diff options
Diffstat (limited to 'Zotlabs/Zot')
-rw-r--r-- | Zotlabs/Zot/Auth.php | 1 | ||||
-rw-r--r-- | Zotlabs/Zot/Finger.php | 23 |
2 files changed, 18 insertions, 6 deletions
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php index 44f01174e..8d198f506 100644 --- a/Zotlabs/Zot/Auth.php +++ b/Zotlabs/Zot/Auth.php @@ -167,7 +167,6 @@ class Auth { dbesc($hubloc['hubloc_url']) ); - // needs a nonce!!!! $p = zot_build_packet($channel,$type = 'auth_check', array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])), $hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec); diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php index 9871b5bbd..e205b136f 100644 --- a/Zotlabs/Zot/Finger.php +++ b/Zotlabs/Zot/Finger.php @@ -22,6 +22,7 @@ class Finger { * * @return zotinfo array (with 'success' => true) or array('success' => false); */ + static public function run($webbie, $channel = null, $autofallback = true) { $ret = array('success' => false); @@ -84,18 +85,27 @@ class Finger { 'token' => self::$token ); - $result = z_post_url($url . $rhs,$postvars); + $headers = []; + $headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname(); + $headers['X-Zot-Nonce'] = random_string(); + $xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], + 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false); + + $retries = 0; + + $result = z_post_url($url . $rhs,$postvars,$retries, [ 'headers' => $xhead ]); if ((! $result['success']) && ($autofallback)) { if ($https) { logger('zot_finger: https failed. falling back to http'); - $result = z_post_url('http://' . $host . $rhs,$postvars); + $result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]); } } - } else { + } + else { $rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token; - $result = z_fetch_url($url . $rhs); + $result = z_fetch_url($url . $rhs); if((! $result['success']) && ($autofallback)) { if($https) { logger('zot_finger: https failed. falling back to http'); @@ -111,7 +121,10 @@ class Finger { } $x = json_decode($result['body'], true); - if($x) { + + $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : ''); + + if($x && (! $verify['header_valid'])) { $signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null); if($signed_token) { $valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']); |