X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FModule%2FMagic.php;h=dc0d4f8ad118e5ffaf67069a354eac9f407b4c07;hb=8b02c285472ea28002cf9c8924e2885dd207ccd8;hp=c3a0168b457078920acc17e08658f4b5c938263b;hpb=53e38b03130ea798bba44db44ccb7f331dc4b91d;p=friendica.git

diff --git a/src/Module/Magic.php b/src/Module/Magic.php
index c3a0168b45..dc0d4f8ad1 100644
--- a/src/Module/Magic.php
+++ b/src/Module/Magic.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (C) 2010-2021, the Friendica project
+ * @copyright Copyright (C) 2010-2023, the Friendica project
  *
  * @license GNU AGPL version 3 or any later version
  *
@@ -21,14 +21,23 @@
 
 namespace Friendica\Module;
 
+use Exception;
+use Friendica\App;
 use Friendica\BaseModule;
-use Friendica\Core\Logger;
+use Friendica\Core\L10n;
+use Friendica\Core\Session\Capability\IHandleUserSessions;
 use Friendica\Core\System;
-use Friendica\Database\DBA;
-use Friendica\DI;
+use Friendica\Database\Database;
 use Friendica\Model\Contact;
+use Friendica\Model\GServer;
+use Friendica\Model\User;
+use Friendica\Network\HTTPClient\Capability\ICanSendHttpRequests;
+use Friendica\Network\HTTPClient\Client\HttpClientOptions;
 use Friendica\Util\HTTPSignature;
+use Friendica\Util\Profiler;
 use Friendica\Util\Strings;
+use GuzzleHttp\Psr7\Uri;
+use Psr\Log\LoggerInterface;
 
 /**
  * Magic Auth (remote authentication) module.
@@ -37,99 +46,132 @@ use Friendica\Util\Strings;
  */
 class Magic extends BaseModule
 {
-	public static function init(array $parameters = [])
+	/** @var App */
+	protected $app;
+	/** @var Database */
+	protected $dba;
+	/** @var ICanSendHttpRequests */
+	protected $httpClient;
+	/** @var IHandleUserSessions */
+	protected $userSession;
+
+	public function __construct(App $app, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, Database $dba, ICanSendHttpRequests $httpClient, IHandleUserSessions $userSession, $server, array $parameters = [])
 	{
-		$a = DI::app();
-		$ret = ['success' => false, 'url' => '', 'message' => ''];
-		Logger::info('magic mdule: invoked');
-
-		Logger::debug('args', ['request' => $_REQUEST]);
-
-		$addr = $_REQUEST['addr'] ?? '';
-		$dest = $_REQUEST['dest'] ?? '';
-		$test = (!empty($_REQUEST['test']) ? intval($_REQUEST['test']) : 0);
-		$owa  = (!empty($_REQUEST['owa'])  ? intval($_REQUEST['owa'])  : 0);
-		$cid  = 0;
-
-		if (!empty($addr)) {
-			$cid = Contact::getIdForURL($addr);
-		} elseif (!empty($dest)) {
-			$cid = Contact::getIdForURL($dest);
+		parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);
+
+		$this->app         = $app;
+		$this->dba         = $dba;
+		$this->httpClient  = $httpClient;
+		$this->userSession = $userSession;
+	}
+
+	protected function rawContent(array $request = [])
+	{
+		if ($_SERVER['REQUEST_METHOD'] == 'HEAD') {
+			$this->logger->debug('Got a HEAD request');
+			System::exit();
 		}
 
-		if (!$cid) {
-			Logger::info('No contact record found', $_REQUEST);
-			// @TODO Finding a more elegant possibility to redirect to either internal or external URL
-			$a->redirect($dest);
+		$this->logger->debug('Invoked', ['request' => $request]);
+
+		$addr  = $request['addr'] ?? '';
+		$dest  = $request['dest'] ?? '';
+		$bdest = $request['bdest'] ?? '';
+		$owa   = intval($request['owa'] ?? 0);
+
+		// bdest is preferred as it is hex-encoded and can survive url rewrite and argument parsing
+		if (!empty($bdest)) {
+			$dest = hex2bin($bdest);
+			$this->logger->debug('bdest detected', ['dest' => $dest]);
 		}
-		$contact = DBA::selectFirst('contact', ['id', 'nurl', 'url'], ['id' => $cid]);
-
-		// Redirect if the contact is already authenticated on this site.
-		if (!empty($a->contact) && array_key_exists('id', $a->contact) && strpos($contact['nurl'], Strings::normaliseLink(DI::baseUrl()->get())) !== false) {
-			if ($test) {
-				$ret['success'] = true;
-				$ret['message'] .= 'Local site - you are already authenticated.' . EOL;
-				return $ret;
+
+		$target = $dest ?: $addr;
+
+		if ($addr ?: $dest) {
+			$contact = Contact::getByURL($addr ?: $dest);
+		}
+
+		if (empty($contact)) {
+			if (!$owa) {
+				$this->logger->info('No contact record found, no oWA, redirecting to destination.', ['request' => $request, 'server' => $_SERVER, 'dest' => $dest]);
+				$this->app->redirect($dest);
+			}
+		} else {
+			// Redirect if the contact is already authenticated on this site.
+			if ($this->app->getContactId() && strpos($contact['nurl'], Strings::normaliseLink($this->baseUrl)) !== false) {
+				$this->logger->info('Contact is already authenticated, redirecting to destination.', ['dest' => $dest]);
+				System::externalRedirect($dest);
 			}
 
