Use HTTP-Signature to authenticate when fetching photos.
This commit is contained in:
parent
d32105aa8b
commit
a876c20850
3 changed files with 82 additions and 47 deletions
|
@ -45,6 +45,9 @@ class Photo extends BaseModule
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// @todo Add Authentication to enable fetching of non public content
|
||||||
|
// $requester = HTTPSignature::getSigner('', $_SERVER);
|
||||||
|
|
||||||
$customsize = 0;
|
$customsize = 0;
|
||||||
$photo = false;
|
$photo = false;
|
||||||
switch($a->argc) {
|
switch($a->argc) {
|
||||||
|
|
|
@ -10,8 +10,9 @@ use Friendica\Core\L10n;
|
||||||
use Friendica\Core\System;
|
use Friendica\Core\System;
|
||||||
use Friendica\Model\Photo;
|
use Friendica\Model\Photo;
|
||||||
use Friendica\Object\Image;
|
use Friendica\Object\Image;
|
||||||
use Friendica\Util\Network;
|
use Friendica\Util\HTTPSignature;
|
||||||
use Friendica\Util\Proxy as ProxyUtils;
|
use Friendica\Util\Proxy as ProxyUtils;
|
||||||
|
use Friendica\Core\Logger;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Module Proxy
|
* @brief Module Proxy
|
||||||
|
@ -81,38 +82,35 @@ class Proxy extends BaseModule
|
||||||
// Try to use photo from db
|
// Try to use photo from db
|
||||||
self::responseFromDB($request);
|
self::responseFromDB($request);
|
||||||
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// If script is here, the requested url has never cached before.
|
// If script is here, the requested url has never cached before.
|
||||||
// Let's fetch it, scale it if required, then save it in cache.
|
// Let's fetch it, scale it if required, then save it in cache.
|
||||||
//
|
//
|
||||||
|
|
||||||
|
|
||||||
// It shouldn't happen but it does - spaces in URL
|
// It shouldn't happen but it does - spaces in URL
|
||||||
$request['url'] = str_replace(' ', '+', $request['url']);
|
$request['url'] = str_replace(' ', '+', $request['url']);
|
||||||
$redirects = 0;
|
$fetchResult = HTTPSignature::fetchRaw($request['url'], local_user(), true, ['timeout' => 10]);
|
||||||
$fetchResult = Network::fetchUrlFull($request['url'], true, $redirects, 10);
|
|
||||||
$img_str = $fetchResult->getBody();
|
$img_str = $fetchResult->getBody();
|
||||||
|
|
||||||
$tempfile = tempnam(get_temppath(), 'cache');
|
|
||||||
file_put_contents($tempfile, $img_str);
|
|
||||||
$mime = mime_content_type($tempfile);
|
|
||||||
unlink($tempfile);
|
|
||||||
|
|
||||||
// If there is an error then return a blank image
|
// If there is an error then return a blank image
|
||||||
if ((substr($fetchResult->getReturnCode(), 0, 1) == '4') || (!$img_str)) {
|
if ((substr($fetchResult->getReturnCode(), 0, 1) == '4') || (!$img_str)) {
|
||||||
self::responseError();
|
self::responseError();
|
||||||
// stop.
|
// stop.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$tempfile = tempnam(get_temppath(), 'cache');
|
||||||
|
file_put_contents($tempfile, $img_str);
|
||||||
|
$mime = mime_content_type($tempfile);
|
||||||
|
unlink($tempfile);
|
||||||
|
|
||||||
$image = new Image($img_str, $mime);
|
$image = new Image($img_str, $mime);
|
||||||
if (!$image->isValid()) {
|
if (!$image->isValid()) {
|
||||||
self::responseError();
|
self::responseError();
|
||||||
// stop.
|
// stop.
