aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Zotlabs/Identity/OAuth2Server.php5
-rw-r--r--Zotlabs/Identity/OAuth2Storage.php51
-rw-r--r--Zotlabs/Module/Admin/Site.php2
-rw-r--r--Zotlabs/Module/Authorize.php12
-rw-r--r--Zotlabs/Module/Settings/Oauth2.php35
-rw-r--r--Zotlabs/Module/Token.php8
-rw-r--r--Zotlabs/Module/Userinfo.php17
-rw-r--r--include/markdown.php42
-rw-r--r--include/nav.php2
-rw-r--r--install/INSTALL.txt7
-rwxr-xr-xview/tpl/settings_oauth2.tpl7
11 files changed, 160 insertions, 28 deletions
diff --git a/Zotlabs/Identity/OAuth2Server.php b/Zotlabs/Identity/OAuth2Server.php
index cbb4748fe..b747b95db 100644
--- a/Zotlabs/Identity/OAuth2Server.php
+++ b/Zotlabs/Identity/OAuth2Server.php
@@ -4,7 +4,7 @@ namespace Zotlabs\Identity;
class OAuth2Server extends \OAuth2\Server {
- public function __construct(OAuth2Storage $storage, $config = []) {
+ public function __construct(OAuth2Storage $storage, $config = null) {
if(! is_array($config)) {
$config = [
@@ -19,7 +19,8 @@ class OAuth2Server extends \OAuth2\Server {
$this->addGrantType(new \OAuth2\GrantType\ClientCredentials($storage));
// Add the "Authorization Code" grant type (this is where the oauth magic happens)
- $this->addGrantType(new \OAuth2\GrantType\AuthorizationCode($storage));
+ // Need to use OpenID\GrantType to return id_token (see:https://github.com/bshaffer/oauth2-server-php/issues/443)
+ $this->addGrantType(new \OAuth2\OpenID\GrantType\AuthorizationCode($storage));
$keyStorage = new \OAuth2\Storage\Memory( [
'keys' => [
diff --git a/Zotlabs/Identity/OAuth2Storage.php b/Zotlabs/Identity/OAuth2Storage.php
index bc6db565c..a50b21a70 100644
--- a/Zotlabs/Identity/OAuth2Storage.php
+++ b/Zotlabs/Identity/OAuth2Storage.php
@@ -50,20 +50,67 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
public function getUser($username)
{
- $x = channelx_by_nick($username);
+ $x = channelx_by_n($username);
if(! $x) {
return false;
}
return( [
+ 'webbie' => $x['channel_address'].'@'.\App::get_hostname(),
+ 'zothash' => $x['channel_hash'],
'username' => $x['channel_address'],
'user_id' => $x['channel_id'],
+ 'name' => $x['channel_name'],
'firstName' => $x['channel_name'],
'lastName' => '',
'password' => 'NotARealPassword'
] );
}
+ public function scopeExists($scope) {
+ // Report that the scope is valid even if it's not.
+ // We will only return a very small subset no matter what.
+ // @TODO: Truly validate the scope
+ // see vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/ScopeInterface.php and
+ // vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/Pdo.php
+ // for more info.
+ return true;
+ }
+
+ public function getDefaultScope($client_id=null) {
+ // Do not REQUIRE a scope
+ // see vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/ScopeInterface.php and
+ // for more info.
+ return null;
+ }
+
+ public function getUserClaims ($user_id, $claims) {
+ // Populate the CLAIMS requested (if any).
+ // @TODO: create a more reasonable/comprehensive list.
