plugins/generic-sessions/protocol_generic_sessions.c

   1 /*
   2  * ws protocol handler plugin for "generic sessions"
   3  *
   4  * Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public
   8  * License as published by the Free Software Foundation:
   9  * version 2.1 of the License.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public
  17  * License along with this library; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  19  * MA  02110-1301  USA
  20  */
  21
  22 #include "private-lwsgs.h"
  23
  24 /* keep changes in sync with the enum in lwsgs.h */
  25 static const char * const param_names[] = {
  26         "username",
  27         "password",
  28         "password2",
  29         "email",
  30         "register",
  31         "good",
  32         "bad",
  33         "reg-good",
  34         "reg-bad",
  35         "admin",
  36         "forgot",
  37         "forgot-good",
  38         "forgot-bad",
  39         "forgot-post-good",
  40         "forgot-post-bad",
  41         "change",
  42         "curpw",
  43         "delete"
  44 };
  45
  46 struct lwsgs_fill_args {
  47         char *buf;
  48         int len;
  49 };
  50
  51 static const struct lws_protocols protocols[];
  52
  53 static int
  54 lwsgs_lookup_callback_email(void *priv, int cols, char **col_val,
  55                             char **col_name)
  56 {
  57         struct lwsgs_fill_args *a = (struct lwsgs_fill_args *)priv;
  58         int n;
  59
  60         for (n = 0; n < cols; n++) {
  61                 if (!strcmp(col_name[n], "content")) {
  62                         strncpy(a->buf, col_val[n], a->len - 1);
  63                         a->buf[a->len - 1] = '\0';
  64                         continue;
  65                 }
  66         }
  67         return 0;
  68 }
  69
  70 static int
  71 lwsgs_email_cb_get_body(struct lws_email *email, char *buf, int len)
  72 {
  73         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)email->data;
  74         struct lwsgs_fill_args a;
  75         char ss[150], esc[50];
  76
  77         a.buf = buf;
  78         a.len = len;
  79
  80         snprintf(ss, sizeof(ss) - 1,
  81                  "select content from email where username='%s';",
  82                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
  83
  84         strncpy(buf, "failed", len);
  85         if (sqlite3_exec(vhd->pdb, ss, lwsgs_lookup_callback_email, &a,
  86                          NULL) != SQLITE_OK) {
  87                 lwsl_err("Unable to lookup email: %s\n",
  88                          sqlite3_errmsg(vhd->pdb));
  89
  90                 return 1;
  91         }
  92
  93         return 0;
  94 }
  95
  96 static int
  97 lwsgs_email_cb_sent(struct lws_email *email)
  98 {
  99         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)email->data;
 100         char s[200], esc[50];
 101
 102         /* mark the user as having sent the verification email */
 103         snprintf(s, sizeof(s) - 1,
 104                  "update users set verified=1 where username='%s' and verified==0;",
 105                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 106         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 107                 lwsl_err("%s: Unable to update user: %s\n", __func__,
 108                          sqlite3_errmsg(vhd->pdb));
 109                 return 1;
 110         }
 111
 112         snprintf(s, sizeof(s) - 1,
 113                  "delete from email where username='%s';",
 114                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 115         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 116                 lwsl_err("%s: Unable to delete email text: %s\n", __func__,
 117                          sqlite3_errmsg(vhd->pdb));
 118                 return 1;
 119         }
 120
 121         return 0;
 122 }
 123
 124 static int
 125 lwsgs_email_cb_on_next(struct lws_email *email)
 126 {
 127         struct per_vhost_data__gs *vhd = lws_container_of(email,
 128                         struct per_vhost_data__gs, email);
 129         char s[LWSGS_EMAIL_CONTENT_SIZE], esc[50];
 130         time_t now = lws_now_secs();
 131
 132         /*
 133          * users not verified in 24h get deleted
 134          */
 135         snprintf(s, sizeof(s) - 1, "delete from users where ((verified != %d)"
 136                  " and (creation_time <= %lu));", LWSGS_VERIFIED_ACCEPTED,
 137                  (unsigned long)now - vhd->timeout_email_secs);
 138         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 139                 lwsl_err("Unable to expire users: %s\n",
 140                          sqlite3_errmsg(vhd->pdb));
 141                 return 1;
 142         }
 143
 144         snprintf(s, sizeof(s) - 1, "update users set token_time=0 where "
 145                  "(token_time <= %lu);",
 146                  (unsigned long)now - vhd->timeout_email_secs);
 147         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 148                 lwsl_err("Unable to expire users: %s\n",
 149                          sqlite3_errmsg(vhd->pdb));
 150                 return 1;
 151         }
 152
 153         vhd->u.username[0] = '\0';
 154         snprintf(s, sizeof(s) - 1, "select username from email limit 1;");
 155         if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &vhd->u,
 156                          NULL) != SQLITE_OK) {
 157                 lwsl_err("Unable to lookup user: %s\n", sqlite3_errmsg(vhd->pdb));
 158                 return 1;
 159         }
 160
 161         snprintf(s, sizeof(s) - 1,
 162                  "select username, creation_time, email, ip, verified, token"
 163                  " from users where username='%s' limit 1;",
 164                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 165         if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &vhd->u,
 166                          NULL) != SQLITE_OK) {
 167                 lwsl_err("Unable to lookup user: %s\n",
 168                          sqlite3_errmsg(vhd->pdb));
 169                 return 1;
 170         }
 171
 172         if (!vhd->u.username[0])
 173                 /*
 174                  * nothing to do, we are idle and no suitable
 175                  * accounts waiting for verification.  When a new user
 176                  * is added we will get kicked to try again.
