From 3f784a974a1ccc15f69865f8015b0c36fd7bc1d7 Mon Sep 17 00:00:00 2001
From: Mario Vavti <mario@mariovavti.com>
Date: Sat, 26 Sep 2020 15:05:16 +0200
Subject: deprecate \Zotlabs\Zot\Finger where apropriate

---
 Zotlabs/Module/Magic.php | 237 ++++++++++++++++-------------------------------
 1 file changed, 78 insertions(+), 159 deletions(-)

(limited to 'Zotlabs/Module/Magic.php')

diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index 6ac656a04..b4372e26d 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -1,214 +1,133 @@
 <?php
 namespace Zotlabs\Module;
 
+use App;
+use Zotlabs\Web\Controller;
 use Zotlabs\Web\HTTPSig;
+use Zotlabs\Lib\Libzot;
+use Zotlabs\Lib\SConfig;
 
-@require_once('include/zot.php');
-
-
-class Magic extends \Zotlabs\Web\Controller {
+class Magic extends Controller {
 
 	function init() {
+
+		$ret =  [
+			'success' => false,
+			'url'     => '',
+			'message' => ''
+		];
 	
-		$ret = array('success' => false, 'url' => '', 'message' => '');
 		logger('mod_magic: invoked', LOGGER_DEBUG);
-	
-		logger('mod_magic: args: ' . print_r($_REQUEST,true),LOGGER_DATA);
-	
-		$addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : '');
-		$bdest = ((x($_REQUEST,'bdest')) ? $_REQUEST['bdest'] : '');
-		$dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : '');
-		$test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0);
-		$rev  = ((x($_REQUEST,'rev'))  ? intval($_REQUEST['rev'])  : 0);
-		$owa  = ((x($_REQUEST,'owa'))  ? intval($_REQUEST['owa'])  : 0);
-		$delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate']  : '');
-
-		if($bdest)
+
+		logger('args: ' . print_r($_REQUEST,true),LOGGER_DATA);
+
+		$addr     = ((x($_REQUEST,'addr'))     ? $_REQUEST['addr']         : '');
+		$bdest    = ((x($_REQUEST,'bdest'))    ? $_REQUEST['bdest']        : '');
+		$dest     = ((x($_REQUEST,'dest'))     ? $_REQUEST['dest']         : '');
+		$rev      = ((x($_REQUEST,'rev'))      ? intval($_REQUEST['rev'])  : 0);
+		$owa      = ((x($_REQUEST,'owa'))      ? intval($_REQUEST['owa'])  : 0);
+		$delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate']     : '');
+
+		// bdest is preferred as it is hex-encoded and can survive url rewrite and argument parsing
+
+		if ($bdest) {
 			$dest = hex2bin($bdest);
+		}
 
 		$parsed = parse_url($dest);
-		if(! $parsed) {
-			if($test) {
-				$ret['message'] .= 'could not parse ' . $dest . EOL;
-				return($ret);
-			}
+
+		if (! $parsed) {
 			goaway($dest);
 		}
-	
+
 		$basepath = $parsed['scheme'] . '://' . $parsed['host'] . (($parsed['port']) ? ':' . $parsed['port'] : ''); 
-	
-		$x = q("select * from hubloc where hubloc_url = '%s' order by hubloc_connected desc limit 1",
-			dbesc($basepath)
-		);
-		
-		if(! $x) {
-	
-			/*
-			 * We have no records for, or prior communications with this hub. 
-			 * If an address was supplied, let's finger them to create a hub record. 
-			 * Otherwise we'll use the special address '[system]' which will return
-			 * either a system channel or the first available normal channel. We don't
-			 * really care about what channel is returned - we need the hub information 
-			 * from that response so that we can create signed auth packets destined 
-			 * for that hub.
-			 *
-			 */
-	
-			$j = \Zotlabs\Zot\Finger::run((($addr) ? $addr : '[system]@' . $parsed['host']),null);
-			if($j['success']) {
-				import_xchan($j);
-	
-				// Now try again
-	
-				$x = q("select * from hubloc where hubloc_url = '%s' order by hubloc_connected desc limit 1",
-					dbesc($basepath)
-				);
-			}
-		}
-	
-		if(! $x) {
-			if($rev)
-				goaway($dest);
-			else {
-				logger('mod_magic: no channels found for requested hub.' . print_r($_REQUEST,true));
-				if($test) {
-					$ret['message'] .= 'This site has no previous connections with ' . $basepath . EOL;
-					return $ret;
-				} 
-				notice( t('Hub not found.') . EOL);
-				return;
-			}
-		}
-	
+		$owapath = SConfig::get($basepath,'system','openwebauth', $basepath . '/owa');
+
 		// This is ready-made for a plugin that provides a blacklist or "ask me" before blindly authenticating. 
 		// By default, we'll proceed without asking.
-	
-		$arr = array(
-			'channel_id' => local_channel(),
-			'xchan' => $x[0],
+
+		$arr = [
+			'channel_id'  => local_channel(),
 			'destination' => $dest, 
-			'proceed' => true
-		);
-	
+			'proceed'     => true
+		];
+
 		call_hooks('magic_auth',$arr);
 		$dest = $arr['destination'];
-		if(! $arr['proceed']) {
-			if($test) {
-				$ret['message'] .= 'cancelled by plugin.' . EOL;
-				return $ret;
-			}
+		if (! $arr['proceed']) {
 			goaway($dest);
 		}
-	
-		if((get_observer_hash()) && ($x[0]['hubloc_url'] === z_root())) {
+
+		if((get_observer_hash()) && (stripos($dest,z_root()) === 0)) {
+
 			// We are already authenticated on this site and a registered observer.
-			// Just redirect.
-			if($test) {
-				$ret['success'] = true;
-				$ret['message'] .= 'Local site - you are already authenticated.' . EOL;
-				return $ret;
-			}
-	
-			$delegation_success = false;
-			if($delegate) {
+			// First check if this is a delegate request on the local system and process accordingly.
+			// Otherwise redirect.
+
+			if ($delegate) {
+
 				$r = q("select * from channel left join hubloc on channel_hash = hubloc_hash where hubloc_addr = '%s' limit 1",
 					dbesc($delegate)
 				);
-	
-				if($r && intval($r[0]['channel_id'])) {
-					$allowed = perm_is_allowed($r[0]['channel_id'],get_observer_hash(),'delegate');
-					if($allowed) {
+
+				if ($r) {
+					$c = array_shift($r);
+					if (perm_is_allowed($c['channel_id'],get_observer_hash(),'delegate')) {
 						$tmp = $_SESSION;
-						$_SESSION['delegate_push'] = $tmp;
-						$_SESSION['delegate_channel'] = $r[0]['channel_id'];
-						$_SESSION['delegate'] = get_observer_hash();
-						$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
-						change_channel($r[0]['channel_id']);
-	
-						$delegation_success = true;
+						$_SESSION['delegate_push']    = $tmp;
+						$_SESSION['delegate_channel'] = $c['channel_id'];
+						$_SESSION['delegate']         = get_observer_hash();
+						$_SESSION['account_id']       = intval($c['channel_account_id']);
+
+						change_channel($c['channel_id']);
 					}
 				}
 			}
-				
-	
-	
-			// FIXME: check and honour local delegation
-	
-	
+
 			goaway($dest);
 		}
-	
-		if(local_channel()) {
-			$channel = \App::get_channel();
-	
+
+		if (local_channel()) {
+			$channel = App::get_channel();
+
 			// OpenWebAuth
 
