From e6c861480138ba871907ed6994d0fb840fd0e77f Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Thu, 14 Jul 2016 19:24:15 -0700
Subject: first cut at zot access tokens

---
 include/auth.php     | 76 +++++++++++++++++++++++++++++++++++-----------------
 include/security.php | 33 +++++++++++++++++++++++
 2 files changed, 85 insertions(+), 24 deletions(-)

diff --git a/include/auth.php b/include/auth.php
index 01fcf0094..79d04c728 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -36,22 +36,33 @@ function account_verify_password($email, $pass) {
 	// you have to verify the email and then go through the account approval workflow before
 	// letting them login.
 
-	if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
-		return null;
+	// @bug there is no record here
+	//if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
+	//	return null;
 
 	$r = q("select * from account where account_email = '%s'",
 		dbesc($email)
 	);
-	if(! ($r && count($r)))
-		return null;
-
-	foreach($r as $record) {
-		if(($record['account_flags'] == ACCOUNT_OK)
-			&& (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
-			logger('password verified for ' . $email);
-			return $record;
+	if($r) {
+
+		foreach($r as $record) {
+			if(($record['account_flags'] == ACCOUNT_OK)
+				&& (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
+				logger('password verified for ' . $email);
+				return $record;
+			}
 		}
 	}
+
+	$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
+		dbesc($email),
+		dbesc($pass)
+	);
+	if($x) {
+		atoken_login($x[0]);		
+		return $x[0];
+	}
+
 	$error = 'password failed for ' . $email;
 	logger($error);
 
@@ -123,10 +134,18 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 				authenticate_success($x[0], true, true);
 			}
 		}
-
-		$r = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where xchan_hash = '%s' limit 1",
-			dbesc($_SESSION['visitor_id'])
-		);
+		if(array_key_exists('atoken',$_SESSION)) {
+			$y = q("select * from atoken where atoken_id = %d limit 1",
+				intval($_SESSION['atoken'])
+			);
+			if($y)
+				$r = array(atoken_xchan($y[0]));
+		}
+		else {
+			$r = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where xchan_hash = '%s' limit 1",
+				dbesc($_SESSION['visitor_id'])
+			);
+		}
 		if($r) {
 			App::set_observer($r[0]);
 		}
@@ -199,20 +218,27 @@ else {
 
 		call_hooks('authenticate', $addon_auth);
 
+		$atoken = false;
+
 		if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
 			$record = $addon_auth['user_record'];
 		}
 		else {
-			$record = App::$account = account_verify_password($_POST['username'], $_POST['password']);
-
-			if(App::$account) {
-				$_SESSION['account_id'] = App::$account['account_id'];
-			}
-			else {
-				notice( t('Failed authentication') . EOL);
+			$x = account_verify_password($_POST['username'], $_POST['password']);
+			if(array_key_exists('atoken',$x))
+				$atoken = true;
+			if(! $atoken) {
+				$record = App::$account = $x;
+
+				if(App::$account) {
+					$_SESSION['account_id'] = App::$account['account_id'];
+				}
+				else {
+					notice( t('Failed authentication') . EOL);
+				}
+
+				logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
 			}
-
-			logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
 		}
 
 		if((! $record) || (! count($record))) {
@@ -252,7 +278,8 @@ else {
 		// if we haven't failed up this point, log them in.
 
 		$_SESSION['last_login_date'] = datetime_convert();
-		authenticate_success($record, true, true);
+		if(! $atoken)
+			authenticate_success($record, true, true);
 	}
 }
 
@@ -270,6 +297,7 @@ else {
  * @return int|bool
  *  Return channel_id from pconfig or false.
  */
+
 function match_openid($authid) {
 	// Query the uid/channel_id from pconfig for a given value.
 	$r = q("SELECT uid FROM pconfig WHERE cat = 'system' AND k = 'openid' AND v = '%s' LIMIT 1",
diff --git a/include/security.php b/include/security.php
index 212690d91..55e9d906f 100644
--- a/include/security.php
+++ b/include/security.php
@@ -82,6 +82,39 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 	/* else just return */
 }
 
+function atoken_login($atoken) {
+	if(! $atoken)
+		return false;
+
+	$xchan = atoken_xchan($atoken);
+
+	$_SESSION['authenticated'] = 1;
+	$_SESSION['visitor_id'] = $xchan['xchan_hash'];
+	$_SESSION['atoken'] = $atoken['atoken_id'];
+
+	\App::set_observer($xchan);
+
+	return [ 'atoken' => true ];
+}
+
+
+function atoken_xchan($atoken) {
+
+	return [ 
+		'xchan_hash' =>  $atoken['atoken_uid'] . '.' . $atoken['atoken_name'],
+		'xchan_network' => 'unknown',
+		'xchan_hidden' => 1,
+		'xchan_photo_mimetype' => 'image/jpeg',
+		'xchan_photo_l' => get_default_profile_photo(300),
+		'xchan_photo_m' => get_default_profile_photo(80),
+		'xchan_photo_s' => get_default_profile_photo(48)
+
+	];
+
+}
+
+
+
 /**
  * @brief Change to another channel with current logged-in account.
  *
-- 
cgit v1.2.3