streams/Code/Module/Owa.php

<?php

namespace Code\Module;

use Code\Web\HTTPSig;
use Code\Lib\Verify;
use Code\Web\Controller;

/**
 * OpenWebAuth verifier and token generator
 * See spec/OpenWebAuth/Home.md
 * Requests to this endpoint should be signed using HTTP Signatures
 * using the 'Authorization: Signature' authentication method
 * If the signature verifies a token is returned.
 *
 * This token may be exchanged for an authenticated cookie.
 */
class Owa extends Controller
{

    public function init()
    {

        $ret = ['success' => false];

        if (array_key_exists('REDIRECT_REMOTE_USER', $_SERVER) && (!array_key_exists('HTTP_AUTHORIZATION', $_SERVER))) {
            $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER'];
        }


        if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER) && str_starts_with(trim($_SERVER['HTTP_AUTHORIZATION']), 'Signature')) {
            $sigblock = HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']);
            if ($sigblock) {
                $keyId = $sigblock['keyId'];
                if ($keyId) {
                    $r = q(
                        "select * from hubloc left join xchan on hubloc_hash = xchan_hash 
						where ( hubloc_addr = '%s' or hubloc_id_url = '%s' ) and hubloc_deleted = 0 and xchan_pubkey != '' 
						ORDER BY hubloc_id desc",
                        dbesc(str_replace('acct:', '', $keyId)),
                        dbesc($keyId)
                    );
                    if (!$r) {
                        $found = discover_resource(str_replace('acct:', '', $keyId));
                        if ($found) {
                            $r = q(
                                "select * from hubloc left join xchan on hubloc_hash = xchan_hash 
								where ( hubloc_addr = '%s' or hubloc_id_url = '%s' ) and hubloc_deleted = 0 and xchan_pubkey != '' 
								ORDER BY hubloc_id desc",
                                dbesc(str_replace('acct:', '', $keyId)),
                                dbesc($keyId)
                            );
                        }
                    }
                    if ($r) {
                        foreach ($r as $hubloc) {
                            $verified = HTTPSig::verify(file_get_contents('php://input'), $hubloc['xchan_pubkey']);
                            if ($verified && $verified['header_signed'] && $verified['header_valid'] && ($verified['content_valid'] || (!$verified['content_signed']))) {
                                logger('OWA header: ' . print_r($verified, true), LOGGER_DATA);
                                logger('OWA success: ' . $hubloc['hubloc_addr'], LOGGER_DATA);
                                $ret['success'] = true;
                                $token = random_string(32);
                                Verify::create('owt', 0, $token, $hubloc['hubloc_addr']);
                                $result = '';
                                openssl_public_encrypt($token, $result, $hubloc['xchan_pubkey']);
                                $ret['encrypted_token'] = base64url_encode($result);
                                break;
                            } else {
                                logger('OWA fail: ' . $hubloc['hubloc_id'] . ' ' . $hubloc['hubloc_addr']);
                            }
                        }
                    }
                }
            }
        }
        json_return_and_die($ret, 'application/x-nomad+json');
    }
}
owa - first commit 2017-09-08 00:56:02 +00:00			`<?php`

