aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Zotlabs/Module/Magic.php32
-rw-r--r--Zotlabs/Module/Owa.php57
-rw-r--r--Zotlabs/Module/Rmagic.php4
-rw-r--r--Zotlabs/Web/HTTPSig.php8
-rw-r--r--Zotlabs/Web/WebServer.php6
-rw-r--r--Zotlabs/Zot/Verify.php16
-rw-r--r--include/zid.php66
7 files changed, 186 insertions, 3 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index bf3198067..0eb2f27a1 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -17,6 +17,7 @@ class Magic extends \Zotlabs\Web\Controller {
$dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : '');
$test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0);
$rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0);
+ $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0);
$delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : '');
$parsed = parse_url($dest);
@@ -132,12 +133,41 @@ class Magic extends \Zotlabs\Web\Controller {
if(local_channel()) {
$channel = \App::get_channel();
+ // OpenWebAuth
+
+ if($owa) {
+
+ $headers = [];
+ $headers['Accept'] = 'application/x-zot+json' ;
+ $headers['X-Open-Web-Auth'] = random_string();
+ $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
+ 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
+
+ $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]);
+ if($x['success']) {
+ $j = json_decode($x['body'],true);
+ if($j['success'] && $j['token']) {
+ $x = strpbrk($dest,'?&');
+ $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : '');
+ goaway($dest . $args);
+ }
+ }
+ goaway($dest);
+ }
+
+
$token = random_string();
+
// $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
-
// $channel['token'] = $token;
// $channel['token_sig'] = $token_sig;
+
+
+
+
+
+
\Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
$target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel))
diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php
new file mode 100644
index 000000000..f71099599
--- /dev/null
+++ b/Zotlabs/Module/Owa.php
@@ -0,0 +1,57 @@
+<?php
+
+
+namespace Zotlabs\Module;
+
+
+
+class Owa extends \Zotlabs\Web\Controller {
+
+ function init() {
+ foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+
+ if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+ if($head !== 'HTTP_AUTHORIZATION') {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
+ continue;
+ }
+
+ $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+ if($sigblock) {
+ $keyId = $sigblock['keyId'];
+
+ if($keyId) {
+ $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash
+ where hubloc_addr = '%s' limit 1",
+ dbesc(str_replace('acct:','',$keyId))
+ );
+ if($r) {
+ $hubloc = $r[0];
+ $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
+
+logger('verified: ' . print_r($verified,true));
+
+ if($verified && $verified['header_signed'] && $verified['header_valid']) {
+ $token = random_string(32);
+ \Zotlabs\Zot\Verify::create('owt',0,token,$r[0]['hubloc_hash']);
+ $x = json_encode([ 'success' => true, 'token' => $token ]);
+ header('Content-Type: application/x-zot+json');
+ echo $x;
+ killme();
+ }
+ }
+ }
+ }
+ $x = json_encode([ 'success' => false ]);
+ header('Content-Type: application/x-zot+json');
+ echo $x;
+ killme();
+ }
+ }
+
+ $x = json_encode([ 'success' => false ]);
+ header('Content-Type: application/x-zot+json');
+ echo $x;
+ killme();
+ }
+}
diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php
index 9fcc72441..0c4eb9ae4 100644
--- a/Zotlabs/Module/Rmagic.php
+++ b/Zotlabs/Module/Rmagic.php
@@ -18,7 +18,7 @@ class Rmagic extends \Zotlabs\Web\Controller {
if($r[0]['hubloc_url'] === z_root())
goaway(z_root() . '/login');
$dest = z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string);
- goaway($r[0]['hubloc_url'] . '/magic' . '?f=&dest=' . $dest);
+ goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest);
}
}
}
@@ -63,7 +63,7 @@ class Rmagic extends \Zotlabs\Web\Controller {
else
$dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string));
- goaway($url . '/magic' . '?f=&dest=' . $dest);
+ goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest);
}
}
}