-			if($owa) {
+			if ($owa) {
 
 				$dest = strip_zids($dest);
 				$dest = strip_query_param($dest,'f');
 
+				// We now post to the OWA endpoint. This improves security by providing a signed digest
+
 				$data = json_encode([ 'OpenWebAuth' => random_string() ]);
 
 				$headers = [];
 				$headers['Accept'] = 'application/x-zot+json' ;
+				$headers['Content-Type'] = 'application/x-zot+json' ;
 				$headers['X-Open-Web-Auth'] = random_string();
-				$headers['Host'] = $parsed['host'];
 				$headers['Digest'] = HTTPSig::generate_digest_header($data);
+				$headers['Host'] = $parsed['host'];
+				$headers['(request-target)'] = 'post ' . '/owa';
 
-				$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'], 'acct:' . channel_reddress($channel),true,'sha512');
-				$x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]);
-
-				if($x['success']) {
+				$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'], channel_url($channel),true,'sha512');
+				$x = z_post_url($owapath,$data,$redirects,[ 'headers' => $headers ]);
+				logger('owa fetch returned: ' . print_r($x,true),LOGGER_DATA);
+				if ($x['success']) {
 					$j = json_decode($x['body'],true);
-					if($j['success']) {
+					if ($j['success'] && $j['encrypted_token']) {
+						// decrypt the token using our private key
 						$token = '';
-						if($j['encrypted_token']) {
-							openssl_private_decrypt(base64url_decode($j['encrypted_token']),$token,$channel['channel_prvkey']);
-						}
-						else {
-							$token = $j['token'];
-						}
-						
-						$strp = strpbrk($dest,'?&');
-						$args = (($strp) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : '');
+						openssl_private_decrypt(base64url_decode($j['encrypted_token']),$token,$channel['channel_prvkey']);
+						$x = strpbrk($dest,'?&');
+						// redirect using the encrypted token which will be exchanged for an authenticated session
+						$args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : '');
 						goaway($dest . $args);
 					}
 				}
-				goaway($dest);
-			}
-
-
-			$token = random_string();
-
-			\Zotlabs\Lib\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
-	
-			$target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel))
-				. '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION;
-	
-			if($delegate)
-				$target_url .= '&delegate=' . urlencode($delegate);
-	
-			logger('mod_magic: redirecting to: ' . $target_url, LOGGER_DEBUG); 
-	
-			if($test) {
-				$ret['success'] = true;
-				$ret['url'] = $target_url;
-				$ret['message'] = 'token ' . $token . ' created for channel ' . $channel['channel_id'] . ' for url ' . $x[0]['hubloc_url'] . EOL;
-				return $ret;
 			}
-	
-			goaway($target_url);
-				
 		}
-	
-		if($test) {
-			$ret['message'] = 'Not authenticated or invalid arguments to mod_magic' . EOL;
-			return $ret;
-		}
-	
+
 		goaway($dest);
-	
 	}
-	
+
 }
-- 
cgit v1.2.3