friendica/src/Module/Magic.php

<?php
/**
 * @copyright Copyright (C) 2010-2023, the Friendica project
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

namespace Friendica\Module;

use Exception;
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\Session\Capability\IHandleUserSessions;
use Friendica\Core\System;
use Friendica\Database\Database;
use Friendica\Model\Contact;
use Friendica\Model\GServer;
use Friendica\Model\User;
use Friendica\Network\HTTPClient\Capability\ICanSendHttpRequests;
use Friendica\Network\HTTPClient\Client\HttpClientOptions;
use Friendica\Util\HTTPSignature;
use Friendica\Util\Profiler;
use Friendica\Util\Strings;
use GuzzleHttp\Psr7\Uri;
use Psr\Log\LoggerInterface;

/**
 * Magic Auth (remote authentication) module.
 *
 * Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/Zotlabs/Module/Magic.php
 */
class Magic extends BaseModule
{
	/** @var App */
	protected $app;
	/** @var Database */
	protected $dba;
	/** @var ICanSendHttpRequests */
	protected $httpClient;
	/** @var IHandleUserSessions */
	protected $userSession;

	public function __construct(App $app, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, Database $dba, ICanSendHttpRequests $httpClient, IHandleUserSessions $userSession, $server, array $parameters = [])
	{
		parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);

		$this->app         = $app;
		$this->dba         = $dba;
		$this->httpClient  = $httpClient;
		$this->userSession = $userSession;
	}

	protected function rawContent(array $request = [])
	{
		if ($_SERVER['REQUEST_METHOD'] == 'HEAD') {
			$this->logger->debug('Got a HEAD request');
			System::exit();
		}

		$this->logger->debug('Invoked', ['request' => $request]);

		$addr  = $request['addr'] ?? '';
		$dest  = $request['dest'] ?? '';
		$bdest = $request['bdest'] ?? '';
		$owa   = intval($request['owa'] ?? 0);

		// bdest is preferred as it is hex-encoded and can survive url rewrite and argument parsing
		if (!empty($bdest)) {
			$dest = hex2bin($bdest);
			$this->logger->debug('bdest detected', ['dest' => $dest]);
		}

		$target = $dest ?: $addr;

		if ($addr ?: $dest) {
			$contact = Contact::getByURL($addr ?: $dest);
		}

		if (empty($contact)) {
			if (!$owa) {
				$this->logger->info('No contact record found, no oWA, redirecting to destination.', ['request' => $request, 'server' => $_SERVER, 'dest' => $dest]);
				$this->app->redirect($dest);
			}
		} else {
			// Redirect if the contact is already authenticated on this site.
			if ($this->app->getContactId() && strpos($contact['nurl'], Strings::normaliseLink($this->baseUrl)) !== false) {
				$this->logger->info('Contact is already authenticated, redirecting to destination.', ['dest' => $dest]);
				System::externalRedirect($dest);
			}

			$this->logger->debug('Contact found', ['url' => $contact['url']]);
		}

		if (!$this->userSession->getLocalUserId() || !$owa) {
			$this->logger->notice('Not logged in or not OWA, redirecting to destination.', ['uid' => $this->userSession->getLocalUserId(), 'owa' => $owa, 'dest' => $dest]);
			$this->app->redirect($dest);
		}

		// OpenWebAuth
		$owner = User::getOwnerDataById($this->userSession->getLocalUserId());

		if (!empty($contact['gsid'])) {
			$gserver = $this->dba->selectFirst('gserver', ['url'], ['id' => $contact['gsid']]);
			if (empty($gserver)) {
				$this->logger->notice('Server not found, redirecting to destination.', ['gsid' => $contact['gsid'], 'dest' => $dest]);
				System::externalRedirect($dest);
			}

			$basepath = $gserver['url'];
		} elseif (GServer::check($target)) {
			$basepath = (string)GServer::cleanUri(new Uri($target));
		} else {
			$this->logger->notice('The target is not a server path, redirecting to destination.', ['target' => $target]);
			System::externalRedirect($dest);
		}

		$header = [
			'Accept'          => 'application/x-dfrn+json, application/x-zot+json',
			'X-Open-Web-Auth' => Strings::getRandomHex()
		];

		// Create a header that is signed with the local users private key.
		$header = HTTPSignature::createSig(
			$header,
			$owner['prvkey'],
			'acct:' . $owner['addr']
		);

		$this->logger->info('Fetch from remote system', ['basepath' => $basepath, 'headers' => $header]);

