Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-19 21:55:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

sort out some of the authentication mess - with luck this may fix the DAV auth issue which I simply could not duplicate or find a reason for.

Browse source
This commit is contained in:
redmatrix 2016-07-20 17:55:40 -07:00
parent d54ad98802
commit 3affb2e817
13 changed files with 132 additions and 195 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
Zotlabs/Module/Dav.php
View file

@ -48,55 +48,13 @@ class Dav extends \Zotlabs\Web\Controller {
if (! is_dir('store'))
os_mkdir('store', STORAGE_DEFAULT_PERMISSIONS, false);
$which = null;
if (argc() > 1)
$which = argv(1);
profile_load(argv(1),0);
$profile = 0;
\App::$page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . z_root() . '/feed/' . $which . '" />' . "\r\n";
if ($which)
profile_load( $which, $profile);
$auth = new \Zotlabs\Storage\BasicAuth();
$auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . 'WebDAV');
$auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV');
// $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function($userName,$password) {
// if(account_verify_password($userName,$password))
// return true;
// return false;
// });
// $ob_hash = get_observer_hash();
// if ($ob_hash) {
// if (local_channel()) {
// $channel = \App::get_channel();
// $auth->setCurrentUser($channel['channel_address']);
// $auth->channel_id = $channel['channel_id'];
// $auth->channel_hash = $channel['channel_hash'];
// $auth->channel_account_id = $channel['channel_account_id'];
// if($channel['channel_timezone'])
// $auth->setTimezone($channel['channel_timezone']);
// }
// $auth->observer = $ob_hash;
// }
// if ($_GET['davguest'])
// $_SESSION['davguest'] = true;
// $_SERVER['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['QUERY_STRING']);
// $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
// $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['QUERY_STRING']);
//
// $_SERVER['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['REQUEST_URI']);
// $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
// $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['REQUEST_URI']);
$rootDirectory = new \Zotlabs\Storage\Directory('/', $auth);
// A SabreDAV server-object
@ -113,48 +71,13 @@ class Dav extends \Zotlabs\Web\Controller {
$server->addPlugin($lockPlugin);
// The next section of code allows us to bypass prompting for http-auth if a
// FILE is being accessed anonymously and permissions allow this. This way
// one can create hotlinks to public media files in their cloud and anonymous
// viewers won't get asked to login.
// If a DIRECTORY is accessed or there are permission issues accessing the
// file and we aren't previously authenticated via zot, prompt for HTTP-auth.
// This will be the default case for mounting a DAV directory.
// In order to avoid prompting for passwords for viewing a DIRECTORY, add
// the URL query parameter 'davguest=1'.
// $isapublic_file = false;
// $davguest = ((x($_SESSION, 'davguest')) ? true : false);
// if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
// try {
// $x = RedFileData('/' . \App::$cmd, $auth);
// if($x instanceof \Zotlabs\Storage\File)
// $isapublic_file = true;
// }
// catch (Exception $e) {
// $isapublic_file = false;
// }
// }
// if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
// try {
// $auth->Authenticate($server, t('$Projectname channel'));
// }
// catch (Exception $e) {
// logger('mod_cloud: auth exception' . $e->getMessage());
// http_status_exit($e->getHTTPCode(), $e->getMessage());
// }
// }
// require_once('Zotlabs/Storage/Browser.php');
// provide a directory view for the cloud in Hubzilla
$browser = new \Zotlabs\Storage\Browser($auth);
$auth->setBrowserPlugin($browser);
// Experimental QuotaPlugin
// require_once('Zotlabs/Storage/QuotaPlugin.php');
// $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
// require_once('Zotlabs/Storage/QuotaPlugin.php');
// $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
// All we need to do now, is to fire up the server
$server->exec();

3
Zotlabs/Module/Login.php
View file

@ -7,6 +7,9 @@ class Login extends \Zotlabs\Web\Controller {
function get() {
if(local_channel())
goaway(z_root());
if(remote_channel() && $_SESSION['atoken'])
goaway(z_root());
return login((\App::$config['system']['register_policy'] == REGISTER_CLOSED) ? false : true);
}