+ // @TODO: present claims on the AUTHORIZATION screen
+
+ $userClaims = Array();
+ $claims = explode (' ', trim($claims));
+ $validclaims = Array ("name","preferred_username","zothash");
+ $claimsmap = Array (
+ "zotwebbie" => 'webbie',
+ "zothash" => 'zothash',
+ "name" => 'name',
+ "preferred_username" => "username"
+ );
+ $userinfo = $this->getUser($user_id);
+ foreach ($validclaims as $validclaim) {
+ if (in_array($validclaim,$claims)) {
+ $claimkey = $claimsmap[$validclaim];
+ $userClaims[$validclaim] = $userinfo[$claimkey];
+ } else {
+ $userClaims[$validclaim] = $validclaim;
+ }
+ }
+ $userClaims["sub"]=$user_id;
+ return $userClaims;
+ }
+
/**
* plaintext passwords are bad! Override this for your application
*
@@ -78,4 +125,4 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
return true;
}
-} \ No newline at end of file
+}
diff --git a/Zotlabs/Module/Admin/Site.php b/Zotlabs/Module/Admin/Site.php
index 292de4c3a..5912a7c97 100644
--- a/Zotlabs/Module/Admin/Site.php
+++ b/Zotlabs/Module/Admin/Site.php
@@ -332,7 +332,7 @@ class Site {
'$register_policy' => array('register_policy', t("Does this site allow new member registration?"), get_config('system','register_policy'), "", $register_choices),
'$invite_only' => array('invite_only', t("Invitation only"), get_config('system','invitation_only'), t("Only allow new member registrations with an invitation code. Above register policy must be set to Yes.")),
'$minimum_age' => array('minimum_age', t("Minimum age"), (x(get_config('system','minimum_age'))?get_config('system','minimum_age'):13), t("Minimum age (in years) for who may register on this site.")),
- '$access_policy' => array('access_policy', t("Which best describes the types of account offered by this hub?"), get_config('system','access_policy'), "This is displayed on the public server site list.", $access_choices),
+ '$access_policy' => array('access_policy', t("Which best describes the types of account offered by this hub?"), get_config('system','access_policy'), t("This is displayed on the public server site list."), $access_choices),
'$register_text' => array('register_text', t("Register text"), htmlspecialchars(get_config('system','register_text'), ENT_QUOTES, 'UTF-8'), t("Will be displayed prominently on the registration page.")),
'$role' => $role,
'$frontpage' => array('frontpage', t("Site homepage to show visitors (default: login box)"), get_config('system','frontpage'), t("example: 'public' to show public stream, 'page/sys/home' to show a system webpage called 'home' or 'include:home.html' to include a file.")),
diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php
index bfb76150f..e042848d8 100644
--- a/Zotlabs/Module/Authorize.php
+++ b/Zotlabs/Module/Authorize.php
@@ -60,12 +60,16 @@ class Authorize extends \Zotlabs\Web\Controller {
$request = \OAuth2\Request::createFromGlobals();
$response = new \OAuth2\Response();
+ // Note, "sub" field must match type and content. $user_id is used to populate - make sure it's a string.
+ $channel = channelx_by_n(local_channel());
+ $user_id = $channel["channel_id"];
+
// If the client is not registered, add to the database
if (!$client = $storage->getClientDetails($client_id)) {
- $client_secret = random_string(16);
+ // Until "Dynamic Client Registration" is pursued - allow new clients to assign their own secret in the REQUEST
+ $client_secret = (isset($_REQUEST["client_secret"])) ? $_REQUEST["client_secret"] : random_string(16);
// Client apps are registered per channel
- $user_id = local_channel();
- $storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', null, $user_id);
+ $storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', urldecode($_REQUEST["scope"]), $user_id);
}
if (!$client = $storage->getClientDetails($client_id)) {
@@ -83,7 +87,7 @@ class Authorize extends \Zotlabs\Web\Controller {
// print the authorization code if the user has authorized your client
$is_authorized = ($_POST['authorize'] === 'allow');
