From 3c8f8b76aa35eed1e612cb20537b8648bef3daca Mon Sep 17 00:00:00 2001
From: Zot <mike@macgirvin.com>
Date: Thu, 25 Apr 2019 11:54:37 +0200
Subject: hubloc confusion in magic auth

---
 include/channel.php | 11 +++++++----
 include/zid.php     | 48 +++++++++++++++++++++++++++++++-----------------
 include/zot.php     | 22 ++++++++++++++++++++++
 3 files changed, 60 insertions(+), 21 deletions(-)

(limited to 'include')

diff --git a/include/channel.php b/include/channel.php
index 654bbdb05..47a7b5a0e 100644
--- a/include/channel.php
+++ b/include/channel.php
@@ -1812,13 +1812,16 @@ function zid_init() {
 		call_hooks('zid_init', $arr);
 
 		if(! local_channel()) {
-			$r = q("select * from hubloc where hubloc_addr = '%s' order by hubloc_connected desc limit 1",
+			$r = q("select * from hubloc where hubloc_addr = '%s' order by hubloc_connected desc",
 				dbesc($tmp_str)
 			);
 			if(! $r) {
 				Master::Summon(array('Gprobe',bin2hex($tmp_str)));
 			}
-			if($r && remote_channel() && remote_channel() === $r[0]['hubloc_hash'])
+			if($r) {
+				$r = zot_record_preferred($r);
+			}
+			if($r && remote_channel() && remote_channel() === $r['hubloc_hash'])
 				return;
 
 			logger('Not authenticated. Invoking reverse magic-auth for ' . $tmp_str);
@@ -1826,8 +1829,8 @@ function zid_init() {
 			$query = App::$query_string;
 			$query = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$query);
 			$dest = '/' . $query;
-			if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) {
-				goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&bdest=' . bin2hex(z_root() . $dest));
+			if($r && ($r['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) {
+				goaway($r['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&bdest=' . bin2hex(z_root() . $dest));
 			}
 			else
 				logger('No hubloc found.');
diff --git a/include/zid.php b/include/zid.php
index 0b12689ef..ed79de76a 100644
--- a/include/zid.php
+++ b/include/zid.php
@@ -1,5 +1,6 @@
 <?php
 
+use Zotlabs\Lib\Verify;
 
 function is_matrix_url($url) {
 
@@ -270,34 +271,45 @@ function red_zrlify_img_callback($matches) {
  */
 function owt_init($token) {
 
-	\Zotlabs\Lib\Verify::purge('owt', '3 MINUTE');
+	Verify::purge('owt', '3 MINUTE');
 
-	$ob_hash = \Zotlabs\Lib\Verify::get_meta('owt', 0, $token);
+	$key = Verify::get_meta('owt', 0, $token);
 
-	if($ob_hash === false) {
+	if($key === false) {
+		return;
+	}
+
+	$parts = explode(',',$key,2);
+	if(count($parts) < 2) {
 		return;
 	}
 
 	$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
-		where hubloc_addr = '%s' order by hubloc_id desc",
-		dbesc($ob_hash)
+		where hubloc_network = '%s' and hubloc_addr = '%s' order by hubloc_id desc",
+		dbesc($parts[0]),
+		dbesc($parts[1])
 	);
 
 	if(! $r) {
+
 		// finger them if they can't be found.
-		$j = \Zotlabs\Zot\Finger::run($ob_hash, null);
+		// @todo check that this is still needed. Discovery should have been performed in the Owa module.
+		
+		$j = \Zotlabs\Zot\Finger::run($parts[1], null);
 		if ($j['success']) {
 			import_xchan($j);
 			$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
-				where hubloc_addr = '%s' order by hubloc_id desc",
-				dbesc($ob_hash)
+				where hubloc_network = '%s' and hubloc_addr = '%s' order by hubloc_id desc",
+				dbesc($parts[0]),
+				dbesc($parts[1])
 			);
 		}
 	}
 	if(! $r) {
-		logger('owt: unable to finger ' . $ob_hash);
+		logger('owt: unable to finger ' . $key);
 		return;
 	}
+	
 	$hubloc = $r[0];
 
 	$_SESSION['authenticated'] = 1;
@@ -324,7 +336,7 @@ function owt_init($token) {
 	if (! $delegate_success) {
 		// normal visitor (remote_channel) login session credentials
 		$_SESSION['visitor_id'] = $hubloc['xchan_hash'];
-		$_SESSION['my_url'] = $hubloc['xchan_url'];
+		$_SESSION['my_url']     = $hubloc['xchan_url'];
 		$_SESSION['my_address'] = $hubloc['hubloc_addr'];
 		$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
 		$_SESSION['DNT'] = 1;
@@ -332,7 +344,7 @@ function owt_init($token) {
 
 	$arr = [
 			'xchan' => $hubloc,
-			'url' => \App::$query_string,
+			'url' => App::$query_string,
 			'session' => $_SESSION
 	];
 	/**
@@ -344,11 +356,11 @@ function owt_init($token) {
 	 */
 	call_hooks('magic_auth_success', $arr);
 
-	\App::set_observer($hubloc);
+	App::set_observer($hubloc);
 	require_once('include/security.php');
-	\App::set_groups(init_groups_visitor($_SESSION['visitor_id']));
+	App::set_groups(init_groups_visitor($_SESSION['visitor_id']));
 	if(! get_config('system', 'hide_owa_greeting'))
-		info(sprintf( t('OpenWebAuth: %1$s welcomes %2$s'),\App::get_hostname(), $hubloc['xchan_name']));
+		info(sprintf( t('OpenWebAuth: %1$s welcomes %2$s'),App::get_hostname(), $hubloc['xchan_name']));
 
 	logger('OpenWebAuth: auth success from ' . $hubloc['xchan_addr']);
 }
@@ -384,7 +396,9 @@ function observer_auth($ob_hash) {
 		return;
 	}
 
-	$hubloc = $r[0];
+	// Note: this has no Libzot namespace so prefers zot over zot6
+	
+	$hubloc = zot_record_preferred($r);
 
 	$_SESSION['authenticated'] = 1;
 
@@ -395,8 +409,8 @@ function observer_auth($ob_hash) {
 	$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
 	$_SESSION['DNT'] = 1;
 
-	\App::set_observer($hubloc);
+	App::set_observer($hubloc);
 	require_once('include/security.php');
-	\App::set_groups(init_groups_visitor($_SESSION['visitor_id']));
+	App::set_groups(init_groups_visitor($_SESSION['visitor_id']));
 
 }
diff --git a/include/zot.php b/include/zot.php
index 9f2321bc4..983b73072 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -5286,3 +5286,25 @@ function zot_reply_notify($data) {
 	$ret['success'] = true;
 	json_return_and_die($ret);
 }
+
+
+function zot_record_preferred($arr, $check = 'hubloc_network') {
+
+	if(! $arr) {
+		return $arr;
+	}
+
+	foreach($arr as $v) {
+		if($v[$check] === 'zot') {
+			return $v;
+		}
+	}
+	foreach($arr as $v) {
+		if($v[$check] === 'zot6') {
+			return $v;
+		}
+	}
+
+	return $arr[0];
+
+}
-- 
cgit v1.2.3