X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-hybrid.pm;h=21a8fb523e875ef82339283e2de05542ca332edf;hp=4f74cded4fe0e89a99f258640757b1cc4f03e000;hb=5a7abf23fbc32d553a0e9369f6827f1b83c2ab43;hpb=016d95d834dee8987e9baeb7fb44683ab401dbe5 diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm index 4f74cde..21a8fb5 100644 --- a/cgi-auth-hybrid.pm +++ b/cgi-auth-hybrid.pm @@ -37,9 +37,11 @@ BEGIN { our @EXPORT_OK; use DBI; -use CGI; +use CGI qw/escapeHTML/; use Locale::gettext; use URI; +use IO::File; +use Data::Dumper; #---------- public utilities ---------- @@ -90,11 +92,9 @@ sub login_ok_password ($$) { sub do_redirect_cgi ($$$$) { my ($c, $r, $new_url, $cookie) = @_; - my @ha = ('text/html', - -status => '303 See other', - -location => $new_url); - push @ha, (-cookie => $cookie) if defined $cookie; - $r->_print($c->header(@ha), + $r->_print($c->header($r->_cgi_header_args($cookie, + -status => '303 See other', + -location => $new_url)), $r->_ch('gen_start_html',$r->_gt('Redirection')), '', $r->_gt("If you aren't redirected, click to continue."), @@ -106,20 +106,20 @@ sub gen_plain_login_form ($$) { my ($c,$r, $params) = @_; my @form; push @form, ('
'. ''); my $sz = 'size="'.$r->{S}{form_entry_size}.'"'; foreach my $up (@{ $r->{S}{username_param_names}}) { push @form, ('', - ''); + ''); } push @form, ('', ''); push @form, ('', '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password'),'
', '
'); foreach my $n (keys %$params) { @@ -154,6 +154,7 @@ sub new_verifier { associdlen => 128, # bits login_timeout => 86400, # seconds assoc_param_name => 'cah_associd', + cookie_name => "cah_associd", password_param_name => 'password', username_param_names => [qw(username)], form_entry_size => 60, @@ -176,12 +177,13 @@ sub new_verifier { do_redirect => \&do_redirect_cgi, # this hook is allowed to throw cookie_path => "/", get_cookie_domain => \&get_cookie_domain, - encrypted_only => 0, + encrypted_only => 1, gen_start_html => sub { $_[0]->start_html($_[2]); }, gen_end_html => sub { $_[0]->end_html(); }, gen_login_form => \&gen_plain_login_form, gen_login_link => \&gen_plain_login_link, gettext => sub { gettext($_[2]); }, + print => sub { print $_[2] or die $!; }, }, Dbh => undef, }; @@ -238,26 +240,26 @@ sub _db_transaction ($$) { my $retries = 10; my $rv; my $dbh = $v->{Dbh}; -#print STDERR "DT entry\n"; +print STDERR "DT entry\n"; for (;;) { -#print STDERR "DT loop\n"; +print STDERR "DT loop\n"; if (!eval { $rv = $fn->(); -#print STDERR "DT fn ok\n"; +print STDERR "DT fn ok\n"; 1; }) { -#print STDERR "DT fn error\n"; +print STDERR "DT fn error\n"; { local ($@); $dbh->rollback(); } -#print STDERR "DT fn throwing\n"; +print STDERR "DT fn throwing\n"; die $@; } -#print STDERR "DT fn eval ok\n"; +print STDERR "DT fn eval ok\n"; if (eval { $dbh->commit(); print STDERR "DT commit ok\n"; 1; }) { -print STDERR "DT commit eval ok\n"; +print STDERR "DT commit eval ok $rv\n"; return $rv; } print STDERR "DT commit throw?\n"; @@ -287,6 +289,7 @@ sub new_request { sub _ch ($$@) { # calls an application hook my ($r,$methname, @args) = @_; my $methfunc = $r->{S}{$methname}; + die "$methname ?" unless $methfunc; return $methfunc->($r->{Cgi}, $r, @args); } @@ -303,14 +306,15 @@ sub construct_cookie ($$$) { my ($r, $cookv) = @_; return undef unless $cookv; my $c = $r->{Cgi}; - my $cookt = $c->cookie(-name => $r->{S}{cookie_name}, +my @ca = (-name => $r->{S}{cookie_name}, -value => $cookv, -path => $r->{S}{cookie_path}, -domain => $r->_ch('get_cookie_domain'), -expires => '+'.$r->{S}{login_timeout}.'s', -secure => $r->{S}{encrypted_only}); -print STDERR "CC $r $c $cookv $cookt\n"; - return $cookt; + my $cookie = $c->cookie(@ca); +print STDERR "CC $r $c $cookv $cookie (@ca).