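/*
    Authenticate a user using the session stored username. This will set HttpRx.authenticated if authentication succeeds.
    Note: this does not call httpLogin except for auto-login cases where a password is not used.

    A session is trusted only when it carries a username (HTTP_SESSION_USERNAME) and was created
    from the same client address as this connection (HTTP_SESSION_IP). A session bound to a
    different address is treated as absent: either the route's configured auto-login user is
    logged in, or the request stays unauthenticated. The probe runs at most once per request
    (rx->authenticateProbed); later calls return the cached result.

    Returns true if the request is authenticated.
 */
PUBLIC bool httpAuthenticate(HttpConn *conn)
{
    HttpRx      *rx;
    HttpAuth    *auth;
    cchar       *ip, *username;

    rx = conn->rx;
    auth = rx->route->auth;

    if (!rx->authenticateProbed) {
        rx->authenticateProbed = 1;
        ip = httpGetSessionVar(conn, HTTP_SESSION_IP, 0);
        username = httpGetSessionVar(conn, HTTP_SESSION_USERNAME, 0);
        if (!username || !smatch(ip, conn->ip)) {
            /*
                No usable session. A username from a session bound to another client address must
                not be reused, so it is discarded here instead of falling through to the cached path.
             */
            username = 0;
            if (auth->username && *auth->username) {
                /* Auto-login with the route's configured user (no password) */
                httpLogin(conn, auth->username, NULL);
                username = httpGetSessionVar(conn, HTTP_SESSION_USERNAME, 0);
            }
            if (!username) {
                return 0;
            }
        }
        /* NOTE(review): the trailing username argument has no conversion in this format string - confirm intended */
        httpTrace(conn, "auth.login.authenticated", "context", 
            "msg: 'Using cached authentication data', username: '******'", username);
        conn->username = username;
        rx->authenticated = 1;
    }
    return rx->authenticated;
}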
/*
    Service routine for form-based login (installed by httpSetAuthForm). Reads the "username" and
    "password" params, attempts httpLogin, and answers with a redirect: on failure to the route's
    login page; on success to the session "referrer" (completed against the current request URI so
    the scheme is preserved), else to the route's loggedIn page, else to "~".
    The password travels in clear text, so this must only be used over SSL.
 */
static void loginServiceProc(HttpConn *conn)
{
    HttpAuth    *auth = conn->rx->route->auth;
    cchar       *username = httpGetParam(conn, "username", 0);
    cchar       *password = httpGetParam(conn, "password", 0);
    cchar       *target;

    if (!httpLogin(conn, username, password)) {
        /* Credentials rejected: send the client back to the configured login page */
        httpRedirect(conn, HTTP_CODE_MOVED_TEMPORARILY, auth->loginPage);
        return;
    }
    target = httpGetSessionVar(conn, "referrer", 0);
    if (target != 0) {
        /* Complete the stored referrer against this request so the connection's scheme is kept */
        HttpUri *where = httpCreateUri(target, 0);
        httpCompleteUri(where, conn->rx->parsedUri);
        target = httpUriToString(where, 0);
    } else {
        target = auth->loggedIn ? auth->loggedIn : "~";
    }
    httpRedirect(conn, HTTP_CODE_MOVED_TEMPORARILY, target);
}
/*
    Render a request variable. The request param named 'name' wins; when it is absent the session
    variable of the same name is rendered, falling back to the empty string if that is missing too.
    Returns whatever espRenderSafeString reports for the rendered value.
 */
ssize espRenderVar(HttpConn *conn, cchar *name)
{
    cchar   *param = espGetParam(conn, name, 0);

    if (param != 0) {
        return espRenderSafeString(conn, param);
    }
    return espRenderSafeString(conn, httpGetSessionVar(conn, name, ""));
}
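/*
    Verify the CSRF security token on a form submission. Non-POST requests pass without a check.
    The token stored in the session (ESP_SECURITY_TOKEN_NAME) must be present and must equal the
    token supplied as the request param of the same name. The session token is cached in
    rx->securityToken so the session is consulted once per request; when a caller has already
    populated rx->securityToken the comparison is skipped.
    Returns true if the request may proceed. On a missing or mismatched token, responds with
    HTTP_CODE_NOT_ACCEPTABLE and returns false.
 */
bool espCheckSecurityToken(HttpConn *conn) 
{
    HttpRx  *rx;
    cchar   *securityToken, *sessionToken;

    rx = conn->rx;
    if (!(rx->flags & HTTP_POST)) {
        /* NOTE(review): only POST is checked; other state-changing methods pass through - confirm intended */
        return 1;
    }
    if (rx->securityToken == 0) {
        sessionToken = rx->securityToken = sclone(httpGetSessionVar(conn, ESP_SECURITY_TOKEN_NAME, ""));
        securityToken = espGetParam(conn, ESP_SECURITY_TOKEN_NAME, "");
        /*
            An empty session token must never match: otherwise a session that has not yet been
            issued a token would accept any POST that simply omits the token param.
         */
        if (*sessionToken == '\0' || !smatch(sessionToken, securityToken)) {
            httpError(conn, HTTP_CODE_NOT_ACCEPTABLE, 
                "Security token does not match. Potential CSRF attack. Denying request");
            return 0;
        }
    }
    return 1;
}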
/*
    Look up a session variable for the current stream (getStream()).
    Returns the stored value, or NULL when 'key' is not present in the session.
 */
PUBLIC cchar *getSessionVar(cchar *key)
{
    cchar   *value;

    value = httpGetSessionVar(getStream(), key, 0);
    return value;
}
/*
    Look up a session variable for the current connection (getConn()).
    Returns the stored value, or the empty string when 'key' is not present in the session.
 */
PUBLIC cchar *getSessionVar(cchar *key)
{
    cchar   *notFound = "";

    return httpGetSessionVar(getConn(), key, notFound);
}