2
Zotlabs/Module/Openid.php
View file

@ -48,7 +48,7 @@ class Openid extends \Zotlabs\Web\Controller {
$_SESSION['uid'] = $r[0]['channel_id'];
$_SESSION['account_id'] = $r[0]['channel_account_id'];
$_SESSION['authenticated'] = true;
authenticate_success($record,true,true,true,true);
authenticate_success($record,$r[0],true,true,true,true);
goaway(z_root());
}
}

2
Zotlabs/Module/Register.php
View file

@ -146,7 +146,7 @@ class Register extends \Zotlabs\Web\Controller {
goaway(z_root());
}
authenticate_success($result['account'],true,false,true);
authenticate_success($result['account'],null,true,false,true);
$new_channel = false;
$next_page = 'new_channel';

3
Zotlabs/Module/Removeaccount.php
View file

@ -25,7 +25,8 @@ class Removeaccount extends \Zotlabs\Web\Controller {
$account = \App::get_account();
$account_id = get_account_id();
if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
$x = account_verify_password($account['account_email'],$_POST['qxz_password']);
if(! ($x && $x['account']))
return;
if($account['account_password_changed'] != NULL_DATE) {

4
Zotlabs/Module/Removeme.php
View file

@ -24,7 +24,9 @@ class Removeme extends \Zotlabs\Web\Controller {
$account = \App::get_account();
if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
$x = account_verify_password($account['account_email'],$_POST['qxz_password']);
if(! ($x && $x['account']))
return;
if($account['account_password_changed'] != NULL_DATE) {

37
Zotlabs/Storage/BasicAuth.php
View file

@ -91,33 +91,20 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic {
require_once('include/auth.php');
$record = account_verify_password($username, $password);
if ($record && $record['account_default_channel']) {
$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
intval($record['account_id']),
intval($record['account_default_channel'])
);
if($r && $this->check_module_access($r[0]['channel_id'])) {
return $this->setAuthenticated($r[0]);
if($record && $record['account']) {
if($record['channel'])
$channel = $record['channel'];
else {
$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
intval($record['account']['account_id']),
intval($record['account']['account_default_channel'])
);
if($r)
$channel = $r[0];
}
}
$r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1",
dbesc($username)
);
if ($r) {
$x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1",
intval($r[0]['channel_account_id'])
);
if ($x) {
// @fixme this foreach should not be needed?
foreach ($x as $record) {
if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED))
&& (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) {
logger('password verified for ' . $username);
if($this->check_module_access($r[0]['channel_id']))
return $this->setAuthenticated($r[0]);
}
}
}
if($channel && $this->check_module_access($channel['channel_id'])) {
return $this->setAuthenticated($channel);
}
if($this->module_disabled)

2
include/account.php
View file

@ -515,7 +515,7 @@ function account_approve($hash) {
auto_channel_create($register[0]['uid']);
else {
$_SESSION['login_return_url'] = 'new_channel';
authenticate_success($account[0],true,true,false,true);
authenticate_success($account[0],null,true,true,false,true);
}

14
include/api_auth.php
View file

@ -59,20 +59,12 @@ function api_login(&$a){
if(isset($_SERVER['PHP_AUTH_USER'])) {
$channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
if(! $record) {
$r = q("select * from channel left join account on account.account_id = channel.channel_account_id
where channel.channel_address = '%s' limit 1",
dbesc($_SERVER['PHP_AUTH_USER'])
);
if ($r) {
$record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
if($record)
$channel_login = $r[0]['channel_id'];
}
if($record && $record['channel']) {
$channel_login = $record['channel']['channel_id'];
}
}
if($record) {
if($record['account']) {
authenticate_success($record);
if($channel_login)

