bug fixes and improvements

2012-04-14 18:23:42 +02:00 · 2012-04-14 18:23:42 +02:00 · af99d51a7c
parent 05c8b71d13
commit af99d51a7c
3 changed files with 196 additions and 120 deletions
--- a/jappixmini/README
+++ b/jappixmini/README
@ -10,6 +10,9 @@ address of a BOSH proxy that works with your account.
 The addon has an experimental autosubscribe and autosuggest functionality which tries
 to add your Friendica contacts to your roster automatically.
 Limitations:
 - can only handle Jabber passwords that are at most 39 characters long
 Installation
 ------------
--- a/jappixmini/jappixmini.php
+++ b/jappixmini/jappixmini.php
@ -23,7 +23,8 @@ and not to the server (at least as soon as the user is logged in). It can be sto
 This encryption key could be the friendica password, but then this password would be stored in the browser in cleartext.
 It is better to use a hash of the password.
 The server should not be able to reconstruct the password, so we can't take the same hash the server stores. But we can
- use hash("some_prefix"+password). This will however not work with OpenID logins.
+ use hash("some_prefix"+password). This will however not work with OpenID logins, for this type of login the password must
 be queried manually.
 Problem:
 How to discover the jabber addresses of the friendica contacts?
@ -37,17 +38,23 @@ We do not want to make the jabber address public.
 Solution:
 When two friendica users connect using DFRN, the relation gets a DFRN ID and a keypair is generated.
-Using this keypair, we can provide the jabber address only to contacs:
+Using this keypair, we can provide the jabber address only to contacts:
-Case 1: Alice has prvkey, Bob has pubkey.
+Alice:
-  Alice encrypts request
+  signed_address = openssl_*_encrypt(alice_jabber_address)
-  Bob decrypts the request, send jabber address unencrypted
+send signed_address to Bob, who does
-  Alice reads address
+  trusted_address = openssl_*_decrypt(signed_address)
  save trusted_address
  encrypted_address = openssl_*_encrypt(bob_jabber_address)
 reply with encrypted_address to Alice, who does
  decrypted_address = openssl_*_decrypt(encrypted_address)
  save decrypted_address
-Case 2: Alice has prvkey, Bob has pubkey
+Interface for this:
-  Alice send request
+GET /jappixmini/?role=%s&signed_address=%s&dfrn_id=%s
-  Bob encrypts jabber address
+
-  Alice decrypts jabber address
+Response:
 json({"status":"ok", "encrypted_address":"%s"})
 */
@ -78,6 +85,8 @@ unregister_hook('about_hook', 'addon/jappixmini/jappixmini.php', 'jappixmini_dow
 }
 function jappixmini_plugin_admin(&$a, &$o) {
 	// display instructions and warnings on addon settings page for admin
 	if (!file_exists("addon/jappixmini/jappix")) {
 		$o .= '<p><strong>You need to install the Jappix application, adapted for Friendica (see README).</strong></p>';
 	}
@ -91,81 +100,80 @@ function jappixmini_plugin_admin_post(&$a) {
 function jappixmini_module() {}
 function jappixmini_init(&$a) {
-	// Here, other friendica sites can fetch the jabber address of local users.
+	// module page where other Friendica sites can submit Jabber addresses to and also can query Jabber addresses
-	// Because we do not want to publish the addresses publicly, they are encrypted so
+        // of local users
-	// that only contacts can read it.
