From 5abcb8c97813d66b63ca697ca626347a9fd8d95c Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Wed, 29 Nov 2017 13:51:54 -0800
Subject: use httpsig auth for getfile

---
 Zotlabs/Module/Getfile.php | 57 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 11 deletions(-)

(limited to 'Zotlabs/Module/Getfile.php')

diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
index 413a68e0c..3f84b4050 100644
--- a/Zotlabs/Module/Getfile.php
+++ b/Zotlabs/Module/Getfile.php
@@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller {
 
 	function post() {
 
-		logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
-	
+		$header_verification = false;
+
 		$hash     = $_POST['hash'];
 		$time     = $_POST['time'];
 		$sig      = $_POST['signature'];
 		$resource = $_POST['resource'];
 		$revision = intval($_POST['revision']);
 		$resolution = (-1);
-	
+
 		if(! $hash)
 			killme();
+
+		foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+			if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+				if($head !== 'HTTP_AUTHORIZATION') {
+					$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
+					continue;
+				}
+
+				$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+				if($sigblock) {
+					$keyId = $sigblock['keyId'];
+
+					if($keyId) {
+						$r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash 
+							where hubloc_addr = '%s' limit 1",
+							dbesc(str_replace('acct:','',$keyId))
+						);
+						if($r) {
+							$hubloc = $r[0];
+							$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);	
+							if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
+								$header_verified = true;
+							}
+						}
+					}
+				}
+			}
+		}
+
+
+		logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
+		if($header_verified) {
+				logger('HTTPSig verified');
+		}	
 	
 		$channel = channelx_by_hash($hash);
 
@@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller {
 		$d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
 		$d2 = datetime_convert('UTC','UTC',"now - $slop minutes");	
 	
-		if(($time > $d1) || ($time < $d2)) {
-			logger('time outside allowable range');
-			killme();
-		}
+		if(! $header_verified) {
+			if(($time > $d1) || ($time < $d2)) {
+				logger('time outside allowable range');
+				killme();
+			}
 	
-		if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
-			logger('verify failed.');
-			killme();
+			if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+				logger('verify failed.');
+				killme();
+			}
 		}
-		
 
 		if($resolution > 0) {
 			$r = q("select * from photo where resource_id = '%s' and uid = %d limit 1",
-- 
cgit v1.2.3