From fc62f07a089daf698953e6e4197668fbf8aebef9 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sun, 3 Sep 2017 23:50:18 -0700 Subject: validate the security context --- Zotlabs/Module/Magic.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 9ee5f9324..bf3198067 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -133,10 +133,10 @@ class Magic extends \Zotlabs\Web\Controller { $channel = \App::get_channel(); $token = random_string(); - $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); +// $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); - $channel['token'] = $token; - $channel['token_sig'] = $token_sig; +// $channel['token'] = $token; +// $channel['token_sig'] = $token_sig; \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); -- cgit v1.2.3 From 61f339a874784d3181f4c884bab9994ec9200f50 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 17:56:02 -0700 Subject: owa - first commit --- Zotlabs/Module/Magic.php | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index bf3198067..0eb2f27a1 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -17,6 +17,7 @@ class Magic extends \Zotlabs\Web\Controller { $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); + $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); $parsed = parse_url($dest); 
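Review bot: In the `@@ -133,10 +133,10 @@` hunk of "validate the security context", the three statements that set `$token_sig`, `$channel['token']` and `$channel['token_sig']` are disabled by commenting them out at column 0, and nothing says why. Either delete the lines, or keep a single comment that states why the signed token is no longer attached to `$channel`. `$token` is still generated and passed to `\Zotlabs\Zot\Verify::create()`, so that part of the flow is unchanged. The enclosing method starts and ends outside the hunk, so any remaining readers of `$channel['token_sig']` cannot be checked from here.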
@@ -132,12 +133,41 @@ class Magic extends \Zotlabs\Web\Controller { if(local_channel()) { $channel = \App::get_channel(); + // OpenWebAuth + + if($owa) { + + $headers = []; + $headers['Accept'] = 'application/x-zot+json' ; + $headers['X-Open-Web-Auth'] = random_string(); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], + 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); + + $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + if($x['success']) { + $j = json_decode($x['body'],true); + if($j['success'] && $j['token']) { + $x = strpbrk($dest,'?&'); + $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : ''); + goaway($dest . $args); + } + } + goaway($dest); + } + + $token = random_string(); + // $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); - // $channel['token'] = $token; // $channel['token_sig'] = $token_sig; + + + + + + \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel)) -- cgit v1.2.3 From f09fe8da7814a64e653700b4fe04f165edd90045 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 18:14:04 -0700 Subject: add logging --- Zotlabs/Module/Magic.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 0eb2f27a1..3fe0e1e35 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -144,6 +144,9 @@ class Magic extends \Zotlabs\Web\Controller { 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + + logger('owtfetch: ' . print_r($x,true)); + if($x['success']) { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { -- cgit v1.2.3 
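Review bot: In the new `if($owa)` block of "owa - first commit", `'&owt=' . $token` reads `$token` before it is assigned, because `$token = random_string();` only comes after the block. The redirect therefore carries an empty `owt`, and the value the remote returned in `$j['token']` is never used. The same block reassigns `$x` to `strpbrk($dest,'?&')`, overwriting the fetch result; a separate name such as `$has_query` would keep the two apart. `json_decode()` returns null on a malformed body, so guard with `if(is_array($j) && ! empty($j['success']) && ! empty($j['token']))` before indexing. `$basepath` and `$redirects` are defined outside the hunk, so how the signed fetch target is derived from the request-supplied `dest` cannot be confirmed here.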
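Review bot: The added `logger('owtfetch: ' . print_r($x,true));` in "add logging" writes the whole fetch result to the log at the default level, and on success `$x['body']` contains the `token` that is later handed to the browser as `owt`. Anyone with read access to the log could presumably reuse that value while it remains valid. Restrict the dump to the data level, `logger('owtfetch: ' . print_r($x,true), LOGGER_DATA);`, or log only `$x['success']` and the return code. The enclosing `if($owa)` block begins outside this hunk.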
From 7e9162ef06b4719723941679e55af079421ae475 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 18:19:49 -0700 Subject: there's the problem --- Zotlabs/Module/Magic.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 3fe0e1e35..342c11eb9 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -151,7 +151,7 @@ class Magic extends \Zotlabs\Web\Controller { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { $x = strpbrk($dest,'?&'); - $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : ''); + $args = (($x) ? '&owt=' . $j['token'] : '?f=&owt=' . $j['token']) . (($delegate) ? '&delegate=1' : ''); goaway($dest . $args); } } -- cgit v1.2.3 From e2e7bee3cca6f2ffc88aee9c94066e117e7a682b Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 9 Sep 2017 13:34:57 -0700 Subject: owa cleanup --- Zotlabs/Module/Magic.php | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 342c11eb9..d1550ec89 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -142,11 +142,8 @@ class Magic extends \Zotlabs\Web\Controller { $headers['X-Open-Web-Auth'] = random_string(); $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); - $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); - logger('owtfetch: ' . print_r($x,true)); - if($x['success']) { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { 
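Review bot: The replacement line in "there's the problem" concatenates `$j['token']` into the redirect URL without encoding, although the value comes from the remote server's JSON response. Any `&`, `#` or whitespace in it would change the query string handed to `goaway()`. Encode it once and reuse it: `$owt = urlencode($j['token']);` followed by `$args = (($x) ? '&owt=' . $owt : '?f=&owt=' . $owt) . (($delegate) ? '&delegate=1' : '');`. Checking `is_string($j['token'])` first would also avoid an array-to-string conversion if the remote sends a non-scalar. The surrounding `if($x['success'])` starts outside the hunk.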
@@ -161,16 +158,6 @@ class Magic extends \Zotlabs\Web\Controller { $token = random_string(); -// $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); -// $channel['token'] = $token; -// $channel['token_sig'] = $token_sig; - - - - - - - \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel)) -- cgit v1.2.3 From 15b9a67c01964b83ac724945fe416dd35f66e914 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 4 Oct 2017 18:51:37 -0700 Subject: redirect loop with rmagic and owa --- Zotlabs/Module/Magic.php | 1 + 1 file changed, 1 insertion(+) (limited to 'Zotlabs/Module/Magic.php') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index d1550ec89..879085f96 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -149,6 +149,7 @@ class Magic extends \Zotlabs\Web\Controller { if($j['success'] && $j['token']) { $x = strpbrk($dest,'?&'); $args = (($x) ? '&owt=' . $j['token'] : '?f=&owt=' . $j['token']) . (($delegate) ? '&delegate=1' : ''); + goaway($dest . $args); } } -- cgit v1.2.3