 177                  */
 178                 return 1;
 179
 180         strncpy(email->email_to, vhd->u.email, sizeof(email->email_to) - 1);
 181
 182         return 0;
 183 }
 184
 185
 186 struct lwsgs_subst_args
 187 {
 188         struct per_session_data__gs *pss;
 189         struct per_vhost_data__gs *vhd;
 190         struct lws *wsi;
 191 };
 192
 193 static const char *
 194 lwsgs_subst(void *data, int index)
 195 {
 196         struct lwsgs_subst_args *a = (struct lwsgs_subst_args *)data;
 197         struct lwsgs_user u;
 198         lwsgw_hash sid;
 199         char esc[50], s[100];
 200         int n;
 201
 202         a->pss->result[0] = '\0';
 203         u.email[0] = '\0';
 204         if (!lwsgs_get_sid_from_wsi(a->wsi, &sid)) {
 205                 if (lwsgs_lookup_session(a->vhd, &sid, a->pss->result, 31)) {
 206                         lwsl_notice("sid lookup for %s failed\n", sid.id);
 207                         a->pss->delete_session = sid;
 208                         return NULL;
 209                 }
 210                 snprintf(s, sizeof(s) - 1, "select username,email "
 211                          "from users where username = '%s';",
 212                          lws_sql_purify(esc, a->pss->result, sizeof(esc) - 1));
 213                 if (sqlite3_exec(a->vhd->pdb, s, lwsgs_lookup_callback_user,
 214                                  &u, NULL) != SQLITE_OK) {
 215                         lwsl_err("Unable to lookup token: %s\n",
 216                                  sqlite3_errmsg(a->vhd->pdb));
 217                         a->pss->delete_session = sid;
 218                         return NULL;
 219                 }
 220         } else
 221                 lwsl_notice("no sid\n");
 222
 223         strncpy(a->pss->result + 32, u.email, 100);
 224
 225         switch (index) {
 226         case 0:
 227                 return a->pss->result;
 228
 229         case 1:
 230                 n = lwsgs_get_auth_level(a->vhd, a->pss->result);
 231                 sprintf(a->pss->result, "%d", n);
 232                 return a->pss->result;
 233         case 2:
 234                 return a->pss->result + 32;
 235         }
 236
 237         return NULL;
 238 }
 239
 240 static int
 241 callback_generic_sessions(struct lws *wsi, enum lws_callback_reasons reason,
 242                           void *user, void *in, size_t len)
 243 {
 244         struct per_session_data__gs *pss = (struct per_session_data__gs *)user;
 245         const struct lws_protocol_vhost_options *pvo;
 246         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)
 247                         lws_protocol_vh_priv_get(lws_get_vhost(wsi),
 248                                         &protocols[0]);
 249         char cookie[1024], username[32], *pc = cookie;
 250         unsigned char buffer[LWS_PRE + LWSGS_EMAIL_CONTENT_SIZE];
 251         struct lws_process_html_args *args;
 252         struct lws_session_info *sinfo;
 253         char s[LWSGS_EMAIL_CONTENT_SIZE];
 254         unsigned char *p, *start, *end;
 255         sqlite3_stmt *sm;
 256         lwsgw_hash sid;
 257         const char *cp;
 258         int n;
 259
 260         switch (reason) {
 261         case LWS_CALLBACK_PROTOCOL_INIT: /* per vhost */
 262
 263                 vhd = lws_protocol_vh_priv_zalloc(lws_get_vhost(wsi),
 264                         &protocols[0], sizeof(struct per_vhost_data__gs));
 265                 if (!vhd)
 266                         return 1;
 267                 vhd->context = lws_get_context(wsi);
 268
 269                 /* defaults */
 270                 vhd->timeout_idle_secs = 600;
 271                 vhd->timeout_absolute_secs = 36000;
 272                 vhd->timeout_anon_absolute_secs = 1200;
 273                 vhd->timeout_email_secs = 24 * 3600;
 274                 strcpy(vhd->email.email_helo, "unconfigured.com");
 275                 strcpy(vhd->email.email_from, "noreply@unconfigured.com");
 276                 strcpy(vhd->email_title, "Registration Email from unconfigured");
 277                 strcpy(vhd->email.email_smtp_ip, "127.0.0.1");
 278
 279                 vhd->email.on_next = lwsgs_email_cb_on_next;
 280                 vhd->email.on_get_body = lwsgs_email_cb_get_body;
 281                 vhd->email.on_sent = lwsgs_email_cb_sent;
 282                 vhd->email.data = (void *)vhd;
 283
 284                 pvo = (const struct lws_protocol_vhost_options *)in;
 285                 while (pvo) {
 286                         if (!strcmp(pvo->name, "admin-user"))
 287                                 strncpy(vhd->admin_user, pvo->value,