137
include/auth.php
View file

@ -20,62 +20,85 @@ require_once('include/security.php');
* attempts.
*
* @param string $email
* The email address to verify.
* The login to verify (channel address, account email or guest login token).
* @param string $pass
* The provided password to verify.
* @return array|null
* Returns account record on success, null on failure.
*/
function account_verify_password($email, $pass) {
function account_verify_password($login, $pass) {
$ret = [ 'account' => null, 'channel' => null, 'xchan' => null ];
$email_verify = get_config('system', 'verify_email');
$register_policy = get_config('system', 'register_policy');
if(! $login)
return null;
$account = null;
$channel = null;
$xchan = null;
if(! strpos($login,'@')) {
$channel = channelx_by_nick($login);
if(! $channel) {
$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
dbesc($login),
dbesc($pass)
);
if($x) {
$ret['xchan'] = atoken_xchan($x[0]);
return $ret;
}
}
}
if($channel) {
$where = " where account_id = " . intval($channel['channel_account_id']) . " ";
}
else {
$where = " where account_email = '" . dbesc($login) . "' ";
}
$a = q("select * from account $where");
if(! $a) {
return null;
}
$account = $a[0];
// Currently we only verify email address if there is an open registration policy.
// This isn't because of any policy - it's because the workflow gets too complicated if
// you have to verify the email and then go through the account approval workflow before
// letting them login.
// @bug there is no record here
//if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
// return null;
$r = q("select * from account where account_email = '%s'",
dbesc($email)
);
if($r) {
foreach($r as $record) {
if(($record['account_flags'] == ACCOUNT_OK)
&& (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
logger('password verified for ' . $email);
return $record;
}
}
if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) {
logger('email verification required for ' . $login);
return null;
}
$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
dbesc($email),
dbesc($pass)
);
if($x) {
atoken_login($x[0]);
return $x[0];
if(($account['account_flags'] == ACCOUNT_OK)
&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
logger('password verified for ' . $login);
$ret['account'] = $account;
if($channel)
$ret['channel'] = $channel;
return $ret;
}
$error = 'password failed for ' . $email;
$error = 'password failed for ' . $login;
logger($error);
if($record['account_flags'] & ACCOUNT_UNVERIFIED)
logger('Account is unverified. account_flags = ' . $record['account_flags']);
if($record['account_flags'] & ACCOUNT_BLOCKED)
logger('Account is blocked. account_flags = ' . $record['account_flags']);
if($record['account_flags'] & ACCOUNT_EXPIRED)
logger('Account is expired. account_flags = ' . $record['account_flags']);
if($record['account_flags'] & ACCOUNT_REMOVED)
logger('Account is removed. account_flags = ' . $record['account_flags']);
if($record['account_flags'] & ACCOUNT_PENDING)
logger('Account is pending. account_flags = ' . $record['account_flags']);
if($account['account_flags'] & ACCOUNT_UNVERIFIED)
logger('Account is unverified. account_flags = ' . $account['account_flags']);
if($account['account_flags'] & ACCOUNT_BLOCKED)
logger('Account is blocked. account_flags = ' . $account['account_flags']);
if($account['account_flags'] & ACCOUNT_EXPIRED)
logger('Account is expired. account_flags = ' . $account['account_flags']);
if($account['account_flags'] & ACCOUNT_REMOVED)
logger('Account is removed. account_flags = ' . $account['account_flags']);
if($account['account_flags'] & ACCOUNT_PENDING)
logger('Account is pending. account_flags = ' . $account['account_flags']);
log_failed_login($error);
@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->new_cookie(60 * 60 * 24); // one day
$_SESSION['last_login_date'] = datetime_convert();
unset($_SESSION['visitor_id']); // no longer a visitor
authenticate_success($x[0], true, true);
authenticate_success($x[0], null, true, true);
}
}
if(array_key_exists('atoken',$_SESSION)) {
@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->extend_cookie();
$login_refresh = true;
}
authenticate_success($r[0], false, false, false, $login_refresh);
$ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null);
authenticate_success($r[0], null, $ch, false, false, $login_refresh);
}
else {
$_SESSION['account_id'] = 0;
@ -218,37 +242,38 @@ else {
call_hooks('authenticate', $addon_auth);
$atoken = false;
$atoken = null;
$account = null;
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
$record = $addon_auth['user_record'];
$account = $addon_auth['user_record'];
}
else {
$x = account_verify_password($_POST['username'], $_POST['password']);
if(array_key_exists('atoken',$x))
$atoken = true;
if(! $atoken) {
$record = App::$account = $x;
$verify = account_verify_password($_POST['username'], $_POST['password']);
if($verify) {
$atoken = $verify['xchan'];
$channel = $verify['channel'];
$account = App::$account = $verify['account'];
}
if(App::$account) {
$_SESSION['account_id'] = App::$account['account_id'];
}
else {
notice( t('Failed authentication') . EOL);
}
logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
if(App::$account) {
$_SESSION['account_id'] = App::$account['account_id'];
}
elseif($atoken) {
atoken_login($atoken);
}
else {
notice( t('Failed authentication') . EOL);
}
}
if((! $record) || (! count($record))) {
if(! ($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
logger($error);
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
$authlog = get_config('system', 'authlog');
if ($authlog)
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
notice( t('Login failed.') . EOL );
goaway(z_root() . '/login');
}
@ -279,7 +304,7 @@ else {
$_SESSION['last_login_date'] = datetime_convert();
if(! $atoken)
authenticate_success($record, true, true);
authenticate_success($account,$channel,true, true);
}
}