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 2b139a2a1..fee8aaa41 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -91,6 +91,9 @@ class HTTPSig {
if($sig_block['algorithm'] === 'rsa-sha256') {
$algorithm = 'sha256';
}
+ if($sig_block['algorithm'] === 'rsa-sha512') {
+ $algorithm = 'sha512';
+ }
if(! $key) {
$result['signer'] = $sig_block['keyId'];
@@ -113,6 +116,8 @@ class HTTPSig {
$digest = explode('=', $headers['digest']);
if($digest[0] === 'SHA-256')
$hashalg = 'sha256';
+ if($digest[0] === 'SHA-512')
+ $hashalg = 'sha512';
// The explode operation will have stripped the '=' padding, so compare against unpadded base64
if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) {
@@ -164,6 +169,9 @@ class HTTPSig {
if($alg === 'sha256') {
$algorithm = 'rsa-sha256';
}
+ if($alg === 'sha512') {
+ $algorithm = 'rsa-sha512';
+ }
$x = self::sign($request,$head,$prvkey,$alg);
diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index a66384c40..8431a2e0e 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -70,6 +70,12 @@ class WebServer {
}
}
+ if((x($_REQUEST,'owt')) && (! \App::$install)) {
+ $token = $_REQUEST['owt'];
+ \App::$query_string = strip_query_param(\App::$query_string,'owt');
+ owt_init($token);
+ }
+
if((x($_SESSION, 'authenticated')) || (x($_POST, 'auth-params')) || (\App::$module === 'login'))
require('include/auth.php');
diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php
index 06bd3188c..1f1288aa0 100644
--- a/Zotlabs/Zot/Verify.php
+++ b/Zotlabs/Zot/Verify.php
@@ -31,6 +31,22 @@ class Verify {
return false;
}
+
+ function get_meta($type,$channel_id,$token) {
+ $r = q("select id from verify where vtype = '%s' and channel = %d and token = '%s' limit 1",
+ dbesc($type),
+ intval($channel_id),
+ dbesc($token)
+ );
+ if($r) {
+ q("delete from verify where id = %d",
+ intval($r[0]['id'])
+ );
+ return $r[0]['meta'];
+ }
+ return false;
+ }
+
function purge($type,$interval) {
q("delete from verify where vtype = '%s' and created < %s - INTERVAL %s",
dbesc($type),
diff --git a/include/zid.php b/include/zid.php
index ee43fd7c8..5d58ff257 100644
--- a/include/zid.php
+++ b/include/zid.php
@@ -81,6 +81,10 @@ function zid($s,$address = '') {
}
+function strip_query_param($s,$param) {
+ return preg_replace('/[\?&]' . $param . '=(.*?)(&|$)/ism','$2',$s);
+}
+
function strip_zids($s) {
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
}
@@ -230,3 +234,65 @@ function red_zrlify_img_callback($matches) {
return $matches[0];
}
+function owt_init($token) {
+
+ \Zotlabs\Zot\Verify::purge('owt','3 MINUTE');
+
+ $ob_hash = \Zotlabs\Zot\Verify::get_meta('owt',0,$token);
+ if($ob_hash === false) {
+ return;
+ }
+
+ $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
+ where hubloc_addr = '%s' order by hubloc_id desc",
+ dbesc($ob_hash)
+ );
+
+ if(! $r) {
+ // finger them if they can't be found.
+ $j = Finger::run($ob_hash, null);
+ if ($j['success']) {
+ import_xchan($j);
+ $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
+ where hubloc_addr = '%s' order by hubloc_id desc",
+ dbesc($ob_hash)
+ );
+ }
+ }
+ if(! $r) {
+ logger('owt: unable to finger ' . $ob_hash);
+ return;
+ }
+ $hubloc = $r[0];
+
+ $delegate_success = false;
+ if($_REQUEST['delegate']) {
+ $r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
+ dbesc($_REQUEST['delegate'])
+ );
+ if ($r && intval($r[0]['channel_id'])) {
+ $allowed = perm_is_allowed($r[0]['channel_id'],$hubloc['xchan_hash'],'delegate');
+ if($allowed) {
+ $_SESSION['delegate_channel'] = $r[0]['channel_id'];
+ $_SESSION['delegate'] = $hubloc['xchan_hash'];
+ $_SESSION['account_id'] = intval($r[0]['channel_account_id']);
+ require_once('include/security.php');
+ // this will set the local_channel authentication in the session
+ change_channel($r[0]['channel_id']);
+ $delegate_success = true;
+ }
+ }
+ }
+
+ if (! $delegate_success) {
+ // normal visitor (remote_channel) login session credentials
+ $_SESSION['visitor_id'] = $hubloc['xchan_hash'];
+ $_SESSION['my_url'] = $hubloc['xchan_url'];
+ $_SESSION['my_address'] = $hubloc['hubloc_addr'];
+ $_SESSION['remote_hub'] = $hubloc['hubloc_url'];
+ $_SESSION['DNT'] = 1;
+ }
+
+ logger('owa success!');
+
+} \ No newline at end of file