Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Admin/Site.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Authorize.php | 12 | ||||
-rw-r--r-- | Zotlabs/Module/Connedit.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Defperms.php | 1 | ||||
-rw-r--r-- | Zotlabs/Module/Magic.php | 6 | ||||
-rw-r--r-- | Zotlabs/Module/Manage.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Nojs.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Probe.php | 7 | ||||
-rw-r--r-- | Zotlabs/Module/Rmagic.php | 10 | ||||
-rw-r--r-- | Zotlabs/Module/Settings/Oauth2.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Settings/Tokens.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Siteinfo.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Token.php | 8 | ||||
-rw-r--r-- | Zotlabs/Module/Userinfo.php | 17 | ||||
-rw-r--r-- | Zotlabs/Module/Zfinger.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Zot.php | 25 |
16 files changed, 74 insertions, 34 deletions
diff --git a/Zotlabs/Module/Admin/Site.php b/Zotlabs/Module/Admin/Site.php index 292de4c3a..5912a7c97 100644 --- a/Zotlabs/Module/Admin/Site.php +++ b/Zotlabs/Module/Admin/Site.php @@ -332,7 +332,7 @@ class Site { '$register_policy' => array('register_policy', t("Does this site allow new member registration?"), get_config('system','register_policy'), "", $register_choices), '$invite_only' => array('invite_only', t("Invitation only"), get_config('system','invitation_only'), t("Only allow new member registrations with an invitation code. Above register policy must be set to Yes.")), '$minimum_age' => array('minimum_age', t("Minimum age"), (x(get_config('system','minimum_age'))?get_config('system','minimum_age'):13), t("Minimum age (in years) for who may register on this site.")), - '$access_policy' => array('access_policy', t("Which best describes the types of account offered by this hub?"), get_config('system','access_policy'), "This is displayed on the public server site list.", $access_choices), + '$access_policy' => array('access_policy', t("Which best describes the types of account offered by this hub?"), get_config('system','access_policy'), t("This is displayed on the public server site list."), $access_choices), '$register_text' => array('register_text', t("Register text"), htmlspecialchars(get_config('system','register_text'), ENT_QUOTES, 'UTF-8'), t("Will be displayed prominently on the registration page.")), '$role' => $role, '$frontpage' => array('frontpage', t("Site homepage to show visitors (default: login box)"), get_config('system','frontpage'), t("example: 'public' to show public stream, 'page/sys/home' to show a system webpage called 'home' or 'include:home.html' to include a file.")), diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php index bfb76150f..e042848d8 100644 --- a/Zotlabs/Module/Authorize.php +++ b/Zotlabs/Module/Authorize.php 
@@ -60,12 +60,16 @@ class Authorize extends \Zotlabs\Web\Controller { $request = \OAuth2\Request::createFromGlobals(); $response = new \OAuth2\Response(); + // Note, "sub" field must match type and content. $user_id is used to populate - make sure it's a string. + $channel = channelx_by_n(local_channel()); + $user_id = $channel["channel_id"]; + // If the client is not registered, add to the database if (!$client = $storage->getClientDetails($client_id)) { - $client_secret = random_string(16); + // Until "Dynamic Client Registration" is pursued - allow new clients to assign their own secret in the REQUEST + $client_secret = (isset($_REQUEST["client_secret"])) ? $_REQUEST["client_secret"] : random_string(16); // Client apps are registered per channel - $user_id = local_channel(); - $storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', null, $user_id); + $storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', urldecode($_REQUEST["scope"]), $user_id); } if (!$client = $storage->getClientDetails($client_id)) { @@ -83,7 +87,7 @@ class Authorize extends \Zotlabs\Web\Controller { // print the authorization code if the user has authorized your client $is_authorized = ($_POST['authorize'] === 'allow'); - $s->handleAuthorizeRequest($request, $response, $is_authorized, local_channel()); + $s->handleAuthorizeRequest($request, $response, $is_authorized, $user_id); if ($is_authorized) { $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40); logger('Authorization Code: ' . $code); diff --git a/Zotlabs/Module/Connedit.php b/Zotlabs/Module/Connedit.php index cb9c19cf0..712215bc3 100644 --- a/Zotlabs/Module/Connedit.php +++ b/Zotlabs/Module/Connedit.php 
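Review bot: In Authorize.php, the auto-registration branch now stores whatever `client_secret` arrives in `$_REQUEST`, so an unregistered client picks its own secret with no length or strength check, and because `$_REQUEST` includes the query string the secret can end up in URLs and access logs. If self-assigned secrets have to stay until dynamic client registration exists, enforce a minimum length and fall back to `random_string(16)` when the supplied value fails it. On the same `setClientDetails()` call, `urldecode($_REQUEST["scope"])` reads the key without an `isset()` check and decodes a value PHP has already URL-decoded; `isset($_REQUEST['scope']) ? $_REQUEST['scope'] : null` keeps the previous null default. The new comment asks for `$user_id` to be a string but nothing casts it, so `$user_id = (string) $channel['channel_id'];` would make that explicit. The enclosing function starts and ends outside the hunk.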
@@ -774,7 +774,7 @@ class Connedit extends \Zotlabs\Web\Controller { $global_perms = \Zotlabs\Access\Permissions::Perms(); - $existing = get_all_perms(local_channel(),$contact['abook_xchan']); + $existing = get_all_perms(local_channel(),$contact['abook_xchan'],false); $unapproved = array('pending', t('Approve this connection'), '', t('Accept connection to allow communication'), array(t('No'),('Yes'))); diff --git a/Zotlabs/Module/Defperms.php b/Zotlabs/Module/Defperms.php index 97d9cfd1d..63acc9795 100644 --- a/Zotlabs/Module/Defperms.php +++ b/Zotlabs/Module/Defperms.php @@ -209,7 +209,6 @@ class Defperms extends \Zotlabs\Web\Controller { $global_perms = \Zotlabs\Access\Permissions::Perms(); - $existing = get_all_perms(local_channel(),$contact['abook_xchan']); $hidden_perms = []; foreach($global_perms as $k => $v) { diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 25c318f30..be6866592 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -14,15 +14,15 @@ class Magic extends \Zotlabs\Web\Controller { logger('mod_magic: args: ' . print_r($_REQUEST,true),LOGGER_DATA); $addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : ''); + $bdest = ((x($_REQUEST,'bdest')) ? $_REQUEST['bdest'] : ''); $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); - // Apache(?) appears to perform an htmlentities() operation on this variable - - $dest = html_entity_decode($dest); + if($bdest) + $dest = hex2bin($bdest); $parsed = parse_url($dest); if(! $parsed) { diff --git a/Zotlabs/Module/Manage.php b/Zotlabs/Module/Manage.php index 9c5c32294..2c88a4df0 100644 --- a/Zotlabs/Module/Manage.php +++ b/Zotlabs/Module/Manage.php 
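Review bot: In Connedit.php, the bare `false` added as the third argument to `get_all_perms()` gives no hint of what it turns off, and this is a permissions lookup. A one-line comment above the call naming the parameter and why it is disabled here would make the intent reviewable. The same applies to the identical call added in Settings/Tokens.php. The parameter's meaning is not visible anywhere in this diff.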
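Review bot: In Magic.php, `hex2bin($bdest)` returns false and raises a warning for odd-length or non-hex input, and that value then goes straight into `parse_url($dest)`. Guard the decode, for example `if($bdest && ctype_xdigit($bdest) && strlen($bdest) % 2 === 0) $dest = hex2bin($bdest);`, so a malformed `bdest` falls back to the `dest` value instead of false. The hunk also drops `html_entity_decode()` for the legacy `dest` parameter, so links that still use `dest` are handled differently than before; a comment saying whether that is intended would help. The function continues outside the hunk.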
@@ -156,7 +156,7 @@ class Manage extends \Zotlabs\Web\Controller { if($delegates) { for($x = 0; $x < count($delegates); $x ++) { - $delegates[$x]['link'] = 'magic?f=&dest=' . urlencode($delegates[$x]['xchan_url']) + $delegates[$x]['link'] = 'magic?f=&bdest=' . bin2hex($delegates[$x]['xchan_url']) . '&delegate=' . urlencode($delegates[$x]['xchan_addr']); $delegates[$x]['channel_name'] = $delegates[$x]['xchan_name']; $delegates[$x]['delegate'] = 1; diff --git a/Zotlabs/Module/Nojs.php b/Zotlabs/Module/Nojs.php index 6fd6d8106..5f3d80ecd 100644 --- a/Zotlabs/Module/Nojs.php +++ b/Zotlabs/Module/Nojs.php @@ -7,8 +7,8 @@ class Nojs extends \Zotlabs\Web\Controller { function init() { $n = ((argc() > 1) ? intval(argv(1)) : 1); setcookie('jsdisabled', $n, 0, '/'); - $p = $_GET['redir']; - $hasq = strpos($p,'?'); + $p = hex2bin($_GET['redir']); + $hasq = strpbrk($p,'?&'); goaway(z_root() . (($p) ? '/' . $p : '') . (($hasq) ? '' : '?f=' ) . '&jsdisabled=' . $n); } diff --git a/Zotlabs/Module/Probe.php b/Zotlabs/Module/Probe.php index 2e65f107c..2c67c6aae 100644 --- a/Zotlabs/Module/Probe.php +++ b/Zotlabs/Module/Probe.php @@ -27,12 +27,11 @@ class Probe extends \Zotlabs\Web\Controller { $o .= '<pre>'; if(! $j['success']) { - $o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n"); $o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n"; $j = \Zotlabs\Zot\Finger::run($addr,$channel,true); - if(! $j['success']) - $o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n"); - + if(! $j['success']) { + return $o; + } } if($do_import && $j) $x = import_xchan($j); diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php index bfc03f6ec..33a6689ca 100644 --- a/Zotlabs/Module/Rmagic.php +++ b/Zotlabs/Module/Rmagic.php 
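Review bot: In Nojs.php, `hex2bin($_GET['redir'])` is called without checking that `redir` is present or valid hex, so a missing or malformed parameter produces a warning and a false `$p`. The decoded bytes are then appended to the `goaway()` target unchecked, and hex encoding makes the value opaque to request logs and filters, so the decoded path should be validated as well. Something like `$p = (isset($_GET['redir']) && ctype_xdigit($_GET['redir']) && strlen($_GET['redir']) % 2 === 0) ? hex2bin($_GET['redir']) : '';` covers the decode step.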
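Review bot: In Probe.php, the new `return $o;` on the second failed lookup returns without saying that the http fallback also failed and, as far as the hunk shows, with the `<pre>` opened above still unclosed. Appending a translated failure message and the closing tag before returning would tell the user why nothing else is displayed. The function starts and ends outside the hunk, so the closing tag may be handled elsewhere.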
@@ -17,8 +17,8 @@ class Rmagic extends \Zotlabs\Web\Controller { if($r) { if($r[0]['hubloc_url'] === z_root()) goaway(z_root() . '/login'); - $dest = z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string); - goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest); + $dest = bin2hex(z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string)); + goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&bdest=' . $dest); } } } @@ -59,11 +59,11 @@ class Rmagic extends \Zotlabs\Web\Controller { if($url) { if($_SESSION['return_url']) - $dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url'])); + $dest = bin2hex(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url'])); else - $dest = urlencode(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string)); + $dest = bin2hex(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string)); - goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest); + goaway($url . '/magic' . '?f=&owa=1&bdest=' . $dest); } } } diff --git a/Zotlabs/Module/Settings/Oauth2.php b/Zotlabs/Module/Settings/Oauth2.php index 91abd1de3..70fd3a5c3 100644 --- a/Zotlabs/Module/Settings/Oauth2.php +++ b/Zotlabs/Module/Settings/Oauth2.php 
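Review bot: In Rmagic.php, the redirect to the remote hub's `/magic` endpoint now sends only `bdest`, which presumably leaves a hub that has not been upgraded, and so only reads `dest`, without a destination. This applies to the `goaway()` in the first Rmagic hunk and to the one in the second. If mixed versions need to interoperate, state the minimum remote version in a comment here or send both parameters during the transition. The diff does not show how an older receiver treats an empty destination.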
@@ -125,8 +125,8 @@ class Oauth2 { '$name' => array('name', t('Name'), $app['client_id'], t('Name of application')), '$secret' => array('secret', t('Consumer Secret'), $app['client_secret'], t('Automatically generated - change if desired. Max length 20')), '$redirect' => array('redirect', t('Redirect'), $app['redirect_uri'], t('Redirect URI - leave blank unless your application specifically requires this')), - '$grant' => array('grant', t('Grant Types'), $app['grant_types'], t('leave blank unless your application sepcifically requires this')), - '$scope' => array('scope', t('Authorization scope'), $app['scope'], t('leave blank unless your application sepcifically requires this')), + '$grant' => array('grant', t('Grant Types'), $app['grant_types'], t('leave blank unless your application specifically requires this')), + '$scope' => array('scope', t('Authorization scope'), $app['scope'], t('leave blank unless your application specifically requires this')), )); return $o; } diff --git a/Zotlabs/Module/Settings/Tokens.php b/Zotlabs/Module/Settings/Tokens.php index 619c8b5ba..e59cf8d1c 100644 --- a/Zotlabs/Module/Settings/Tokens.php +++ b/Zotlabs/Module/Settings/Tokens.php @@ -117,7 +117,7 @@ class Tokens { $global_perms = \Zotlabs\Access\Permissions::Perms(); $their_perms = []; - $existing = get_all_perms(local_channel(),(($atoken_xchan) ? $atoken_xchan : '')); + $existing = get_all_perms(local_channel(),(($atoken_xchan) ? $atoken_xchan : ''),false); if($atoken_xchan) { $theirs = q("select * from abconfig where chan = %d and xchan = '%s' and cat = 'their_perms'", diff --git a/Zotlabs/Module/Siteinfo.php b/Zotlabs/Module/Siteinfo.php index 25276815d..79b94662d 100644 --- a/Zotlabs/Module/Siteinfo.php +++ b/Zotlabs/Module/Siteinfo.php 
@@ -32,7 +32,7 @@ class Siteinfo extends \Zotlabs\Web\Controller { '$transport_link' => '<a href="https://zotlabs.com">https://zotlabs.com</a>', '$additional_text' => t('Additional federated transport protocols:'), - '$additional_fed' => implode(',',$federated), + '$additional_fed' => implode(', ',array_unique($federated)), '$prj_version' => ((get_config('system','hidden_version_siteinfo')) ? '' : sprintf( t('Version %s'), \Zotlabs\Lib\System::get_project_version())), '$prj_linktxt' => t('Project homepage'), '$prj_srctxt' => t('Developer homepage'), diff --git a/Zotlabs/Module/Token.php b/Zotlabs/Module/Token.php index 32cf95c61..2bd33c761 100644 --- a/Zotlabs/Module/Token.php +++ b/Zotlabs/Module/Token.php @@ -27,11 +27,11 @@ class Token extends \Zotlabs\Web\Controller { $_SERVER['PHP_AUTH_PW'] = $password; } } - - $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db)); + $storage = new OAuth2Storage(\DBA::$dba->db); + $s = new \Zotlabs\Identity\OAuth2Server($storage); $request = \OAuth2\Request::createFromGlobals(); - $s->handleTokenRequest($request)->send(); - + $response = $s->handleTokenRequest($request); + $response->send(); killme(); } diff --git a/Zotlabs/Module/Userinfo.php b/Zotlabs/Module/Userinfo.php new file mode 100644 index 000000000..6c881f078 --- /dev/null +++ b/Zotlabs/Module/Userinfo.php @@ -0,0 +1,17 @@ +<?php + +namespace Zotlabs\Module; + +use Zotlabs\Identity\OAuth2Storage; + + +class Userinfo extends \Zotlabs\Web\Controller { + + function init() { + $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db)); + $request = \OAuth2\Request::createFromGlobals(); + $s->handleUserInfoRequest($request)->send(); + killme(); + } + +} diff --git a/Zotlabs/Module/Zfinger.php b/Zotlabs/Module/Zfinger.php index 0f7f6a64b..6ed001df5 100644 --- a/Zotlabs/Module/Zfinger.php +++ b/Zotlabs/Module/Zfinger.php 
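Review bot: Userinfo.php has no file or class docblock, unlike the Zot.php module added in the same commit, and `init()` contains no visible authentication check of its own. It appears to rely on `handleUserInfoRequest()` to validate the access token before returning user data. A class docblock saying so, e.g. `@brief Userinfo endpoint; access control is performed inside OAuth2Server::handleUserInfoRequest()`, would record that assumption for the next reader.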
@@ -36,10 +36,6 @@ class Zfinger extends \Zotlabs\Web\Controller { echo $ret; killme(); - - - - json_return_and_die($x); } diff --git a/Zotlabs/Module/Zot.php b/Zotlabs/Module/Zot.php new file mode 100644 index 000000000..8c34dced1 --- /dev/null +++ b/Zotlabs/Module/Zot.php @@ -0,0 +1,25 @@ +<?php +/** + * @file Zotlabs/Module/Zot.php + * + * @brief Zot endpoint. + * + */ + +namespace Zotlabs\Module; + +use Zotlabs\Zot6 as ZotProtocol; + +/** + * @brief Zot module. + * + */ + +class Zot extends \Zotlabs\Web\Controller { + + function init() { + $zot = new ZotProtocol\Receiver(new ZotProtocol\Zot6Handler()); + json_return_and_die($zot->run(),'application/x-zot+jzon'); + } + +} |
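Review bot: In Zot.php, the content type passed to `json_return_and_die()` is spelled `'application/x-zot+jzon'`, which looks like a typo for `application/x-zot+json`. Confirm it against what Zot6 peers send and accept, since a mismatched media type can make receivers reject or mis-parse the response. If the spelling is deliberate, a comment saying so would prevent a well-meant correction later.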