use httpsig auth for getfile
This commit is contained in:
zotlabs
parent
455720ae93
commit
5abcb8c978
@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller {
|
||||
|
||||
function post() {
|
||||
|
||||
logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
|
||||
|
||||
$header_verification = false;
|
||||
|
||||
$hash = $_POST['hash'];
|
||||
$time = $_POST['time'];
|
||||
$sig = $_POST['signature'];
|
||||
$resource = $_POST['resource'];
|
||||
$revision = intval($_POST['revision']);
|
||||
$resolution = (-1);
|
||||
|
||||
|
||||
if(! $hash)
|
||||
killme();
|
||||
|
||||
foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
|
||||
if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
|
||||
if($head !== 'HTTP_AUTHORIZATION') {
|
||||
$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
|
||||
continue;
|
||||
}
|
||||
|
||||
$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
|
||||
if($sigblock) {
|
||||
$keyId = $sigblock['keyId'];
|
||||
|
||||
if($keyId) {
|
||||
$r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash
|
||||
where hubloc_addr = '%s' limit 1",
|
||||
dbesc(str_replace('acct:','',$keyId))
|
||||
);
|
||||
if($r) {
|
||||
$hubloc = $r[0];
|
||||
$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
|
||||
if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
|
||||
$header_verified = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
|
||||
if($header_verified) {
|
||||
logger('HTTPSig verified');
|
||||
}
|
||||
|
||||
$channel = channelx_by_hash($hash);
|
||||
|
||||
@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller {
|
||||
$d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
|
||||
$d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
|
||||
|
||||
if(($time > $d1) || ($time < $d2)) {
|
||||
logger('time outside allowable range');
|
||||
killme();
|
||||
}
|
||||
if(! $header_verified) {
|
||||
if(($time > $d1) || ($time < $d2)) {
|
||||
logger('time outside allowable range');
|
||||
killme();
|
||||
}
|
||||
|
||||
if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
|
||||
logger('verify failed.');
|
||||
killme();
|
||||
if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
|
||||
logger('verify failed.');
|
||||
killme();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if($resolution > 0) {
|
||||
$r = q("select * from photo where resource_id = '%s' and uid = %d limit 1",
|
||||
|
||||
@ -1199,7 +1199,14 @@ function sync_files($channel, $files) {
|
||||
continue;
|
||||
}
|
||||
$redirects = 0;
|
||||
$x = z_post_url($fetch_url,$parr,$redirects,array('filep' => $fp));
|
||||
|
||||
|
||||
$headers = [];
|
||||
$headers['Accept'] = 'application/x-zot+json' ;
|
||||
$headers['Sigtoken'] = random_string();
|
||||
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
|
||||
|
||||
$x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]);
|
||||
fclose($fp);
|
||||
|
||||
if($x['success']) {
|
||||
|
||||
Reference in New Issue
Block a user