 288                                         sizeof(vhd->admin_user) - 1);
 289                         if (!strcmp(pvo->name, "admin-password-sha1"))
 290                                 strncpy(vhd->admin_password_sha1.id, pvo->value,
 291                                         sizeof(vhd->admin_password_sha1.id) - 1);
 292                         if (!strcmp(pvo->name, "session-db"))
 293                                 strncpy(vhd->session_db, pvo->value,
 294                                         sizeof(vhd->session_db) - 1);
 295                         if (!strcmp(pvo->name, "confounder"))
 296                                 strncpy(vhd->confounder, pvo->value,
 297                                         sizeof(vhd->confounder) - 1);
 298                         if (!strcmp(pvo->name, "email-from"))
 299                                 strncpy(vhd->email.email_from, pvo->value,
 300                                         sizeof(vhd->email.email_from) - 1);
 301                         if (!strcmp(pvo->name, "email-helo"))
 302                                 strncpy(vhd->email.email_helo, pvo->value,
 303                                         sizeof(vhd->email.email_helo) - 1);
 304                         if (!strcmp(pvo->name, "email-template"))
 305                                 strncpy(vhd->email_template, pvo->value,
 306                                         sizeof(vhd->email_template) - 1);
 307                         if (!strcmp(pvo->name, "email-title"))
 308                                 strncpy(vhd->email_title, pvo->value,
 309                                         sizeof(vhd->email_title) - 1);
 310                         if (!strcmp(pvo->name, "email-contact-person"))
 311                                 strncpy(vhd->email_contact_person, pvo->value,
 312                                         sizeof(vhd->email_contact_person) - 1);
 313                         if (!strcmp(pvo->name, "email-confirm-url-base"))
 314                                 strncpy(vhd->email_confirm_url, pvo->value,
 315                                         sizeof(vhd->email_confirm_url) - 1);
 316                         if (!strcmp(pvo->name, "email-server-ip"))
 317                                 strncpy(vhd->email.email_smtp_ip, pvo->value,
 318                                         sizeof(vhd->email.email_smtp_ip) - 1);
 319
 320                         if (!strcmp(pvo->name, "timeout-idle-secs"))
 321                                 vhd->timeout_idle_secs = atoi(pvo->value);
 322                         if (!strcmp(pvo->name, "timeout-absolute-secs"))
 323                                 vhd->timeout_absolute_secs = atoi(pvo->value);
 324                         if (!strcmp(pvo->name, "timeout-anon-absolute-secs"))
 325                                 vhd->timeout_anon_absolute_secs = atoi(pvo->value);
 326                         if (!strcmp(pvo->name, "email-expire"))
 327                                 vhd->timeout_email_secs = atoi(pvo->value);
 328                         pvo = pvo->next;
 329                 }
 330                 if (!vhd->admin_user[0] ||
 331                     !vhd->admin_password_sha1.id[0] ||
 332                     !vhd->session_db[0]) {
 333                         lwsl_err("generic-sessions: "
 334                                  "You must give \"admin-user\", "
 335                                  "\"admin-password-sha1\", "
 336                                  "and \"session_db\" per-vhost options\n");
 337                         return 1;
 338                 }
 339
 340                 if (sqlite3_open_v2(vhd->session_db, &vhd->pdb,
 341                                     SQLITE_OPEN_READWRITE |
 342                                     SQLITE_OPEN_CREATE, NULL) != SQLITE_OK) {
 343                         lwsl_err("Unable to open session db %s: %s\n",
 344                                  vhd->session_db, sqlite3_errmsg(vhd->pdb));
 345
 346                         return 1;
 347                 }
 348
 349                 if (sqlite3_prepare(vhd->pdb,
 350                                     "create table if not exists sessions ("
 351                                     " name char(40),"
 352                                     " username varchar(32),"
 353                                     " expire integer"
 354                                     ");",
 355                                     -1, &sm, NULL) != SQLITE_OK) {
 356                         lwsl_err("Unable to prepare session table init: %s\n",
 357                                  sqlite3_errmsg(vhd->pdb));
