-rw-r--r-- | Zotlabs/Zot/Verify.php | 42 | ||||
-rw-r--r-- | include/session.php | 169 | ||||
-rw-r--r-- | include/zot.php | 14 | ||||
-rw-r--r-- | mod/magic.php | 10 |
4 files changed, 48 insertions, 187 deletions
diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php
new file mode 100644
index 000000000..1192202db
--- /dev/null
+++ b/Zotlabs/Zot/Verify.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace Zotlabs\Zot;
+
+
+class Verify {
+
+ function create($type,$channel_id,$token,$meta) {
+ return q("insert into verify ( type, channel, token, meta, created ) values ( '%s', %d, '%s', '%s', '%s' )",
+ dbesc($type),
+ intval($channel_id),
+ dbesc($token),
+ dbesc($meta),
+ dbesc(datetime_convert())
+ );
+ }
+
+ function match($type,$channel_id,$token,$meta) {
+ $r = q("select id from verify where type = '%s' and channel = %d and token = '%s' and meta = '%s' limit 1",
+ dbesc($type),
+ intval($channel_id),
+ dbesc($token),
+ dbesc($meta)
+ );
+ if($r) {
+ q("delete from verify where id = %d",
+ intval($r[0]['id'])
+ );
+ return true;
+ }
+ return false;
+ }
+
+ function purge($type,$interval) {
+ q("delete from verify where type = '%s' and created < %s - INTERVAL %s",
+ dbesc($type),
+ db_utcnow(),
+ db_quoteinterval($interval)
+ );
+ }
+
+}
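Review bot: All three methods of `Verify` are declared as plain instance methods with no `static` and no visibility, yet every call site in this commit invokes them statically (`Zotlabs\Zot\Verify::purge(...)`, `::match(...)`, `::create(...)` in include/zot.php and mod/magic.php), which PHP 7 reports as deprecated and PHP 8 refuses with an Error; declare them `public static function create($type,$channel_id,$token,$meta) {`, `public static function match($type,$channel_id,$token,$meta) {` and `public static function purge($type,$interval) {`. In `match()` the select followed by a delete-by-id is not atomic, so two concurrent auth_check requests carrying the same token can both read the row before either deletes it and the one-time token is accepted twice; if the db layer reports affected rows, a single `delete ... where type = '%s' and channel = %d and token = '%s' and meta = '%s'` whose row count decides the result would close that window. `create()` returns whatever `q()` returns and `purge()` returns nothing, so a short docblock on each stating that the token is single-use (consumed by `match()`) and that callers must check `create()`'s result before handing the token out would save the next reader a trip to the call sites.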
\ No newline at end of file
diff --git a/include/session.php b/include/session.php
deleted file mode 100644
index 4a7c8052e..000000000
--- a/include/session.php
+++ /dev/null
@@ -1,169 +0,0 @@ -<?php - -/** - * @file include/session.php - * - * @brief This file includes session related functions. - * - * Session management functions. These provide database storage of PHP - * session info. - */ - -$session_exists = 0; -$session_expire = 180000; - - -/** - * @brief Resets the current session. - * - * @return void - */ - -function nuke_session() { - new_cookie(0); // 0 means delete on browser exit - - unset($_SESSION['authenticated']); - unset($_SESSION['account_id']); - unset($_SESSION['uid']); - unset($_SESSION['visitor_id']); - unset($_SESSION['administrator']); - unset($_SESSION['cid']); - unset($_SESSION['theme']); - unset($_SESSION['mobile_theme']); - unset($_SESSION['show_mobile']); - unset($_SESSION['page_flags']); - unset($_SESSION['delegate']); - unset($_SESSION['delegate_channel']); - unset($_SESSION['my_url']); - unset($_SESSION['my_address']); - unset($_SESSION['addr']); - unset($_SESSION['return_url']); - unset($_SESSION['remote_service_class']); - unset($_SESSION['remote_hub']); -} - - - -function new_cookie($time) { - - $old_sid = session_id(); - - // ??? This shouldn't have any effect if called after session_start() - // We probably need to set the session expiration and change the PHPSESSID cookie. 
- // session_set_cookie_params($time); - - session_regenerate_id(false); - - q("UPDATE session SET sid = '%s' WHERE sid = '%s'", - dbesc(session_id()), - dbesc($old_sid) - ); - - if (x($_COOKIE, 'jsAvailable')) { - if ($time) { - $expires = time() + $time; - } else { - $expires = 0; - } - setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires); - } - setcookie(session_name(),session_id(),$expires); -} - - -function ref_session_open ($s, $n) { - return true; -} - - -function ref_session_read ($id) { - global $session_exists; - if(x($id)) - $r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id)); - - if(count($r)) { - $session_exists = true; - return $r[0]['data']; - } - - return ''; -} - - -function ref_session_write ($id, $data) { - global $session_exists, $session_expire; - - if(! $id || ! $data) { - return false; - } - - $expire = time() + $session_expire; - $default_expire = time() + 300; - - if($session_exists) { - q("UPDATE `session` - SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'", - dbesc($data), - dbesc($expire), - dbesc($id) - ); - } else { - q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')", - //SET `sid` = '%s', `expire` = '%s', `data` = '%s'", - dbesc($id), - dbesc($default_expire), - dbesc($data) - ); - } - - return true; -} - - -function ref_session_close() { - return true; -} - - -function ref_session_destroy ($id) { - q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id)); - return true; -} - - -function ref_session_gc($expire) { - q("DELETE FROM session WHERE expire < %d", dbesc(time())); - return true; -} - -$gc_probability = 50; - -ini_set('session.gc_probability', $gc_probability); -ini_set('session.use_only_cookies', 1); -ini_set('session.cookie_httponly', 1); - -/* - * Set our session storage functions. 
- */ - -session_set_save_handler( - 'ref_session_open', - 'ref_session_close', - 'ref_session_read', - 'ref_session_write', - 'ref_session_destroy', - 'ref_session_gc' -); - - - // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start(). - - if(intval(App::$config['system']['ssl_cookie_protection'])) { - $arr = session_get_cookie_params(); - session_set_cookie_params( - ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0), - ((isset($arr['path'])) ? $arr['path'] : '/'), - ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()), - ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), - ((isset($arr['httponly'])) ? $arr['httponly'] : true)); - }
\ No newline at end of file
diff --git a/include/zot.php b/include/zot.php
index a5ab56154..0cdf7fc87 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -4289,9 +4289,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 // the web server. We should probably convert this to webserver time rather than DB time so
 // that the different clocks won't affect it and allow us to keep the time short.
 
- q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
- db_utcnow(), db_quoteinterval('30 MINUTE')
- );
+ Zotlabs\Zot\Verify::purge('auth','30 MINUTE');
 
 $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
 dbesc($sender_hash)
@@ -4330,19 +4328,13 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 // This additionally checks for forged sites since we already stored the expected result in meta
 // and we've already verified that this is them via zot_gethub() and that their key signed our token
 
- $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
- intval($c[0]['channel_id']),
- dbesc($data['secret']),
- dbesc($data['sender']['url'])
- );
+
+ $z = Zotlabs\Zot\Verify::match('auth',$c[0]['channel_id'],$data['secret'],$data['sender']['url']);
 if (! $z) {
 logger('mod_zot: auth_check: verification key not found.');
 $ret['message'] .= 'verification key not found' . EOL;
 json_return_and_die($ret);
 }
- $r = q("delete from verify where id = %d",
- intval($z[0]['id'])
- );
 
 $u = q("select account_service_class from account where account_id = %d limit 1",
 intval($c[0]['channel_account_id'])
diff --git a/mod/magic.php b/mod/magic.php
index 2f746507b..74adbfd6d 100644
--- a/mod/magic.php
+++ b/mod/magic.php
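Review bot: The added `Verify::match(...)` line silently encodes the whole anti-forgery contract — the fourth argument `$data['sender']['url']` must equal the `hubloc_url` that mod/magic.php stored as `meta` when it issued the token — and nothing at this call site says so now that the literal query with its `meta = '%s'` clause is gone; a one-line comment above it, `// meta must equal the hubloc_url stored by mod/magic.php when this token was issued`, keeps that coupling visible. The class name is written unqualified as `Zotlabs\Zot\Verify`, which resolves only because include/zot.php appears to live in the global namespace; `\Zotlabs\Zot\Verify::match(...)` would be immune to a later `namespace` declaration in this file. Note that `match()` now also consumes the token, so the delete that the removed lines performed after the service-class check happens earlier; that seems intentional but is worth a word in the commit message. `zot_reply_auth_check()` begins and ends outside these hunks.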
@@ -135,13 +135,9 @@ function magic_init(&$a) {
 $channel['token'] = $token;
 $channel['token_sig'] = $token_sig;
 
- $r = q("insert into verify ( type, channel, token, meta, created) values ('%s','%d','%s','%s','%s')",
- dbesc('auth'),
- intval($channel['channel_id']),
- dbesc($token),
- dbesc($x[0]['hubloc_url']),
- dbesc(datetime_convert())
- );
+
+ Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
+
 $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . App::get_hostname()) . '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION; |