provide general purpose verification class, remove include/session.php (no longer used)

2016-04-14 18:51:06 -07:00 · 2016-04-14 18:51:06 -07:00 · a8f7af2079
commit a8f7af2079
parent 7ae7fac234
4 changed files with 48 additions and 187 deletions
--- a/Zotlabs/Zot/Verify.php
+++ b/Zotlabs/Zot/Verify.php
@ -0,0 +1,42 @@
+<?php
+
+namespace Zotlabs\Zot;
+
+
+class Verify {
+
+	function create($type,$channel_id,$token,$meta) {
+		return q("insert into verify ( type, channel, token, meta, created ) values ( '%s', %d, '%s', '%s', '%s' )",
+			dbesc($type),
+			intval($channel_id),
+			dbesc($token),
+			dbesc($meta),
+			dbesc(datetime_convert())
+		);
+	}
+
+	function match($type,$channel_id,$token,$meta) {
+		$r = q("select id from verify where type = '%s' and channel = %d and token = '%s' and meta = '%s' limit 1",
+			dbesc($type),
+			intval($channel_id),
+			dbesc($token),
+			dbesc($meta)
+		);
+		if($r) {
+			q("delete from verify where id = %d",
+				intval($r[0]['id'])
+			);
+			return true; 
+		}
+		return false;
+	}
+
+	function purge($type,$interval) {
+		q("delete from verify where type = '%s' and created < %s - INTERVAL %s",
+			dbesc($type),
+			db_utcnow(),
+			db_quoteinterval($interval)
+		);
+	}
+
+}
--- a/include/session.php
+++ b/include/session.php
@ -1,169 +0,0 @@
-<?php
-
-/**
- * @file include/session.php
- *
- * @brief This file includes session related functions.
- *
- * Session management functions. These provide database storage of PHP
- * session info.
- */
-
-$session_exists = 0;
-$session_expire = 180000;
-
-
-/**
- * @brief Resets the current session.
- *
- * @return void
- */
-
-function nuke_session() {
-	new_cookie(0); // 0 means delete on browser exit
-
-	unset($_SESSION['authenticated']);
-	unset($_SESSION['account_id']);
-	unset($_SESSION['uid']);
-	unset($_SESSION['visitor_id']);
-	unset($_SESSION['administrator']);
-	unset($_SESSION['cid']);
-	unset($_SESSION['theme']);
-	unset($_SESSION['mobile_theme']);
-	unset($_SESSION['show_mobile']);
-	unset($_SESSION['page_flags']);
-	unset($_SESSION['delegate']);
-	unset($_SESSION['delegate_channel']);
-	unset($_SESSION['my_url']);
-	unset($_SESSION['my_address']);
-	unset($_SESSION['addr']);
-	unset($_SESSION['return_url']);
-	unset($_SESSION['remote_service_class']);
-	unset($_SESSION['remote_hub']);
-}
-
-
-
-function new_cookie($time) {
-
-	$old_sid = session_id();
-
-	// ??? This shouldn't have any effect if called after session_start()
-	// We probably need to set the session expiration and change the PHPSESSID cookie.
-	//	session_set_cookie_params($time);
-
-	session_regenerate_id(false);
-
-	q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
-			dbesc(session_id()),
-			dbesc($old_sid)
-	);
-
-	if (x($_COOKIE, 'jsAvailable')) {
-		if ($time) {
-			$expires = time() + $time;
-		} else {
-			$expires = 0;
-		}
-		setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
-	}
-	setcookie(session_name(),session_id(),$expires);
-}
-
-
-function ref_session_open ($s, $n) {
-	return true;
-}
-
-
-function ref_session_read ($id) {
-	global $session_exists;
-	if(x($id))
-		$r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));
-
-	if(count($r)) {
-		$session_exists = true;
-		return $r[0]['data'];
-	}
-
-	return '';
-}
-
-
-function ref_session_write ($id, $data) {
-	global $session_exists, $session_expire;
-
-	if(! $id || ! $data) {
-		return false;
-	}
-
-	$expire = time() + $session_expire;
-	$default_expire = time() + 300;
-
-	if($session_exists) {
-		q("UPDATE `session`
-				SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
-				dbesc($data),
-				dbesc($expire),
-				dbesc($id)
-		);
-	} else {
-		q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
-				//SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
-				dbesc($id),
-				dbesc($default_expire),
-				dbesc($data)
-		);
-	}
-
-	return true;
-}
-
-
-function ref_session_close() {
-	return true;
-}
-
-
-function ref_session_destroy ($id) {
-	q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
-	return true;
-}
-
-
-function ref_session_gc($expire) {
-	q("DELETE FROM session WHERE expire < %d", dbesc(time()));
-	return true;
-}
-
-$gc_probability = 50;
-
-ini_set('session.gc_probability', $gc_probability);
-ini_set('session.use_only_cookies', 1);
-ini_set('session.cookie_httponly', 1);
-
-/*
- * Set our session storage functions.
- */
-
-session_set_save_handler(
-		'ref_session_open',
-		'ref_session_close',
-		'ref_session_read',
-		'ref_session_write',
-		'ref_session_destroy',
-		'ref_session_gc'
-);
-
-
-   // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().
-
-    if(intval(App::$config['system']['ssl_cookie_protection'])) {
-        $arr = session_get_cookie_params();
-        session_set_cookie_params(
-            ((isset($arr['lifetime']))  ? $arr['lifetime'] : 0),
-            ((isset($arr['path']))      ? $arr['path']     : '/'),
-            ((isset($arr['domain']))    ? $arr['domain']   : App::get_hostname()),
-            ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
-            ((isset($arr['httponly']))  ? $arr['httponly'] : true));
-    }
--- a/include/zot.php
+++ b/include/zot.php
@ -4289,9 +4289,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 	// the web server. We should probably convert this to webserver time rather than DB time so 
 	// that the different clocks won't affect it and allow us to keep the time short. 

-	q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
-		db_utcnow(), db_quoteinterval('30 MINUTE')
-	);
+	Zotlabs\Zot\Verify::purge('auth','30 MINUTE');

 	$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
 		dbesc($sender_hash)
@ -4330,19 +4328,13 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 		// This additionally checks for forged sites since we already stored the expected result in meta
 		// and we've already verified that this is them via zot_gethub() and that their key signed our token

-		$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
-			intval($c[0]['channel_id']),
-			dbesc($data['secret']),
-			dbesc($data['sender']['url'])
-		);
+
+		$z = Zotlabs\Zot\Verify::match('auth',$c[0]['channel_id'],$data['secret'],$data['sender']['url']);
 		if (! $z) {
 			logger('mod_zot: auth_check: verification key not found.');
 			$ret['message'] .= 'verification key not found' . EOL;
 			json_return_and_die($ret);
 		}
-		$r = q("delete from verify where id = %d",
-			intval($z[0]['id'])
-		);

 		$u = q("select account_service_class from account where account_id = %d limit 1",
 			intval($c[0]['channel_account_id'])
--- a/mod/magic.php
+++ b/mod/magic.php
@ -135,13 +135,9 @@ function magic_init(&$a) {
 
 		$channel['token'] = $token;
 		$channel['token_sig'] = $token_sig;
-		$r = q("insert into verify ( type, channel, token, meta, created) values ('%s','%d','%s','%s','%s')",
-			dbesc('auth'),
-			intval($channel['channel_id']),
-			dbesc($token),
-			dbesc($x[0]['hubloc_url']),
-			dbesc(datetime_convert())
-		);
+
+		Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
+
 		$target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . App::get_hostname())
 			. '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION;