use Friendica\Core\Config\Cache\IConfigCache;
use Friendica\Core\Config\Configuration;
use Friendica\Database\DBA;
+use Friendica\Model\Profile;
use Friendica\Network\HTTPException\InternalServerErrorException;
+use Friendica\Util\HTTPSignature;
use Friendica\Util\Profiler;
use Psr\Log\LoggerInterface;
Core\Worker::executeIfIdle();
}
+ if ($this->getMode()->isNormal()) {
+ $requester = HTTPSignature::getSigner('', $_SERVER);
+ if (!empty($requester)) {
+ Profile::addVisitorCookieForHandle($requester);
+ }
+ }
+
// ZRL
if (!empty($_GET['zrl']) && $this->getMode()->isNormal()) {
$this->query_string = Model\Profile::stripZrls($this->query_string);
}
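Review bot: The signer lookup added at L12 runs on every normal-mode request, and on success L14 hands the handle to `Profile::addVisitorCookieForHandle`, which (per the Profile hunk, L61) appends a new entry to `$_SESSION['remote']` each time it is called; a client that keeps sending signed requests in the same session will therefore keep growing that array with duplicate entries unless something outside this hunk deduplicates it. Consider skipping the call when the session already holds a remote entry for that handle, or making the helper idempotent. Note also that the empty string passed as `$content` means the digest branch in HTTPSignature (`!empty($content)`, L109) can never contribute, so the whole authentication here rests on the signed `date` header falling inside the 300-second window; that is presumably intended, but it deserves a comment such as `// No body is passed: the signature is accepted on the strength of a signed, fresh date header only`. The enclosing method starts and ends outside this hunk.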
/**
- * OpenWebAuth authentication.
- *
- * Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/include/zid.php
+ * Set the visitor cookies (see remote_user()) for the given handle
*
- * @param string $token
- * @throws \Friendica\Network\HTTPException\InternalServerErrorException
- * @throws \ImagickException
+ * @param string $handle Visitor handle
+ * @return array Visitor contact array
*/
- public static function openWebAuthInit($token)
+ public static function addVisitorCookieForHandle($handle)
{
- $a = \get_app();
-
- // Clean old OpenWebAuthToken entries.
- OpenWebAuthToken::purge('owt', '3 MINUTE');
-
- // Check if the token we got is the same one
- // we have stored in the database.
- $visitor_handle = OpenWebAuthToken::getMeta('owt', 0, $token);
-
- if($visitor_handle === false) {
- return;
- }
-
// Try to find the public contact entry of the visitor.
- $cid = Contact::getIdForURL($visitor_handle);
- if(!$cid) {
- Logger::log('owt: unable to finger ' . $visitor_handle, Logger::DEBUG);
- return;
+ $cid = Contact::getIdForURL($handle);
+ if (!$cid) {
+ Logger::log('unable to finger ' . $handle, Logger::DEBUG);
+ return [];
}
$visitor = DBA::selectFirst('contact', [], ['id' => $cid]);
$_SESSION['remote'][] = ['cid' => $contact['id'], 'uid' => $contact['uid'], 'url' => $visitor['url']];
}
+
+ $a->contact = $visitor;
+
+ Logger::info('Authenticated visitor', ['url' => $visitor['url']]);
+
+ return $visitor;
+ }
+
+ /**
+ * OpenWebAuth authentication.
+ *
+ * Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/include/zid.php
+ *
+ * @param string $token
+ * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+ * @throws \ImagickException
+ */
+ public static function openWebAuthInit($token)
+ {
+ $a = \get_app();
+
+ // Clean old OpenWebAuthToken entries.
+ OpenWebAuthToken::purge('owt', '3 MINUTE');
+
+ // Check if the token we got is the same one
+ // we have stored in the database.
+ $visitor_handle = OpenWebAuthToken::getMeta('owt', 0, $token);
+
+ if ($visitor_handle === false) {
+ return;
+ }
+
+ $visitor = self::addVisitorCookieForHandle($visitor_handle);
+ if (empty($visitor)) {
+ return;
+ }
+
$arr = [
'visitor' => $visitor,
'url' => $a->query_string
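Review bot: `$a->contact = $visitor;` at L64 uses `$a`, but in the new body of `addVisitorCookieForHandle` nothing assigns it — the `$a = \get_app();` that used to open this function (removed at L37) now lives in `openWebAuthInit` at L82. Unless a context line between L36 and L50 was dropped in this rendering, L64 writes a property on an undefined variable, which is a warning plus a silently created object on PHP 7 and an `Error` on PHP 8. The fix is to add `$a = \get_app();` at the top of the method, before the contact lookup at L55. The docblock at L31-L32 could also state that an empty array means the handle could not be resolved, e.g. `@return array Visitor contact array, empty when the handle cannot be fingered`.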
return false;
}
+ $hasGoodSignedContent = false;
+
// Check the digest when it is part of the signed data
- if (in_array('digest', $sig_block['headers'])) {
+ if (!empty($content) && in_array('digest', $sig_block['headers'])) {
$digest = explode('=', $headers['digest'], 2);
if ($digest[0] === 'SHA-256') {
$hashalg = 'sha256';
if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
return false;
}
+
+ $hasGoodSignedContent = true;
}
// Check if the signed date field is in an acceptable range
Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid.");
return false;
}
+ $hasGoodSignedContent = true;
}
// Check the content-length when it is part of the signed data
}
}
+ // Ensure that the authentication had been done with some content
+ // Without this check someone could authenticate with fakeable data
+ if (!$hasGoodSignedContent) {
+ return false;
+ }
+
return $key['url'];
}
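Review bot: `!empty($content)` at L109 treats a request body consisting of the single character `0` as absent (`empty('0')` is true in PHP), so for that body the digest is never compared even when `digest` is among the signed headers; `$content !== ''` expresses the intent without that edge case. The new `$hasGoodSignedContent` flag is set by a verified digest (L117) or by a date inside the window (L123), but not by the content-length check at L125, so the comment at L128-L129 should say which checks count, e.g. `// Require that at least one replay-resistant field (digest or a fresh date) was signed and verified`. Since the digest comparison at L113 directly gates the new flag, it is also worth tightening that line from `!=` to a strict comparison, `hash_equals(base64_encode(hash($hashalg, $content, true)), $digest[1])`, so a numeric-looking header value cannot be loosely equal to the computed digest. The enclosing function starts before L103, outside this hunk.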