it's done 2022-02-16 04:08:28 +00:00			`namespace Code\Module;`
owa - first commit 2017-09-08 00:56:02 +00:00
it's done 2022-02-16 04:08:28 +00:00			`use Code\Web\HTTPSig;`
			`use Code\Lib\Verify;`
			`use Code\Web\Controller;`
make owa work for zot urls 2018-06-19 02:10:49 +00:00
owa: missed the set-observer stuff 2017-09-08 23:00:27 +00:00			`/**`
			`* OpenWebAuth verifier and token generator`
issues with autoperms, rewrite owa, upstream fixes to main.js 2019-01-23 22:27:51 +00:00			`* See spec/OpenWebAuth/Home.md`
owa: missed the set-observer stuff 2017-09-08 23:00:27 +00:00			`* Requests to this endpoint should be signed using HTTP Signatures`
			`* using the 'Authorization: Signature' authentication method`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`* If the signature verifies a token is returned.`
owa: missed the set-observer stuff 2017-09-08 23:00:27 +00:00			`*`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`* This token may be exchanged for an authenticated cookie.`
owa: missed the set-observer stuff 2017-09-08 23:00:27 +00:00			`*/`
psr12 updates 2021-12-02 23:02:31 +00:00			`class Owa extends Controller`
			`{`
owa - first commit 2017-09-08 00:56:02 +00:00
psr12 updates 2021-12-02 23:02:31 +00:00			`public function init()`
			`{`
owa - first commit 2017-09-08 00:56:02 +00:00
psr12 updates 2021-12-02 23:02:31 +00:00			`$ret = ['success' => false];`
owa - first commit 2017-09-08 00:56:02 +00:00
psr12 updates 2021-12-02 23:02:31 +00:00			`if (array_key_exists('REDIRECT_REMOTE_USER', $_SERVER) && (!array_key_exists('HTTP_AUTHORIZATION', $_SERVER))) {`
			`$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER'];`
			`}`
owa cleanup 2017-09-09 20:34:57 +00:00
owa issues 2018-08-03 23:03:16 +00:00
cleanup 2022-09-04 00:01:52 +00:00			`if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER) && str_starts_with(trim($_SERVER['HTTP_AUTHORIZATION']), 'Signature')) {`
psr12 updates 2021-12-02 23:02:31 +00:00			`$sigblock = HTTPSig::parse_sigheader($_SERVER['HTTP_AUTHORIZATION']);`
			`if ($sigblock) {`
			`$keyId = $sigblock['keyId'];`
			`if ($keyId) {`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$r = q(`
			`"select * from hubloc left join xchan on hubloc_hash = xchan_hash`
fix a few more places where hubloc_addr confusion can potentially occur. 2022-12-31 20:02:03 +00:00			`where ( hubloc_addr = '%s' or hubloc_id_url = '%s' ) and hubloc_deleted = 0 and xchan_pubkey != ''`
			`ORDER BY hubloc_id desc",`
psr12 updates 2021-12-02 23:02:31 +00:00			`dbesc(str_replace('acct:', '', $keyId)),`
			`dbesc($keyId)`
			`);`
			`if (!$r) {`
rename discover_by_webbie() to discover_resource() 2022-09-03 21:30:13 +00:00			`$found = discover_resource(str_replace('acct:', '', $keyId));`
psr12 updates 2021-12-02 23:02:31 +00:00			`if ($found) {`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$r = q(`
			`"select * from hubloc left join xchan on hubloc_hash = xchan_hash`
fix a few more places where hubloc_addr confusion can potentially occur. 2022-12-31 20:02:03 +00:00			`where ( hubloc_addr = '%s' or hubloc_id_url = '%s' ) and hubloc_deleted = 0 and xchan_pubkey != ''`
			`ORDER BY hubloc_id desc",`
psr12 updates 2021-12-02 23:02:31 +00:00			`dbesc(str_replace('acct:', '', $keyId)),`
			`dbesc($keyId)`
			`);`
			`}`
			`}`
			`if ($r) {`
			`foreach ($r as $hubloc) {`
			`$verified = HTTPSig::verify(file_get_contents('php://input'), $hubloc['xchan_pubkey']);`
			`if ($verified && $verified['header_signed'] && $verified['header_valid'] && ($verified['content_valid'] \|\| (!$verified['content_signed']))) {`
			`logger('OWA header: ' . print_r($verified, true), LOGGER_DATA);`
			`logger('OWA success: ' . $hubloc['hubloc_addr'], LOGGER_DATA);`
			`$ret['success'] = true;`
			`$token = random_string(32);`
			`Verify::create('owt', 0, $token, $hubloc['hubloc_addr']);`
			`$result = '';`
			`openssl_public_encrypt($token, $result, $hubloc['xchan_pubkey']);`
			`$ret['encrypted_token'] = base64url_encode($result);`
			`break;`
			`} else {`
			`logger('OWA fail: ' . $hubloc['hubloc_id'] . ' ' . $hubloc['hubloc_addr']);`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
Merge branch 'dev' of /home/macgirvin/roadhouse into dev 2021-12-06 21:19:19 +00:00			`json_return_and_die($ret, 'application/x-nomad+json');`
psr12 updates 2021-12-02 23:02:31 +00:00			`}`
owa - first commit 2017-09-08 00:56:02 +00:00			`}`