+
-	$encrypt_for = $_REQUEST["encrypt_for"];
+	$dfrn_id = $_REQUEST["dfrn_id"];
-	if ($encrypt_for) {
+	if (!$dfrn_id) killme();
-		$r = q("SELECT * FROM `contact` WHERE LENGTH(`pubkey`) AND `dfrn-id` = '%s' LIMIT 1",
+
-			dbesc($encrypt_for)
+	$role = $_REQUEST["role"];
 	if ($role=="pub") {
 		$r = q("SELECT * FROM `contact` WHERE LENGTH(`pubkey`) AND `dfrn-id`='%s' LIMIT 1",
 			dbesc($dfrn_id)
 		);
 		if (!count($r)) killme();
-		// get public key to encrypt address
+		$encrypt_func = openssl_public_encrypt;
-		$pubkey = $r[0]['pubkey'];
+		$decrypt_func = openssl_public_decrypt;
 		$key = $r[0]["pubkey"];
 	} else if ($role=="prv") {
 		$r = q("SELECT * FROM `contact` WHERE LENGTH(`prvkey`) AND `issued-id`='%s' LIMIT 1",
 			dbesc($dfrn_id)
 		);
 		if (!count($r)) killme();
-		// get jabber address
+		$encrypt_func = openssl_private_encrypt;
-		$uid = $r[0]['uid'];
+		$decrypt_func = openssl_private_decrypt;
-		$username = get_pconfig($uid, 'jappixmini', 'username');
+		$key = $r[0]["prvkey"];
-		if (!$username) killme();
+	} else {
 		$server = get_pconfig($uid, 'jappixmini', 'server');
 		if (!$server) killme();
 		$address = $username."@".$server;
 		// encrypt address
 		$encrypted = "";
 		openssl_public_encrypt($address,$encrypted,$pubkey);
 		// calculate hex representation of encrypted address
 		$hex = bin2hex($encrypted);
 		// construct answer
 		$answer = Array("status"=>"ok", "encrypted_address"=>$hex);
 		// return answer as json
 		echo json_encode($answer);
 		killme();
 	}
-	// If we have only a private key, other site sends encrypted request, we answer unencrypted.
+	$uid = $r[0]["uid"];
 	$encrypted_for = $_REQUEST["encrypted_for"];
 	if (!$encrypted_for) killme();
-	$encrypted_request_hex = $_REQUEST["encrypted_request"];
+	// save the Jabber address we received
-	if (!$encrypted_request_hex) killme();
+	try {
-	$encrypted_request = hex2bin($encrypted_request_hex);
+		$signed_address_hex = $_REQUEST["signed_address"];
 		$signed_address = hex2bin($signed_address_hex);
-	$r = q("SELECT * FROM `contact` WHERE LENGTH(`prvkey`) AND `issued-id` = '%s' LIMIT 1",
+		$trusted_address = "";
-		dbesc($encrypted_for)
+		$decrypt_func($signed_address, $trusted_address, $key);
 	);
 	if (!count($r)) killme();
-	// decrypt request, validate it
+		$now = intval(time());
-	$prvkey = $r[0]['prvkey'];
+		set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$trusted_address");
-	$decrypted_request = "";
+	} catch (Exception $e) {
-	openssl_private_decrypt($encrypted_request, $decrypted_request, $prvkey);
+	}
-	if ($decrypted_request!=$encrypted_for) killme();
+	// return the requested Jabber address
 	try {
 		$username = get_pconfig($uid, 'jappixmini', 'username');
 		$server = get_pconfig($uid, 'jappixmini', 'server');
 		$address = "$username@$server";
-	// get jabber address
+		$encrypted_address = "";
-	$uid = $r[0]['uid'];
+		$encrypt_func($address, $encrypted_address, $key);
 	$username = get_pconfig($uid, 'jappixmini', 'username');
 	if (!$username) killme();
 	$server = get_pconfig($uid, 'jappixmini', 'server');
 	if (!$server) killme();
-	$address = $username."@".$server;
+		$encrypted_address_hex = bin2hex($encrypted_address);
-	// construct answer
+		$answer = Array(
-	$answer = Array("status"=>"ok", "address"=>$address);
+			"status"=>"ok",
 			"encrypted_address"=>$encrypted_address_hex
 		);
-	// return answer as json
+		$answer_json = json_encode($answer);
-	echo json_encode($answer);
+		echo $answer_json;
