Cory McWilliams
4c3299ead0
All checks were successful
Build Tilde Friends / Build-All (push) Successful in 31m13s
538 lines
18 KiB
C
538 lines
18 KiB
C
#include "httpd.js.h"
|
|
|
|
#include "file.js.h"
|
|
#include "http.h"
|
|
#include "mem.h"
|
|
#include "ssb.db.h"
|
|
#include "ssb.h"
|
|
#include "task.h"
|
|
#include "util.js.h"
|
|
|
|
#include "ow-crypt.h"
|
|
#include "sodium/utils.h"
|
|
|
|
#include <inttypes.h>
|
|
#include <stdlib.h>
|
|
|
|
#if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32)
|
|
#include <alloca.h>
|
|
#endif
|
|
|
|
typedef struct _login_request_t
|
|
{
|
|
tf_http_request_t* request;
|
|
const char* name;
|
|
const char* error;
|
|
const char* settings;
|
|
const char* code_of_conduct;
|
|
bool have_administrator;
|
|
bool session_is_new;
|
|
|
|
char location_header[1024];
|
|
const char* set_cookie_header;
|
|
|
|
int pending;
|
|
} login_request_t;
|
|
|
|
const char* tf_httpd_make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie)
|
|
{
|
|
const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly";
|
|
int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "") : 0;
|
|
char* cookie = length ? tf_malloc(length + 1) : NULL;
|
|
if (cookie)
|
|
{
|
|
snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "");
|
|
}
|
|
return cookie;
|
|
}
|
|
|
|
static void _login_release(login_request_t* login)
|
|
{
|
|
int ref_count = --login->pending;
|
|
if (ref_count == 0)
|
|
{
|
|
tf_free((void*)login->name);
|
|
tf_free((void*)login->code_of_conduct);
|
|
tf_free((void*)login->set_cookie_header);
|
|
tf_free(login);
|
|
}
|
|
}
|
|
|
|
static void _httpd_endpoint_login_file_read_callback(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
|
|
{
|
|
login_request_t* login = user_data;
|
|
tf_http_request_t* request = login->request;
|
|
if (result >= 0)
|
|
{
|
|
const char* headers[] = {
|
|
"Content-Type",
|
|
"text/html; charset=utf-8",
|
|
"Set-Cookie",
|
|
login->set_cookie_header ? login->set_cookie_header : "",
|
|
};
|
|
const char* replace_me = "$AUTH_DATA";
|
|
const char* auth = strstr(data, replace_me);
|
|
if (auth)
|
|
{
|
|
JSContext* context = tf_task_get_context(task);
|
|
JSValue object = JS_NewObject(context);
|
|
JS_SetPropertyStr(context, object, "session_is_new", JS_NewBool(context, login->session_is_new));
|
|
JS_SetPropertyStr(context, object, "name", login->name ? JS_NewString(context, login->name) : JS_UNDEFINED);
|
|
JS_SetPropertyStr(context, object, "error", login->error ? JS_NewString(context, login->error) : JS_UNDEFINED);
|
|
JS_SetPropertyStr(context, object, "code_of_conduct", login->code_of_conduct ? JS_NewString(context, login->code_of_conduct) : JS_UNDEFINED);
|
|
JS_SetPropertyStr(context, object, "have_administrator", JS_NewBool(context, login->have_administrator));
|
|
JSValue object_json = JS_JSONStringify(context, object, JS_NULL, JS_NULL);
|
|
size_t json_length = 0;
|
|
const char* json = JS_ToCStringLen(context, &json_length, object_json);
|
|
|
|
char* copy = tf_malloc(result + json_length);
|
|
int replace_start = (auth - (const char*)data);
|
|
int replace_end = (auth - (const char*)data) + (int)strlen(replace_me);
|
|
memcpy(copy, data, replace_start);
|
|
memcpy(copy + replace_start, json, json_length);
|
|
memcpy(copy + replace_start + json_length, ((const char*)data) + replace_end, result - replace_end);
|
|
tf_http_respond(request, 200, headers, tf_countof(headers) / 2, copy, replace_start + json_length + (result - replace_end));
|
|
tf_free(copy);
|
|
|
|
JS_FreeCString(context, json);
|
|
JS_FreeValue(context, object_json);
|
|
JS_FreeValue(context, object);
|
|
}
|
|
else
|
|
{