|
||||||
}
|
}
|
||||||
|
|
||||||
$basepath = $a->getBasePath();
|
$basepath = $a->getBasePath();
|
||||||
|
|
||||||
// Store original image
|
// Store original image
|
||||||
if ($direct_cache) {
|
if ($direct_cache) {
|
||||||
// direct cache , store under ./proxy/
|
// direct cache , store under ./proxy/
|
||||||
|
@ -159,8 +157,7 @@ class Proxy extends BaseModule
|
||||||
$a = self::getApp();
|
$a = self::getApp();
|
||||||
$size = 1024;
|
$size = 1024;
|
||||||
$sizetype = '';
|
$sizetype = '';
|
||||||
|
|
||||||
|
|
||||||
// Look for filename in the arguments
|
// Look for filename in the arguments
|
||||||
if (($a->argc > 1) && !isset($_REQUEST['url'])) {
|
if (($a->argc > 1) && !isset($_REQUEST['url'])) {
|
||||||
if (isset($a->argv[3])) {
|
if (isset($a->argv[3])) {
|
||||||
|
@ -211,7 +208,7 @@ class Proxy extends BaseModule
|
||||||
} else {
|
} else {
|
||||||
$url = defaults($_REQUEST, 'url', '');
|
$url = defaults($_REQUEST, 'url', '');
|
||||||
}
|
}
|
||||||
|
|
||||||
return [
|
return [
|
||||||
'url' => $url,
|
'url' => $url,
|
||||||
'urlhash' => 'pic:' . sha1($url),
|
'urlhash' => 'pic:' . sha1($url),
|
||||||
|
@ -239,9 +236,9 @@ class Proxy extends BaseModule
|
||||||
|
|
||||||
// Checking if caching into a folder in the webroot is activated and working
|
// Checking if caching into a folder in the webroot is activated and working
|
||||||
$direct_cache = (is_dir($basepath . '/proxy') && is_writable($basepath . '/proxy'));
|
$direct_cache = (is_dir($basepath . '/proxy') && is_writable($basepath . '/proxy'));
|
||||||
// we don't use direct cache if image url is passed in args and not in querystring
|
// we don't use direct cache if image url is passed in args and not in querystring
|
||||||
$direct_cache = $direct_cache && ($a->argc > 1) && !isset($_REQUEST['url']);
|
$direct_cache = $direct_cache && ($a->argc > 1) && !isset($_REQUEST['url']);
|
||||||
|
|
||||||
return $direct_cache;
|
return $direct_cache;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -277,8 +274,8 @@ class Proxy extends BaseModule
|
||||||
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
||||||
* @throws \ImagickException
|
* @throws \ImagickException
|
||||||
*/
|
*/
|
||||||
private static function responseFromDB(&$request) {
|
private static function responseFromDB(&$request)
|
||||||
|
{
|
||||||
$photo = Photo::getPhoto($request['urlhash']);
|
$photo = Photo::getPhoto($request['urlhash']);
|
||||||
|
|
||||||
if ($photo !== false) {
|
if ($photo !== false) {
|
||||||
|
@ -287,12 +284,13 @@ class Proxy extends BaseModule
|
||||||
// stop.
|
// stop.
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Output a blank image, without cache headers, in case of errors
|
* @brief Output a blank image, without cache headers, in case of errors
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
private static function responseError() {
|
private static function responseError()
|
||||||
|
{
|
||||||
header('Content-type: image/png');
|
header('Content-type: image/png');
|
||||||
echo file_get_contents('images/blank.png');
|
echo file_get_contents('images/blank.png');
|
||||||
exit();
|
exit();
|
||||||
|
@ -319,5 +317,3 @@ class Proxy extends BaseModule
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -328,38 +328,18 @@ class HTTPSignature
|
||||||
*/
|
*/
|
||||||
public static function fetch($request, $uid)
|
public static function fetch($request, $uid)
|
||||||
{
|
{
|
||||||
$owner = User::getOwnerDataById($uid);
|
$opts = ['accept_content' => 'application/activity+json, application/ld+json'];
|
||||||
|
$curlResult = self::fetchRaw($request, $uid, false, $opts);
|
||||||
|
|
||||||
if (!$owner) {
|
if (empty($curlResult)) {
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Header data that is about to be signed.
