aboutsummaryrefslogtreecommitdiffstats
path: root/mod
diff options
context:
space:
mode:
Diffstat (limited to 'mod')
-rw-r--r--mod/chanview.php2
-rw-r--r--mod/connections.php2
-rw-r--r--mod/magic.php2
-rw-r--r--mod/post.php70
4 files changed, 48 insertions, 28 deletions
diff --git a/mod/chanview.php b/mod/chanview.php
index 92ed757f9..b01eab869 100644
--- a/mod/chanview.php
+++ b/mod/chanview.php
@@ -76,7 +76,7 @@ function chanview_content(&$a) {
}
if($xchan['xchan_hash'])
- $a->set_widget('vcard',vcard_from_xchan($xchan));
+ $a->set_widget('vcard',vcard_from_xchan($xchan,$observer,'chanview'));
$url = (($observer)
? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
diff --git a/mod/connections.php b/mod/connections.php
index 0a2edb4cd..8a668ad2a 100644
--- a/mod/connections.php
+++ b/mod/connections.php
@@ -28,7 +28,7 @@ function connections_init(&$a) {
function connections_aside(&$a) {
if(x($a->data,'abook')) {
- $a->set_widget('vcard',vcard_from_xchan($a->data['abook']));
+ $a->set_widget('vcard',vcard_from_xchan($a->data['abook'],$a->get_observer()));
}
else {
$a->set_widget('follow', follow_widget());
diff --git a/mod/magic.php b/mod/magic.php
index c5aeb4c8e..d7a6674ee 100644
--- a/mod/magic.php
+++ b/mod/magic.php
@@ -85,7 +85,7 @@ function magic_init(&$a) {
dbesc('auth'),
intval($channel['channel_id']),
dbesc($token),
- dbesc($hubloc['hubloc_hash']),
+ dbesc($x[0]['hubloc_hash']),
dbesc(datetime_convert())
);
diff --git a/mod/post.php b/mod/post.php
index 36b2e1482..8171f1065 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -44,7 +44,7 @@ function post_init(&$a) {
);
if(! $c) {
logger('mod_zot: auth: unable to find channel ' . $webbie);
- // They'll get a notice when they hit the page, we don't need two.
+ // They'll get a notice when they hit the page, we don't need two of them.
goaway($desturl);
}
@@ -70,33 +70,39 @@ function post_init(&$a) {
// check credentials and access
- // Auth packets MUST use ultra top-secret hush-hush mode
+ // If they are already authenticated and haven't changed credentials,
+ // we can save an expensive network round trip and improve performance.
- $p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec);
- $result = zot_zot($x[0]['hubloc_callback'],$p);
+ $remote = remote_user();
+ $result = null;
- if($result['success']) {
+ $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false);
+
+ if(! $already_authed) {
+ // Auth packets MUST use ultra top-secret hush-hush mode
+ $p = zot_build_packet($c[0],$type = 'auth_check',
+ array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])),
+ $x[0]['hubloc_sitekey'], $sec);
+ $result = zot_zot($x[0]['hubloc_callback'],$p);
+ if(! $result['success'])
+ goaway($desturl);
$j = json_decode($result['body'],true);
- if($j['result']) {
- // everything is good... maybe
- if(local_user()) {
- notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
- goaway($desturl);
- }
- // log them in
- $_SESSION['authenticated'] = 1;
- $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
- $a->set_observer($x[0]);
- require_once('include/security.php');
- $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
- info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
- }
}
-
-
-
-
+ if($already_authed || $j['result']) {
+ // everything is good... maybe
+ if(local_user()) {
+ notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
+ goaway($desturl);
+ }
+ // log them in
+ $_SESSION['authenticated'] = 1;
+ $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
+ $a->set_observer($x[0]);
+ require_once('include/security.php');
+ $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
+ info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
+ }
goaway($desturl);
}
@@ -274,13 +280,22 @@ function post_post(&$a) {
$arr = $data['sender'];
$sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
+ // garbage collect any old unused notifications
+ q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE");
+
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash)
);
+ // We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
+ // the verify table. It is now coming back to us as 'secret' and is signed by the other site.
+ // First verify their signature.
+
if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
json_return_and_die($ret);
}
+
+ // There should be exactly one recipient
if($data['recipients']) {
$arr = $data['recipients'][0];
@@ -292,9 +307,14 @@ function post_post(&$a) {
logger('mod_zot: auth_check: recipient channel not found.');
json_return_and_die($ret);
}
- $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1",
+
+ // This additionally checks for forged senders since we already stored the expected result in meta
+ // and we've already verified that this is them via zot_gethub() and that their key signed our token
+
+ $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']),
- dbesc($data['secret'])
+ dbesc($data['secret']),
+ dbesc($sender_hash)
);
if(! $z) {
logger('mod_zot: auth_check: verification key not found.');