|
|
tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
const char* k_payload = tf_http_status_text(404);
|
|
tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
|
|
}
|
|
tf_http_request_unref(request);
|
|
_login_release(login);
|
|
}
|
|
|
|
static bool _session_is_authenticated_as_user(JSContext* context, JSValue session)
|
|
{
|
|
bool result = false;
|
|
JSValue user = JS_GetPropertyStr(context, session, "name");
|
|
const char* user_string = JS_ToCString(context, user);
|
|
result = user_string && strcmp(user_string, "guest") != 0;
|
|
JS_FreeCString(context, user_string);
|
|
JS_FreeValue(context, user);
|
|
return result;
|
|
}
|
|
|
|
static bool _make_administrator_if_first(tf_ssb_t* ssb, JSContext* context, const char* account_name_copy, bool may_become_first_admin)
|
|
{
|
|
const char* settings = tf_ssb_db_get_property(ssb, "core", "settings");
|
|
JSValue settings_value = settings && *settings ? JS_ParseJSON(context, settings, strlen(settings), NULL) : JS_UNDEFINED;
|
|
if (JS_IsUndefined(settings_value))
|
|
{
|
|
settings_value = JS_NewObject(context);
|
|
}
|
|
|
|
bool have_administrator = false;
|
|
JSValue permissions = JS_GetPropertyStr(context, settings_value, "permissions");
|
|
|
|
JSPropertyEnum* ptab = NULL;
|
|
uint32_t plen = 0;
|
|
JS_GetOwnPropertyNames(context, &ptab, &plen, permissions, JS_GPN_STRING_MASK);
|
|
for (int i = 0; i < (int)plen; i++)
|
|
{
|
|
JSPropertyDescriptor desc = { 0 };
|
|
if (JS_GetOwnProperty(context, &desc, permissions, ptab[i].atom) == 1)
|
|
{
|
|
int permission_length = tf_util_get_length(context, desc.value);
|
|
for (int i = 0; i < permission_length; i++)
|
|
{
|
|
JSValue entry = JS_GetPropertyUint32(context, desc.value, i);
|
|
const char* permission = JS_ToCString(context, entry);
|
|
if (permission && strcmp(permission, "administration") == 0)
|
|
{
|
|
have_administrator = true;
|
|
}
|
|
JS_FreeCString(context, permission);
|
|
JS_FreeValue(context, entry);
|
|
}
|
|
JS_FreeValue(context, desc.setter);
|
|
JS_FreeValue(context, desc.getter);
|
|
JS_FreeValue(context, desc.value);
|
|
}
|
|
}
|
|
for (uint32_t i = 0; i < plen; ++i)
|
|
{
|
|
JS_FreeAtom(context, ptab[i].atom);
|
|
}
|
|
js_free(context, ptab);
|
|
|
|
if (!have_administrator && may_become_first_admin)
|
|
{
|
|
if (JS_IsUndefined(permissions))
|
|
{
|
|
permissions = JS_NewObject(context);
|
|
JS_SetPropertyStr(context, settings_value, "permissions", JS_DupValue(context, permissions));
|
|
}
|
|
JSValue user = JS_GetPropertyStr(context, permissions, account_name_copy);
|
|
if (JS_IsUndefined(user))
|
|
{
|
|
user = JS_NewArray(context);
|
|
JS_SetPropertyStr(context, permissions, account_name_copy, JS_DupValue(context, user));
|
|
}
|
|
JS_SetPropertyUint32(context, user, tf_util_get_length(context, user), JS_NewString(context, "administration"));
|
|
JS_FreeValue(context, user);
|
|
|
|
JSValue settings_json = JS_JSONStringify(context, settings_value, JS_NULL, JS_NULL);
|
|
const char* settings_string = JS_ToCString(context, settings_json);
|
|
tf_ssb_db_set_property(ssb, "core", "settings", settings_string);
|
|
JS_FreeCString(context, settings_string);
|
|
JS_FreeValue(context, settings_json);
|
|
}
|
|
|
|
JS_FreeValue(context, permissions);
|
|
JS_FreeValue(context, settings_value);
|
|
tf_free((void*)settings);
|
|
return have_administrator;
|
|
}
|
|
|
|
static bool _verify_password(const char* password, const char* hash)
|
|
{
|
|
char buffer[7 + 22 + 31 + 1];
|
|
const char* out_hash = crypt_rn(password, hash, buffer, sizeof(buffer));
|
|
return out_hash && strcmp(hash, out_hash) == 0;
|
|
}
|
|
|
|
static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