-	killme();
+		killme();
 	} catch (Exception $e) {
 		killme();
 	}
 }
 function jappixmini_settings(&$a, &$s) {
    // addon settings for a user
    $activate = get_pconfig(local_user(),'jappixmini','activate');
    $activate = intval($activate) ? ' checked="checked"' : '';
    $username = get_pconfig(local_user(),'jappixmini','username');
    $username = htmlentities($username);
    $server = get_pconfig(local_user(),'jappixmini','server');
@ -177,8 +185,6 @@ function jappixmini_settings(&$a, &$s) {
    $autosubscribe = intval($autosubscribe) ? ' checked="checked"' : '';
    $autoapprove = get_pconfig(local_user(),'jappixmini','autoapprove');
    $autoapprove = intval($autoapprove) ? ' checked="checked"' : '';
    $activate = get_pconfig(local_user(),'jappixmini','activate');
    $activate = intval($activate) ? ' checked="checked"' : '';
    $s .= '<div class="settings-block">';
    $s .= '<h3>Jappix Mini addon settings</h3>';
@ -206,7 +212,7 @@ function jappixmini_settings(&$a, &$s) {
    $s .= '<label for="jappixmini-autosubscribe">Subscribe to Friendica contacts automatically</label>';
    $s .= ' <input id="jappixmini-autosubscribe" type="checkbox" name="jappixmini-autosubscribe" value="1"'.$autosubscribe.' />';
    $s .= '<br />';
-    $s .= '<label for="jappixmini-purge">Purge list of jabber addresses of contacts</label>';
+    $s .= '<label for="jappixmini-purge">Purge internal list of jabber addresses of contacts</label>';
    $s .= ' <input id="jappixmini-purge" type="checkbox" name="jappixmini-purge" value="1" />';
    $s .= '<br />';
    $s .= '<input type="submit" name="jappixmini-submit" value="' . t('Submit') . '" />';
@ -220,20 +226,32 @@ function jappixmini_settings(&$a, &$s) {
 }
 function jappixmini_settings_post(&$a,&$b) {
 	// save addon settings for a user
 	if(! local_user()) return;
 	$uid = local_user();
 	if($_POST['jappixmini-submit']) {
-		set_pconfig(local_user(),'jappixmini','username',trim($b['jappixmini-username']));
+		$purge = intval($b['jappixmini-purge']);
-		set_pconfig(local_user(),'jappixmini','server',trim($b['jappixmini-server']));
+
-		set_pconfig(local_user(),'jappixmini','bosh',trim($b['jappixmini-bosh']));
+		$username = trim($b['jappixmini-username']);
-		set_pconfig(local_user(),'jappixmini','encrypted-password',trim($b['jappixmini-encrypted-password']));
+		$old_username = get_pconfig($uid,'jappixmini','username');
-		set_pconfig(local_user(),'jappixmini','autosubscribe',intval($b['jappixmini-autosubscribe']));
+		if ($username!=$old_username) $purge = 1;
-		set_pconfig(local_user(),'jappixmini','autoapprove',intval($b['jappixmini-autoapprove']));
+
-		set_pconfig(local_user(),'jappixmini','activate',intval($b['jappixmini-activate']));
+		$server = trim($b['jappixmini-server']);
 		$old_server = get_pconfig($uid,'jappixmini','server');
 		if ($server!=$old_server) $purge = 1;
 		set_pconfig($uid,'jappixmini','username',$username);
 		set_pconfig($uid,'jappixmini','server',$server);
 		set_pconfig($uid,'jappixmini','bosh',trim($b['jappixmini-bosh']));
 		set_pconfig($uid,'jappixmini','encrypted-password',trim($b['jappixmini-encrypted-password']));
 		set_pconfig($uid,'jappixmini','autosubscribe',intval($b['jappixmini-autosubscribe']));
 		set_pconfig($uid,'jappixmini','autoapprove',intval($b['jappixmini-autoapprove']));
 		set_pconfig($uid,'jappixmini','activate',intval($b['jappixmini-activate']));
 		info( 'Jappix Mini settings saved.' );
-		if (intval($b['jappixmini-purge'])) {
