on successful magic-auth, put remote_service_class and remote_hub into the session

This commit is contained in:
friendica 2013-12-03 16:31:05 -08:00
parent 6c321be03c
commit f57909d190
2 changed files with 23 additions and 4 deletions


@ -22,6 +22,8 @@ function nuke_session() {
unset($_SESSION['my_address']); unset($_SESSION['my_address']);
unset($_SESSION['addr']); unset($_SESSION['addr']);
unset($_SESSION['return_url']); unset($_SESSION['return_url']);
unset($_SESSION['remote_service_class']);
unset($_SESSION['remote_hub']);
} }
/** /**


@ -36,7 +36,7 @@ function post_init(&$a) {
* If no information has been recorded about the requesting identity a zot information packet will be retrieved before * If no information has been recorded about the requesting identity a zot information packet will be retrieved before
* continuing. * continuing.
* *
* The sender of this packet is a random site channel. The recipients will be a single recipient corresponding * The sender of this packet is an arbitrary/random site channel. The recipients will be a single recipient corresponding
* to the guid and guid_sig we have associated with the requesting auth identity * to the guid and guid_sig we have associated with the requesting auth identity
* *
* *
@ -68,12 +68,15 @@ function post_init(&$a) {
* { * {
* "success":1, * "success":1,
* "confirm":"q0Ysovd1u..." * "confirm":"q0Ysovd1u..."
* "service_class":(optional)
* } * }
* *
* 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the * 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
* base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key. * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key.
* This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful
* verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login. * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login.
* Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is
* a string whose contents are not defined by protocol. Example: "basic" or "gold".
* *
* *
* *
@ -133,6 +136,8 @@ function post_init(&$a) {
$remote = remote_user(); $remote = remote_user();
$result = null; $result = null;
$remote_service_class = '';
$remote_hub = $x[0]['hubloc_url'];
$already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false); $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false);
@ -158,6 +163,8 @@ function post_init(&$a) {
logger('mod_zot: auth: final confirmation failed.'); logger('mod_zot: auth: final confirmation failed.');
goaway($desturl); goaway($desturl);
} }
if(array_key_exists('service_class',$j))
$remote_service_class = $j['service_class'];
} }
// everything is good... maybe // everything is good... maybe
if(local_user()) { if(local_user()) {
@ -172,16 +179,20 @@ function post_init(&$a) {
goaway($desturl); goaway($desturl);
} }
// log them in // log them in
$_SESSION['authenticated'] = 1; $_SESSION['authenticated'] = 1;
$_SESSION['visitor_id'] = $x[0]['xchan_hash']; $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
$_SESSION['my_address'] = $address; $_SESSION['my_address'] = $address;
$arr = array('xchan' => $x[0], 'url' => $desturl, 'channel_address' => $webbie); $_SESSION['remote_service_class'] = $remote_service_class;
$_SESSION['remote_hub'] = $remote_hub;
$arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION);
call_hooks('magic_auth_success',$arr); call_hooks('magic_auth_success',$arr);
$a->set_observer($x[0]); $a->set_observer($x[0]);
require_once('include/security.php'); require_once('include/security.php');
$a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
logger('mod_zot: auth success from ' . $x[0]['xchan_addr'] . ' for ' . $webbie); logger('mod_zot: auth success from ' . $x[0]['xchan_addr']);
} else { } else {
logger('mod_zot: magic-auth failure - not authenticated: ' . $x[0]['xchan_addr']); logger('mod_zot: magic-auth failure - not authenticated: ' . $x[0]['xchan_addr']);
@ -624,7 +635,7 @@ function post_post(&$a) {
$arr = $data['recipients'][0]; $arr = $data['recipients'][0];
$recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); $recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
$c = q("select channel_id, channel_prvkey from channel where channel_hash = '%s' limit 1", $c = q("select channel_id, channel_account_id, channel_prvkey from channel where channel_hash = '%s' limit 1",
dbesc($recip_hash) dbesc($recip_hash)
); );
if(! $c) { if(! $c) {
@ -650,9 +661,15 @@ function post_post(&$a) {
intval($z[0]['id']) intval($z[0]['id'])
); );
$u = q("select account_service_class from account where account_id = %d limit 1",
intval($c[0]['channel_account_id'])
);
logger('mod_zot: auth_check: success', LOGGER_DEBUG); logger('mod_zot: auth_check: success', LOGGER_DEBUG);
$ret['success'] = true; $ret['success'] = true;
$ret['confirm'] = $confirm; $ret['confirm'] = $confirm;
if($u && $u[0]['account_service_class'])
$ret['service_class'] = $u[0]['account_service_class'];
json_return_and_die($ret); json_return_and_die($ret);
} }
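Review bot: The `service_class` value copied into `$remote_service_class` and then into `$_SESSION` is taken straight from the remote hub's JSON reply with no type or length check, even though the new docblock says its contents are not defined by the protocol; a non-string (array, object, very long blob) would land in the session and in the `magic_auth_success` hook payload as-is. Tighten the assignment to `if(array_key_exists('service_class',$j) && is_string($j['service_class']))` and consider capping the length, since sites that map this to access rights should only ever see a short token. It is also worth a comment at that point that the value is the remote hub's self-asserted account tier, verified only insofar as the `confirm` signature proves the reply came from that hub, not by any local check. Note that post_init's body begins and ends outside these hunks, so the guard would sit inside the existing confirmed-auth branch shown here.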