		// Try to get an authentication token from the other instance.
		try {
			$curlResult = $this->httpClient->request('get', $basepath . '/owa', [HttpClientOptions::HEADERS => $header]);
		} catch (Exception $exception) {
			$this->logger->notice('URL is invalid, redirecting to destination.', ['url' => $basepath, 'error' => $exception, 'dest' => $dest]);
			System::externalRedirect($dest);
		}
		if (!$curlResult->isSuccess()) {
			$this->logger->notice('OWA request failed, redirecting to destination.', ['returncode' => $curlResult->getReturnCode(), 'dest' => $dest]);
			System::externalRedirect($dest);
		}

		$j = json_decode($curlResult->getBody(), true);
		if (empty($j) || !$j['success']) {
			$this->logger->notice('Invalid JSON, redirecting to destination.', ['json' => $j, 'dest' => $dest]);
			$this->app->redirect($dest);
		}

		if ($j['encrypted_token']) {
			// The token is encrypted. If the local user is really the one the other instance
			// thinks they is, the token can be decrypted with the local users public key.
			$token = '';
			openssl_private_decrypt(Strings::base64UrlDecode($j['encrypted_token']), $token, $owner['prvkey']);
		} else {
			$token = $j['token'];
		}
		$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;

		$this->logger->debug('Redirecting', ['path' => $dest . $args]);
		System::externalRedirect($dest . $args);
	}
}
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`<?php`
			`/**`
Happy New Year 2023! 2023-01-01 14:36:24 +00:00			`* @copyright Copyright (C) 2010-2023, the Friendica project`
Add license info at Friendica PHP files 2020-02-09 15:18:46 +00:00			`*`
			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`*/`
Add license info at Friendica PHP files 2020-02-09 15:18:46 +00:00
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`namespace Friendica\Module;`

OWA: reworked code 2023-05-15 20:46:05 +00:00			`use Exception;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`use Friendica\App;`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`use Friendica\BaseModule;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`use Friendica\Core\L10n;`
UserSession class [6] - Refactor src/Module/ files without DI 2022-10-20 21:35:01 +00:00			`use Friendica\Core\Session\Capability\IHandleUserSessions;`
Log function implement log() function. 2018-10-29 21:20:46 +00:00			`use Friendica\Core\System;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`use Friendica\Database\Database;`
port hubzillas OpenWebAuth - use Contact::getIdForURL to query for contact entry 2018-06-19 14:15:28 +00:00			`use Friendica\Model\Contact;`
Improved basepath detection for Magic Auth 2023-06-18 17:18:40 +00:00			`use Friendica\Model\GServer;`
Get rid of App->user completely 2021-08-08 19:30:21 +00:00			`use Friendica\Model\User;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`use Friendica\Network\HTTPClient\Capability\ICanSendHttpRequests;`
Restructure HTTPClient for new paradigm 2021-10-23 10:50:31 +00:00			`use Friendica\Network\HTTPClient\Client\HttpClientOptions;`
port hubzillas OpenWebAuth - rename some methods and classes 2018-06-20 16:38:23 +00:00			`use Friendica\Util\HTTPSignature;`
Make `BaseModule` a real entity - Add all dependencies, necessary to run the content (baseUrl, Arguments) - Encapsulate all POST/GET/DELETE/PATCH/PUT methods as protected methods inside the BaseModule - Return Module content ONLY per `BaseModule::run()` (including the Hook logic there as well) 2021-11-20 14:38:03 +00:00			`use Friendica\Util\Profiler;`
random_string calls implement getRandomHex function 2018-11-08 13:45:46 +00:00			`use Friendica\Util\Strings;`
Improved basepath detection for Magic Auth 2023-06-18 17:18:40 +00:00			`use GuzzleHttp\Psr7\Uri;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`use Psr\Log\LoggerInterface;`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00
port hubzillas OpenWebAuth - add some notes to the doxygen to refer to hubzilla's source code 2018-06-19 11:30:55 +00:00			`/**`
			`* Magic Auth (remote authentication) module.`
Several more warnings ... (#5340) * Some more warnings removed * Even more warnings ... * Will it ever end? ;-) * Avoid warning in dbstructure * Origin and OStatus ... * There are more warnings solved ... yeah! * And again ... * We are not done yet * And more ... * And some new places ... * And more in the feeds * Avoid some more * And some backend stuff * Notifications cleared * Some more stuff * and again ... * It's getting fewer ... * Some warnings had been hidden in the notifications * Fix the fix * And another missing one ... * We need the owner here, not the user * Forgotten user * And more ... * And some more warnings disappeared ... * Some more frontend warnings * Some backend warnings removed * Fixed sidebar for "vier" * And more ... * Some more ... * And something for "remote self" * Am I stuck in an endless loop? * Fix: Clear tag and file field on update * Preset page content 2018-07-10 12:27:56 +00:00			`*`
port hubzillas OpenWebAuth - add some notes to the doxygen to refer to hubzilla's source code 2018-06-19 11:30:55 +00:00			`* Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/Zotlabs/Module/Magic.php`
			`*/`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`class Magic extends BaseModule`
			`{`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`/** @var App */`
			`protected $app;`
			`/** @var Database */`
			`protected $dba;`
			`/** @var ICanSendHttpRequests */`
			`protected $httpClient;`
UserSession class [6] - Refactor src/Module/ files without DI 2022-10-20 21:35:01 +00:00			`/** @var IHandleUserSessions */`
			`protected $userSession;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00
UserSession class [6] - Refactor src/Module/ files without DI 2022-10-20 21:35:01 +00:00			`public function __construct(App $app, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, Database $dba, ICanSendHttpRequests $httpClient, IHandleUserSessions $userSession, $server, array $parameters = [])`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`{`
Introduce `Response` for Modules to create a testable way for module responses 2021-11-21 19:06:36 +00:00			`parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00
UserSession class [6] - Refactor src/Module/ files without DI 2022-10-20 21:35:01 +00:00			`$this->app = $app;`
			`$this->dba = $dba;`
			`$this->httpClient = $httpClient;`
			`$this->userSession = $userSession;`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`}`

