From fee65f0c691ebf61b67eead8d85bacd1c967f314 Mon Sep 17 00:00:00 2001 From: Waitman Gobble Date: Wed, 6 Sep 2017 16:12:57 -0500 Subject: [PATCH 01/25] fix bogus semicolon Line 655 should have comma instead of semicolon --- install/schema_mysql.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/schema_mysql.sql b/install/schema_mysql.sql index a9950ce21..0988bfa4a 100644 --- a/install/schema_mysql.sql +++ b/install/schema_mysql.sql @@ -652,7 +652,7 @@ CREATE TABLE IF NOT EXISTS `item` ( KEY `received` (`received`), KEY `uid_commented` (`uid`, `commented`), KEY `uid_created` (`uid`, `created`), - KEY `uid_item_unseen` (`uid`, `item_unseen`); + KEY `uid_item_unseen` (`uid`, `item_unseen`), KEY `aid` (`aid`), KEY `owner_xchan` (`owner_xchan`), KEY `author_xchan` (`author_xchan`), From ab9b82e77878e1c904d02ab931f8f6f8c0651a21 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 6 Sep 2017 16:44:10 -0700 Subject: [PATCH 02/25] ignore diaspora_meta column on item import. --- include/import.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/import.php b/include/import.php index 2199400af..4d38c8061 100644 --- a/include/import.php +++ b/include/import.php @@ -602,6 +602,11 @@ function import_items($channel, $items, $sync = false, $relocate = null) { if(! $item) continue; + // deprecated + + if(array_key_exists('diaspora_meta',$item)) + unset($item['diaspora_meta']); + if($relocate && $item['mid'] === $item['parent_mid']) { item_url_replace($channel,$item,$relocate['url'],z_root(),$relocate['channel_address']); } From 318643cf9a8b40fad98df58f6c262d6ae6a0c63b Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 6 Sep 2017 19:55:32 -0700 Subject: [PATCH 03/25] mastodon wraps oembed in an iframe - which we immediately purify our of existence and what we really want to purify is the content. So strip away the iframe, fetch the content and purify that instead. --- include/oembed.php | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/include/oembed.php b/include/oembed.php index 460e0244e..f662d84c7 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -225,6 +225,17 @@ function oembed_fetch_url($embedurl){ if($j['html']) { $orig = $j['html']; $allow_position = (($is_matrix) ? true : false); + + // some sites wrap their entire embed in an iframe + // which we will purify away and which we provide anyway. + // So if we see this, grab the frame src url and use that + // as the embed content - which will still need to be purified. + + if(preg_match('# Date: Wed, 6 Sep 2017 20:07:53 -0700 Subject: [PATCH 04/25] use array_key_exists() instead of x() in this case as the latter fails on an array that's empty and we unconditionally need to encode the array even if empty --- include/items.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/items.php b/include/items.php index d10d43687..f286015fe 100755 --- a/include/items.php +++ b/include/items.php @@ -2004,17 +2004,17 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) { $arr = $translate['item']; } - if((x($arr,'obj')) && is_array($arr['obj'])) { + if((array_key_exists('obj',$arr)) && is_array($arr['obj'])) { activity_sanitise($arr['obj']); $arr['obj'] = json_encode($arr['obj']); } - if((x($arr,'target')) && is_array($arr['target'])) { + if((array_key_exists('target',$arr)) && is_array($arr['target'])) { activity_sanitise($arr['target']); $arr['target'] = json_encode($arr['target']); } - if((x($arr,'attach')) && is_array($arr['attach'])) { + if((array_key_exists('attach',$arr)) && is_array($arr['attach'])) { activity_sanitise($arr['attach']); $arr['attach'] = json_encode($arr['attach']); } From 607c4146349541565b82b86811c193b4f9da23fe Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 10:14:34 +0200 Subject: [PATCH 05/25] remove semicolon from update query - this is probably trivial --- install/update.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/install/update.php b/install/update.php index b99e4dd9d..ce9a50913 100644 --- a/install/update.php +++ b/install/update.php @@ -2985,7 +2985,7 @@ function update_r1193() { $r1 = q("CREATE INDEX item_uid_unseen ON item (uid, item_unseen)"); } else { - $r1 = q("ALTER TABLE item ADD INDEX uid_item_unseen (uid, item_unseen);"); + $r1 = q("ALTER TABLE item ADD INDEX uid_item_unseen (uid, item_unseen)"); } if($r1) From 6143f490426144fc15cf35c0faa936f487e6c046 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 11:28:42 +0200 Subject: [PATCH 06/25] fix an issue where some encoded mids were not found in /display allthough they existed --- Zotlabs/Module/Display.php | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index 11c75219d..3ac0a628d 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php @@ -133,7 +133,14 @@ class Display extends \Zotlabs\Web\Controller { if((! $update) && (! $load)) { $static = ((local_channel()) ? channel_manual_conv_update(local_channel()) : 1); - + + //if the target item is not a post (eg a like) want to address its thread parent + $mid = (($target_item['verb'] == ACTIVITY_POST) ? $item_hash : $target_item['thr_parent']); + + //if we got a decoded hash we must encode it again before handing to javascript + if($decoded) + $mid = 'b64.' . base64url_encode($mid); + $o .= '
' . "\r\n"; $o .= "\r\n"; @@ -165,8 +172,7 @@ class Display extends \Zotlabs\Web\Controller { '$dend' => '', '$dbegin' => '', '$verb' => '', - //if the target item is not a post (eg a like) want to address its thread parent - '$mid' => (($target_item['verb'] == ACTIVITY_POST) ? $item_hash : $target_item['thr_parent']) + '$mid' => $mid )); head_add_link([ @@ -323,6 +329,7 @@ class Display extends \Zotlabs\Web\Controller { $r = q("SELECT id, item_deleted FROM item WHERE mid = '%s' LIMIT 1", dbesc($item_hash) ); + if($r) { if(intval($r[0]['item_deleted'])) { notice( t('Item has been removed.') . EOL ); From 4190a40de8c3cf0c08c2b4e559231e72c1faa1cd Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 11:35:24 +0200 Subject: [PATCH 07/25] typo --- Zotlabs/Module/Display.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index 3ac0a628d..bc597364f 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php @@ -134,7 +134,7 @@ class Display extends \Zotlabs\Web\Controller { $static = ((local_channel()) ? channel_manual_conv_update(local_channel()) : 1); - //if the target item is not a post (eg a like) want to address its thread parent + //if the target item is not a post (eg a like) we want to address its thread parent $mid = (($target_item['verb'] == ACTIVITY_POST) ? $item_hash : $target_item['thr_parent']); //if we got a decoded hash we must encode it again before handing to javascript From 23e774db8ea25ba8eb8d8d5d6731622998534bbc Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 13:19:13 -0700 Subject: [PATCH 08/25] markdown code blocks not preserving line breaks, removed a bootstrap over-ride which fixes this, but also changed the style to pre-wrap to wrap the text rather than the default horizontal scroll --- view/css/bootstrap-red.css | 4 ---- view/css/conversation.css | 10 ++++++++++ 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/view/css/bootstrap-red.css b/view/css/bootstrap-red.css index a3a8ce0be..e0018989d 100644 --- a/view/css/bootstrap-red.css +++ b/view/css/bootstrap-red.css @@ -71,10 +71,6 @@ nav .dropdown-menu { min-width: auto; } -code { - white-space: normal; -} - label { font-weight: bold; } diff --git a/view/css/conversation.css b/view/css/conversation.css index dcabb5f3c..32870065b 100644 --- a/view/css/conversation.css +++ b/view/css/conversation.css @@ -1,3 +1,4 @@ + /* jot */ .jothidden input[type="text"] { @@ -302,3 +303,12 @@ img.smiley.emoji:hover { #filer_save { margin-left: 15px; } + + + +/* general over-rides */ + +/* prevent horizontal scrollbars in code blocks */ +code { + white-space: pre-wrap; +} From 4d1f5c175283246f0fbf7c7c8a7312e66efded17 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 23:12:58 +0200 Subject: [PATCH 09/25] do not double encode already encoded mids --- view/js/main.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/view/js/main.js b/view/js/main.js index ce7a1a07e..cdba8a25d 100644 --- a/view/js/main.js +++ b/view/js/main.js @@ -699,9 +699,11 @@ function updateConvItems(mode,data) { // auto-scroll to a particular comment in a thread (designated by mid) when in single-thread mode // use the same method to generate the submid as we use in ThreadItem, // base64_encode + replace(['+','='],['','']); - var submid = bParam_mid; - var submid_encoded = ((submid.length) ? submid : 'abcdefg'); - submid_encoded = window.btoa(submid_encoded); + + var submid = ((bParam_mid.length) ? bParam_mid : 'abcdefg'); + var encoded = ((submid.substr(0,4) == 'b64.') ? true : false); + var submid_encoded = ((encoded) ? submid.substr(4) : window.btoa(submid)); + submid_encoded = submid_encoded.replace(/[\+\=]/g,''); if($('.item_' + submid_encoded).length && !$('.item_' + submid_encoded).hasClass('toplevel_item') && mode == 'replace') { if($('.collapsed-comments').length) { 
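Review bot: In the `'b64.'` branch of the main.js hunk, `submid.substr(4)` skips `window.btoa()` and reaches `$('.item_' + submid_encoded)` with only `+` and `=` removed, so any other character carried in `bParam_mid` lands in the selector string unchecked. A value outside the base64url alphabet makes the selector invalid, jQuery throws, and the rest of the update stops. I would accept the prefix only when the remainder is well-formed, e.g. `var encoded = /^b64\.[A-Za-z0-9_-]+$/.test(submid);`, and let everything else take the `btoa` path. The body of `updateConvItems` continues outside the hunk.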
From 27e9b5618b5a07ebc15fa6b6b0d1d2c78ade8f46 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 23:20:40 +0200 Subject: [PATCH 10/25] use thread parent hash only for like and dislike activity. in all other cases use item hash. this will catch more situations. --- Zotlabs/Module/Display.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index bc597364f..190ed3cc5 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php @@ -135,7 +135,7 @@ class Display extends \Zotlabs\Web\Controller { $static = ((local_channel()) ? channel_manual_conv_update(local_channel()) : 1); //if the target item is not a post (eg a like) we want to address its thread parent - $mid = (($target_item['verb'] == ACTIVITY_POST) ? $item_hash : $target_item['thr_parent']); + $mid = ((($target_item['verb'] == ACTIVITY_LIKE) || ($target_item['verb'] == ACTIVITY_DISLIKE)) ? $target_item['thr_parent'] : $item_hash); //if we got a decoded hash we must encode it again before handing to javascript if($decoded) From 7b3aa92b5ad09c0820db2b20bc462c975f0d3aba Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Thu, 7 Sep 2017 23:35:36 +0200 Subject: [PATCH 11/25] use $target_item[mid] to make item highlighting work with shortened mids --- Zotlabs/Module/Display.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index 190ed3cc5..0ea55102e 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php 
@@ -135,7 +135,7 @@ class Display extends \Zotlabs\Web\Controller { $static = ((local_channel()) ? channel_manual_conv_update(local_channel()) : 1); //if the target item is not a post (eg a like) we want to address its thread parent - $mid = ((($target_item['verb'] == ACTIVITY_LIKE) || ($target_item['verb'] == ACTIVITY_DISLIKE)) ? $target_item['thr_parent'] : $item_hash); + $mid = ((($target_item['verb'] == ACTIVITY_LIKE) || ($target_item['verb'] == ACTIVITY_DISLIKE)) ? $target_item['thr_parent'] : $target_item['mid']); //if we got a decoded hash we must encode it again before handing to javascript if($decoded) From 61f339a874784d3181f4c884bab9994ec9200f50 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 17:56:02 -0700 Subject: [PATCH 12/25] owa - first commit --- Zotlabs/Module/Magic.php | 32 ++++++++++++++++++- Zotlabs/Module/Owa.php | 57 +++++++++++++++++++++++++++++++++ Zotlabs/Module/Rmagic.php | 4 +-- Zotlabs/Web/HTTPSig.php | 8 +++++ Zotlabs/Web/WebServer.php | 6 ++++ Zotlabs/Zot/Verify.php | 16 ++++++++++ include/zid.php | 66 +++++++++++++++++++++++++++++++++++++++ 7 files changed, 186 insertions(+), 3 deletions(-) create mode 100644 Zotlabs/Module/Owa.php diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index bf3198067..0eb2f27a1 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -17,6 +17,7 @@ class Magic extends \Zotlabs\Web\Controller { $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); + $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); $parsed = parse_url($dest); 
@@ -132,12 +133,41 @@ class Magic extends \Zotlabs\Web\Controller { if(local_channel()) { $channel = \App::get_channel(); + // OpenWebAuth + + if($owa) { + + $headers = []; + $headers['Accept'] = 'application/x-zot+json' ; + $headers['X-Open-Web-Auth'] = random_string(); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], + 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); + + $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + if($x['success']) { + $j = json_decode($x['body'],true); + if($j['success'] && $j['token']) { + $x = strpbrk($dest,'?&'); + $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : ''); + goaway($dest . $args); + } + } + goaway($dest); + } + + $token = random_string(); + // $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); - // $channel['token'] = $token; // $channel['token_sig'] = $token_sig; + + + + + + \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel)) diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php new file mode 100644 index 000000000..f71099599 --- /dev/null +++ b/Zotlabs/Module/Owa.php @@ -0,0 +1,57 @@ + true, 'token' => $token ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } + } + } + } + $x = json_encode([ 'success' => false ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } + } + + $x = json_encode([ 'success' => false ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } +} diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php index 9fcc72441..0c4eb9ae4 100644 --- a/Zotlabs/Module/Rmagic.php +++ b/Zotlabs/Module/Rmagic.php 
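Review bot: The signed request in the new `if($owa)` block of Magic.php goes to `$basepath . '/owa'`, and `$basepath` is set outside this hunk, apparently from the request-supplied `dest` (the earlier hunk shows `$parsed = parse_url($dest)`). If that is the case, the server fetches a host chosen by whoever built the link and presents headers signed with the logged-in member's channel key to it. Before calling `z_fetch_url()` I would require an `http`/`https` scheme and a non-empty host in `$parsed`, and add a comment such as `// the signed headers disclose this channel's address to the destination site`. The enclosing method starts and ends outside the hunk.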
@@ -18,7 +18,7 @@ class Rmagic extends \Zotlabs\Web\Controller { if($r[0]['hubloc_url'] === z_root()) goaway(z_root() . '/login'); $dest = z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string); - goaway($r[0]['hubloc_url'] . '/magic' . '?f=&dest=' . $dest); + goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest); } } } @@ -63,7 +63,7 @@ class Rmagic extends \Zotlabs\Web\Controller { else $dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string)); - goaway($url . '/magic' . '?f=&dest=' . $dest); + goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest); } } } diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 2b139a2a1..fee8aaa41 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -91,6 +91,9 @@ class HTTPSig { if($sig_block['algorithm'] === 'rsa-sha256') { $algorithm = 'sha256'; } + if($sig_block['algorithm'] === 'rsa-sha512') { + $algorithm = 'sha512'; + } if(! $key) { $result['signer'] = $sig_block['keyId']; @@ -113,6 +116,8 @@ class HTTPSig { $digest = explode('=', $headers['digest']); if($digest[0] === 'SHA-256') $hashalg = 'sha256'; + if($digest[0] === 'SHA-512') + $hashalg = 'sha512'; // The explode operation will have stripped the '=' padding, so compare against unpadded base64 if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) { @@ -164,6 +169,9 @@ class HTTPSig { if($alg === 'sha256') { $algorithm = 'rsa-sha256'; } + if($alg === 'sha512') { + $algorithm = 'rsa-sha512'; + } $x = self::sign($request,$head,$prvkey,$alg); diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php index a66384c40..8431a2e0e 100644 --- a/Zotlabs/Web/WebServer.php +++ b/Zotlabs/Web/WebServer.php 
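Review bot: In the Digest check (second HTTPSig.php hunk) `$hashalg` is assigned only for `SHA-256` and `SHA-512` and no default is visible, so a `Digest` header naming any other algorithm reaches `hash($hashalg,$body,true)` with an unset value. The first hunk has the same shape for `$algorithm`, which is selected by the sender-supplied `algorithm` field of the signature block. Both chains should be an explicit allow-list that fails verification for anything else, for example `if(! isset($hashalg)) return $result;` before the comparison, assuming `$result` is what the method returns on failure. Both methods start and end outside the hunks, so an initialisation above the visible lines would change this.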
@@ -70,6 +70,12 @@ class WebServer { } } + if((x($_REQUEST,'owt')) && (! \App::$install)) { + $token = $_REQUEST['owt']; + \App::$query_string = strip_query_param(\App::$query_string,'owt'); + owt_init($token); + } + if((x($_SESSION, 'authenticated')) || (x($_POST, 'auth-params')) || (\App::$module === 'login')) require('include/auth.php'); diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php index 06bd3188c..1f1288aa0 100644 --- a/Zotlabs/Zot/Verify.php +++ b/Zotlabs/Zot/Verify.php @@ -31,6 +31,22 @@ class Verify { return false; } + + function get_meta($type,$channel_id,$token) { + $r = q("select id from verify where vtype = '%s' and channel = %d and token = '%s' limit 1", + dbesc($type), + intval($channel_id), + dbesc($token) + ); + if($r) { + q("delete from verify where id = %d", + intval($r[0]['id']) + ); + return $r[0]['meta']; + } + return false; + } + function purge($type,$interval) { q("delete from verify where vtype = '%s' and created < %s - INTERVAL %s", dbesc($type), diff --git a/include/zid.php b/include/zid.php index ee43fd7c8..5d58ff257 100644 --- a/include/zid.php +++ b/include/zid.php @@ -81,6 +81,10 @@ function zid($s,$address = '') { } +function strip_query_param($s,$param) { + return preg_replace('/[\?&]' . $param . '=(.*?)(&|$)/ism','$2',$s); +} + function strip_zids($s) { return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s); } 
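Review bot: `$_REQUEST['owt']` is handed to `owt_init()` in WebServer.php without a type check, so a request that sends `owt` as an array passes the `x()` test (as far as its use here shows) and ends up in the `dbesc()` call inside `Verify::get_meta()`. I would tighten the guard to `if(isset($_REQUEST['owt']) && is_string($_REQUEST['owt']) && (! \App::$install)) {`. Because the token normally arrives in the query string it is recorded in access logs and may travel in Referer headers, so a comment stating that it is single-use and purged after three minutes (see `owt_init`) would document why that is acceptable. The enclosing method continues outside the hunk.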
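Review bot: `Verify::get_meta()` reads the row and deletes it in two separate statements, so two requests carrying the same token at the same moment can both complete the `select` before either `delete` runs, and a token meant to be single-use is then honoured twice. Redemption should be atomic: return the meta only when the `delete` reports that it removed the row, or run both statements inside one transaction. A docblock saying that the call consumes the token and returns `false` for an unknown one would also help callers such as `owt_init()`.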
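Review bot: `strip_query_param()` in include/zid.php interpolates `$param` into the pattern unescaped, so a name containing `/` or a regex metacharacter changes or breaks the expression. The only caller in this commit passes the literal `'owt'`, but the helper reads as general-purpose. Build the pattern with `preg_quote($param,'/')`, i.e. `'/[\?&]' . preg_quote($param,'/') . '=(.*?)(&|$)/ism'`.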
@@ -230,3 +234,65 @@ function red_zrlify_img_callback($matches) { return $matches[0]; } +function owt_init($token) { + + \Zotlabs\Zot\Verify::purge('owt','3 MINUTE'); + + $ob_hash = \Zotlabs\Zot\Verify::get_meta('owt',0,$token); + if($ob_hash === false) { + return; + } + + $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash + where hubloc_addr = '%s' order by hubloc_id desc", + dbesc($ob_hash) + ); + + if(! $r) { + // finger them if they can't be found. + $j = Finger::run($ob_hash, null); + if ($j['success']) { + import_xchan($j); + $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash + where hubloc_addr = '%s' order by hubloc_id desc", + dbesc($ob_hash) + ); + } + } + if(! $r) { + logger('owt: unable to finger ' . $ob_hash); + return; + } + $hubloc = $r[0]; + + $delegate_success = false; + if($_REQUEST['delegate']) { + $r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1", + dbesc($_REQUEST['delegate']) + ); + if ($r && intval($r[0]['channel_id'])) { + $allowed = perm_is_allowed($r[0]['channel_id'],$hubloc['xchan_hash'],'delegate'); + if($allowed) { + $_SESSION['delegate_channel'] = $r[0]['channel_id']; + $_SESSION['delegate'] = $hubloc['xchan_hash']; + $_SESSION['account_id'] = intval($r[0]['channel_account_id']); + require_once('include/security.php'); + // this will set the local_channel authentication in the session + change_channel($r[0]['channel_id']); + $delegate_success = true; + } + } + } + + if (! $delegate_success) { + // normal visitor (remote_channel) login session credentials + $_SESSION['visitor_id'] = $hubloc['xchan_hash']; + $_SESSION['my_url'] = $hubloc['xchan_url']; + $_SESSION['my_address'] = $hubloc['hubloc_addr']; + $_SESSION['remote_hub'] = $hubloc['hubloc_url']; + $_SESSION['DNT'] = 1; + } + + logger('owa success!'); + +} \ No newline at end of file From 4d794103be4112a6f1f0d8f54e0d54c0961297b5 Mon Sep 17 00:00:00 2001 
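Review bot: The delegate branch of `owt_init()` looks up `$_REQUEST['delegate']` as an `xchan_addr`, but the redirect built in Magic.php in this same commit appends the constant `&delegate=1`, which will not match any address, so a delegated login falls through to the plain visitor session without any message. Either forward the address from Magic.php (`'&delegate=' . urlencode($delegate)`) or state in a comment that delegation is not supported on the OpenWebAuth path yet. `$_REQUEST['delegate']` is read straight from the request, so it should also pass `is_string()` before it reaches `dbesc()`.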
From: zotlabs Date: Thu, 7 Sep 2017 18:09:31 -0700 Subject: [PATCH 13/25] testing owa --- include/channel.php | 2 +- include/connections.php | 2 +- include/text.php | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/channel.php b/include/channel.php index 41feca362..213676f52 100644 --- a/include/channel.php +++ b/include/channel.php @@ -1633,7 +1633,7 @@ function zid_init() { $query = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$query); $dest = '/' . urlencode($query); if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) { - goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&dest=' . z_root() . $dest); + goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&dest=' . z_root() . $dest); } else logger('zid_init: no hubloc found.'); diff --git a/include/connections.php b/include/connections.php index 8df795190..a9f906649 100644 --- a/include/connections.php +++ b/include/connections.php @@ -115,7 +115,7 @@ function vcard_from_xchan($xchan, $observer = null, $mode = '') { App::$profile_uid = $xchan['channel_id']; $url = (($observer) - ? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] + ? z_root() . '/magic?f=&owa=1&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] : $xchan['xchan_url'] ); diff --git a/include/text.php b/include/text.php index a3c2bbc08..51d711021 100644 --- a/include/text.php +++ b/include/text.php @@ -987,7 +987,7 @@ function chanlink_cid($d) { function magiclink_url($observer,$myaddr,$url) { return (($observer) - ? z_root() . '/magic?f=&dest=' . $url . '&addr=' . $myaddr + ? z_root() . '/magic?f=&owa=1&dest=' . $url . '&addr=' . $myaddr : $url ); } 
@@ -1389,7 +1389,7 @@ function theme_attachments(&$item) { if(is_foreigner($item['author_xchan'])) $url = $r['href']; else - $url = z_root() . '/magic?f=&hash=' . $item['author_xchan'] . '&dest=' . $r['href'] . '/' . $r['revision']; + $url = z_root() . '/magic?f=&owa=1&hash=' . $item['author_xchan'] . '&dest=' . $r['href'] . '/' . $r['revision']; //$s .= '' . $icon . ''; $attaches[] = array('label' => $label, 'url' => $url, 'icon' => $icon, 'title' => $title); From f09fe8da7814a64e653700b4fe04f165edd90045 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 18:14:04 -0700 Subject: [PATCH 14/25] add logging --- Zotlabs/Module/Magic.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 0eb2f27a1..3fe0e1e35 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -144,6 +144,9 @@ class Magic extends \Zotlabs\Web\Controller { 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + + logger('owtfetch: ' . print_r($x,true)); + if($x['success']) { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { From 7e9162ef06b4719723941679e55af079421ae475 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 18:19:49 -0700 Subject: [PATCH 15/25] there's the problem --- Zotlabs/Module/Magic.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 3fe0e1e35..342c11eb9 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php 
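Review bot: `logger('owtfetch: ' . print_r($x,true));` in Magic.php writes the complete `/owa` response to the log at the default level, and on success that body contains the `token` which the following lines turn into a login redirect. A bearer token in a log file stays usable until it is redeemed or purged, and log files are usually readable by more people than the session store. If the trace is still wanted, record only the outcome, e.g. `logger('owtfetch: success=' . intval($x['success']), LOGGER_DEBUG);`. The enclosing block continues outside the hunk.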
@@ -151,7 +151,7 @@ class Magic extends \Zotlabs\Web\Controller { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { $x = strpbrk($dest,'?&'); - $args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : ''); + $args = (($x) ? '&owt=' . $j['token'] : '?f=&owt=' . $j['token']) . (($delegate) ? '&delegate=1' : ''); goaway($dest . $args); } } From 1fbb1e6c2a665159d0085217c9b73d571e360256 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 18:52:18 -0700 Subject: [PATCH 16/25] initial testing success with owa --- Zotlabs/Module/Owa.php | 2 +- Zotlabs/Zot/Finger.php | 2 +- Zotlabs/Zot/Verify.php | 2 +- include/zid.php | 5 ++++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php index f71099599..0b625dbe5 100644 --- a/Zotlabs/Module/Owa.php +++ b/Zotlabs/Module/Owa.php @@ -33,7 +33,7 @@ logger('verified: ' . print_r($verified,true)); if($verified && $verified['header_signed'] && $verified['header_valid']) { $token = random_string(32); - \Zotlabs\Zot\Verify::create('owt',0,token,$r[0]['hubloc_hash']); + \Zotlabs\Zot\Verify::create('owt',0,$token,$r[0]['hubloc_addr']); $x = json_encode([ 'success' => true, 'token' => $token ]); header('Content-Type: application/x-zot+json'); echo $x; diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php index dab7d9e01..348171bdc 100644 --- a/Zotlabs/Zot/Finger.php +++ b/Zotlabs/Zot/Finger.php @@ -123,7 +123,7 @@ class Finger { $x = json_decode($result['body'], true); $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : '')); - + if($x && (! $verify['header_valid'])) { $signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null); if($signed_token) { diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php index 1f1288aa0..1d9e6de3f 100644 --- a/Zotlabs/Zot/Verify.php +++ b/Zotlabs/Zot/Verify.php 
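Review bot: `$j['token']` is taken from the remote server's JSON and concatenated into the redirect URL unchanged, so a `&`, `#` or line break inside it alters the query string that `goaway()` sends. Require a string and encode it: `if($j['success'] && is_string($j['token']) && $j['token'] !== '') {` and `'&owt=' . urlencode($j['token'])` in both arms of the ternary. As a point of style, `$x` is reused for the `strpbrk()` result while it still holds the fetch response from a few lines earlier; a separate name such as `$has_query` reads better.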
@@ -33,7 +33,7 @@ class Verify { function get_meta($type,$channel_id,$token) { - $r = q("select id from verify where vtype = '%s' and channel = %d and token = '%s' limit 1", + $r = q("select id, meta from verify where vtype = '%s' and channel = %d and token = '%s' limit 1", dbesc($type), intval($channel_id), dbesc($token) diff --git a/include/zid.php b/include/zid.php index 5d58ff257..d5d863be6 100644 --- a/include/zid.php +++ b/include/zid.php @@ -239,6 +239,7 @@ function owt_init($token) { \Zotlabs\Zot\Verify::purge('owt','3 MINUTE'); $ob_hash = \Zotlabs\Zot\Verify::get_meta('owt',0,$token); + if($ob_hash === false) { return; } @@ -250,7 +251,7 @@ function owt_init($token) { if(! $r) { // finger them if they can't be found. - $j = Finger::run($ob_hash, null); + $j = \Zotlabs\Zot\Finger::run($ob_hash, null); if ($j['success']) { import_xchan($j); $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash @@ -265,6 +266,8 @@ function owt_init($token) { } $hubloc = $r[0]; + $_SESSION['authenticated'] = 1; + $delegate_success = false; if($_REQUEST['delegate']) { $r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1", From 048a8c5f44eee9b201cb3f6a71a5ed7e865e446e Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 19:04:35 -0700 Subject: [PATCH 17/25] provide owa discovery --- Zotlabs/Module/Wfinger.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Zotlabs/Module/Wfinger.php b/Zotlabs/Module/Wfinger.php index 07a7b7735..de67522b3 100644 --- a/Zotlabs/Module/Wfinger.php +++ b/Zotlabs/Module/Wfinger.php @@ -124,6 +124,13 @@ class Wfinger extends \Zotlabs\Web\Controller { 'rel' => 'http://purl.org/zot/protocol', 'href' => z_root() . '/.well-known/zot-info' . '?address=' . $r[0]['xchan_addr'], ], + + [ + 'rel' => 'http://purl.org/openwebauth/v1', + 'type' => 'application/x-zot+json', + 'href' => z_root() . '/owa', + ], + [ 'rel' => 'magic-public-key', 
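Review bot: The include/zid.php hunk that adds `$_SESSION['authenticated'] = 1;` to `owt_init()` promotes the current session to an authenticated one, and nothing visible in the hunk issues a new session id first, so an id that existed before the token was redeemed carries over into the authenticated state. Unless a later call on this path already rotates it (not visible here), regenerate it before writing the credentials, e.g. `session_regenerate_id(true);` or the project's own session helper. I would also add `// makes WebServer load include/auth.php on the next request` above the assignment, since that is the visible consumer of the flag. `owt_init()` starts and ends outside the hunk.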
From f2dc55244c0741505e5de891fae97d67f31381d2 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 20:42:03 -0700 Subject: [PATCH 18/25] provide root discovery for owa --- Zotlabs/Module/Wfinger.php | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/Zotlabs/Module/Wfinger.php b/Zotlabs/Module/Wfinger.php index de67522b3..d0c4d73d2 100644 --- a/Zotlabs/Module/Wfinger.php +++ b/Zotlabs/Module/Wfinger.php @@ -30,9 +30,15 @@ class Wfinger extends \Zotlabs\Web\Controller { $resource = $_REQUEST['resource']; logger('webfinger: ' . $resource,LOGGER_DEBUG); + + $root_resource = false; + + if(strcasecmp(rtrim($resource,'/'),z_root()) === 0) + $root_resource = true; + $r = null; - if($resource) { + if(($resource) && (! $root_resource)) { if(strpos($resource,'acct:') === 0) { $channel = str_replace('acct:','',$resource); @@ -60,7 +66,25 @@ class Wfinger extends \Zotlabs\Web\Controller { header('Access-Control-Allow-Origin: *'); + + if($root_resource) { + $result['subject'] = $resource; + $result['properties'] = [ + 'https://w3id.org/security/v1#publicKeyPem' => get_config('system','pubkey') + ]; + $result['links'] = [ + [ + 'rel' => 'http://purl.org/openwebauth/v1', + 'type' => 'application/x-zot+json', + 'href' => z_root() . '/owa', + ], + ]; + + + + } + if($resource && $r) { $h = q("select hubloc_addr from hubloc where hubloc_hash = '%s' and hubloc_deleted = 0", @@ -84,7 +108,8 @@ class Wfinger extends \Zotlabs\Web\Controller { $result['properties'] = [ 'http://webfinger.net/ns/name' => $r[0]['channel_name'], - 'http://xmlns.com/foaf/0.1/name' => $r[0]['channel_name'] + 'http://xmlns.com/foaf/0.1/name' => $r[0]['channel_name'], + 'https://w3id.org/security/v1#publicKeyPem' => $r[0]['xchan_pubkey'] ]; foreach($aliases as $alias) 
@@ -143,14 +168,16 @@ class Wfinger extends \Zotlabs\Web\Controller { $result['zot'] = zotinfo( [ 'address' => $r[0]['xchan_addr'] ]); } } - else { + + if(! $result) { header($_SERVER["SERVER_PROTOCOL"] . ' ' . 400 . ' ' . 'Bad Request'); killme(); } $arr = [ 'channel' => $r[0], 'request' => $_REQUEST, 'result' => $result ]; call_hooks('webfinger',$arr); - + + json_return_and_die($arr['result'],'application/jrd+json'); } From 1104e2652f15aaa405208b6dec9e439fb8c39537 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 7 Sep 2017 21:29:32 -0700 Subject: [PATCH 19/25] improve the code block styling a wee bit --- view/css/conversation.css | 10 +--------- view/theme/redbasic/css/style.css | 2 ++ 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/view/css/conversation.css b/view/css/conversation.css index 32870065b..a5a847676 100644 --- a/view/css/conversation.css +++ b/view/css/conversation.css @@ -274,6 +274,7 @@ code { font-size: 1em; padding: 1em 1.5em; display: block; + white-space: pre-wrap; } code.inline-code { @@ -303,12 +304,3 @@ img.smiley.emoji:hover { #filer_save { margin-left: 15px; } - - - -/* general over-rides */ - -/* prevent horizontal scrollbars in code blocks */ -code { - white-space: pre-wrap; -} diff --git a/view/theme/redbasic/css/style.css b/view/theme/redbasic/css/style.css index 621fa2781..b508b2576 100644 --- a/view/theme/redbasic/css/style.css +++ b/view/theme/redbasic/css/style.css @@ -136,6 +136,8 @@ input, optgroup, select, textarea { pre code { border: none; + padding: 1em 1.5em; + border-radius: $radius; } code { From 9b542c5bcf127e67374bb63a41c2d0da818cd987 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Fri, 8 Sep 2017 09:43:25 +0200 Subject: [PATCH 20/25] fix radius --- view/theme/redbasic/css/style.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/view/theme/redbasic/css/style.css b/view/theme/redbasic/css/style.css index b508b2576..3e457c621 100644 --- a/view/theme/redbasic/css/style.css 
+++ b/view/theme/redbasic/css/style.css @@ -137,7 +137,6 @@ input, optgroup, select, textarea { pre code { border: none; padding: 1em 1.5em; - border-radius: $radius; } code { @@ -149,6 +148,7 @@ pre { background: #F5F5F5; color: #333; border:1px solid #ccc; + border-radius: $radius; } .heart { From 84c86f01c853f87be93807b3e190f954aca2e6e6 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Fri, 8 Sep 2017 16:00:27 -0700 Subject: [PATCH 21/25] owa: missed the set-observer stuff --- Zotlabs/Module/Owa.php | 18 +++++++++--------- include/zid.php | 9 ++++++++- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php index 0b625dbe5..900ab9f85 100644 --- a/Zotlabs/Module/Owa.php +++ b/Zotlabs/Module/Owa.php @@ -1,9 +1,16 @@ false ]); - header('Content-Type: application/x-zot+json'); - echo $x; - killme(); } } - $x = json_encode([ 'success' => false ]); header('Content-Type: application/x-zot+json'); echo $x; diff --git a/include/zid.php b/include/zid.php index d5d863be6..08d8f061b 100644 --- a/include/zid.php +++ b/include/zid.php @@ -296,6 +296,13 @@ function owt_init($token) { $_SESSION['DNT'] = 1; } - logger('owa success!'); + $arr = array('xchan' => $hubloc, 'url' => \App::query_string, 'session' => $_SESSION); + call_hooks('magic_auth_success',$arr); + \App::set_observer($hubloc); + require_once('include/security.php'); + \App::set_groups(init_groups_visitor($_SESSION['visitor_id'])); + info(sprintf( t('Welcome %s. Remote authentication successful.'),$hubloc['xchan_name'])); + logger('OpenWebAuth: auth success from ' . $hubloc['xchan_addr']); + } \ No newline at end of file From ccc9cc8202b271d5b9b4126a10f997af17ade6d3 Mon Sep 17 00:00:00 2001 
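Review bot: In the zid.php hunk at `@@ -296,6 +296,13`, `$hubloc['xchan_name']` is a value supplied by the remote identity and is interpolated into the `info()` notice unchanged. If the notice is rendered as HTML and the name is not already escaped when the xchan record is imported (neither is visible here), it should be encoded at this point, e.g. `htmlspecialchars($hubloc['xchan_name'], ENT_QUOTES, 'UTF-8')` as the `sprintf` argument. The reworded greeting in PATCH 23's `@@ -296,12 +296,13` hunk passes the same value and needs the same treatment. Separately, `'session' => $_SESSION` hands the whole session array to every `magic_auth_success` hook; a comment stating which keys hooks may rely on would make that exposure explicit.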
From: Andrew Manning Date: Sat, 9 Sep 2017 08:23:30 -0400 Subject: [PATCH 22/25] Added context help for apps and appman in English --- .gitignore | 3 ++- doc/context/en/appman/help.html | 4 ++++ doc/context/en/apps/edit/help.html | 4 ++++ doc/context/en/apps/help.html | 6 ++++++ 4 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 doc/context/en/appman/help.html create mode 100644 doc/context/en/apps/edit/help.html create mode 100644 doc/context/en/apps/help.html diff --git a/.gitignore b/.gitignore index 050902f17..0e5233eaf 100755 --- a/.gitignore +++ b/.gitignore @@ -14,7 +14,7 @@ *.rej # OSX .DS_Store files .DS_Store -# version scripts (repo master only) +# version scripts (repo master only) .version* Thumbs.db @@ -27,6 +27,7 @@ custom/ /store/ # site apps apps/ +!doc/context/*/apps # default startpage home.html # page header plugin diff --git a/doc/context/en/appman/help.html b/doc/context/en/appman/help.html new file mode 100644 index 000000000..27cb03624 --- /dev/null +++ b/doc/context/en/appman/help.html @@ -0,0 +1,4 @@ +
+
General
+
Edit individual properties of the app you selected. Categories allow you to sort your apps to help you find them in the list more easily. Support for custom apps you or your administrator may choose to create includes fields such as "Price of app" and "Location for purchase" that are not applicable to core Hubzilla apps.
+
\ No newline at end of file diff --git a/doc/context/en/apps/edit/help.html b/doc/context/en/apps/edit/help.html new file mode 100644 index 000000000..1d378f962 --- /dev/null +++ b/doc/context/en/apps/edit/help.html @@ -0,0 +1,4 @@ +
+
General
+
Edit or delete your apps using the control buttons beside each app icon in the list.
+
\ No newline at end of file diff --git a/doc/context/en/apps/help.html b/doc/context/en/apps/help.html new file mode 100644 index 000000000..ad6daade5 --- /dev/null +++ b/doc/context/en/apps/help.html @@ -0,0 +1,6 @@ +
+
General
+
This page shows you what apps are available to your channel, including both core apps and those supplied by addons. To add an app to the app menu "star" the app in the list below.
+
Manage Apps
+
Press the "Manage Apps" button to open a page where you can edit the name, categories, and other properties of your apps.
+
\ No newline at end of file From e2e7bee3cca6f2ffc88aee9c94066e117e7a682b Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 9 Sep 2017 13:34:57 -0700 Subject: [PATCH 23/25] owa cleanup --- Zotlabs/Module/Magic.php | 13 ------------- Zotlabs/Module/Owa.php | 18 +++++++----------- include/zid.php | 5 +++-- 3 files changed, 10 insertions(+), 26 deletions(-) diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 342c11eb9..d1550ec89 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -142,11 +142,8 @@ class Magic extends \Zotlabs\Web\Controller { $headers['X-Open-Web-Auth'] = random_string(); $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); - $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); - logger('owtfetch: ' . print_r($x,true)); - if($x['success']) { $j = json_decode($x['body'],true); if($j['success'] && $j['token']) { @@ -161,16 +158,6 @@ class Magic extends \Zotlabs\Web\Controller { $token = random_string(); -// $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); -// $channel['token'] = $token; -// $channel['token_sig'] = $token_sig; - - - - - - - \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel)) diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php index 900ab9f85..4b0d855c5 100644 --- a/Zotlabs/Module/Owa.php +++ b/Zotlabs/Module/Owa.php 
@@ -15,8 +15,10 @@ namespace Zotlabs\Module; class Owa extends \Zotlabs\Web\Controller { function init() { - foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { + $ret = [ 'success' => false ]; + + foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') { if($head !== 'HTTP_AUTHORIZATION') { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head]; @@ -34,24 +36,18 @@ class Owa extends \Zotlabs\Web\Controller { ); if($r) { $hubloc = $r[0]; - $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); - + $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); if($verified && $verified['header_signed'] && $verified['header_valid']) { + $ret['success'] = true; $token = random_string(32); \Zotlabs\Zot\Verify::create('owt',0,$token,$r[0]['hubloc_addr']); - $x = json_encode([ 'success' => true, 'token' => $token ]); - header('Content-Type: application/x-zot+json'); - echo $x; - killme(); + $ret['token'] = $token; } } } } } } - $x = json_encode([ 'success' => false ]); - header('Content-Type: application/x-zot+json'); - echo $x; - killme(); + json_return_and_die($ret,'application/x-zot+json'); } } diff --git a/include/zid.php b/include/zid.php index 08d8f061b..ce9f70385 100644 --- a/include/zid.php +++ b/include/zid.php 
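Review bot: In the Owa.php hunk at `@@ -34,24 +36,18`, the `owt` token is issued once `$verified['header_signed']` and `$verified['header_valid']` are both set, but nothing checks which headers the signature covers or how old the request is. The Magic.php context in this patch shows the client adding a random `X-Open-Web-Auth` header before signing; if `HTTPSig::verify()` does not itself require that header and a recent date inside the signed set, a previously seen `Authorization` value would pass this check again and yield a fresh token. I would record the assumption at the check, `// assumes HTTPSig::verify() rejects signatures that omit X-Open-Web-Auth or carry a stale date - confirm`, and enforce it here if verify() does not. The part of init() between the two hunks is not visible, so how the signer is resolved to `$hubloc` should be reviewed alongside.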
@@ -296,12 +296,13 @@ function owt_init($token) { $_SESSION['DNT'] = 1; } - $arr = array('xchan' => $hubloc, 'url' => \App::query_string, 'session' => $_SESSION); + $arr = array('xchan' => $hubloc, 'url' => \App::$query_string, 'session' => $_SESSION); call_hooks('magic_auth_success',$arr); \App::set_observer($hubloc); require_once('include/security.php'); \App::set_groups(init_groups_visitor($_SESSION['visitor_id'])); - info(sprintf( t('Welcome %s. Remote authentication successful.'),$hubloc['xchan_name'])); + if(! get_config('system','hide_owa_greeting')) + info(sprintf( t('OpenWebAuth: %1$s welcomes %2$s'),\App::get_hostname(), $hubloc['xchan_name'])); logger('OpenWebAuth: auth success from ' . $hubloc['xchan_addr']); From c5950c0370fbf079c4a034c21ea083085f2d3f4c Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Sat, 9 Sep 2017 19:45:42 -0400 Subject: [PATCH 24/25] Update help.html --- doc/context/en/wiki/help.html | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/doc/context/en/wiki/help.html b/doc/context/en/wiki/help.html index 5ac9b22ae..5dee85375 100644 --- a/doc/context/en/wiki/help.html +++ b/doc/context/en/wiki/help.html @@ -1,12 +1,10 @@
General
Each wiki is a collection of pages, composed as Markdown-formatted text files.
-
Wiki List
+
Wiki List
Wikis owned by the channel that you have permission to view are listed in the side panel.
-
Page History
+
Page History
Every revision of a page is saved to allow quick reversion. Click the History tab to view a history of page revisions, including the date and author of each. The revert button will load the selected revision but will not automatically save the page.
-
Pages
+
Pages
The list of pages in the wiki are listed in the Wiki Pages panel. Prior to saving page edits using the Page control dropdown menu, you may enter a custom message to be displayed in the Page History viewer along with the revision.
-
Channel Content Tabs
-
The channel content tabs are links to other content published by the channel. The About tab links to the channel profile. The Photos tab links to the channel photo galleries. The Files tab links to the general shared files published by the channel.
-
\ No newline at end of file + From 754329097f87f7274665442cb7663f51d24e9304 Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Sat, 9 Sep 2017 19:47:39 -0400 Subject: [PATCH 25/25] More content tab help removed in context help --- doc/context/en/channel/help.html | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/context/en/channel/help.html b/doc/context/en/channel/help.html index 6e3181cbf..0c5b99754 100644 --- a/doc/context/en/channel/help.html +++ b/doc/context/en/channel/help.html @@ -3,6 +3,4 @@
This is the home page of a channel. It is similar to someone's profile "wall" in a social network context. Posts created by the channel are displayed according to the observer's viewing permissions.
Create a Post
If you have permission to create posts on the channel page, then you will see the post editor at the top.
-
Channel Content Tabs
-
The channel content tabs are links to other content published by the channel. The About tab links to the channel profile. The Photos tab links to the channel photo galleries. The Files tab links to the general shared files published by the channel.
- \ No newline at end of file +