diff options
author | friendica <info@friendica.com> | 2013-04-14 20:41:58 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-04-14 20:41:58 -0700 |
commit | e411a4bdc27cd443abf613a0044effb4604223f0 (patch) | |
tree | e3a501db8f394bd6fd56cd76bfd137f56008cacc /mod | |
parent | 2942155797ed46be0d0bd71c89add14404a4bb47 (diff) | |
download | volse-hubzilla-e411a4bdc27cd443abf613a0044effb4604223f0.tar.gz volse-hubzilla-e411a4bdc27cd443abf613a0044effb4604223f0.tar.bz2 volse-hubzilla-e411a4bdc27cd443abf613a0044effb4604223f0.zip |
IMPORTANT: magic-auth protocol update, plus 'zrl' bbcode tag for the privacy-is-more-important-than-ease-of-use folks.
Diffstat (limited to 'mod')
-rw-r--r-- | mod/post.php | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/mod/post.php b/mod/post.php index 5b002eb36..5919ed2b4 100644 --- a/mod/post.php +++ b/mod/post.php @@ -96,6 +96,13 @@ function post_init(&$a) { } if($already_authed || $j['success']) { + if($j['success']) { + // legit response, but we do need to check that this wasn't answered by a man-in-middle + if(! rsa_verify($sec . $x[0]['xchan_hash'],base64url_decode($j['confirm']),$x[0]['xchan_pubkey'])) { + logger('mod_zot: auth: final confirmation failed.'); + goaway($desturl); + } + } // everything is good... maybe if(local_user()) { @@ -386,7 +393,7 @@ function post_post(&$a) { $arr = $data['recipients'][0]; $recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); - $c = q("select channel_id from channel where channel_hash = '%s' limit 1", + $c = q("select channel_id, channel_prvkey from channel where channel_hash = '%s' limit 1", dbesc($recip_hash) ); if(! $c) { @@ -394,6 +401,8 @@ function post_post(&$a) { json_return_and_die($ret); } + $confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey'])); + // This additionally checks for forged senders since we already stored the expected result in meta // and we've already verified that this is them via zot_gethub() and that their key signed our token @@ -412,6 +421,7 @@ function post_post(&$a) { logger('mod_zot: auth_check: success', LOGGER_DEBUG); $ret['success'] = true; + $ret['confirm'] = $confirm; json_return_and_die($ret); } |