- $s->handleAuthorizeRequest($request, $response, $is_authorized, local_channel());
+ $s->handleAuthorizeRequest($request, $response, $is_authorized, $user_id);
if ($is_authorized) {
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40);
logger('Authorization Code: ' . $code);
diff --git a/Zotlabs/Module/Settings/Oauth2.php b/Zotlabs/Module/Settings/Oauth2.php
index f58d01d8c..70fd3a5c3 100644
--- a/Zotlabs/Module/Settings/Oauth2.php
+++ b/Zotlabs/Module/Settings/Oauth2.php
@@ -10,10 +10,19 @@ class Oauth2 {
if(x($_POST,'remove')){
check_form_security_token_redirectOnErr('/settings/oauth2', 'settings_oauth2');
-
+ $name = ((x($_POST,'name')) ? escape_tags(trim($_POST['name'])) : '');
+ logger("REMOVE! ".$name." uid: ".local_channel());
$key = $_POST['remove'];
- q("DELETE FROM tokens WHERE id='%s' AND uid=%d",
- dbesc($key),
+ q("DELETE FROM oauth_authorization_codes WHERE client_id='%s' AND user_id=%d",
+ dbesc($name),
+ intval(local_channel())
+ );
+ q("DELETE FROM oauth_access_tokens WHERE client_id='%s' AND user_id=%d",
+ dbesc($name),
+ intval(local_channel())
+ );
+ q("DELETE FROM oauth_refresh_tokens WHERE client_id='%s' AND user_id=%d",
+ dbesc($name),
intval(local_channel())
);
goaway(z_root()."/settings/oauth2/");
@@ -45,14 +54,15 @@ class Oauth2 {
grant_types = '%s',
scope = '%s',
user_id = %d
- WHERE client_id='%s'",
+ WHERE client_id='%s' and user_id = %s",
dbesc($name),
dbesc($secret),
dbesc($redirect),
dbesc($grant),
dbesc($scope),
intval(local_channel()),
- dbesc($name));
+ dbesc($name),
+ intval(local_channel()));
} else {
$r = q("INSERT INTO oauth_clients (client_id, client_secret, redirect_uri, grant_types, scope, user_id)
VALUES ('%s','%s','%s','%s','%s',%d)",
@@ -128,6 +138,18 @@ class Oauth2 {
dbesc(argv(3)),
intval(local_channel())
);
+ $r = q("DELETE FROM oauth_access_tokens WHERE client_id = '%s' AND user_id = %d",
+ dbesc(argv(3)),
+ intval(local_channel())
+ );
+ $r = q("DELETE FROM oauth_authorization_codes WHERE client_id = '%s' AND user_id = %d",
+ dbesc(argv(3)),
+ intval(local_channel())
+ );
+ $r = q("DELETE FROM oauth_refresh_tokens WHERE client_id = '%s' AND user_id = %d",
+ dbesc(argv(3)),
+ intval(local_channel())
+ );
goaway(z_root()."/settings/oauth2/");
return;
}
@@ -135,7 +157,8 @@ class Oauth2 {
$r = q("SELECT oauth_clients.*, oauth_access_tokens.access_token as oauth_token, (oauth_clients.user_id = %d) AS my
FROM oauth_clients
- LEFT JOIN oauth_access_tokens ON oauth_clients.client_id=oauth_access_tokens.client_id
+ LEFT JOIN oauth_access_tokens ON oauth_clients.client_id=oauth_access_tokens.client_id AND
+ oauth_clients.user_id=oauth_access_tokens.user_id
WHERE oauth_clients.user_id IN (%d,0)",
intval(local_channel()),
intval(local_channel())
diff --git a/Zotlabs/Module/Token.php b/Zotlabs/Module/Token.php
index 32cf95c61..2bd33c761 100644
--- a/Zotlabs/Module/Token.php
+++ b/Zotlabs/Module/Token.php
@@ -27,11 +27,11 @@ class Token extends \Zotlabs\Web\Controller {
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
-
- $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db));
+ $storage = new OAuth2Storage(\DBA::$dba->db);
+ $s = new \Zotlabs\Identity\OAuth2Server($storage);
$request = \OAuth2\Request::createFromGlobals();
- $s->handleTokenRequest($request)->send();
-
+ $response = $s->handleTokenRequest($request);
+ $response->send();
killme();
}
diff --git a/Zotlabs/Module/Userinfo.php b/Zotlabs/Module/Userinfo.php
new file mode 100644
index 000000000..6c881f078
--- /dev/null
+++ b/Zotlabs/Module/Userinfo.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace Zotlabs\Module;
+
+use Zotlabs\Identity\OAuth2Storage;
+
+
+class Userinfo extends \Zotlabs\Web\Controller {
+
+ function init() {
+ $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db));
+ $request = \OAuth2\Request::createFromGlobals();
+ $s->handleUserInfoRequest($request)->send();
+ killme();
+ }
+
+}
diff --git a/include/markdown.php b/include/markdown.php