\n"; + return $cookie; } # pages/param-sets are @@ -328,7 +332,7 @@ print STDERR "CC $r $c $cookv $cookt\n"; # y, yN value corresponds to logged-in user # n, nN value not in our db # x, xN t or y -# - no value supplied +# - no value supplied (represented in code as $cookt='') # if N differs the case applies only when the two values differ # (eg, a1 y2 does not apply when the logged-in value is supplied twice) @@ -407,8 +411,9 @@ print STDERR "CC $r $c $cookv $cookt\n"; # revoke y2 # treat as -/n n POST # - # -/n n GET n cross-site link but user not logged in + # -/n -/n GET n cross-site link but user not logged in # show login form with redirect to orig params + # generate fresh cookie # # -/n n GET rmu user not logged in # fail @@ -429,6 +434,8 @@ sub _check_divert_core ($) { my ($cookt,$cooku) = $r->_db_lookup($cookv); my $parmt = $r->_db_lookup($parmv); + print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n"; + if ($r->_ch('is_logout')) { $r->_must_be_post(); die unless $parmt; @@ -489,15 +496,17 @@ sub _check_divert_core ($) { if ($cookt ne 'y') { die unless !$cookt || $cookt eq 'n'; die unless !$parmt || $parmt eq 'n' || $parmt eq 'y'; + my $newv = $r->_fresh_cookie(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', Message => "You need to log in again.", - CookieVal => $parmv, + CookieVal => $newv, Params => $r->_chain_params() }); } else { + $r->_db_revoke($parmv); return ({ Kind => 'LOGIN-FRESH', Message => "You need to log in again.", - CookieVal => $parmv, + CookieVal => $newv, Params => { } }); } } @@ -519,6 +528,7 @@ sub _check_divert_core ($) { die unless $cookv eq $parmv; $r->{Assoc} = $cookv; $r->{UserOK} = $cooku; + print STDERR "C-D-C OK\n"; return undef; } @@ -587,14 +597,14 @@ sub _db_record_login_ok ($$$) { sub check_divert ($) { my ($r) = @_; - my $divert; if (exists $r->{Divert}) { return $r->{Divert}; } my $dbh = $r->{Dbh}; $r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); }); $dbh->commit(); - return $divert; + print STDERR Dumper($r->{Divert}); + return $r->{Divert}; } sub get_divert ($) { @@ -617,6 +627,14 @@ sub url_with_query_params ($$) { return $uri->as_string(); } +sub _cgi_header_args ($$@) { + my ($r, $cookie, @ha) = @_; + unshift @ha, qw(-type text/html); + push @ha, (-cookie => $cookie) if defined $cookie; + print STDERR "_cgi_header_args ",join('|',@ha),".\n"; + return @ha; +} + sub check_ok ($) { my ($r) = @_; @@ -629,6 +647,7 @@ sub check_ok ($) { my $kind = $divert->{Kind}; my $cookieval = $divert->{CookieVal}; my $params = $divert->{Params}; + my $cookie = $r->construct_cookie($cookieval); if ($kind =~ m/^REDIRECT-/) { # for redirects, we honour stored NextParams and SetCookie, @@ -642,7 +661,6 @@ sub check_ok ($) { die; } my $new_url = $r->url_with_query_params($params); - my $cookie = $r->construct_cookie($r, $cookieval); $r->_ch('do_redirect',$new_url, $cookie); return 0; } @@ -660,9 +678,10 @@ sub check_ok ($) { die $kind; } - $r->_print($r->_ch('start_html',$title), - @body, - $r->_ch('end_html')); + $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)), + $r->_ch('gen_start_html',$title), + (join "\n", @body), + $r->_ch('gen_end_html')); return 0; } @@ -678,11 +697,14 @@ sub _random ($$) { $!=0; read($rsf,$bin,$bytes) == $bytes or die "$rsp $!"; close $rsf; - return unpack "H*", $bin; + my $out = unpack "H*", $bin; + print STDERR "_random out $out\n"; + return $out; } sub _fresh_cookie ($) { my ($r) = @_; + print STDERR "_fresh_cookie\n"; my $bytes = ($r->{S}{associdlen} + 7) >> 3; return $r->_random($bytes); } @@ -716,9 +738,9 @@ sub secret_hidden_html ($) { sub secret_cookie ($) { my ($r) = @_; -print STDERR "SC\n"; +#print STDERR "SC\n"; my $cookv = $r->construct_cookie($r->secret_val()); -print STDERR "SC=$cookv\n"; +#print STDERR "SC=$cookv\n"; return $cookv; }