:01 -0800 |
| commit | f63997f61877bf03b9c85cbfaa00b8300c8cb770 (patch) | |
| tree | a6757907fbf13668e7e7d92cd66c241bd882c964 /mod/post.php | |
| parent | 0b18dd15c5377da121f0fb781c0530ca0d328eb9 (diff) | |
| download | volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.gz volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.bz2 volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.zip | |
plug potential hole in magic auth, add link to chanview to view in dedicated window
Diffstat (limited to 'mod/post.php')
| -rw-r--r-- | mod/post.php | 70 |
1 files changed, 45 insertions, 25 deletions
diff --git a/mod/post.php b/mod/post.php index 36b2e1482..8171f1065 100644 --- a/mod/post.php +++ b/mod/post.php @@ -44,7 +44,7 @@ function post_init(&$a) { ); if(! $c) { logger('mod_zot: auth: unable to find channel ' . $webbie); - // They'll get a notice when they hit the page, we don't need two. + // They'll get a notice when they hit the page, we don't need two of them. goaway($desturl); } @@ -70,33 +70,39 @@ function post_init(&$a) { // check credentials and access - // Auth packets MUST use ultra top-secret hush-hush mode + // If they are already authenticated and haven't changed credentials, + // we can save an expensive network round trip and improve performance. - $p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec); - $result = zot_zot($x[0]['hubloc_callback'],$p); + $remote = remote_user(); + $result = null; - if($result['success']) { + $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false); + + if(! $already_authed) { + // Auth packets MUST use ultra top-secret hush-hush mode + $p = zot_build_packet($c[0],$type = 'auth_check', + array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), + $x[0]['hubloc_sitekey'], $sec); + $result = zot_zot($x[0]['hubloc_callback'],$p); + if(! $result['success']) + goaway($desturl); $j = json_decode($result['body'],true); - if($j['result']) { - // everything is good... maybe - if(local_user()) { - notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL); - goaway($desturl); - } - // log them in - $_SESSION['authenticated'] = 1; - $_SESSION['visitor_id'] = $x[0]['xchan_hash']; - $a->set_observer($x[0]); - require_once('include/security.php'); - $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); - info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); - } } - - - - + if($already_authed || $j['result']) { + // everything is good... maybe + if(local_user()) { + notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL); + goaway($desturl); + } + // log them in + $_SESSION['authenticated'] = 1; + $_SESSION['visitor_id'] = $x[0]['xchan_hash']; + $a->set_observer($x[0]); + require_once('include/security.php'); + $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); + info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); + } goaway($desturl); } @@ -274,13 +280,22 @@ function post_post(&$a) { $arr = $data['sender']; $sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); + // garbage collect any old unused notifications + q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE"); + $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1", dbesc($sender_hash) ); + // We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in + // the verify table. It is now coming back to us as 'secret' and is signed by the other site. + // First verify their signature. + if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); json_return_and_die($ret); } + + // There should be exactly one recipient if($data['recipients']) { $arr = $data['recipients'][0]; @@ -292,9 +307,14 @@ function post_post(&$a) { logger('mod_zot: auth_check: recipient channel not found.'); json_return_and_die($ret); } - $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1", + + // This additionally checks for forged senders since we already stored the expected result in meta + // and we've already verified that this is them via zot_gethub() and that their key signed our token + + $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1", intval($c[0]['channel_id']), - dbesc($data['secret']) + dbesc($data['secret']), + dbesc($sender_hash) ); if(! $z) { logger('mod_zot: auth_check: verification key not found.'); |