 358
 359                         return 1;
 360                 }
 361
 362                 if (sqlite3_step(sm) != SQLITE_DONE) {
 363                         lwsl_err("Unable to run session table init: %s\n",
 364                                  sqlite3_errmsg(vhd->pdb));
 365
 366                         return 1;
 367                 }
 368                 sqlite3_finalize(sm);
 369
 370                 if (sqlite3_exec(vhd->pdb,
 371                                  "create table if not exists users ("
 372                                  " username varchar(32),"
 373                                  " creation_time integer,"
 374                                  " ip varchar(46),"
 375                                  " email varchar(100),"
 376                                  " pwhash varchar(42),"
 377                                  " pwsalt varchar(42),"
 378                                  " pwchange_time integer,"
 379                                  " token varchar(42),"
 380                                  " verified integer,"
 381                                  " token_time integer,"
 382                                  " last_forgot_validated integer,"
 383                                  " primary key (username)"
 384                                  ");",
 385                                  NULL, NULL, NULL) != SQLITE_OK) {
 386                         lwsl_err("Unable to create user table: %s\n",
 387                                  sqlite3_errmsg(vhd->pdb));
 388
 389                         return 1;
 390                 }
 391
 392                 sprintf(s, "create table if not exists email ("
 393                                  " username varchar(32),"
 394                                  " content blob,"
 395                                  " primary key (username)"
 396                                  ");");
 397                 if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 398                         lwsl_err("Unable to create user table: %s\n",
 399                                  sqlite3_errmsg(vhd->pdb));
 400
 401                         return 1;
 402                 }
 403
 404                 lws_email_init(&vhd->email, lws_uv_getloop(vhd->context, 0),
 405                                 LWSGS_EMAIL_CONTENT_SIZE);
 406                 break;
 407
 408         case LWS_CALLBACK_PROTOCOL_DESTROY:
 409                 if (vhd->pdb) {
 410                         sqlite3_close(vhd->pdb);
 411                         vhd->pdb = NULL;
 412                 }
 413                 lws_email_destroy(&vhd->email);
 414                 break;
 415
 416         case LWS_CALLBACK_HTTP:
 417                 lwsl_info("LWS_CALLBACK_HTTP: %s\n", in);
 418
 419                 pss->login_session.id[0] = '\0';
 420                 pss->phs.pos = 0;
 421                 strncpy(pss->onward, (char *)in, sizeof(pss->onward));
 422
 423                 if (!strcmp((const char *)in, "/lwsgs-forgot")) {
 424                         lwsgs_handler_forgot(vhd, wsi, pss);
 425                         goto redirect_with_cookie;
 426                 }
 427
 428                 if (!strcmp((const char *)in, "/lwsgs-confirm")) {
 429                         lwsgs_handler_confirm(vhd, wsi, pss);
 430                         goto redirect_with_cookie;
 431                 }
 432                 if (!strcmp((const char *)in, "/lwsgs-check")) {
 433                         lwsgs_handler_check(vhd, wsi, pss);
 434                         goto try_to_reuse;
 435                 }
 436
 437                 if (!strcmp((const char *)in, "/lwsgs-login"))
 438                         break;
 439                 if (!strcmp((const char *)in, "/lwsgs-logout"))
 440                         break;
 441                 if (!strcmp((const char *)in, "/lwsgs-forgot"))
 442                         break;
 443                 if (!strcmp((const char *)in, "/lwsgs-change"))
 444                         break;
 445
 446                 /* if no legitimate url for GET, return 404 */
 447
 448                 lwsl_err("http doing 404 on %s\n", in);
 449                 lws_return_http_status(wsi, HTTP_STATUS_NOT_FOUND, NULL);
 450                 goto try_to_reuse;
 451
 452         case LWS_CALLBACK_CHECK_ACCESS_RIGHTS:
 453                 n = 0;
 454                 username[0] = '\0';
 455                 sid.id[0] = '\0';
 456                 args = (struct lws_process_html_args *)in;
 457                 lwsl_debug("LWS_CALLBACK_CHECK_ACCESS_RIGHTS\n");
 458                 if (!lwsgs_get_sid_from_wsi(wsi, &sid)) {
