/*
    Authenticate a user from the username cached in the session.
    Sets HttpRx.authenticated when the cached session data is accepted. httpLogin is invoked only for the
    auto-login case (a route-configured username with no password).

    @param conn  Connection whose request is being authenticated.
    @return true if the request is authenticated, else false.
 */
PUBLIC bool httpAuthenticate(HttpConn *conn)
{
    HttpRx      *rx = conn->rx;
    HttpAuth    *auth = rx->route->auth;
    cchar       *sessionIp, *username;

    /* The session is probed at most once per request; later calls reuse the cached verdict */
    if (rx->authenticateProbed) {
        return rx->authenticated;
    }
    rx->authenticateProbed = 1;

    sessionIp = httpGetSessionVar(conn, HTTP_SESSION_IP, 0);
    username = httpGetSessionVar(conn, HTTP_SESSION_USERNAME, 0);

    /*
        The cached username is only trusted when the session was established from the same client IP.
        Otherwise, or when no username is cached, fall back to auto-login if the route configures a username.
     */
    if (!smatch(sessionIp, conn->ip) || !username) {
        if (auth->username && *auth->username) {
            httpLogin(conn, auth->username, NULL);
            username = httpGetSessionVar(conn, HTTP_SESSION_USERNAME, 0);
        }
        if (!username) {
            return 0;
        }
    }
    /* The format string carries no conversion, so the username is logged masked rather than interpolated (appears deliberate) */
    httpTrace(conn, "auth.login.authenticated", "context",
        "msg: 'Using cached authentication data', username: '******'", username);
    conn->username = username;
    rx->authenticated = 1;
    return rx->authenticated;
}
/*
    Form login service routine, invoked for a form-based login request. Only installed when httpSetAuthForm is used.
    The password is carried clear-text in the form body, so this must only be served over SSL to be secure.
    On success the client is redirected to the referrer saved in the session (completed against the current request
    so the connection's scheme is kept), else to auth->loggedIn, else to "~". On failure the client is sent back to
    auth->loginPage.

    @param conn  Connection carrying the login form submission.
 */
static void loginServiceProc(HttpConn *conn)
{
    HttpAuth    *auth = conn->rx->route->auth;
    cchar       *username = httpGetParam(conn, "username", 0);
    cchar       *password = httpGetParam(conn, "password", 0);
    cchar       *referrer, *target;

    if (!httpLogin(conn, username, password)) {
        httpRedirect(conn, HTTP_CODE_MOVED_TEMPORARILY, auth->loginPage);
        return;
    }
    referrer = httpGetSessionVar(conn, "referrer", 0);
    if (referrer) {
        /* Complete the saved referrer against the current URI so the existing connection's scheme is preserved */
        HttpUri *where = httpCreateUri(referrer, 0);
        httpCompleteUri(where, conn->rx->parsedUri);
        target = httpUriToString(where, 0);
    } else {
        target = auth->loggedIn ? auth->loggedIn : "~";
    }
    httpRedirect(conn, HTTP_CODE_MOVED_TEMPORARILY, target);
}
/*
    Render a request variable by name. The request params are consulted first; when no param of that name exists,
    the session variable of the same name is rendered instead ("" if the session has none either).

    @param conn  Current connection.
    @param name  Variable name to look up.
    @return Whatever espRenderSafeString returns for the resolved value.
 */
ssize espRenderVar(HttpConn *conn, cchar *name)
{
    cchar   *value = espGetParam(conn, name, 0);

    if (!value) {
        value = httpGetSessionVar(conn, name, "");
    }
    /* Rendered via the "safe" variant; presumably escapes the value, which may originate from the request - confirm */
    return espRenderSafeString(conn, value);
}
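/*
    Compare two security tokens in time that depends only on their lengths, never on where they first differ.
    @param a  First NUL-terminated token (must not be NULL).
    @param b  Second NUL-terminated token (must not be NULL).
    @return true if the tokens are byte-identical.
 */
static bool tokensMatch(cchar *a, cchar *b)
{
    size_t          alen, blen, i;
    unsigned char   diff;

    alen = strlen(a);
    blen = strlen(b);
    if (alen != blen) {
        return 0;
    }
    diff = 0;
    for (i = 0; i < alen; i++) {
        diff |= (unsigned char) (a[i] ^ b[i]);
    }
    return diff == 0;
}

/*
    Verify the CSRF security token of a form POST. Requests that are not POSTs are not checked.
    The token supplied by the client (param ESP_SECURITY_TOKEN_NAME) must equal the token stored in the session.
    The session token is cached in rx->securityToken so the check runs at most once per request.

    @param conn  Current connection.
    @return true if the request may proceed. On failure an HTTP error is raised on the connection and false is returned.
 */
bool espCheckSecurityToken(HttpConn *conn)
{
    HttpRx  *rx;
    cchar   *requestToken, *sessionToken;

    rx = conn->rx;
    if (!(rx->flags & HTTP_POST)) {
        return 1;
    }
    if (rx->securityToken) {
        /* Already verified for this request */
        return 1;
    }
    sessionToken = rx->securityToken = sclone(httpGetSessionVar(conn, ESP_SECURITY_TOKEN_NAME, ""));
    /*
        Fail closed when the session holds no token or the client sent none. If both sides default to "" an
        absent request token compares equal to an absent session token and a token-less POST is accepted.
     */
    if (!sessionToken || *sessionToken == '\0') {
        httpError(conn, HTTP_CODE_NOT_ACCEPTABLE, "Security token missing from session. Denying request");
        return 0;
    }
    requestToken = espGetParam(conn, ESP_SECURITY_TOKEN_NAME, 0);
    if (!requestToken || *requestToken == '\0') {
        httpError(conn, HTTP_CODE_NOT_ACCEPTABLE, "Security token missing from request. Denying request");
        return 0;
    }
    if (!tokensMatch(sessionToken, requestToken)) {
        httpError(conn, HTTP_CODE_NOT_ACCEPTABLE, "Security token does not match. Potential CSRF attack. Denying request");
        return 0;
    }
    return 1;
}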
/*
    Fetch a session variable for the current stream.
    @param key  Session variable name.
    @return The stored value, or NULL when the session has no such variable (no default is supplied).
 */
PUBLIC cchar *getSessionVar(cchar *key)
{
    /* No default: callers can distinguish "absent" (NULL) from "set to empty" */
    return httpGetSessionVar(getStream(), key, NULL);
}
/*
    Fetch a session variable for the current connection.
    @param key  Session variable name.
    @return The stored value, or "" when the session has no such variable (never NULL).
 */
PUBLIC cchar *getSessionVar(cchar *key)
{
    cchar   *absentValue = "";

    /* Defaults to "" so callers may use the result directly as a string */
    return httpGetSessionVar(getConn(), key, absentValue);
}