From e411a4bdc27cd443abf613a0044effb4604223f0 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 14 Apr 2013 20:41:58 -0700 Subject: IMPORTANT: magic-auth protocol update, plus 'zrl' bbcode tag for the privacy-is-more-important-than-ease-of-use folks. --- mod/post.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'mod/post.php') diff --git a/mod/post.php b/mod/post.php index 5b002eb36..5919ed2b4 100644 --- a/mod/post.php +++ b/mod/post.php @@ -96,6 +96,13 @@ function post_init(&$a) { } if($already_authed || $j['success']) { + if($j['success']) { + // legit response, but we do need to check that this wasn't answered by a man-in-middle + if(! rsa_verify($sec . $x[0]['xchan_hash'],base64url_decode($j['confirm']),$x[0]['xchan_pubkey'])) { + logger('mod_zot: auth: final confirmation failed.'); + goaway($desturl); + } + } // everything is good... maybe if(local_user()) { @@ -386,7 +393,7 @@ function post_post(&$a) { $arr = $data['recipients'][0]; $recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); - $c = q("select channel_id from channel where channel_hash = '%s' limit 1", + $c = q("select channel_id, channel_prvkey from channel where channel_hash = '%s' limit 1", dbesc($recip_hash) ); if(! $c) { @@ -394,6 +401,8 @@ function post_post(&$a) { json_return_and_die($ret); } + $confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey'])); + // This additionally checks for forged senders since we already stored the expected result in meta // and we've already verified that this is them via zot_gethub() and that their key signed our token @@ -412,6 +421,7 @@ function post_post(&$a) { logger('mod_zot: auth_check: success', LOGGER_DEBUG); $ret['success'] = true; + $ret['confirm'] = $confirm; json_return_and_die($ret); } -- cgit v1.2.3