2
include/oauth.php
View file

@ -170,7 +170,7 @@ class ZotOAuth1 extends OAuth1Server {
);
if($x) {
require_once('include/security.php');
authenticate_success($x[0],true,false,true,true);
authenticate_success($x[0],null,true,false,true,true);
$_SESSION['allow_api'] = true;
}
}

29
include/security.php
View file

@ -12,7 +12,7 @@
* @param bool $return
* @param bool $update_lastlog
*/
function authenticate_success($user_record, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
function authenticate_success($user_record, $channel = null, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
@ -23,11 +23,15 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$_SESSION['account_id'] = $user_record['account_id'];
$_SESSION['authenticated'] = 1;
if($channel)
$uid_to_load = $channel['channel_id'];
$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
? intval($_SESSION['uid'])
: intval(App::$account['account_default_channel'])
);
if(! $uid_to_load) {
$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
? intval($_SESSION['uid'])
: intval(App::$account['account_default_channel'])
);
}
if($uid_to_load) {
change_channel($uid_to_load);
@ -85,16 +89,12 @@ function authenticate_success($user_record, $login_initial = false, $interactive
function atoken_login($atoken) {
if(! $atoken)
return false;
$xchan = atoken_xchan($atoken);
$_SESSION['authenticated'] = 1;
$_SESSION['visitor_id'] = $xchan['xchan_hash'];
$_SESSION['visitor_id'] = $atoken['xchan_hash'];
$_SESSION['atoken'] = $atoken['atoken_id'];
\App::set_observer($xchan);
return [ 'atoken' => true ];
\App::set_observer($atoken);
return true;
}
@ -102,7 +102,8 @@ function atoken_xchan($atoken) {
$c = channelx_by_n($atoken['atoken_uid']);
if($c) {
return [
return [
'atoken_id' => $atoken['atoken_id'],
'xchan_hash' => substr($c['channel_hash'],0,16) . '.' . $atoken['atoken_name'],
'xchan_name' => $atoken['atoken_name'],
'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(),
@ -115,7 +116,7 @@ function atoken_xchan($atoken) {
];
}
return null;
}

7
util/fresh
View file

@ -82,12 +82,15 @@ function process_command($line) {
exec('/bin/stty echo');
echo "\n";
require_once('include/auth.php');
$record = App::$account = account_verify_password(argv(1),trim($x,"\n"));
$record = null;
$x = account_verify_password(argv(1),trim($x,"\n"));
if($x['account'])
$record = App::$account = $x['account'];
if($record) {
$_SESSION['account_id'] = App::$account['account_id'];
$_SESSION['last_login_date'] = datetime_convert();
authenticate_success($record, true, true);
authenticate_success($record, $x['channel'], true, true);
echo 'logged in';
$channel = App::get_channel();
if($channel)