|
|
||||||
$host = parse_url($request, PHP_URL_HOST);
|
|
||||||
$path = parse_url($request, PHP_URL_PATH);
|
|
||||||
$date = DateTimeFormat::utcNow(DateTimeFormat::HTTP);
|
|
||||||
|
|
||||||
$headers = ['Date: ' . $date, 'Host: ' . $host];
|
|
||||||
|
|
||||||
$signed_data = "(request-target): get " . $path . "\ndate: ". $date . "\nhost: " . $host;
|
|
||||||
|
|
||||||
$signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256'));
|
|
||||||
|
|
||||||
$headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"';
|
|
||||||
|
|
||||||
$headers[] = 'Accept: application/activity+json, application/ld+json';
|
|
||||||
|
|
||||||
$curlResult = Network::curl($request, false, $redirects, ['header' => $headers]);
|
|
||||||
$return_code = $curlResult->getReturnCode();
|
|
||||||
|
|
||||||
Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG);
|
|
||||||
|
|
||||||
if (!$curlResult->isSuccess() || empty($curlResult->getBody())) {
|
if (!$curlResult->isSuccess() || empty($curlResult->getBody())) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$content = json_decode($curlResult->getBody(), true);
|
$content = json_decode($curlResult->getBody(), true);
|
||||||
|
|
||||||
if (empty($content) || !is_array($content)) {
|
if (empty($content) || !is_array($content)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -367,6 +347,62 @@ class HTTPSignature
|
||||||
return $content;
|
return $content;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Fetches raw data for a user
|
||||||
|
*
|
||||||
|
* @param string $request request url
|
||||||
|
* @param integer $uid User id of the requester
|
||||||
|
* @param boolean $binary TRUE if asked to return binary results (file download) (default is "false")
|
||||||
|
* @param array $opts (optional parameters) assoziative array with:
|
||||||
|
* 'accept_content' => supply Accept: header with 'accept_content' as the value
|
||||||
|
* 'timeout' => int Timeout in seconds, default system config value or 60 seconds
|
||||||
|
* 'http_auth' => username:password
|
||||||
|
* 'novalidate' => do not validate SSL certs, default is to validate using our CA list
|
||||||
|
* 'nobody' => only return the header
|
||||||
|
* 'cookiejar' => path to cookie jar file
|
||||||
|
*
|
||||||
|
* @return object CurlResult
|
||||||
|
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
||||||
|
*/
|
||||||
|
public static function fetchRaw($request, $uid = 0, $binary = false, $opts = [])
|
||||||
|
{
|
||||||
|
if (!empty($uid)) {
|
||||||
|
$owner = User::getOwnerDataById($uid);
|
||||||
|
if (!$owner) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Header data that is about to be signed.
|
||||||
|
$host = parse_url($request, PHP_URL_HOST);
|
||||||
|
$path = parse_url($request, PHP_URL_PATH);
|
||||||
|
$date = DateTimeFormat::utcNow(DateTimeFormat::HTTP);
|
||||||
|
|
||||||
|
$headers = ['Date: ' . $date, 'Host: ' . $host];
|
||||||
|
|
||||||
|
$signed_data = "(request-target): get " . $path . "\ndate: ". $date . "\nhost: " . $host;
|
||||||
|
|
||||||
|
$signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256'));
|
||||||
|
|
||||||
|
$headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"';
|
||||||
|
} else {
|
||||||
|
$headers = [];
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!empty($opts['accept_content'])) {
|
||||||
|
$headers[] = 'Accept: ' . $opts['accept_content'];
|
||||||
|
}
|
||||||
|
|
||||||
|
$curl_opts = $opts;
|
||||||
|
$curl_opts['header'] = $headers;
|
||||||
|
|
||||||
|
$curlResult = Network::curl($request, false, $redirects, $curl_opts);
|
||||||
|
$return_code = $curlResult->getReturnCode();
|
||||||
|
|
||||||
|
Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG);
|
||||||
|
|
||||||
|
return $curlResult;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Gets a signer from a given HTTP request
|
* @brief Gets a signer from a given HTTP request
|
||||||
*
|
*
|
||||||
|
|
Loading…
Reference in a new issue