validate the security context

Zotlabs/Module/Magic.php

@@ -133,10 +133,10 @@ class Magic extends \Zotlabs\Web\Controller {
 			$channel = \App::get_channel();
 	
 			$token = random_string();
-			$token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
+//			$token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
 	 
-			$channel['token'] = $token;
-			$channel['token_sig'] = $token_sig;
+//			$channel['token'] = $token;
+//			$channel['token_sig'] = $token_sig;
 	
 			\Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
 	

Zotlabs/Zot/Auth.php

@@ -43,6 +43,12 @@ class Auth {
 			$this->Finalise();
 		}
 
+		if(strpbrk($this->sec,'.:')) {
+			logger('illegal security context');
+			$this->Debug('illegal security context.');
+			$this->Finalise();
+		}
+
 		$x = $this->GetHublocs($this->address);
 
 		if($x) {
@@ -153,6 +159,7 @@ class Auth {
 			dbesc($hubloc['hubloc_url'])
 		);
 
+		// needs a nonce!!!!
 		$p = zot_build_packet($channel,$type = 'auth_check', 
 			array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])), 
 			$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);

include/zot.php

@@ -4621,6 +4621,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 	// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
 	// verification.
 
+	// needs a nonce!!!!
 	if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
 		logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
 		$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;