+		if ($purge) {
 			$uid = local_user();
 			q("DELETE FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'");
 			info( 'List of addresses purged.' );
 		}
@ -241,6 +259,8 @@ function jappixmini_settings_post(&$a,&$b) {
 }
 function jappixmini_script(&$a,&$s) {
    // adds the script to the page header which starts Jappix Mini
    if(! local_user()) return;
    $activate = get_pconfig(local_user(),'jappixmini','activate');
@ -251,6 +271,7 @@ function jappixmini_script(&$a,&$s) {
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/jappix/php/get.php?t=js&amp;f=caps.js"></script>'."\r\n";
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/jappix/php/get.php?t=js&amp;f=name.js"></script>'."\r\n";
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/jappix/php/get.php?t=js&amp;f=roster.js"></script>'."\r\n";
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/lib.js"></script>'."\r\n";
@ -271,18 +292,35 @@ function jappixmini_script(&$a,&$s) {
    // get a list of jabber accounts of the contacts
    $contacts = Array();
    $uid = local_user();
-    $rows = q("SELECT `v` FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'");
+    $rows = q("SELECT * FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'");
    foreach ($rows as $row) {
        $key = $row['k'];
 	$pos = strpos($key, ":");
 	$dfrn_id = substr($key, $pos+1);
        $r = q("SELECT `name` FROM `contact` WHERE `uid`=$uid AND `dfrn-id`='%s' OR `issued-id`='%s'",
 		dbesc($dfrn_id),
 		dbesc($dfrn_id)
 	);
 	$name = $r[0]["name"];
        $value = $row['v'];
        $pos = strpos($value, ":");
        $address = substr($value, $pos+1);
-	$contacts[] = $address;
+	if (!$address) continue;
 	if (!$name) $name = $address;
 	$contacts[$address] = $name;
    }
    $contacts_json = json_encode($contacts);
    // get nickname
    $r = q("SELECT `username` FROM `user` WHERE `uid`=$uid");
    $nickname = json_encode($r[0]["username"]);
    // add javascript to start Jappix Mini
    $a->page['htmlhead'] .= "<script type=\"text/javascript\">
        jQuery(document).ready(function() {
-           jappixmini_addon_start('$server', '$username', '$bosh', '$encrypted_password');
+           jappixmini_addon_start('$server', '$username', '$bosh', '$encrypted_password', $nickname);
           jappixmini_manage_roster($contacts_json, $autoapprove, $autosubscribe);
        });
    </script>";
@ -291,7 +329,16 @@ function jappixmini_script(&$a,&$s) {
 }
 function jappixmini_login(&$a, &$o) {
-    // save hash of password using setDB
+    // for setDB, needed by jappixmini_addon_set_client_secret
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/jappix/php/get.php?t=js&amp;f=datastore.js"></script>'."\r\n";
    // for str_sha1, needed by jappixmini_addon_set_client_secret
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/jappix/php/get.php?t=js&amp;f=jsjac.js"></script>'."\r\n";
    // for jappixmini_addon_set_client_secret
    $a->page['htmlhead'] .= '<script type="text/javascript" src="' . $a->get_baseurl() . '/addon/jappixmini/lib.js"></script>'."\r\n";
    // save hash of password
    $o = str_replace("<form ", "<form onsubmit=\"jappixmini_addon_set_client_secret(this.elements['id_password'].value);return true;\" ", $o);
 }
@ -311,10 +358,17 @@ function jappixmini_cron(&$a, $d) {
 			if (!$request) continue;
 			$dfrn_id = $contact_row["dfrn-id"];
-			$pubkey = $contact_row["pubkey"];
+			if ($dfrn_id) {
-			if (!$dfrn_id) {
+				$key = $contact_row["pubkey"];
 				$encrypt_func = openssl_public_encrypt;
 				$decrypt_func = openssl_public_decrypt;
 				$role = "prv";
 			} else {
 				$dfrn_id = $contact_row["issued-id"];
-				$prvkey = $contact_row["prvkey"];
+				$key = $contact_row["prvkey"];
 				$encrypt_func = openssl_private_encrypt;
 				$decrypt_func = openssl_private_decrypt;
 				$role = "pub";
 			}
 			// check if jabber address already present
@ -334,48 +388,55 @@ function jappixmini_cron(&$a, $d) {
 			$pos = strpos($request, "/dfrn_request/");
 			if ($pos===false) continue;
-			$base = substr($request, 0, $pos)."/jappixmini";
+			$base = substr($request, 0, $pos)."/jappixmini?role=$role";
-			// retrieve address
+			// construct own address
-			if ($prvkey) {
+			$username = get_pconfig($uid, 'jappixmini', 'username');
-				$retrieval_address = $base."?encrypt_for=".urlencode($dfrn_id);
+			if (!$username) continue;
 			$server = get_pconfig($uid, 'jappixmini', 'server');
 			if (!$server) continue;
-				$answer_json = fetch_url($retrieval_address);
+			$address = $username."@".$server;
 			// sign address
 			$signed_address = "";
 			$encrypt_func($address, $signed_address, $key);
 			// construct request url
 			$signed_address_hex = bin2hex($signed_address);
 			$url = $base."&signed_address=$signed_address_hex&dfrn_id=".urlencode($dfrn_id);
 			try {
 				// send request
 				$answer_json = fetch_url($url);
 				// parse answer
 				$answer = json_decode($answer_json);
-				if ($answer->status != "ok") continue;
+				if ($answer->status != "ok") throw new Exception();
 				$encrypted_address_hex = $answer->encrypted_address;
-				if (!$encrypted_address_hex) continue;
+				if (!$encrypted_address_hex) throw new Exception();
 				$encrypted_address = hex2bin($encrypted_address_hex);
 				if (!$encrypted_address) throw new Exception();
 				// decrypt address
 				$decrypted_address = "";
 				$decrypt_func($encrypted_address, $decrypted_address, $key);
 				if (!$decrypted_address) throw new Exception();
 			} catch (Exception $e) {
 				$decrypted_address = "";
 				openssl_private_decrypt($encrypted_address, $decrypted_address, $prvkey);
 				if (!$decrypted_address) continue;
 				$address = $decrypted_address;
 			} else if ($pubkey) {
 				$encrypted_request = "";
 				openssl_public_encrypt($dfrn_id, $encrypted_request, $pubkey);
 				if (!$encrypted_request) continue;
 				$encrypted_request_hex = bin2hex($encrypted_request);
 				$retrieval_address = $base."?encrypted_for=".urlencode($dfrn_id)."&encrypted_request=".urlencode($encrypted_request_hex);
 				$answer_json = fetch_url($retrieval_address);
 				$answer = json_decode($answer_json);
 				if ($answer->status != "ok") continue;
 				$address = $answer->address;
 				if (!$address) continue;
 			}
 			// save address
-			set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$address");
+			set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$decrypted_address");
 		}
 	}
 }
 function jappixmini_download_source(&$a,&$b) {
 	// Jappix Mini source download link on About page
 	$b .= '<h1>Jappix Mini</h1>';
 	$b .= '<p>This site uses Jappix Mini by the <a href="'.$a->get_baseurl().'/addon/jappixmini/jappix/AUTHORS">Jappix authors</a>, which is distributed under the terms of the <a href="'.$a->get_baseurl().'/addon/jappixmini/jappix/COPYING">GNU Affero General Public License</a>.</p>';
 	$b .= '<p>You can download the <a href="'.$a->get_baseurl().'/addon/jappixmini/jappix.zip">source code</a>.</p>';