|
|
{
|
|
login_request_t* login = user_data;
|
|
tf_http_request_t* request = login->request;
|
|
|
|
JSMallocFunctions funcs = { 0 };
|
|
tf_get_js_malloc_functions(&funcs);
|
|
JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
|
|
JSContext* context = JS_NewContext(runtime);
|
|
|
|
const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
|
|
const char** form_data = tf_httpd_form_data_decode(request->query, request->query ? strlen(request->query) : 0);
|
|
const char* account_name_copy = NULL;
|
|
JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, session);
|
|
|
|
if (_session_is_authenticated_as_user(context, jwt))
|
|
{
|
|
const char* return_url = tf_httpd_form_data_get(form_data, "return");
|
|
if (return_url)
|
|
{
|
|
tf_string_set(login->location_header, sizeof(login->location_header), return_url);
|
|
}
|
|
else
|
|
{
|
|
snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
|
|
}
|
|
goto done;
|
|
}
|
|
|
|
const char* send_session = tf_strdup(session);
|
|
bool session_is_new = false;
|
|
const char* login_error = NULL;
|
|
bool may_become_first_admin = false;
|
|
if (strcmp(request->method, "POST") == 0)
|
|
{
|
|
session_is_new = true;
|
|
const char** post_form_data = tf_httpd_form_data_decode(request->body, request->content_length);
|
|
const char* submit = tf_httpd_form_data_get(post_form_data, "submit");
|
|
if (submit && strcmp(submit, "Login") == 0)
|
|
{
|
|
const char* account_name = tf_httpd_form_data_get(post_form_data, "name");
|
|
account_name_copy = tf_strdup(account_name);
|
|
const char* password = tf_httpd_form_data_get(post_form_data, "password");
|
|
const char* new_password = tf_httpd_form_data_get(post_form_data, "new_password");
|
|
const char* confirm = tf_httpd_form_data_get(post_form_data, "confirm");
|
|
const char* change = tf_httpd_form_data_get(post_form_data, "change");
|
|
const char* form_register = tf_httpd_form_data_get(post_form_data, "register");
|
|
char account_passwd[256] = { 0 };
|
|
bool have_account = tf_ssb_db_get_account_password_hash(ssb, tf_httpd_form_data_get(post_form_data, "name"), account_passwd, sizeof(account_passwd));
|
|
|
|
if (form_register && strcmp(form_register, "1") == 0)
|
|
{
|
|
bool registered = false;
|
|
if (!tf_httpd_is_name_valid(account_name))
|
|
{
|
|
login_error = "Invalid username. Usernames must contain only letters from the English alphabet and digits and must start with a letter.";
|
|
}
|
|
else
|
|
{
|
|
if (!have_account && tf_httpd_is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0)
|
|
{
|
|
sqlite3* db = tf_ssb_acquire_db_writer(ssb);
|
|
registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, account_name, password);
|
|
tf_ssb_release_db_writer(ssb, db);
|
|
if (registered)
|
|
{
|
|
tf_free((void*)send_session);
|
|
send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
|
|
may_become_first_admin = true;
|
|
}
|
|
}
|
|
}
|
|
if (!registered && !login_error)
|
|
{
|
|
login_error = "Error registering account.";
|
|
}
|
|
}
|
|
else if (change && strcmp(change, "1") == 0)
|
|
{
|
|
bool set = false;
|
|
if (have_account && tf_httpd_is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 &&
|
|
_verify_password(password, account_passwd))
|
|
{
|
|
sqlite3* db = tf_ssb_acquire_db_writer(ssb);
|
|
set = tf_ssb_db_set_account_password(tf_ssb_get_loop(ssb), db, context, account_name, new_password);
|
|
tf_ssb_release_db_writer(ssb, db);
|
|
if (set)
|
|
{
|
|
tf_free((void*)send_session);
|
|
send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
|
|
}
|
|
}
|
|
if (!set)
|
|
{
|
|
login_error = "Error changing password.";