Make `BaseModule` a real entity - Add all dependencies, necessary to run the content (baseUrl, Arguments) - Encapsulate all POST/GET/DELETE/PATCH/PUT methods as protected methods inside the BaseModule - Return Module content ONLY per `BaseModule::run()` (including the Hook logic there as well) 2021-11-20 14:38:03 +00:00			`protected function rawContent(array $request = [])`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00			`{`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`if ($_SERVER['REQUEST_METHOD'] == 'HEAD') {`
			`$this->logger->debug('Got a HEAD request');`
			`System::exit();`
			`}`
Revert "Revert "Replace Module::init() with Constructors"" This reverts commit 89d6c89b6775bc37340dd93d747022e2d7db9618. 2021-11-19 19:18:48 +00:00
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$this->logger->debug('Invoked', ['request' => $request]);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00
Update src/Module/Magic.php Co-authored-by: Hypolite Petovan <hypolite@mrpetovan.com> 2023-05-05 13:58:25 +00:00			`$addr = $request['addr'] ?? '';`
			`$dest = $request['dest'] ?? '';`
			`$bdest = $request['bdest'] ?? '';`
			`$owa = intval($request['owa'] ?? 0);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00
OWA: reworked code 2023-05-15 20:46:05 +00:00			`// bdest is preferred as it is hex-encoded and can survive url rewrite and argument parsing`
Remote auth works from Streams 2023-05-05 10:46:30 +00:00			`if (!empty($bdest)) {`
			`$dest = hex2bin($bdest);`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$this->logger->debug('bdest detected', ['dest' => $dest]);`
Remote auth works from Streams 2023-05-05 10:46:30 +00:00			`}`
OWA: reworked code 2023-05-15 20:46:05 +00:00
Improved basepath detection for Magic Auth 2023-06-18 17:18:40 +00:00			`$target = $dest ?: $addr;`

Update src/Module/Magic.php Co-authored-by: Hypolite Petovan <hypolite@mrpetovan.com> 2023-05-16 11:54:46 +00:00			`if ($addr ?: $dest) {`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$contact = Contact::getByURL($addr ?: $dest);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`}`
port hubzillas OpenWebAuth - use Contact::getIdForURL to query for contact entry 2018-06-19 14:15:28 +00:00
OWA: reworked code 2023-05-15 20:46:05 +00:00			`if (empty($contact)) {`
Remote auth works from Streams 2023-05-05 10:46:30 +00:00			`if (!$owa) {`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$this->logger->info('No contact record found, no oWA, redirecting to destination.', ['request' => $request, 'server' => $_SERVER, 'dest' => $dest]);`
Remote auth works from Streams 2023-05-05 10:46:30 +00:00			`$this->app->redirect($dest);`
			`}`
			`} else {`
			`// Redirect if the contact is already authenticated on this site.`
			`if ($this->app->getContactId() && strpos($contact['nurl'], Strings::normaliseLink($this->baseUrl)) !== false) {`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$this->logger->info('Contact is already authenticated, redirecting to destination.', ['dest' => $dest]);`
Remote auth works from Streams 2023-05-05 10:46:30 +00:00			`System::externalRedirect($dest);`
			`}`

