require token signatures in zot_refresh, also move channel specific stuff into include/channel.php from include/connections.php

2024-09-19 21:35:13 +00:00 · 2016-05-24 23:05:00 -07:00 · 2016-05-24 23:05:00 -07:00 · c37eaff263
commit c37eaff263
parent 80f2ba640e
5 changed files with 50 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,6 +14,8 @@
 *.rej
 # OSX .DS_Store files
 .DS_Store
+# version scripts (repo master only) 
+.version*
 Thumbs.db


--- a/Zotlabs/Daemon/Queue.php
+++ b/Zotlabs/Daemon/Queue.php
@ -6,6 +6,7 @@ require_once('include/queue_fn.php');
 require_once('include/zot.php');

 class Queue {
+
 	static public function run($argc,$argv) {

 		require_once('include/items.php');
--- a/include/channel.php
+++ b/include/channel.php
@ -1945,3 +1945,26 @@ function get_zcard_embed($channel,$observer_hash = '',$args = array()) {
 	return $o;
 		
 }
+
+
+function channelx_by_nick($nick) {
+	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_address = '%s'  and channel_removed = 0 LIMIT 1",
+		dbesc($nick)
+	);
+	return(($r) ? $r[0] : false);
+}
+
+function channelx_by_hash($hash) {
+	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_hash = '%s'  and channel_removed = 0 LIMIT 1",
+		dbesc($hash)
+	);
+	return(($r) ? $r[0] : false);
+}
+
+function channelx_by_n($id) {
+	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_id = %d  and channel_removed = 0 LIMIT 1",
+		dbesc($id)
+	);
+	return(($r) ? $r[0] : false);
+}
+
--- a/include/connections.php
+++ b/include/connections.php
@ -48,27 +48,6 @@ function abook_self($channel_id) {
 	return(($r) ? $r[0] : array());
 }	

-function channelx_by_nick($nick) {
-	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_address = '%s'  and channel_removed = 0 LIMIT 1",
-		dbesc($nick)
-	);
-	return(($r) ? $r[0] : false);
-}
-
-function channelx_by_hash($hash) {
-	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_hash = '%s'  and channel_removed = 0 LIMIT 1",
-		dbesc($hash)
-	);
-	return(($r) ? $r[0] : false);
-}
-
-function channelx_by_n($id) {
-	$r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_id = %d  and channel_removed = 0 LIMIT 1",
-		dbesc($id)
-	);
-	return(($r) ? $r[0] : false);
-}
-

 function vcard_from_xchan($xchan, $observer = null, $mode = '') {

--- a/include/zot.php
+++ b/include/zot.php
@ -329,8 +329,12 @@ function zot_refresh($them, $channel = null, $force = false) {
 		return false;
 	}

+	$token = random_string();
+
 	$postvars = array();

+	$postvars['token'] = $token;
+
 	if($channel) {
 		$postvars['target']     = $channel['channel_guid'];
 		$postvars['target_sig'] = $channel['channel_guid_sig'];
@ -343,11 +347,13 @@ function zot_refresh($them, $channel = null, $force = false) {
 		$postvars['guid_hash'] = $them['xchan_hash'];
 	if (array_key_exists('xchan_guid',$them) && $them['xchan_guid']
 		&& array_key_exists('xchan_guid_sig',$them) && $them['xchan_guid_sig']) {
-
 		$postvars['guid'] = $them['xchan_guid'];
 		$postvars['guid_sig'] = $them['xchan_guid_sig'];
+
 	}

+	$token = random_string();
+
 	$rhs = '/.well-known/zot-info';

 	$result = z_post_url($url . $rhs,$postvars);
@ -363,6 +369,22 @@ function zot_refresh($them, $channel = null, $force = false) {
 			return false;
 		}

+		$signed_token = ((is_array($j) && array_key_exists('signed_token',$j)) ? $j['signed_token'] : null);
+		if($signed_token) {
+			$valid = rsa_verify('token.' . $token,base64url_decode($signed_token),$j['key']);
+			if(! $valid) {
+				logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
+				return false;
+			}
+		}
+		else {
+			logger('No signed token from '  . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
+			// after 2017-01-01 this will be a hard error unless you over-ride it.
+			if((time() > 1483228800) && (! get_config('system','allow_unsigned_zotfinger'))) {
+				return false;
+			}
+		}
+
 		$x = import_xchan($j, (($force) ? UPDATE_FLAGS_FORCED : UPDATE_FLAGS_UPDATED));

 		if(! $x['success'])
@ -1493,7 +1515,7 @@ function public_recips($msg) {
 /**
 * @brief
 *
- * This is the second part of public_recipes().
+ * This is the second part of public_recips().
 * We'll find all the channels willing to accept public posts from us, then
 * match them against the sender privacy scope and see who in that list that
 * the sender is allowing.