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (have_account && *account_passwd && _verify_password(password, account_passwd))
|
|
{
|
|
tf_free((void*)send_session);
|
|
send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
|
|
may_become_first_admin = true;
|
|
}
|
|
else
|
|
{
|
|
login_error = "Invalid username or password.";
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
tf_free((void*)send_session);
|
|
send_session = tf_httpd_make_session_jwt(context, ssb, "guest");
|
|
}
|
|
tf_free(post_form_data);
|
|
}
|
|
|
|
bool have_administrator = _make_administrator_if_first(ssb, context, account_name_copy, may_become_first_admin);
|
|
|
|
if (session_is_new && tf_httpd_form_data_get(form_data, "return") && !login_error)
|
|
{
|
|
const char* return_url = tf_httpd_form_data_get(form_data, "return");
|
|
if (return_url)
|
|
{
|
|
tf_string_set(login->location_header, sizeof(login->location_header), return_url);
|
|
}
|
|
else
|
|
{
|
|
snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
|
|
}
|
|
login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session);
|
|
tf_free((void*)send_session);
|
|
}
|
|
else
|
|
{
|
|
|
|
login->name = account_name_copy;
|
|
login->error = login_error;
|
|
login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session);
|
|
tf_free((void*)send_session);
|
|
login->session_is_new = session_is_new;
|
|
login->have_administrator = have_administrator;
|
|
login->settings = tf_ssb_db_get_property(ssb, "core", "settings");
|
|
|
|
if (login->settings)
|
|
{
|
|
JSValue settings_value = JS_ParseJSON(context, login->settings, strlen(login->settings), NULL);
|
|
JSValue code_of_conduct_value = JS_GetPropertyStr(context, settings_value, "code_of_conduct");
|
|
const char* code_of_conduct = JS_ToCString(context, code_of_conduct_value);
|
|
const char* result = tf_strdup(code_of_conduct);
|
|
JS_FreeCString(context, code_of_conduct);
|
|
JS_FreeValue(context, code_of_conduct_value);
|
|
JS_FreeValue(context, settings_value);
|
|
tf_free((void*)login->settings);
|
|
login->settings = NULL;
|
|
login->code_of_conduct = result;
|
|
}
|
|
|
|
login->pending++;
|
|
tf_http_request_ref(request);
|
|
tf_file_read(login->request->user_data, "core/auth.html", _httpd_endpoint_login_file_read_callback, login);
|
|
|
|
account_name_copy = NULL;
|
|
}
|
|
|
|
done:
|
|
tf_free((void*)session);
|
|
tf_free(form_data);
|
|
tf_free((void*)account_name_copy);
|
|
JS_FreeValue(context, jwt);
|
|
|
|
JS_FreeContext(context);
|
|
JS_FreeRuntime(runtime);
|
|
}
|
|
|
|
static void _httpd_endpoint_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
|
|
{
|
|
login_request_t* login = user_data;
|
|
tf_http_request_t* request = login->request;
|
|
if (login->pending == 1)
|
|
{
|
|
if (*login->location_header)
|
|
{
|
|
const char* headers[] = {
|
|
"Location",
|
|
login->location_header,
|
|
"Set-Cookie",
|
|
login->set_cookie_header ? login->set_cookie_header : "",
|
|
};
|
|
tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
|
|
}
|
|
}
|
|
tf_http_request_unref(request);
|
|
_login_release(login);
|
|
}
|
|
|
|
void tf_httpd_endpoint_login(tf_http_request_t* request)
|
|
{
|
|
tf_task_t* task = request->user_data;
|
|
tf_http_request_ref(request);
|
|
|
|
tf_ssb_t* ssb = tf_task_get_ssb(task);
|
|
login_request_t* login = tf_malloc(sizeof(login_request_t));
|
|
*login = (login_request_t) {
|
|
.request = request,
|
|
};
|
|
login->pending++;
|
|
tf_ssb_run_work(ssb, _httpd_endpoint_login_work, _httpd_endpoint_login_after_work, login);
|
|
}
|
|
|
|
void tf_httpd_endpoint_logout(tf_http_request_t* request)
|
|
{
|
|
const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"
