From b5cea3301d22185e7278a87176901e82419dafbb Mon Sep 17 00:00:00 2001 From: Mario Date: Sat, 2 Oct 2021 12:28:13 +0000 Subject: cleanup api_auth and make it fetch the identity if we do not have it cached yet --- include/api_auth.php | 99 +++++++++++++++++++++++++++++----------------------- 1 file changed, 56 insertions(+), 43 deletions(-) (limited to 'include/api_auth.php') diff --git a/include/api_auth.php b/include/api_auth.php index 4928e6a85..0395dae7a 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -1,19 +1,24 @@ db); - $server = new \Zotlabs\Identity\OAuth2Server($storage); - $request = \OAuth2\Request::createFromGlobals(); + $storage = new OAuth2Storage(DBA::$dba->db); + $server = new OAuth2Server($storage); + $request = Request::createFromGlobals(); if ($server->verifyResourceRequest($request)) { $token = $server->getAccessTokenData($request); - $uid = $token['user_id']; - $r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1", + $uid = $token['user_id']; + $r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1", intval($uid) ); if (count($r)) { $record = $r[0]; - } else { + } + else { header('HTTP/1.0 401 Unauthorized'); echo('This api requires login'); killme(); } - $_SESSION['uid'] = $record['channel_id']; + $_SESSION['uid'] = $record['channel_id']; $_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; $x = q("select * from account where account_id = %d LIMIT 1", @@ -51,12 +57,13 @@ function api_login(&$a){ call_hooks('logged_in', App::$user); return; } - } else { + } + else { // OAuth 1.0 $oauth = new ZotOAuth1(); - $req = OAuth1Request::from_request(); + $req = OAuth1Request::from_request(); - list($consumer, $token) = $oauth->verify_request($req); + [$consumer, $token] = $oauth->verify_request($req); if (!is_null($token)) { $oauth->loginUser($token->uid); @@ -72,15 +79,14 @@ function api_login(&$a){ logger($e->getMessage()); } - - if(array_key_exists('HTTP_AUTHORIZATION',$_SERVER)) { + if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER)) { /* Basic authentication */ - if (substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,5) === 'Basic') { - $userpass = @base64_decode(substr(trim($_SERVER['HTTP_AUTHORIZATION']),6)) ; - if(strlen($userpass)) { - list($name, $password) = explode(':', $userpass); + if (substr(trim($_SERVER['HTTP_AUTHORIZATION']), 0, 5) === 'Basic') { + $userpass = @base64_decode(substr(trim($_SERVER['HTTP_AUTHORIZATION']), 6)); + if (strlen($userpass)) { + [$name, $password] = explode(':', $userpass); $_SERVER['PHP_AUTH_USER'] = $name; $_SERVER['PHP_AUTH_PW'] = $password; } @@ -88,34 +94,42 @@ function api_login(&$a){ /* OpenWebAuth */ - if(substr(trim($_SERVER['HTTP_AUTHORIZATION']),0,9) === 'Signature') { + if (substr(trim($_SERVER['HTTP_AUTHORIZATION']), 0, 9) === 'Signature') { $record = null; - $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']); - if($sigblock) { - $keyId = str_replace('acct:','',$sigblock['keyId']); - if($keyId) { - $r = q("select * from hubloc where ( hubloc_addr = '%s' or hubloc_id_url = '%s' ) limit 1", + $sigblock = HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']); + if ($sigblock) { + $keyId = str_replace('acct:', '', $sigblock['keyId']); + if ($keyId) { + $r = q("select * from hubloc where hubloc_addr = '%s' or hubloc_id_url = '%s'", dbesc($keyId), dbesc($keyId) ); - if($r) { - $c = channelx_by_hash($r[0]['hubloc_hash']); - if($c) { + if (!$r) { + HTTPSig::get_zotfinger_key($keyId); + $r = q("select * from hubloc where hubloc_addr = '%s' or hubloc_id_url = '%s'", + dbesc($keyId), + dbesc($keyId) + ); + } + if ($r) { + $r = Libzot::zot_record_preferred($r); + $c = channelx_by_hash($r['hubloc_hash']); + if ($c) { $a = q("select * from account where account_id = %d limit 1", intval($c['channel_account_id']) ); - if($a) { - $record = [ 'channel' => $c, 'account' => $a[0] ]; + if ($a) { + $record = ['channel' => $c, 'account' => $a[0]]; $channel_login = $c['channel_id']; } } } - if($record) { - $verified = \Zotlabs\Web\HTTPSig::verify('',$record['channel']['channel_pubkey']); - if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) { + if ($record) { + $verified = HTTPSig::verify('', $record['channel']['channel_pubkey']); + if (!($verified && $verified['header_signed'] && $verified['header_valid'])) { $record = null; } } @@ -129,18 +143,18 @@ function api_login(&$a){ // process normal login request - if(isset($_SERVER['PHP_AUTH_USER']) && (! $record)) { + if (isset($_SERVER['PHP_AUTH_USER']) && (!$record)) { $channel_login = 0; - $record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); - if($record && $record['channel']) { + $record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); + if ($record && $record['channel']) { $channel_login = $record['channel']['channel_id']; } } - if($record['account']) { + if ($record['account']) { authenticate_success($record['account']); - if($channel_login) + if ($channel_login) change_channel($channel_login); $_SESSION['allow_api'] = true; @@ -148,16 +162,15 @@ function api_login(&$a){ } else { $_SERVER['PHP_AUTH_PW'] = '*****'; - logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG); + logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG); log_failed_login('API login failure'); retry_basic_auth(); } } - function retry_basic_auth($method = 'Basic') { - header('WWW-Authenticate: ' . $method . ' realm="Hubzilla"'); + header('WWW-Authenticate: ' . $method . ' realm="' . System::get_platform_name() . '"'); header('HTTP/1.0 401 Unauthorized'); echo('This api requires login'); killme(); -- cgit v1.2.3