From 4fdf5d28caa5d4af2bc6dfc088fdd51111baf390 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Mon, 13 Aug 2018 17:24:48 -0700
Subject: minor oauth2 updates - renamed zot webbie to 'webfinger' and zothash to 'portable_id', fixed/simplified cgi auth mode
---
 Zotlabs/Identity/OAuth2Storage.php | 35 +++++++++++++++---------
 Zotlabs/Module/Authorize.php | 6 ++---
 include/api_auth.php | 37 ++++++++++----------------
 library/certs/lets-encrypt-x3-cross-signed.pem | 28 +++++++++++++++++++
 4 files changed, 68 insertions(+), 38 deletions(-)
diff --git a/Zotlabs/Identity/OAuth2Storage.php b/Zotlabs/Identity/OAuth2Storage.php
index a50b21a70..bbf61cf2b 100644
--- a/Zotlabs/Identity/OAuth2Storage.php
+++ b/Zotlabs/Identity/OAuth2Storage.php
@@ -55,15 +55,22 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
 return false;
 }
+ $a = q("select * from account where account_id = %d",
+ intval($x['channel_account_id'])
+ );
+
+ $n = explode(' ', $x['channel_name']);
+
 return( [
- 'webbie' => $x['channel_address'].'@'.\App::get_hostname(),
- 'zothash' => $x['channel_hash'],
- 'username' => $x['channel_address'],
- 'user_id' => $x['channel_id'],
- 'name' => $x['channel_name'],
- 'firstName' => $x['channel_name'],
- 'lastName' => '',
- 'password' => 'NotARealPassword'
+ 'webfinger' => channel_reddress($x),
+ 'portable_id' => $x['channel_hash'],
+ 'email' => $a['account_email'],
+ 'username' => $x['channel_address'],
+ 'user_id' => $x['channel_id'],
+ 'name' => $x['channel_name'],
+ 'firstName' => ((count($n) > 1) ? $n[1] : $n[0]),
+ 'lastName' => ((count($n) > 2) ? $n[count($n) - 1] : ''),
+ 'picture' => $x['xchan_photo_l']
 ] );
 }
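Review bot: The name split at the `firstName`/`lastName` lines is off by one: for a two-word `channel_name`, `count($n) > 1` makes `firstName` the second word while `lastName` stays empty, and for three words the middle word becomes the first name. The first word is the given name in every case, so `'firstName' => $n[0],` and `'lastName' => ((count($n) > 1) ? $n[count($n) - 1] : ''),` give the intended split. Separately, the account query result is used row-indexed elsewhere in this commit (`'account' => $a[0]` in api_auth.php), so `$a['account_email']` appears to read the result set rather than the row and should be guarded, e.g. `'email' => (($a) ? $a[0]['account_email'] : ''),`. Whether `$x` carries `xchan_photo_l` depends on the query above the hunk, which is not visible here; getUser's body starts outside the hunk.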
@@ -91,12 +98,16 @@ class OAuth2Storage extends \OAuth2\Storage\Pdo {
 $userClaims = Array();
 $claims = explode (' ', trim($claims));
- $validclaims = Array ("name","preferred_username","zothash");
+ $validclaims = Array ("name","preferred_username","webfinger","portable_id","email","picture","firstName","lastName");
 $claimsmap = Array (
- "zotwebbie" => 'webbie',
- "zothash" => 'zothash',
+ "webfinger" => 'webfinger',
+ "portable_id" => 'portable_id',
 "name" => 'name',
- "preferred_username" => "username"
+ "email" => 'email',
+ "preferred_username" => 'username',
+ "picture" => 'picture',
+ "given_name" => 'firstName',
+ "family_name" => 'lastName'
 );
 $userinfo = $this->getUser($user_id);
 foreach ($validclaims as $validclaim) {
diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php
index e042848d8..265dea661 100644
--- a/Zotlabs/Module/Authorize.php
+++ b/Zotlabs/Module/Authorize.php
@@ -14,9 +14,9 @@ class Authorize extends \Zotlabs\Web\Controller {
 // OpenID Connect Dynamic Client Registration 1.0 Client Metadata
 // http://openid.net/specs/openid-connect-registration-1_0.html
 $app = array(
- 'name' => (x($_REQUEST, 'client_name') ? urldecode($_REQUEST['client_name']) : t('Unknown App')),
- 'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : z_root() . '/images/icons/plugin.png'),
- 'url' => (x($_REQUEST, 'client_uri') ? urldecode($_REQUEST['client_uri']) : ''),
+ 'name' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : t('Unknown App')),
+ 'icon' => (x($_REQUEST, 'logo_uri') ? $_REQUEST['logo_uri'] : z_root() . '/images/icons/plugin.png'),
+ 'url' => (x($_REQUEST, 'client_uri') ? $_REQUEST['client_uri'] : ''),
 );
 $o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
 '$title' => t('Authorize'),
diff --git a/include/api_auth.php b/include/api_auth.php
index e2f7ab155..23ab9c946 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
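Review bot: `$validclaims` and `$claimsmap` no longer agree: the list admits `firstName` and `lastName`, but the map keys for those values are `given_name` and `family_name`, so whichever spelling the loop below uses as the map key (the loop body is outside the hunk) one of the two can never resolve. The other entries use the OpenID Connect claim name as the list entry, so the list should read `"given_name","family_name"` in place of `"firstName","lastName"`. Nothing visible in the hunk restricts the new `email` claim to clients that were granted an email scope; if that check lives in the caller a one-line comment here saying so would help, otherwise it is missing.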
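Review bot: The consent page now labels the app with whatever `client_id` the request carries, and `logo_uri`/`client_uri` are likewise taken straight from `$_REQUEST`, so the name, icon and link a user sees when approving access are chosen by whoever built the redirect rather than by the registered client record. The storage layer touched in this same commit extends `\OAuth2\Storage\Pdo`, which can resolve a client by id (`getClientDetails()`), so the displayed metadata should come from that lookup, with the request values used only for the unregistered-client case if that is intended. Whether `oauth_authorize.tpl` escapes these values is not visible here and should be confirmed, since `logo_uri` lands in an image source and `client_uri` in a link.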
@@ -12,7 +12,13 @@ function api_login(&$a){
 require_once('include/oauth.php');
+
+ if(array_key_exists('REDIRECT_REMOTE_USER',$_SERVER) && (! array_key_exists('HTTP_AUTHORIZATION',$_SERVER))) {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER'];
+ }
+
 // login with oauth
+
 try {
 // OAuth 2.0
 $storage = new \Zotlabs\Identity\OAuth2Storage(\DBA::$dba->db);
@@ -66,32 +72,27 @@ function api_login(&$a){
 logger($e->getMessage());
 }
- // workarounds for HTTP-auth in CGI mode
- foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+ if(array_key_exists('HTTP_AUTHORIZATION',$_SERVER)) {
 /* Basic authentication */
- if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,5) === 'Basic') {
- $userpass = @base64_decode(substr(trim($_SERVER[$head]),6)) ;
+ if (substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,5) === 'Basic') {
+ $userpass = @base64_decode(substr(trim($_SERVER['HTTP_AUTHORIZATION']),6)) ;
 if(strlen($userpass)) {
 list($name, $password) = explode(':', $userpass);
 $_SERVER['PHP_AUTH_USER'] = $name;
 $_SERVER['PHP_AUTH_PW'] = $password;
 }
- break;
 }
- /* Signature authentication */
+ /* OpenWebAuth */
- if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+ if(substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,9) === 'Signature') {
- if($head !== 'HTTP_AUTHORIZATION') {
- $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
- continue;
- }
+ $record = null;
- $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+ $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']);
 if($sigblock) {
 $keyId = str_replace('acct:','',$sigblock['keyId']);
 if($keyId) {
@@ -108,16 +109,7 @@ function api_login(&$a){
 $record = [ 'channel' => $c, 'account' => $a[0] ];
 $channel_login = $c['channel_id'];
 }
- else {
- continue;
- }
 }
- else {
- continue;
- }
- }
- else {
- continue;
 }
 if($record) {
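Review bot: The new `REDIRECT_REMOTE_USER` fallback carries no comment, and the commit deletes the `// workarounds for HTTP-auth in CGI mode` note that used to explain the same thing in the next hunk, so the reason should travel with the code, e.g. `// CGI/FastCGI setups drop the Authorization header; a rewrite rule can re-expose it as REDIRECT_REMOTE_USER`. Only filling `HTTP_AUTHORIZATION` when it is absent is the right precedence and is worth stating in that comment too. api_login continues outside the hunk on both sides.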
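Review bot: Inside the new `Basic` branch, `list($name, $password) = explode(':', $userpass);` still splits on every colon, so a password containing `:` is truncated to its first segment and a credential with no colon leaves `$password` unset with a notice; `explode(':', $userpass, 2)` keeps everything after the first colon, which is the RFC 7617 split. The `@base64_decode(...)` suppression can go in favour of `base64_decode(substr(trim($_SERVER['HTTP_AUTHORIZATION']),6), true)`, which returns false on malformed input instead of decoding a best effort that `strlen()` then accepts. The scheme comparison is case-sensitive, so `basic` is rejected; acceptable if only this project's own clients are expected, but worth a comment. The enclosing function continues past the hunk.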
@@ -125,7 +117,6 @@ function api_login(&$a){
 if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
 $record = null;
 }
- break;
 }
 }
 }
@@ -137,7 +128,7 @@ function api_login(&$a){
 // process normal login request
- if(isset($_SERVER['PHP_AUTH_USER'])) {
+ if(isset($_SERVER['PHP_AUTH_USER']) && (! $record)) {
 $channel_login = 0;
 $record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
 if($record && $record['channel']) {
diff --git a/library/certs/lets-encrypt-x3-cross-signed.pem b/library/certs/lets-encrypt-x3-cross-signed.pem
index 0002462ce..6e5176f1e 100644
--- a/library/certs/lets-encrypt-x3-cross-signed.pem
+++ b/library/certs/lets-encrypt-x3-cross-signed.pem
@@ -25,3 +25,31 @@ X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
 PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
 -----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
--
cgit v1.2.3
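Review bot: The appended certificate looks like a duplicate of the one already in the file: its closing lines (`X4Po1QYz…`, `PfZ+G6Z6…`, `KOqkqm57…`) are byte-identical to the lines shown as context before the insertion, and since the tail of a DER certificate is its signature value, matching tails mean the same certificate rather than a renewed or second cross-signed chain. If the intent was to add a newer intermediate, the wrong PEM block appears to have been pasted; if not, the duplicate should be dropped so the bundle holds each trust anchor once. This can be confirmed by comparing the fingerprints of the two blocks before merging.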