|
|
: "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
|
|
const char* k_location_format = "/login%s%s";
|
|
int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query);
|
|
char* location = alloca(length + 1);
|
|
snprintf(location, length + 1, k_location_format, request->query ? "?" : "", request->query ? request->query : "");
|
|
const char* headers[] = {
|
|
"Set-Cookie",
|
|
k_set_cookie,
|
|
"Location",
|
|
location,
|
|
};
|
|
tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
|
|
}
|
|
|
|
typedef struct _auto_login_t
|
|
{
|
|
tf_http_request_t* request;
|
|
bool autologin;
|
|
const char* users;
|
|
} auto_login_t;
|
|
|
|
static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
|
|
{
|
|
auto_login_t* request = user_data;
|
|
sqlite3* db = tf_ssb_acquire_db_reader(ssb);
|
|
tf_ssb_db_get_global_setting_bool(db, "autologin", &request->autologin);
|
|
tf_ssb_release_db_reader(ssb, db);
|
|
|
|
if (request->autologin)
|
|
{
|
|
request->users = tf_ssb_db_get_property(ssb, "auth", "users");
|
|
if (request->users && strcmp(request->users, "[]") == 0)
|
|
{
|
|
tf_free((void*)request->users);
|
|
request->users = NULL;
|
|
}
|
|
|
|
if (!request->users)
|
|
{
|
|
JSMallocFunctions funcs = { 0 };
|
|
tf_get_js_malloc_functions(&funcs);
|
|
JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
|
|
JSContext* context = JS_NewContext(runtime);
|
|
static const char* k_account_name = "mobile";
|
|
sqlite3* db = tf_ssb_acquire_db_writer(ssb);
|
|
bool registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, k_account_name, k_account_name);
|
|
tf_ssb_release_db_writer(ssb, db);
|
|
if (registered)
|
|
{
|
|
_make_administrator_if_first(ssb, context, k_account_name, true);
|
|
}
|
|
JS_FreeContext(context);
|
|
JS_FreeRuntime(runtime);
|
|
|
|
request->users = tf_ssb_db_get_property(ssb, "auth", "users");
|
|
}
|
|
}
|
|
}
|
|
|
|
static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
|
|
{
|
|
auto_login_t* work = user_data;
|
|
JSContext* context = tf_ssb_get_context(ssb);
|
|
const char* session_token = NULL;
|
|
if (!work->autologin)
|
|
{
|
|
const char* k_payload = tf_http_status_text(404);
|
|
tf_http_respond(work->request, 404, NULL, 0, k_payload, strlen(k_payload));
|
|
}
|
|
else
|
|
{
|
|
if (work->users)
|
|
{
|
|
JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
|
|
JSValue user = JS_GetPropertyUint32(context, json, 0);
|
|
const char* user_string = JS_ToCString(context, user);
|
|
session_token = tf_httpd_make_session_jwt(context, ssb, user_string);
|
|
JS_FreeCString(context, user_string);
|
|
JS_FreeValue(context, user);
|
|
JS_FreeValue(context, json);
|
|
}
|
|
if (session_token)
|
|
{
|
|
const char* cookie = tf_httpd_make_set_session_cookie_header(work->request, session_token);
|
|
tf_free((void*)session_token);
|
|
const char* headers[] = {
|
|
"Set-Cookie",
|
|
cookie,
|
|
"Location",
|
|
"/",
|
|
};
|
|
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
|
|
tf_free((void*)cookie);
|
|
}
|
|
else
|
|
{
|
|
const char* headers[] = {
|
|
"Location",
|
|
"/",
|
|
};
|
|
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
|
|
}
|
|
}
|
|
tf_http_request_unref(work->request);
|
|
tf_free((void*)work->users);
|
|
tf_free(work);
|
|
}
|
|
|
|
void tf_httpd_endpoint_login_auto(tf_http_request_t* request)
|
|
{
|
|
tf_task_t* task = request->user_data;
|
|
tf_http_request_ref(request);
|
|
tf_ssb_t* ssb = tf_task_get_ssb(task);
|
|
|
|
auto_login_t* work = tf_malloc(sizeof(auto_login_t));
|
|
*work = (auto_login_t) { .request = request };
|
|
tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work);
|
|
}
|