 459                         if (lwsgs_lookup_session(vhd, &sid, username, sizeof(username))) {
 460                                 static const char * const oprot[] = {
 461                                         "http://", "https://"
 462                                 };
 463                                 lwsl_notice("session lookup for %s failed, probably expired\n", sid.id);
 464                                 pss->delete_session = sid;
 465                                 args->final = 1; /* signal we dealt with it */
 466                                 if (lws_hdr_copy(wsi, cookie, sizeof(cookie) - 1,
 467                                              WSI_TOKEN_HOST) < 0)
 468                                         return 1;
 469                                 snprintf(pss->onward, sizeof(pss->onward) - 1,
 470                                          "%s%s%s", oprot[lws_is_ssl(wsi)],
 471                                             cookie, args->p);
 472                                 lwsl_notice("redirecting to ourselves with cookie refresh\n");
 473                                 /* we need a redirect to ourselves, session cookie is expired */
 474                                 goto redirect_with_cookie;
 475                         }
 476                 } else
 477                         lwsl_notice("failed to get sid from wsi\n");
 478
 479                 n = lwsgs_get_auth_level(vhd, username);
 480
 481                 if ((args->max_len & n) != args->max_len) {
 482                         lwsl_notice("Access rights fail 0x%X vs 0x%X (cookie %s)\n",
 483                                         args->max_len, n, sid.id);
 484                         return 1;
 485                 }
 486                 lwsl_debug("Access rights OK\n");
 487                 break;
 488
 489         case LWS_CALLBACK_SESSION_INFO:
 490         {
 491                 struct lwsgs_user u;
 492                 sinfo = (struct lws_session_info *)in;
 493                 sinfo->username[0] = '\0';
 494                 sinfo->email[0] = '\0';
 495                 sinfo->ip[0] = '\0';
 496                 sinfo->session[0] = '\0';
 497                 sinfo->mask = 0;
 498
 499                 sid.id[0] = '\0';
 500                 lwsl_debug("LWS_CALLBACK_SESSION_INFO\n");
 501                 if (lwsgs_get_sid_from_wsi(wsi, &sid))
 502                         break;
 503                 if (lwsgs_lookup_session(vhd, &sid, username, sizeof(username)))
 504                         break;
 505
 506                 snprintf(s, sizeof(s) - 1,
 507                          "select username, email from users where username='%s';",
 508                          username);
 509                 if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &u, NULL) !=
 510                     SQLITE_OK) {
 511                         lwsl_err("Unable to lookup token: %s\n",
 512                                  sqlite3_errmsg(vhd->pdb));
 513                         break;
 514                 }
 515                 strncpy(sinfo->username, u.username, sizeof(sinfo->username));
 516                 strncpy(sinfo->email, u.email, sizeof(sinfo->email));
 517                 strncpy(sinfo->session, sid.id, sizeof(sinfo->session));
 518                 sinfo->mask = lwsgs_get_auth_level(vhd, username);
 519                 lws_get_peer_simple(wsi, sinfo->ip, sizeof(sinfo->ip));
 520         }
 521
 522                 break;
 523
 524         case LWS_CALLBACK_PROCESS_HTML:
 525
 526                 args = (struct lws_process_html_args *)in;
 527                 {
 528                         static const char * const vars[] = {
 529                                 "$lwsgs_user",
 530                                 "$lwsgs_auth",
 531                                 "$lwsgs_email"
 532                         };
 533                         struct lwsgs_subst_args a;
 534
 535                         a.vhd = vhd;
 536                         a.pss = pss;
 537                         a.wsi = wsi;
 538
 539                         pss->phs.vars = vars;
 540                         pss->phs.count_vars = ARRAY_SIZE(vars);
 541                         pss->phs.replace = lwsgs_subst;
 542                         pss->phs.data = &a;
 543
 544                         if (lws_chunked_html_process(args, &pss->phs))
 545                                 return -1;
 546                 }
 547                 break;
 548
 549         case LWS_CALLBACK_HTTP_BODY:
 550                 if (len < 2)
 551                         break;
 552
