plug potential hole in magic auth, add link to chanview to view in dedicated window

include/Contact.php

@@ -1,7 +1,7 @@
 <?php
 
 
-function vcard_from_xchan($xchan) {
+function vcard_from_xchan($xchan, $observer = null, $mode = '') {
 
 	$connect = false;
 	if(local_user()) {
@@ -12,12 +12,20 @@ function vcard_from_xchan($xchan) {
 		if(! $r)
 			$connect = t('Connect');
 	}
-	
+
+	$url = (($observer) 
+		? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] 
+		: $xchan['xchan_url']
+	);
+					
 	return replace_macros(get_markup_template('xchan_vcard.tpl'),array(
 		'$name'    => $xchan['xchan_name'],
 		'$photo'   => $xchan['xchan_photo_l'],
 		'$follow'  => $xchan['xchan_addr'],
-		'$connect' => $connect
+		'$connect' => $connect,
+		'$newwin'  => (($mode === 'chanview') ? t('New window') : ''),
+		'$newtit'  => t('Open the selected location in a different window or browser tab'),
+		'$url'     => $url,
 	));
 }
 

mod/chanview.php

@@ -76,7 +76,7 @@ function chanview_content(&$a) {
 	}
 
 	if($xchan['xchan_hash'])
-		$a->set_widget('vcard',vcard_from_xchan($xchan));
+		$a->set_widget('vcard',vcard_from_xchan($xchan,$observer,'chanview'));
 				
 	$url = (($observer) 
 		? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] 

mod/connections.php

@@ -28,7 +28,7 @@ function connections_init(&$a) {
 function connections_aside(&$a) {
 
 	if(x($a->data,'abook')) {
-		$a->set_widget('vcard',vcard_from_xchan($a->data['abook']));
+		$a->set_widget('vcard',vcard_from_xchan($a->data['abook'],$a->get_observer()));
 	}
 	else {
 		$a->set_widget('follow', follow_widget());

mod/magic.php

@@ -85,7 +85,7 @@ function magic_init(&$a) {
 			dbesc('auth'),
 			intval($channel['channel_id']),
 			dbesc($token),
-			dbesc($hubloc['hubloc_hash']),
+			dbesc($x[0]['hubloc_hash']),
 			dbesc(datetime_convert())
 		);
 

mod/post.php

@@ -44,7 +44,7 @@ function post_init(&$a) {
 			);
 			if(! $c) {
 				logger('mod_zot: auth: unable to find channel ' . $webbie);
-				// They'll get a notice when they hit the page, we don't need two. 
+				// They'll get a notice when they hit the page, we don't need two of them. 
 				goaway($desturl);
 			}
 
@@ -70,33 +70,39 @@ function post_init(&$a) {
 
 			// check credentials and access
 
-			// Auth packets MUST use ultra top-secret hush-hush mode 
+			// If they are already authenticated and haven't changed credentials, 
+			// we can save an expensive network round trip and improve performance.
 
-			$p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec);
-			$result = zot_zot($x[0]['hubloc_callback'],$p);
+			$remote = remote_user();
+			$result = null;
 
-			if($result['success']) {
+			$already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false); 
+
+			if(! $already_authed) {
+				// Auth packets MUST use ultra top-secret hush-hush mode 
+				$p = zot_build_packet($c[0],$type = 'auth_check',
+					array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), 
+					$x[0]['hubloc_sitekey'], $sec);
+				$result = zot_zot($x[0]['hubloc_callback'],$p);
+				if(! $result['success'])
+					goaway($desturl);
 				$j = json_decode($result['body'],true);
-				if($j['result']) {
-					// everything is good... maybe
-					if(local_user()) {
-						notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
-						goaway($desturl);
-					}
-					// log them in
-					$_SESSION['authenticated'] = 1;
-					$_SESSION['visitor_id'] = $x[0]['xchan_hash'];
-					$a->set_observer($x[0]);
-					require_once('include/security.php');
-					$a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
-					info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
-				}
 			}
 
-
-
-
-			
+			if($already_authed || $j['result']) {
+				// everything is good... maybe
+				if(local_user()) {
+					notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
+					goaway($desturl);
+				}
+				// log them in
+				$_SESSION['authenticated'] = 1;
+				$_SESSION['visitor_id'] = $x[0]['xchan_hash'];
+				$a->set_observer($x[0]);
+				require_once('include/security.php');
+				$a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
+				info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
+			}
 
 			goaway($desturl);
 		}
@@ -274,13 +280,22 @@ function post_post(&$a) {
 		$arr = $data['sender'];
 		$sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
 
+		// garbage collect any old unused notifications
+		q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE");
+
 		$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
 			dbesc($sender_hash)
 		);
+		// We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
+		// the verify table. It is now coming back to us as 'secret' and is signed by the other site.
+		// First verify their signature.
+
 		if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
 			logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
 			json_return_and_die($ret);
 		}
+
+		// There should be exactly one recipient
 		if($data['recipients']) {
 