--- a/jappixmini/lib.js
+++ b/jappixmini/lib.js
@ -15,14 +15,23 @@ function jappixmini_addon_xor(str1, str2) {
 }
 function jappixmini_addon_set_client_secret(password) {
-	client_secret = str_sha1("client_secret:"+password);
+	if (!password) return;
 	salt1 = "h8doCRekWto0njyQohKpdx6BN0UTyC6N";
 	salt2 = "jdX8OwFC1kWAq3s9uOyAcE8g3UNNO5t3";
 	client_secret1 = str_sha1(salt1+password);
 	client_secret2 = str_sha1(salt2+password);
 	client_secret = client_secret1 + client_secret2;
 	setDB('jappix-mini', 'client_secret', client_secret);
 	console.log("client secret set");
 }
 function jappixmini_addon_get_client_secret() {
 	client_secret = getDB('jappix-mini', 'client_secret');
 	if (client_secret===null) {
-		div = $('<div style="position:fixed;padding:1em;background-color:#F00;color:#fff;top:50px;left:50px;" id="x123">Reintroduce your Friendica password for chatting:</div>');
+		div = $('<div style="position:fixed;padding:1em;background-color:#F00;color:#fff;top:50px;left:50px;">Retype your Friendica password for chatting:</div>');
 		div.append($("<br>"));
 		input = $('<input type="password">')
 		div.append(input);
@ -43,7 +52,7 @@ function jappixmini_addon_encrypt_password(password) {
 	client_secret = jappixmini_addon_get_client_secret();
 	// add \0 to password until it has the same length as secret
-	if (client_secret.length<password.length) throw "password too long";
+	if (password.length>client_secret.length-1) throw "password too long";
 	while (password.length<client_secret.length) {
 		password += "\0";
 	}
@ -60,7 +69,7 @@ function jappixmini_addon_decrypt_password(encrypted_password) {
 	client_secret = jappixmini_addon_get_client_secret();
-	// xor encrypted password with secret
+	// xor password with secret
 	password = jappixmini_addon_xor(client_secret, encrypted_password);
        // remove \0
@ -80,12 +89,12 @@ function jappixmini_manage_roster(contacts, autoapprove, autosubscribe) {
 		var xid = bareXID(from);
 		approve = true;
-		if ((!autoapprove) || ($.inArray(xid, contacts) == -1))
+		if ((!autoapprove) || contacts[xid]===undefined)
 			approve = confirm("Accept "+xid+" for chat?");
 		if (approve) {
-			acceptSubscribe(xid);
+			acceptSubscribe(xid, contacts[xid]);
-			//alert("Accepted "+xid+" for chat.");
+			console.log("Accepted "+xid+" for chat.");
 		}
 	});
@ -94,16 +103,18 @@ function jappixmini_manage_roster(contacts, autoapprove, autosubscribe) {
 		for (i=0; i<contacts.length; i++) {
 			xid = contacts[i];
 			sendSubscribe(xid, "subscribe");
 			console.log("Subscribed to "+xid);
 		}
 	}
 }
-function jappixmini_addon_start(server, username, bosh, encrypted_password) {
+function jappixmini_addon_start(server, username, bosh, encrypted_password, nickname) {
    // check if settings have changed, reinitialize jappix mini if this is the case
    settings_identifier = str_sha1(server);
    settings_identifier += str_sha1(username);
    settings_identifier += str_sha1(bosh);
    settings_identifier += str_sha1(encrypted_password);
    settings_identifier += str_sha1(nickname);
    saved_identifier = getDB("jappix-mini", "settings_identifier");
    if (saved_identifier != settings_identifier) removeDB('jappix-mini', 'dom');
@ -116,5 +127,6 @@ function jappixmini_addon_start(server, username, bosh, encrypted_password) {
    password = jappixmini_addon_decrypt_password(encrypted_password);
    // start jappix mini
    MINI_NICKNAME = nickname;
    launchMini(true, false, server, username, password);
 }