aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Zot
diff options
context:
space:
mode:
Diffstat (limited to 'Zotlabs/Zot')
-rw-r--r--Zotlabs/Zot/Auth.php1
-rw-r--r--Zotlabs/Zot/Finger.php23
2 files changed, 18 insertions, 6 deletions
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 44f01174e..8d198f506 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -167,7 +167,6 @@ class Auth {
dbesc($hubloc['hubloc_url'])
);
- // needs a nonce!!!!
$p = zot_build_packet($channel,$type = 'auth_check',
array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 9871b5bbd..e205b136f 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -22,6 +22,7 @@ class Finger {
*
* @return zotinfo array (with 'success' => true) or array('success' => false);
*/
+
static public function run($webbie, $channel = null, $autofallback = true) {
$ret = array('success' => false);
@@ -84,18 +85,27 @@ class Finger {
'token' => self::$token
);
- $result = z_post_url($url . $rhs,$postvars);
+ $headers = [];
+ $headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
+ $headers['X-Zot-Nonce'] = random_string();
+ $xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
+ 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
+
+ $retries = 0;
+
+ $result = z_post_url($url . $rhs,$postvars,$retries, [ 'headers' => $xhead ]);
if ((! $result['success']) && ($autofallback)) {
if ($https) {
logger('zot_finger: https failed. falling back to http');
- $result = z_post_url('http://' . $host . $rhs,$postvars);
+ $result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]);
}
}
- } else {
+ }
+ else {
$rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token;
- $result = z_fetch_url($url . $rhs);
+ $result = z_fetch_url($url . $rhs);
if((! $result['success']) && ($autofallback)) {
if($https) {
logger('zot_finger: https failed. falling back to http');
@@ -111,7 +121,10 @@ class Finger {
}
$x = json_decode($result['body'], true);
- if($x) {
+
+ $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : '');
+
+ if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);
if($signed_token) {
$valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);