Add cross-site authentication stuff

scc · Aug 7, 2008 · 467a39f · 467a39f
1 parent dd8dcc3
commit 467a39f
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 23 deletions.
diff --git a/Slash/DB/MySQL/MySQL.pm b/Slash/DB/MySQL/MySQL.pm
@@ -1549,6 +1549,68 @@ sub deleteUser {
 	return $rows;
 }
 
+
+########################################################
+# Get user info from the users table.
+sub getUserCrossSiteAuthenticate {
+	my($self, $site, $params, $user) = @_;
+	$user ||= getCurrentUser();
+	my $gSkin = getCurrentSkin();
+
+	return unless $site->{host} eq $gSkin->{hostname};
+
+	# XXX skip_tstamp_rand is testing
+	unless ($site->{skip_tstamp_rand}) {
+		return unless $params->{tstamp} && $params->{'rand'};
+
+		return unless ( ($params->{tstamp} + 60) >= time() );
+
+		$self->sqlInsert('xsite_auth_log', {
+			site    => $site->{site},
+			ts      => $params->{tstamp},
+			nonce   => $params->{'rand'}
+		}) or return;
+	}
+
+	my $new = 0;
+	my $uid = $self->sqlSelect('uid', 'users_param',
+		"name=" . $self->sqlQuote($site->{auth_param_name}) .
+		" AND value=" . $self->sqlQuote($params->{user_id})
+	);
+
+	if (!$uid) {
+		my $newnick = sprintf($site->{user_name_format}, $params->{shortname} || $params->{user_id});
+		my $matchname = nick2matchname($newnick);
+		my $email = '';
+
+		# no email for now, so skip checks for email (and matchname;
+		# we don't care if someone already has an "sfpudge", that
+		# should not stop us from making a "SF:pudge")
+		$uid = $self->createUser(
+			$matchname, '', $newnick, { skipchecks => 1 }
+		);
+		$new = 1;
+
+		if ($uid) {
+			# XXX consider disallowing these accounts from
+			# authenticating on other domains
+			my $data = {};
+			$data->{creation_ipid} = $user->{ipid};
+			$data->{ $site->{auth_param_name} } = $params->{user_id};
+			$data->{acl}{nopasswd} = 1;
+			$self->setUser($uid, $data);
+		}
+	}
+
+	return unless $uid; # dunno!
+
+	my $logtoken = $self->getLogToken($uid, 1);
+
+	# return UID alone in scalar context
+	return wantarray ? ($uid, $logtoken, $new) : $uid;
+}
+
+
 ########################################################
 # Get user info from the users table.
 sub getUserAuthenticate {
@@ -2386,21 +2448,25 @@ sub existsUid {
 # while this is going on, we won't end up with a half created user.
 # -Brian
 sub createUser {
-	my($self, $matchname, $email, $newuser) = @_;
-	return unless $matchname && $email && $newuser;
+	my($self, $matchname, $email, $newuser, $opts) = @_;
+	return unless $matchname && $newuser;
+	$opts ||= {};
+	return if !$email && !$opts->{skipchecks};
 
 	$email =~ s/\s//g; # strip whitespace from emails
 
-	return if ($self->sqlSelect(
-		"uid", "users",
-		"matchname=" . $self->sqlQuote($matchname)
-	))[0] || $self->existsEmail($email);
+	if (!$opts->{skipchecks}) {
+		return if ($self->sqlSelect(
+			"uid", "users",
+			"matchname=" . $self->sqlQuote($matchname)
+		))[0] || $self->existsEmail($email);
+	}
 
 	$self->sqlDo("SET AUTOCOMMIT=0");
 
 	$self->sqlInsert("users", {
 		uid		=> undef,
-		realemail	=> $email,
+		realemail	=> $email || '',
 		nickname	=> $newuser,
 		matchname	=> $matchname,
 		seclev		=> 1,

diff --git a/Slash/Utility/Environment/Environment.pm b/Slash/Utility/Environment/Environment.pm
@@ -1344,9 +1344,13 @@ sub setCookie {
 	# ".slashdot.org" is OK.  the only way to set a cookie
 	# to a *host* is to leave the domain blank, which is
 	# why we set the first cookie with no domain. -- pudge
+	# unless domain does not match the root domain -- pudge
 
 	# domain must start with a '.' and have one more '.'
-	# embedded in it, else we ignore it
+	# embedded in it, else we ignore it, so you can
+	# enter an *invalid* value in skins.cookiedomain to
+	# override constants.cookiedomain, and *not* have
+	# any domain cookie set -- pudge
 	my $domain = ($cookiedomain && $cookiedomain =~ /^\..+\./)
 		? $cookiedomain
 		: '';
@@ -1362,8 +1366,6 @@ sub setCookie {
 
 	my $cookie = Apache::Cookie->new($r, %cookiehash);
 
