harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use httpsig auth for getfile

Browse Source
This commit is contained in:
zotlabs 2017-11-29 13:51:54 -08:00
parent 455720ae93
commit 5abcb8c978
2 changed files with 54 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
Zotlabs/Module/Getfile.php
View File

@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller {
function post() { function post() {
logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); $header_verification = false;
$hash = $_POST['hash']; $hash = $_POST['hash'];
$time = $_POST['time']; $time = $_POST['time'];
$sig = $_POST['signature']; $sig = $_POST['signature'];
$resource = $_POST['resource']; $resource = $_POST['resource'];
$revision = intval($_POST['revision']); $revision = intval($_POST['revision']);
$resolution = (-1); $resolution = (-1);
if(! $hash) if(! $hash)
killme(); killme();
foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
if($head !== 'HTTP_AUTHORIZATION') {
$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
continue;
}
$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
if($sigblock) {
$keyId = $sigblock['keyId'];
if($keyId) {
$r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash
where hubloc_addr = '%s' limit 1",
dbesc(str_replace('acct:','',$keyId))
);
if($r) {
$hubloc = $r[0];
$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
$header_verified = true;
}
}
}
}
}
}
logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
if($header_verified) {
logger('HTTPSig verified');
}
$channel = channelx_by_hash($hash); $channel = channelx_by_hash($hash);
@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller {
$d1 = datetime_convert('UTC','UTC',"now + $slop minutes"); $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
$d2 = datetime_convert('UTC','UTC',"now - $slop minutes"); $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
if(($time > $d1) || ($time < $d2)) { if(! $header_verified) {
logger('time outside allowable range'); if(($time > $d1) || ($time < $d2)) {
killme(); logger('time outside allowable range');
} killme();
}
if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
logger('verify failed.'); logger('verify failed.');
killme(); killme();
}
} }
if($resolution > 0) { if($resolution > 0) {
$r = q("select * from photo where resource_id = '%s' and uid = %d limit 1", $r = q("select * from photo where resource_id = '%s' and uid = %d limit 1",

9
include/import.php
View File

@ -1199,7 +1199,14 @@ function sync_files($channel, $files) {
continue; continue;
} }
$redirects = 0; $redirects = 0;
$x = z_post_url($fetch_url,$parr,$redirects,array('filep' => $fp));
$headers = [];
$headers['Accept'] = 'application/x-zot+json' ;
$headers['Sigtoken'] = random_string();
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
$x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]);
fclose($fp); fclose($fp);
if($x['success']) { if($x['success']) {