harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

provide general purpose verification class, remove include/session.php (no longer used)

Browse Source
This commit is contained in:
redmatrix 2016-04-14 18:51:06 -07:00
parent 7ae7fac234
commit a8f7af2079
4 changed files with 48 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
Zotlabs/Zot/Verify.php Normal file
View File

@ -0,0 +1,42 @@
<?php
namespace Zotlabs\Zot;
class Verify {
function create($type,$channel_id,$token,$meta) {
return q("insert into verify ( type, channel, token, meta, created ) values ( '%s', %d, '%s', '%s', '%s' )",
dbesc($type),
intval($channel_id),
dbesc($token),
dbesc($meta),
dbesc(datetime_convert())
);
}
function match($type,$channel_id,$token,$meta) {
$r = q("select id from verify where type = '%s' and channel = %d and token = '%s' and meta = '%s' limit 1",
dbesc($type),
intval($channel_id),
dbesc($token),
dbesc($meta)
);
if($r) {
q("delete from verify where id = %d",
intval($r[0]['id'])
);
return true;
}
return false;
}
function purge($type,$interval) {
q("delete from verify where type = '%s' and created < %s - INTERVAL %s",
dbesc($type),
db_utcnow(),
db_quoteinterval($interval)
);
}
}

169
include/session.php
View File

@ -1,169 +0,0 @@
<?php
/**
* @file include/session.php
*
* @brief This file includes session related functions.
*
* Session management functions. These provide database storage of PHP
* session info.
*/
$session_exists = 0;
$session_expire = 180000;
/**
* @brief Resets the current session.
*
* @return void
*/
function nuke_session() {
new_cookie(0); // 0 means delete on browser exit
unset($_SESSION['authenticated']);
unset($_SESSION['account_id']);
unset($_SESSION['uid']);
unset($_SESSION['visitor_id']);
unset($_SESSION['administrator']);
unset($_SESSION['cid']);
unset($_SESSION['theme']);
unset($_SESSION['mobile_theme']);
unset($_SESSION['show_mobile']);
unset($_SESSION['page_flags']);
unset($_SESSION['delegate']);
unset($_SESSION['delegate_channel']);
unset($_SESSION['my_url']);
unset($_SESSION['my_address']);
unset($_SESSION['addr']);
unset($_SESSION['return_url']);
unset($_SESSION['remote_service_class']);
unset($_SESSION['remote_hub']);
}
function new_cookie($time) {
$old_sid = session_id();
// ??? This shouldn't have any effect if called after session_start()
// We probably need to set the session expiration and change the PHPSESSID cookie.
// session_set_cookie_params($time);
session_regenerate_id(false);
q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
dbesc(session_id()),
dbesc($old_sid)
);
if (x($_COOKIE, 'jsAvailable')) {
if ($time) {
$expires = time() + $time;
} else {
$expires = 0;
}
setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
}
setcookie(session_name(),session_id(),$expires);
}
function ref_session_open ($s, $n) {
return true;
}
function ref_session_read ($id) {
global $session_exists;
if(x($id))
$r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));
if(count($r)) {
$session_exists = true;
return $r[0]['data'];
}
return '';
}
function ref_session_write ($id, $data) {
global $session_exists, $session_expire;
if(! $id || ! $data) {
return false;
}
$expire = time() + $session_expire;
$default_expire = time() + 300;
if($session_exists) {
q("UPDATE `session`
SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
dbesc($data),
dbesc($expire),
dbesc($id)
);
} else {
q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
//SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
dbesc($id),
dbesc($default_expire),
dbesc($data)
);
}
return true;
}
function ref_session_close() {
return true;
}
function ref_session_destroy ($id) {
q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
return true;
}
function ref_session_gc($expire) {
q("DELETE FROM session WHERE expire < %d", dbesc(time()));
return true;
}
$gc_probability = 50;
ini_set('session.gc_probability', $gc_probability);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);
/*
* Set our session storage functions.
*/
session_set_save_handler(
'ref_session_open',
'ref_session_close',
'ref_session_read',
'ref_session_write',
'ref_session_destroy',
'ref_session_gc'
);
// Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().
if(intval(App::$config['system']['ssl_cookie_protection'])) {
$arr = session_get_cookie_params();
session_set_cookie_params(
((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
((isset($arr['path'])) ? $arr['path'] : '/'),
((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),
((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
((isset($arr['httponly'])) ? $arr['httponly'] : true));
}

14
include/zot.php
View File

@ -4289,9 +4289,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// the web server. We should probably convert this to webserver time rather than DB time so // the web server. We should probably convert this to webserver time rather than DB time so
// that the different clocks won't affect it and allow us to keep the time short. // that the different clocks won't affect it and allow us to keep the time short.
q("delete from verify where type = 'auth' and created < %s - INTERVAL %s", Zotlabs\Zot\Verify::purge('auth','30 MINUTE');
db_utcnow(), db_quoteinterval('30 MINUTE')
);
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1", $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash) dbesc($sender_hash)
@ -4330,19 +4328,13 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// This additionally checks for forged sites since we already stored the expected result in meta // This additionally checks for forged sites since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token // and we've already verified that this is them via zot_gethub() and that their key signed our token
$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']), $z = Zotlabs\Zot\Verify::match('auth',$c[0]['channel_id'],$data['secret'],$data['sender']['url']);
dbesc($data['secret']),
dbesc($data['sender']['url'])
);
if (! $z) { if (! $z) {
logger('mod_zot: auth_check: verification key not found.'); logger('mod_zot: auth_check: verification key not found.');
$ret['message'] .= 'verification key not found' . EOL; $ret['message'] .= 'verification key not found' . EOL;
json_return_and_die($ret); json_return_and_die($ret);
} }
$r = q("delete from verify where id = %d",
intval($z[0]['id'])
);
$u = q("select account_service_class from account where account_id = %d limit 1", $u = q("select account_service_class from account where account_id = %d limit 1",
intval($c[0]['channel_account_id']) intval($c[0]['channel_account_id'])

10
mod/magic.php
View File

@ -135,13 +135,9 @@ function magic_init(&$a) {
$channel['token'] = $token; $channel['token'] = $token;
$channel['token_sig'] = $token_sig; $channel['token_sig'] = $token_sig;
$r = q("insert into verify ( type, channel, token, meta, created) values ('%s','%d','%s','%s','%s')",
dbesc('auth'), Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
intval($channel['channel_id']),
dbesc($token),
dbesc($x[0]['hubloc_url']),
dbesc(datetime_convert())
);
$target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . App::get_hostname()) $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . App::get_hostname())
. '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION; . '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION;