mirror of
https://codeberg.org/streams/streams.git
synced 2024-09-19 21:55:15 +00:00
479 lines
13 KiB
PHP
479 lines
13 KiB
PHP
<?php
|
|
|
|
use Code\Lib\Libzot;
|
|
use Code\Lib\SConfig;
|
|
use Code\Lib\Verify;
|
|
use Code\Lib\Channel;
|
|
use Code\Extend\Hook;
|
|
|
|
function isOWAEnabled($url)
|
|
{
|
|
|
|
// in-memory cache to avoid repeated queries for the same host
|
|
static $remembered = [];
|
|
|
|
$parsedURL = @parse_url($url);
|
|
|
|
if (empty($parsedURL['scheme']) && empty($parsedURL['host'])) {
|
|
return false;
|
|
}
|
|
if (in_array($parsedURL['host'], $remembered)) {
|
|
return true;
|
|
}
|
|
|
|
$url = $parsedURL['scheme'] . '://' . $parsedURL['host'] . (($parsedURL['port']) ? ':' . $parsedURL['port'] : '');
|
|
if (SConfig::Get($url, 'system', 'owa')) {
|
|
$remembered[] = $parsedURL['host'];
|
|
return true;
|
|
}
|
|
|
|
$r = q("select hubloc_url from hubloc where hubloc_host = '%s' and hubloc_network in ('nomad','zot6') and hubloc_deleted = 0 limit 1",
|
|
dbesc($parsedURL['host'])
|
|
);
|
|
|
|
if ($r) {
|
|
$remembered[] = $parsedURL['host'];
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @brief Adds a zid parameter to a url.
|
|
*
|
|
* @param string $s
|
|
* The url to accept the zid
|
|
* @param bool $address
|
|
* $address to use instead of session environment
|
|
* @return string
|
|
*/
|
|
function zid($s, $address = '')
|
|
{
|
|
|
|
if (! strlen($s) || strpos($s, 'zid=')) {
|
|
return $s;
|
|
}
|
|
|
|
$m = parse_url($s);
|
|
$fragment = ((array_key_exists('fragment', $m) && $m['fragment']) ? $m['fragment'] : false);
|
|
if ($fragment !== false) {
|
|
$s = str_replace('#' . $fragment, '', $s);
|
|
}
|
|
|
|
$has_params = ((strpos($s, '?')) ? true : false);
|
|
$num_slashes = substr_count($s, '/');
|
|
if (! $has_params) {
|
|
$has_params = ((strpos($s, '&')) ? true : false);
|
|
}
|
|
|
|
$achar = strpos($s, '?') ? '&' : '?';
|
|
|
|
$mine = Channel::get_my_url();
|
|
$myaddr = (($address) ? $address : Channel::get_my_address());
|
|
|
|
$mine_parsed = parse_url($mine);
|
|
$s_parsed = parse_url($s);
|
|
$url_match = false;
|
|
|
|
if (
|
|
isset($mine_parsed['host']) && isset($s_parsed['host'])
|
|
&& $mine_parsed['host'] === $s_parsed['host']
|
|
) {
|
|
$url_match = true;
|
|
}
|
|
|
|
if ($mine && $myaddr && (! $url_match)) {
|
|
$zurl = $s . (($num_slashes >= 3) ? '' : '/') . (($achar === '?') ? '?f=&' : '&') . 'zid=' . urlencode($myaddr);
|
|
} else {
|
|
$zurl = $s;
|
|
}
|
|
|
|
// put fragment at the end
|
|
|
|
if ($fragment) {
|
|
$zurl .= '#' . $fragment;
|
|
}
|
|
|
|
$arr = [
|
|
'url' => $s,
|
|
'zid' => urlencode($myaddr),
|
|
'result' => $zurl
|
|
];
|
|
/**
|
|
* @hooks zid
|
|
* Called when adding the observer's zid to a URL.
|
|
* * \e string \b url - url to accept zid
|
|
* * \e string \b zid - urlencoded zid
|
|
* * \e string \b result - the return string we calculated, change it if you want to return something else
|
|
*/
|
|
Hook::call('zid', $arr);
|
|
|
|
return $arr['result'];
|
|
}
|
|
|
|
|
|
function strip_query_param($s, $param)
|
|
{
|
|
return preg_replace('/[\?&]' . $param . '=(.*?)(&|$)/ism', '$2', $s);
|
|
}
|
|
|
|
function strip_zids($s)
|
|
{
|
|
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism', '$2', $s);
|
|
}
|
|
|
|
function strip_owt($s)
|
|
{
|
|
return preg_replace('/[\?&]owt=(.*?)(&|$)/ism', '$2', $s);
|
|
}
|
|
|
|
function strip_zats($s)
|
|
{
|
|
return preg_replace('/[\?&]zat=(.*?)(&|$)/ism', '$2', $s);
|
|
}
|
|
|
|
function strip_escaped_zids($s)
|
|
{
|
|
$x = preg_replace('/&\;zid=(.*?)(&|$)/ism', '$2', $s);
|
|
return strip_query_param($x, 'f');
|
|
}
|
|
|
|
|
|
function clean_query_string($s = '')
|
|
{
|
|
$x = strip_zids(($s) ? $s : App::$query_string);
|
|
$x = strip_owt($x);
|
|
$x = strip_zats($x);
|
|
$x = strip_query_param($x, 'sort');
|
|
|
|
return strip_query_param($x, 'f');
|
|
}
|
|
|
|
|
|
/**
|
|
* zidify_callback() and zidify_links() work together to turn any HTML a tags with class="zrl" into zid links
|
|
* These will typically be generated by a bbcode '[zrl]' tag. This is done inside prepare_text() rather than bbcode()
|
|
* because the latter is used for general purpose conversions and the former is used only when preparing text for
|
|
* immediate display.
|
|
*
|
|
*
|
|
* @param array $match
|
|
* @return string
|
|
*/
|
|
|
|
function zidify_callback($match)
|
|
{
|
|
|
|
$arr = [ 'zid' => ((strpos($match[1], 'zrl') || strpos($match[3], 'zrl')) ? true : false), 'url' => $match[2] ];
|
|
Hook::call('zidify', $arr);
|
|
|
|
$replace = '<a' . $match[1] . ' href="' . (intval($arr['zid']) ? zid($arr['url']) : $arr['url']) . '"' . $match[3] . '>';
|
|
|
|
$x = str_replace($match[0], $replace, $match[0]);
|
|
|
|
return $x;
|
|
}
|
|
|
|
function zidify_img_callback($match)
|
|
{
|
|
|
|
$arr = [ 'zid' => ((strpos($match[1], 'zrl') || strpos($match[3], 'zrl')) ? true : false), 'url' => $match[2] ];
|
|
Hook::call('zidify', $arr);
|
|
|
|
$replace = '<img' . $match[1] . ' src="' . (intval($arr['zid']) ? zid($arr['url']) : $arr['url']) . '"' . $match[3] . '>';
|
|
|
|
$x = str_replace($match[0], $replace, $match[0]);
|
|
|
|
return $x;
|
|
}
|
|
|
|
|
|
function zidify_links($s)
|
|
{
|
|
$s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"(.*?)\>/ism', 'zidify_callback', $s);
|
|
$s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"(.*?)\>/ism', 'zidify_img_callback', $s);
|
|
|
|
return $s;
|
|
}
|
|
|
|
|
|
function zidify_text_callback($match)
|
|
{
|
|
$is_zid = isOWAEnabled($match[2]);
|
|
$replace = '<a' . $match[1] . ' href="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"' . $match[3] . '>';
|
|
|
|
$x = str_replace($match[0], $replace, $match[0]);
|
|
|
|
return $x;
|
|
}
|
|
|
|
function zidify_text_img_callback($match)
|
|
{
|
|
$is_zid = isOWAEnabled($match[2]);
|
|
$replace = '<img' . $match[1] . ' src="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"' . $match[3] . '>';
|
|
|
|
$x = str_replace($match[0], $replace, $match[0]);
|
|
|
|
return $x;
|
|
}
|
|
|
|
function zidify_text($s)
|
|
{
|
|
|
|
$s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"(.*?)\>/ism', 'zidify_text_callback', $s);
|
|
$s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"(.*?)\>/ism', 'zidify_text_img_callback', $s);
|
|
|
|
return $s;
|
|
}
|
|
|
|
|
|
/**
|
|
* @brief preg_match function when fixing 'naked' links in mod item.php.
|
|
*
|
|
* Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't.
|
|
* Remove any existing zid= param which may have been pasted by mistake - and will have
|
|
* the author's credentials. zid's are dynamic and can't really be passed around like
|
|
* that.
|
|
*
|
|
* @param array $matches
|
|
* @return string
|
|
*/
|
|
function red_zrl_callback($matches)
|
|
{
|
|
|
|
$zrl = isOWAEnabled($matches[2]);
|
|
|
|
$t = strip_zids($matches[2]);
|
|
if ($t !== $matches[2]) {
|
|
$zrl = true;
|
|
$matches[2] = $t;
|
|
}
|
|
|
|
if ($matches[1] === '#^') {
|
|
$matches[1] = '';
|
|
}
|
|
|
|
if ($zrl) {
|
|
return $matches[1] . '[zrl=' . $matches[2] . ']' . $matches[2] . '[/zrl]';
|
|
}
|
|
|
|
return $matches[1] . '[url=' . $matches[2] . ']' . $matches[2] . '[/url]';
|
|
}
|
|
|
|
/**
|
|
* If we've got a url or zrl tag with a naked url somewhere in the link text,
|
|
* escape it with quotes unless the naked url is a linked photo.
|
|
*
|
|
* @param array $matches
|
|
* @return string
|
|
*/
|
|
function red_escape_zrl_callback($matches)
|
|
{
|
|
|
|
// Uncertain why the url/zrl forms weren't picked up by the non-greedy regex.
|
|
|
|
if ((strpos($matches[3], 'zmg') !== false) || (strpos($matches[3], 'img') !== false) || (strpos($matches[3], 'zrl') !== false) || (strpos($matches[3], 'url') !== false)) {
|
|
return $matches[0];
|
|
}
|
|
|
|
return '[' . $matches[1] . 'rl' . $matches[2] . ']' . $matches[3] . '"' . $matches[4] . '"' . $matches[5] . '[/' . $matches[6] . 'rl]';
|
|
}
|
|
|
|
function red_escape_codeblock($m)
|
|
{
|
|
return '[$b64' . $m[2] . base64_encode($m[1]) . '[/' . $m[2] . ']';
|
|
}
|
|
|
|
|
|
function red_unescape_codeblock($m)
|
|
{
|
|
return '[' . $m[2] . base64_decode($m[1]) . '[/' . $m[2] . ']';
|
|
}
|
|
|
|
|
|
function red_zrlify_img_callback($matches)
|
|
{
|
|
|
|
$zrl = isOWAEnabled($matches[2]);
|
|
|
|
$t = strip_zids($matches[2]);
|
|
if ($t !== $matches[2]) {
|
|
$zrl = true;
|
|
$matches[2] = $t;
|
|
}
|
|
|
|
if ($zrl) {
|
|
return '[zmg' . $matches[1] . ']' . $matches[2] . '[/zmg]';
|
|
}
|
|
|
|
return $matches[0];
|
|
}
|
|
|
|
|
|
/**
|
|
* @brief OpenWebAuth authentication.
|
|
*
|
|
* @param string $token
|
|
*/
|
|
function owt_init($token)
|
|
{
|
|
|
|
require_once('include/security.php');
|
|
|
|
Verify::purge('owt', '3 MINUTE');
|
|
|
|
$ob_hash = Verify::get_meta('owt', 0, $token);
|
|
|
|
if ($ob_hash === false) {
|
|
return;
|
|
}
|
|
|
|
$r = q(
|
|
"select * from hubloc left join xchan on xchan_hash = hubloc_hash
|
|
where (hubloc_addr = '%s' or hubloc_id_url = '%s' or hubloc_hash = '%s') and hubloc_deleted = 0 order by hubloc_id desc",
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash)
|
|
);
|
|
|
|
if (! $r) {
|
|
// finger them if they can't be found.