index de9862801..058b79909 100644
--- a/include/markdown.php
+++ b/include/markdown.php
@@ -74,8 +74,11 @@ function markdown_to_bb($s, $use_zrl = false, $options = []) {
// Convert everything that looks like a link to a link
if($use_zrl) {
- $s = str_replace(['[img', '/img]'], ['[zmg', '/zmg]'], $s);
- $s = preg_replace("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", '$1[zrl=$2$3]$2$3[/zrl]',$s);
+ if (strpos($s,'[/img]') !== false) {
+ $s = preg_replace_callback("/\[img\](.*?)\[\/img\]/ism", 'use_zrl_cb_img', $s);
+ $s = preg_replace_callback("/\[img\=([0-9]*)x([0-9]*)\](.*?)\[\/img\]/ism", 'use_zrl_cb_img_x', $s);
+ }
+ $s = preg_replace_callback("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", 'use_zrl_cb_link',$s);
}
else {
$s = preg_replace("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", '$1[url=$2$3]$2$3[/url]',$s);
@@ -96,6 +99,41 @@ function markdown_to_bb($s, $use_zrl = false, $options = []) {
return $s;
}
+function use_zrl_cb_link($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[0]));
+
+ if($is_zid)
+ $res = $match[1] . '[zrl=' . $match[2] . $match[3] . ']' . $match[2] . $match[3] . '[/zrl]';
+ else
+ $res = $match[1] . '[url=' . $match[2] . $match[3] . ']' . $match[2] . $match[3] . '[/url]';
+
+ return $res;
+}
+
+function use_zrl_cb_img($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[1]));
+
+ if($is_zid)
+ $res = '[zmg]' . $match[1] . '[/zmg]';
+ else
+ $res = $match[0];
+
+ return $res;
+}
+
+function use_zrl_cb_img_x($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[3]));
+
+ if($is_zid)
+ $res = '[zmg=' . $match[1] . 'x' . $match[2] . ']' . $match[3] . '[/zmg]';
+ else
+ $res = $match[0];
+
+ return $res;
+}
/**
* @brief
diff --git a/include/nav.php b/include/nav.php
index 05d2d199f..56fe9b901 100644
--- a/include/nav.php
+++ b/include/nav.php
@@ -175,7 +175,7 @@ function nav($template = 'default') {
$search_form_action = 'network';
break;
case 'channel':
- $search_form_action = 'channel';
+ $search_form_action = 'channel/' . App::$profile['channel_address'];
break;
default:
$search_form_action = 'search';
diff --git a/install/INSTALL.txt b/install/INSTALL.txt
index c39c8ad8b..421656023 100644
--- a/install/INSTALL.txt
+++ b/install/INSTALL.txt
@@ -89,9 +89,10 @@ web server platforms.
php.ini file - and with no hosting provider restrictions on the use of
exec() and proc_open().
- - curl, gd (with at least jpeg and png support), mysqli, mbstring, xml, zip
- and openssl extensions. The imagick extension MAY be used instead of gd,
- but is not required and MAY also be disabled via configuration option.
+ - curl, gd (with at least jpeg and png support), mysqli, mbstring, xml,
+ xmlreader (FreeBSD), zip and openssl extensions. The imagick extension MAY be used
+ instead of gd, but is not required and MAY also be disabled via
+ configuration option.
- some form of email server or email gateway such that PHP mail() works.
diff --git a/view/tpl/settings_oauth2.tpl b/view/tpl/settings_oauth2.tpl
index 882d34ea9..f3bf59a12 100755
--- a/view/tpl/settings_oauth2.tpl
+++ b/view/tpl/settings_oauth2.tpl
@@ -4,8 +4,6 @@
</div>
<div class="section-content-tools-wrapper">
-<form action="settings/oauth2" method="post" autocomplete="off">
-<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
<div id="profile-edit-links">
<ul>
@@ -16,6 +14,9 @@
</div>
{{foreach $apps as $app}}
+<form action="settings/oauth2" method="post" autocomplete="off">
+<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+<input type='hidden' name='name' value='{{$app.client_id}}'>
<div class='oauthapp'>
{{if $app.client_id}}<h4>{{$app.client_id}}</h4>{{else}}<h4>{{$noname}}</h4>{{/if}}
{{if $app.my}}
@@ -28,8 +29,8 @@
<a href="{{$baseurl}}/settings/oauth2/delete/{{$app.client_id}}?t={{$form_security_token}}" title="{{$delete}}"><i class="fa fa-trash-o btn btn-outline-secondary"></i></a>
{{/if}}
</div>
+</form>
{{/foreach}}
-</form>
</div>
</div>