-			Logger::info('Contact is already authenticated');
-			System::externalRedirect($dest);
+			$this->logger->debug('Contact found', ['url' => $contact['url']]);
 		}
 
-		if (local_user()) {
-			$user = $a->user;
-
-			// OpenWebAuth
-			if ($owa) {
-				// Extract the basepath
-				// NOTE: we need another solution because this does only work
-				// for friendica contacts :-/ . We should have the basepath
-				// of a contact also in the contact table.
-				$exp = explode('/profile/', $contact['url']);
-				$basepath = $exp[0];
-
-				$header = [];
-				$header['Accept'] = 'application/x-dfrn+json, application/x-zot+json';
-				$header['X-Open-Web-Auth'] = Strings::getRandomHex();
-
-				// Create a header that is signed with the local users private key.
-				$header = HTTPSignature::createSig(
-					$header,
-					$user['prvkey'],
-					'acct:' . $user['nickname'] . '@' . DI::baseUrl()->getHostname() . (DI::baseUrl()->getUrlPath() ? '/' . DI::baseUrl()->getUrlPath() : '')
-				);
-
-				// Try to get an authentication token from the other instance.
-				$curlResult = DI::httpRequest()->get($basepath . '/owa', ['header' => $header]);
-
-				if ($curlResult->isSuccess()) {
-					$j = json_decode($curlResult->getBody(), true);
-
-					if ($j['success']) {
-						$token = '';
-						if ($j['encrypted_token']) {
-							// The token is encrypted. If the local user is really the one the other instance
-							// thinks he/she is, the token can be decrypted with the local users public key.
-							openssl_private_decrypt(Strings::base64UrlDecode($j['encrypted_token']), $token, $user['prvkey']);
-						} else {
-							$token = $j['token'];
-						}
-						$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;
-
-						Logger::info('Redirecting', ['path' => $dest . $args]);
-						System::externalRedirect($dest . $args);
-					}
-				}
+		if (!$this->userSession->getLocalUserId() || !$owa) {
+			$this->logger->notice('Not logged in or not OWA, redirecting to destination.', ['uid' => $this->userSession->getLocalUserId(), 'owa' => $owa, 'dest' => $dest]);
+			$this->app->redirect($dest);
+		}
+
+		// OpenWebAuth
+		$owner = User::getOwnerDataById($this->userSession->getLocalUserId());
+
+		if (!empty($contact['gsid'])) {
+			$gserver = $this->dba->selectFirst('gserver', ['url'], ['id' => $contact['gsid']]);
+			if (empty($gserver)) {
+				$this->logger->notice('Server not found, redirecting to destination.', ['gsid' => $contact['gsid'], 'dest' => $dest]);
 				System::externalRedirect($dest);
 			}
+
+			$basepath = $gserver['url'];
+		} elseif (GServer::check($target)) {
+			$basepath = (string)GServer::cleanUri(new Uri($target));
+		} else {
+			$this->logger->notice('The target is not a server path, redirecting to destination.', ['target' => $target]);
+			System::externalRedirect($dest);
+		}
+
+		$header = [
+			'Accept'          => 'application/x-dfrn+json, application/x-zot+json',
+			'X-Open-Web-Auth' => Strings::getRandomHex()
+		];
+
+		// Create a header that is signed with the local users private key.
+		$header = HTTPSignature::createSig(
+			$header,
+			$owner['prvkey'],
+			'acct:' . $owner['addr']
+		);
+
+		$this->logger->info('Fetch from remote system', ['basepath' => $basepath, 'headers' => $header]);
+
+		// Try to get an authentication token from the other instance.
+		try {
+			$curlResult = $this->httpClient->request('get', $basepath . '/owa', [HttpClientOptions::HEADERS => $header]);
+		} catch (Exception $exception) {
+			$this->logger->notice('URL is invalid, redirecting to destination.', ['url' => $basepath, 'error' => $exception, 'dest' => $dest]);
+			System::externalRedirect($dest);
+		}
+		if (!$curlResult->isSuccess()) {
+			$this->logger->notice('OWA request failed, redirecting to destination.', ['returncode' => $curlResult->getReturnCode(), 'dest' => $dest]);
+			System::externalRedirect($dest);
+		}
+
+		$j = json_decode($curlResult->getBody(), true);
+		if (empty($j) || !$j['success']) {
+			$this->logger->notice('Invalid JSON, redirecting to destination.', ['json' => $j, 'dest' => $dest]);
+			$this->app->redirect($dest);
 		}
 
-		if ($test) {
-			$ret['message'] = 'Not authenticated or invalid arguments' . EOL;
-			return $ret;
+		if ($j['encrypted_token']) {
+			// The token is encrypted. If the local user is really the one the other instance
+			// thinks they is, the token can be decrypted with the local users public key.
+			$token = '';
+			openssl_private_decrypt(Strings::base64UrlDecode($j['encrypted_token']), $token, $owner['prvkey']);
+		} else {
+			$token = $j['token'];
 		}
+		$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;
 
-		// @TODO Finding a more elegant possibility to redirect to either internal or external URL
-		$a->redirect($dest);
+		$this->logger->debug('Redirecting', ['path' => $dest . $args]);
+		System::externalRedirect($dest . $args);
 	}
 }