OWA: reworked code 2023-05-15 20:46:05 +00:00			`$this->logger->debug('Contact found', ['url' => $contact['url']]);`
			`}`

			`if (!$this->userSession->getLocalUserId() \|\| !$owa) {`
			`$this->logger->notice('Not logged in or not OWA, redirecting to destination.', ['uid' => $this->userSession->getLocalUserId(), 'owa' => $owa, 'dest' => $dest]);`
			`$this->app->redirect($dest);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`}`

Get rid of App->user completely 2021-08-08 19:30:21 +00:00			`// OpenWebAuth`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`$owner = User::getOwnerDataById($this->userSession->getLocalUserId());`
Get rid of App->user completely 2021-08-08 19:30:21 +00:00
Improved basepath detection for Magic Auth 2023-06-18 17:18:40 +00:00			`if (!empty($contact['gsid'])) {`
			`$gserver = $this->dba->selectFirst('gserver', ['url'], ['id' => $contact['gsid']]);`
			`if (empty($gserver)) {`
			`$this->logger->notice('Server not found, redirecting to destination.', ['gsid' => $contact['gsid'], 'dest' => $dest]);`
			`System::externalRedirect($dest);`
			`}`

			`$basepath = $gserver['url'];`
			`} elseif (GServer::check($target)) {`
			`$basepath = (string)GServer::cleanUri(new Uri($target));`
			`} else {`
			`$this->logger->notice('The target is not a server path, redirecting to destination.', ['target' => $target]);`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`System::externalRedirect($dest);`
			`}`

			`$header = [`
fix issue #13174 2023-06-17 20:31:25 +00:00			`'Accept' => 'application/x-dfrn+json, application/x-zot+json',`
			`'X-Open-Web-Auth' => Strings::getRandomHex()`
OWA: reworked code 2023-05-15 20:46:05 +00:00			`];`

			`// Create a header that is signed with the local users private key.`
			`$header = HTTPSignature::createSig(`
			`$header,`
			`$owner['prvkey'],`
			`'acct:' . $owner['addr']`
			`);`

			`$this->logger->info('Fetch from remote system', ['basepath' => $basepath, 'headers' => $header]);`

			`// Try to get an authentication token from the other instance.`
			`try {`
			`$curlResult = $this->httpClient->request('get', $basepath . '/owa', [HttpClientOptions::HEADERS => $header]);`
			`} catch (Exception $exception) {`
			`$this->logger->notice('URL is invalid, redirecting to destination.', ['url' => $basepath, 'error' => $exception, 'dest' => $dest]);`
			`System::externalRedirect($dest);`
			`}`
			`if (!$curlResult->isSuccess()) {`
			`$this->logger->notice('OWA request failed, redirecting to destination.', ['returncode' => $curlResult->getReturnCode(), 'dest' => $dest]);`
Get rid of App->user completely 2021-08-08 19:30:21 +00:00			`System::externalRedirect($dest);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`}`

OWA: reworked code 2023-05-15 20:46:05 +00:00			`$j = json_decode($curlResult->getBody(), true);`
			`if (empty($j) \|\| !$j['success']) {`
			`$this->logger->notice('Invalid JSON, redirecting to destination.', ['json' => $j, 'dest' => $dest]);`
			`$this->app->redirect($dest);`
			`}`

			`if ($j['encrypted_token']) {`
			`// The token is encrypted. If the local user is really the one the other instance`
			`// thinks they is, the token can be decrypted with the local users public key.`
			`$token = '';`
			`openssl_private_decrypt(Strings::base64UrlDecode($j['encrypted_token']), $token, $owner['prvkey']);`
			`} else {`
			`$token = $j['token'];`
			`}`
			`$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;`

			`$this->logger->debug('Redirecting', ['path' => $dest . $args]);`
			`System::externalRedirect($dest . $args);`
port hubzillas OpenWebAuth - remote authentification 2018-06-18 21:05:44 +00:00			`}`
			`}`