 			$arr = $data['recipients'][0];
@@ -292,9 +307,14 @@ function post_post(&$a) {
 				logger('mod_zot: auth_check: recipient channel not found.');
 				json_return_and_die($ret);
 			}
-			$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1",
+
+			// This additionally checks for forged senders since we already stored the expected result in meta
+			// and we've already verified that this is them via zot_gethub() and that their key signed our token
+
+			$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
 				intval($c[0]['channel_id']),
-				dbesc($data['secret'])
+				dbesc($data['secret']),
+				dbesc($sender_hash)
 			);
 			if(! $z) {
 				logger('mod_zot: auth_check: verification key not found.');

version.inc

@@ -1 +1 @@
-2013-01-22.208
+2013-01-23.209

view/tpl/smarty3/jot-header.tpl

@@ -134,7 +134,7 @@ function enableOnUser(){
 
 		var uploader = new window.AjaxUpload(
 			'wall-image-upload',
-			{ action: 'wall_upload/{{$nickname}}',
+			{ action: '{{$baseurl}}/wall_upload/{{$nickname}}',
 				name: 'userfile',
 				onSubmit: function(file,ext) { $('#profile-rotator').show(); },
 				onComplete: function(file,response) {
@@ -145,7 +145,7 @@ function enableOnUser(){
 		);
 		var file_uploader = new window.AjaxUpload(
 			'wall-file-upload',
-			{ action: 'wall_attach/{{$nickname}}',
+			{ action: '{{$baseurl}}/wall_attach/{{$nickname}}',
 				name: 'userfile',
 				onSubmit: function(file,ext) { $('#profile-rotator').show(); },
 				onComplete: function(file,response) {
@@ -181,7 +181,7 @@ function enableOnUser(){
 		if(reply && reply.length) {
 			reply = bin2hex(reply);
 			$('#profile-rotator').show();
-			$.get('parse_url?binurl=' + reply, function(data) {
+			$.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
 				addeditortext(data);
 				$('#profile-rotator').hide();
 			});
@@ -214,7 +214,7 @@ function enableOnUser(){
 		if ($('#jot-popup').length != 0) $('#jot-popup').show();
 
 		$('#like-rotator-' + id).show();
-		$.get('share/' + id, function(data) {
+		$.get('{{$baseurl}}/share/' + id, function(data) {
 			if (!editor) $("#profile-jot-text").val("");
 			initEditor(function(){
 				addeditortext(data);
@@ -238,7 +238,7 @@ function enableOnUser(){
 		if(reply && reply.length) {
 			reply = bin2hex(reply);
 			$('#profile-rotator').show();
-			$.get('parse_url?binurl=' + reply, function(data) {
+			$.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
 				if (!editor) $("#profile-jot-text").val("");
 				initEditor(function(){
 					addeditortext(data);
@@ -257,7 +257,7 @@ function enableOnUser(){
 				commentBusy = true;
 				$('body').css('cursor', 'wait');
 
-				$.get('tagger/' + id + '?term=' + reply);
+				$.get('{{$baseurl}}/tagger/' + id + '?term=' + reply);
 				if(timer) clearTimeout(timer);
 				timer = setTimeout(NavUpdate,3000);
 				liking = 1;
@@ -284,7 +284,7 @@ function enableOnUser(){
 				if(reply && reply.length) {
 					commentBusy = true;
 					$('body').css('cursor', 'wait');
-					$.get('filer/' + id + '?term=' + reply, NavUpdate);
+					$.get('{{$baseurl}}/filer/' + id + '?term=' + reply, NavUpdate);
 //					if(timer) clearTimeout(timer);
 //					timer = setTimeout(NavUpdate,3000);
 					liking = 1;

view/tpl/smarty3/xchan_vcard.tpl

@@ -10,6 +10,11 @@
 {{if $connect}}
 	<li><a id="follow-link" href="follow?f=&url={{$follow}}">{{$connect}}</a></li>
 {{/if}}
+{{if $newwin}}
+	<li><a id="visit-chan-link" href="{{$url}}" title="{{$newtit}}" target="_blank" >{{$newwin}}</a></li>
+{{/if}}
 </ul>
+
+
 </div>
 

view/tpl/xchan_vcard.tpl

@@ -10,6 +10,11 @@
 {{ if $connect }}
 	<li><a id="follow-link" href="follow?f=&url=$follow">$connect</a></li>
 {{ endif }}
+{{ if $newwin }}
+	<li><a id="visit-chan-link" href="$url" title="$newtit" target="_blank" >$newwin</a></li>
+{{ endif }}
 </ul>
+
+
 </div>