-	# this should be fine, but if there is a problem, comment the following
-	# lines, and uncomment the one right above "bake"
 	if (!$val) {
 		$cookie->expires('-1y');  # delete
 	} elsif ($session && $session =~ /^\+\d+[mhdy]$/) {

diff --git a/plugins/Ajax/htdocs/ajax.pl b/plugins/Ajax/htdocs/ajax.pl
@@ -69,7 +69,7 @@ sub main {
 			# feel free to send msgdiv => 'thisdivhere' to the ajax call,
 			# and any reskey error messages will be sent to it
 			if ($form->{msgdiv}) {
-				header_ajax({ content_type => 'application/json' });
+				http_send({ content_type => 'application/json' });
 				(my $msgdiv = $form->{msgdiv}) =~ s/[^\w-]+//g;
 				print Data::JavaScript::Anon->anon_dump({
 					html	  => { $msgdiv => $rkey->errstr },
@@ -89,7 +89,7 @@ sub main {
 #	print STDERR "AJAX7 $$: $user->{uid}, $op ($retval)\n";
 
 	if ($retval) {
-		header_ajax($options);
+		http_send($options);
 		print $retval;
 	}
 
@@ -1095,17 +1095,6 @@ sub saveModalPrefs {
 ##################################################################
 sub default { }
 
-##################################################################
-sub header_ajax {
-	my($options) = @_;
-	my $ct = $options->{content_type} || 'text/plain';
-
-	my $r = Apache->request;
-	$r->content_type($ct);
-	$r->header_out('Cache-Control', 'no-cache');
-	$r->send_http_header;
-}
-
 ##################################################################
 sub getOps {
 	my $slashdb   = getCurrentDB();

diff --git a/plugins/Login/login.pl b/plugins/Login/login.pl
@@ -217,6 +217,11 @@ sub mailPasswd {
 
 	my $user_send = $reader->getUser($uid);
 
+	if ($user->{acl}{nopasswd}) {
+		push @note, getData('mail_acl_nopasswd');
+		$error = 1;
+	}
+
 	if (!$error) {
 		# A user coming from a srcid that's been marked as not
 		# acceptable for posting from also does not get to

diff --git a/plugins/Login/templates/data;login;default b/plugins/Login/templates/data;login;default
@@ -112,6 +112,10 @@ __template__
 	password mailed to you</a>.
 
 
+[% CASE 'mail_acl_nopasswd' %]
+	[% returnme.data_constant = 1 %]
+	This account is not allowed to log in normally.  No password was mailed.
+
 [% CASE 'mail_nonickname' %]
 	[% returnme.data_constant = 1 %]
 	User was not found.  No password was mailed.

diff --git a/sql/mysql/slashschema_create.sql b/sql/mysql/slashschema_create.sql
@@ -1554,6 +1554,15 @@ CREATE TABLE vars (
 	PRIMARY KEY (name)
 ) TYPE=InnoDB;
 
+DROP TABLE IF EXISTS xsite_auth_log;
+CREATE TABLE xsite_auth_log (
+	site VARCHAR(30) DEFAULT '' NOT NULL,
+	ts DATETIME DEFAULT '0000-00-00 00:00' NOT NULL,
+	nonce VARCHAR(30) DEFAULT '' NOT NULL,
+	UNIQUE KEY (site,ts,nonce)
+) TYPE=InnoDB;
+
+
 #ALTER TABLE backup_blocks ADD FOREIGN KEY (bid) REFERENCES blocks(bid);
 #ALTER TABLE comment_text ADD FOREIGN KEY (cid) REFERENCES comments(cid);
 #ALTER TABLE discussions ADD FOREIGN KEY (topic) REFERENCES topics(tid);

diff --git a/sql/mysql/upgrades b/sql/mysql/upgrades
@@ -5442,3 +5442,11 @@ UPDATE vars SET value = 'T_2_5_0_214' WHERE name = 'cvs_tag_currentcode';
 
 # for plugins/FireHose
 ALTER TABLE firehose MODIFY type ENUM("submission","journal","bookmark","feed","story","vendor","misc", "comment","discussion","project") default 'submission';
+
+DROP TABLE IF EXISTS xsite_auth_log;
+CREATE TABLE xsite_auth_log (
+	site VARCHAR(30) DEFAULT '' NOT NULL,
+	ts DATETIME DEFAULT '0000-00-00 00:00' NOT NULL,
+	nonce VARCHAR(30) DEFAULT '' NOT NULL,
+	UNIQUE KEY (site,ts,nonce)
+) TYPE=InnoDB;