diff options
-rw-r--r-- | include/auth.php | 2 | ||||
-rw-r--r-- | mod/post.php | 25 |
2 files changed, 23 insertions, 4 deletions
diff --git a/include/auth.php b/include/auth.php index 8eb8bf333..c0002e6c1 100644 --- a/include/auth.php +++ b/include/auth.php @@ -22,6 +22,8 @@ function nuke_session() { unset($_SESSION['my_address']); unset($_SESSION['addr']); unset($_SESSION['return_url']); + unset($_SESSION['remote_service_class']); + unset($_SESSION['remote_hub']); } /** diff --git a/mod/post.php b/mod/post.php index a7143aaf1..e65cb0968 100644 --- a/mod/post.php +++ b/mod/post.php @@ -36,7 +36,7 @@ function post_init(&$a) { * If no information has been recorded about the requesting identity a zot information packet will be retrieved before * continuing. * - * The sender of this packet is a random site channel. The recipients will be a single recipient corresponding + * The sender of this packet is an arbitrary/random site channel. The recipients will be a single recipient corresponding * to the guid and guid_sig we have associated with the requesting auth identity * * @@ -68,12 +68,15 @@ function post_init(&$a) { * { * "success":1, * "confirm":"q0Ysovd1u..." + * "service_class":(optional) * } * * 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key. * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login. + * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is + * a string whose contents are not defined by protocol. Example: "basic" or "gold". * * * @@ -133,6 +136,8 @@ function post_init(&$a) { $remote = remote_user(); $result = null; + $remote_service_class = ''; + $remote_hub = $x[0]['hubloc_url']; $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false); @@ -158,6 +163,8 @@ function post_init(&$a) { logger('mod_zot: auth: final confirmation failed.'); goaway($desturl); } + if(array_key_exists('service_class',$j)) + $remote_service_class = $j['service_class']; } // everything is good... maybe if(local_user()) { @@ -172,16 +179,20 @@ function post_init(&$a) { goaway($desturl); } // log them in + $_SESSION['authenticated'] = 1; $_SESSION['visitor_id'] = $x[0]['xchan_hash']; $_SESSION['my_address'] = $address; - $arr = array('xchan' => $x[0], 'url' => $desturl, 'channel_address' => $webbie); + $_SESSION['remote_service_class'] = $remote_service_class; + $_SESSION['remote_hub'] = $remote_hub; + + $arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION); call_hooks('magic_auth_success',$arr); $a->set_observer($x[0]); require_once('include/security.php'); $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); - logger('mod_zot: auth success from ' . $x[0]['xchan_addr'] . ' for ' . $webbie); + logger('mod_zot: auth success from ' . $x[0]['xchan_addr']); } else { logger('mod_zot: magic-auth failure - not authenticated: ' . $x[0]['xchan_addr']); @@ -624,7 +635,7 @@ function post_post(&$a) { $arr = $data['recipients'][0]; $recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); - $c = q("select channel_id, channel_prvkey from channel where channel_hash = '%s' limit 1", + $c = q("select channel_id, channel_account_id, channel_prvkey from channel where channel_hash = '%s' limit 1", dbesc($recip_hash) ); if(! $c) { @@ -650,9 +661,15 @@ function post_post(&$a) { intval($z[0]['id']) ); + $u = q("select account_service_class from account where account_id = %d limit 1", + intval($c[0]['channel_account_id']) + ); + logger('mod_zot: auth_check: success', LOGGER_DEBUG); $ret['success'] = true; $ret['confirm'] = $confirm; + if($u && $u[0]['account_service_class']) + $ret['service_class'] = $u[0]['account_service_class']; json_return_and_die($ret); } |