|
|
$wf = discover_resource($ob_hash, verify: false);
|
|
if ($wf) {
|
|
$r = q(
|
|
"select * from hubloc left join xchan on xchan_hash = hubloc_hash
|
|
where (hubloc_addr = '%s' or hubloc_id_url = '%s' or hubloc_hash = '%s') and hubloc_deleted = 0 order by hubloc_id desc",
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash)
|
|
);
|
|
}
|
|
}
|
|
if (! $r) {
|
|
logger('owt: unable to finger ' . $ob_hash);
|
|
return;
|
|
}
|
|
|
|
$r = Libzot::zot_record_preferred($r);
|
|
|
|
$hubloc = $r;
|
|
|
|
$_SESSION['authenticated'] = 1;
|
|
|
|
$delegate_success = false;
|
|
if ($_REQUEST['delegate']) {
|
|
$r = q(
|
|
"select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
|
|
dbesc($_REQUEST['delegate'])
|
|
);
|
|
if ($r && intval($r[0]['channel_id'])) {
|
|
$allowed = perm_is_allowed($r[0]['channel_id'], $hubloc['xchan_hash'], 'delegate');
|
|
if ($allowed) {
|
|
$_SESSION['delegate_channel'] = $r[0]['channel_id'];
|
|
$_SESSION['delegate'] = $hubloc['xchan_hash'];
|
|
$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
|
|
// this will set the local_channel authentication in the session
|
|
change_channel($r[0]['channel_id']);
|
|
$delegate_success = true;
|
|
}
|
|
// experimental 2022-03-16
|
|
// $allowed = perm_is_allowed($r[0]['channel_id'], $hubloc['xchan_hash'], 'full_control');
|
|
// if ($allowed) {
|
|
// $_SESSION['account_id'] = intval($r[0]['channel_account_id']);
|
|
// // this will set the local_channel authentication in the session
|
|
// change_channel($r[0]['channel_id']);
|
|
// $delegate_success = true;
|
|
// }
|
|
}
|
|
}
|
|
|
|
if (! $delegate_success) {
|
|
// normal visitor (remote_channel) login session credentials
|
|
$_SESSION['visitor_id'] = $hubloc['xchan_hash'];
|
|
$_SESSION['my_url'] = $hubloc['xchan_url'];
|
|
$_SESSION['my_address'] = $hubloc['hubloc_addr'];
|
|
$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
|
|
$_SESSION['DNT'] = 1;
|
|
}
|
|
|
|
$arr = [
|
|
'xchan' => $hubloc,
|
|
'url' => App::$query_string,
|
|
'session' => $_SESSION
|
|
];
|
|
/**
|
|
* @hooks magic_auth_success
|
|
* Called when a magic-auth was successful.
|
|
* * \e array \b xchan
|
|
* * \e string \b url
|
|
* * \e array \b session
|
|
*/
|
|
Hook::call('magic_auth_success', $arr);
|
|
|
|
App::set_observer($hubloc);
|
|
if (! get_config('system', 'hide_owa_greeting')) {
|
|
info(sprintf(t('OpenWebAuth: %1$s welcomes %2$s'), App::get_hostname(), $hubloc['xchan_name']));
|
|
}
|
|
|
|
logger('OpenWebAuth: auth success from ' . $hubloc['xchan_addr']);
|
|
return;
|
|
}
|
|
|
|
function observer_auth($ob_hash)
|
|
{
|
|
|
|
require_once('include/security.php');
|
|
|
|
if ($ob_hash === false) {
|
|
return;
|
|
}
|
|
|
|
$r = q(
|
|
"select * from hubloc left join xchan on xchan_hash = hubloc_hash
|
|
where (hubloc_addr = '%s' or hubloc_id_url = '%s' or hubloc_hash = '%s') and hubloc_deleted = 0 order by hubloc_id desc",
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash)
|
|
);
|
|
|
|
if (! $r) {
|
|
// finger them if they can't be found.
|
|
$wf = discover_resource($ob_hash, verify: false);
|
|
if ($wf) {
|
|
$r = q(
|
|
"select * from hubloc left join xchan on xchan_hash = hubloc_hash
|
|
where (hubloc_addr = '%s' or hubloc_id_url = '%s' or hubloc_hash = '%s') and hubloc_deleted = 0 order by hubloc_id desc",
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash),
|
|
dbesc($ob_hash)
|
|
);
|
|
}
|
|
}
|
|
if (! $r) {
|
|
logger('unable to finger ' . $ob_hash);
|
|
return;
|
|
}
|
|
|
|
$hubloc = $r[0];
|
|
|
|
$_SESSION['authenticated'] = 1;
|
|
|
|
// normal visitor (remote_channel) login session credentials
|
|
$_SESSION['visitor_id'] = $hubloc['xchan_hash'];
|
|
$_SESSION['my_url'] = $hubloc['xchan_url'];
|
|
|
|
// For now, only enable authenticated link substitution for zot6 channels or
|
|
// those that arrive with a zid.
|
|
// This is to prevent signed ActivityPub fetches from getting zid-enabled links.
|
|
// If a pre-set zid applies, $_SESSION['my_address'] will have been set already
|
|
// in Code\Web\WebServer.php
|
|
|
|
if (isOWAEnabled($hubloc['hubloc_url'])) {
|
|
$_SESSION['my_address'] = $hubloc['hubloc_addr'];
|
|
}
|
|
$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
|
|
$_SESSION['DNT'] = 1;
|
|
|
|
App::set_observer($hubloc);
|
|
}
|