X-Git-Url: https://git.ucc.asn.au/?a=blobdiff_plain;f=server%2Flogin.c;h=5e2128f3ab0a828834a7b849f594269254c96bd3;hb=826791abc3a3bb383c2908d7d39618b99ad7665c;hp=a616af2c0a4ab627987a2edbb2bc9e91be47c60a;hpb=29cdd749c2c6c87a23287a398035a103086aa224;p=matches%2FMCTX3420.git
diff --git a/server/login.c b/server/login.c
index a616af2..5e2128f 100644
--- a/server/login.c
+++ b/server/login.c
@@ -149,8 +149,9 @@ int Login_LDAP_Bind(const char * uri, const char * dn, const char * pass)
  * @param params - Parameter string, UNUSED
  */
 void Logout_Handler(FCGIContext * context, char * params)
-{ 
+{
  FCGI_ReleaseControl(context);
+ FCGI_AcceptJSON(context, "Logged out", "0");
 }
 
 
@@ -161,16 +162,8 @@ void Logout_Handler(FCGIContext * context, char * params)
  */
 void Login_Handler(FCGIContext * context, char * params)
 {
-
- if (context->control_key[0] != '\0')
- {
- FCGI_RejectJSON(context, "Already logged in.");
- return;
- }
-
- char * user = ""; // The username supplied through CGI
- char * pass = ""; // The password supplied through CGI
- //TODO: Make sure these are passed through HTTPS, *not* HTTP .... otherwise people can eavesdrop on the passwords
+ char * user; // The username supplied through CGI
+ char * pass; // The password supplied through CGI
 
 FCGIValue values[] = {
 {"user", &user, FCGI_REQUIRED(FCGI_STRING_T)},
@@ -191,17 +184,14 @@ void Login_Handler(FCGIContext * context, char * params)
 return;
 }
 
-
- // Trim leading whitespace (the BUFSIZ check is to make sure incorrectly terminated strings don't cause an infinite loop)
+ // Trim leading whitespace
 int i = 0;
- for (i = 0; i < BUFSIZ && isspace(user[0]) && user[0] != '\0'; ++i,++user);
+ for (i = 0; isspace(user[0]) && user[0] != '\0'; ++i, ++user);
 // Truncate string at first non alphanumeric character
- for (i = 0; i < BUFSIZ && isalnum(user[i]) && user[i] != '\0'; ++i);
+ for (i = 0; isalnum(user[i]) && user[i] != '\0'; ++i);
 user[i] = '\0';
 
-
- bool authenticated = true;
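Review bot: Logout_Handler now releases control and answers "Logged out" without any visible check that the caller actually holds the current control key, so if the dispatcher does not verify the key before invoking this handler, an unauthenticated request could log out whoever is in control. If that verification does happen upstream, a one-line comment above the FCGI_ReleaseControl call such as `// The dispatcher has already verified the caller's control key` would make the assumption explicit to the next reader. The literal `"0"` passed as the third argument to FCGI_AcceptJSON is also unexplained; a short comment on what that field means to the client would help.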
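Review bot: The deleted TODO about passwords travelling over plain HTTP is a real concern that the new lines do not address: `pass` is still read straight from the request parameters, and nothing in this hunk checks that the request arrived over TLS. Unless TLS is terminated and enforced elsewhere in the deployment, either keep the reminder as a comment above `char * pass;` or reject the login when the request was not over HTTPS (for FastCGI the `HTTPS` request parameter is the usual signal, if the FCGIContext exposes request parameters). Leaving `user` and `pass` uninitialised is only safe if FCGI_REQUIRED guarantees the parse fails before they are read; `char * user = NULL;` and `char * pass = NULL;` would make a later misuse a clean null dereference rather than a read of stack garbage. Login_Handler continues past the end of this hunk.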
@@ -230,6 +220,7 @@ void Login_Handler(FCGIContext * context, char * params)
 if (len >= BUFSIZ)
 {
 FCGI_RejectJSON(context, "DN too long! Recompile with increased BUFSIZ");
+ return;
 }
 
 authenticated = (Login_LDAP_Bind(g_options.auth_uri, dn, pass) == LDAP_SUCCESS);
@@ -251,14 +242,22 @@ void Login_Handler(FCGIContext * context, char * params)
 if (!authenticated)
 {
- FCGI_RejectJSON(context, "Authentication failure.");
- return;
+ FCGI_RejectJSONEx(context, STATUS_UNAUTHORIZED, "Authentication failure.");
 }
+ else
+ {
+ if (FCGI_LockControl(context, false))
+ {
+ //Todo: change this to something better than the username if using LDAP.
+ snprintf(context->friendly_name, 31, "%s", user);
+ FCGI_EscapeText(context->friendly_name); //Don't break javascript pls
 
- FCGI_LockControl(context, false);
-
- // Give the user a cookie
- FCGI_PrintRaw("Content-type: text\r\n");
- FCGI_PrintRaw("Set-Cookie: %s\r\n\r\n", context->control_key);
-
+ // Give the user a cookie
+ FCGI_AcceptJSON(context, "Logged in", context->control_key);
+ }
+ else
+ {
+ FCGI_RejectJSON(context, "Someone else is already logged in");
+ }
+ }
 }
 
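Review bot: The added `return;` is the right fix, but the reject on the line above it still tells the client to "Recompile with increased BUFSIZ", an internal build detail that belongs in the server log rather than in a response to an unauthenticated caller. Consider a neutral message such as `FCGI_RejectJSON(context, "Username too long");` and record the BUFSIZ detail with whatever logging the file already uses. Login_Handler starts and ends outside this hunk.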
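Review bot: `snprintf(context->friendly_name, 31, "%s", user);` hard-codes the destination size; if friendly_name is an array member of FCGIContext this should be `snprintf(context->friendly_name, sizeof context->friendly_name, "%s", user);` so the bound cannot drift from the declaration. FCGI_EscapeText then rewrites friendly_name in place after it has been filled to within one byte of that bound, so if escaping can lengthen the string (for example by inserting backslashes) it would overflow; today that appears to be prevented only because an earlier hunk truncates `user` at its first non-alphanumeric character, which is worth stating in a comment beside the call since the Todo above anticipates replacing the username with something from LDAP. Returning the control key in the JSON body also makes it readable by any script running on the page, where a cookie could at least have carried HttpOnly and Secure; whichever storage the client uses, the key should not be exposed more widely than the UI needs. The function ends inside this hunk but begins outside it.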