 553                 if (!pss->spa) {
 554                         pss->spa = lws_spa_create(wsi, param_names,
 555                                                 ARRAY_SIZE(param_names), 1024,
 556                                                 NULL, NULL);
 557                         if (!pss->spa)
 558                                 return -1;
 559                 }
 560
 561                 if (lws_spa_process(pss->spa, in, len)) {
 562                         lwsl_notice("spa process blew\n");
 563                         return -1;
 564                 }
 565                 break;
 566
 567         case LWS_CALLBACK_HTTP_BODY_COMPLETION:
 568
 569                 if (!pss->spa)
 570                         break;
 571
 572                 lwsl_info("LWS_CALLBACK_HTTP_BODY_COMPLETION: %s\n", pss->onward);
 573                 lws_spa_finalize(pss->spa);
 574
 575                 if (!strcmp((char *)pss->onward, "/lwsgs-change")) {
 576                         if (!lwsgs_handler_change_password(vhd, wsi, pss)) {
 577                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 578                                 goto pass;
 579                         }
 580
 581                         cp = lws_spa_get_string(pss->spa, FGS_BAD);
 582                         lwsl_notice("user/password no good %s\n",
 583                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 584                         strncpy(pss->onward, cp, sizeof(pss->onward) - 1);
 585                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 586                         goto completion_flow;
 587                 }
 588
 589                 if (!strcmp((char *)pss->onward, "/lwsgs-login")) {
 590                         if (lws_spa_get_string(pss->spa, FGS_FORGOT) &&
 591                             lws_spa_get_string(pss->spa, FGS_FORGOT)[0]) {
 592                                 if (lwsgs_handler_forgot_pw_form(vhd, wsi, pss)) {
 593                                         n = FGS_FORGOT_BAD;
 594                                         goto reg_done;
 595                                 }
 596                                 /* get the email monitor to take a look */
 597                                 lws_email_check(&vhd->email);
 598                                 n = FGS_FORGOT_GOOD;
 599                                 goto reg_done;
 600                         }
 601
 602                         if (!lws_spa_get_string(pss->spa, FGS_USERNAME) ||
 603                             !lws_spa_get_string(pss->spa, FGS_PASSWORD)) {
 604                                 lwsl_notice("username '%s' or pw '%s' missing\n",
 605                                                 lws_spa_get_string(pss->spa, FGS_USERNAME),
 606                                                 lws_spa_get_string(pss->spa, FGS_PASSWORD));
 607                                 return -1;
 608                         }
 609
 610                         if (lws_spa_get_string(pss->spa, FGS_REGISTER) &&
 611                             lws_spa_get_string(pss->spa, FGS_REGISTER)[0]) {
 612
 613                                 if (lwsgs_handler_register_form(vhd, wsi, pss))
 614                                         n = FGS_REG_BAD;
 615                                 else {
 616                                         n = FGS_REG_GOOD;
 617
 618                                         /* get the email monitor to take a look */
 619                                         lws_email_check(&vhd->email);
 620                                 }
 621 reg_done:
 622                                 strncpy(pss->onward, lws_spa_get_string(pss->spa, n),
 623                                         sizeof(pss->onward) - 1);
 624                                 pss->onward[sizeof(pss->onward) - 1] = '\0';
 625                                 pss->login_expires = 0;
 626                                 pss->logging_out = 1;
 627                                 goto completion_flow;
 628                         }
 629
 630                         /* we have the username and password... check if admin */
 631                         if (lwsgw_check_admin(vhd, lws_spa_get_string(pss->spa, FGS_USERNAME),
 632                                               lws_spa_get_string(pss->spa, FGS_PASSWORD))) {
 633                                 if (lws_spa_get_string(pss->spa, FGS_ADMIN))
 634                                         cp = lws_spa_get_string(pss->spa, FGS_ADMIN);
 635                                 else
 636                                         if (lws_spa_get_string(pss->spa, FGS_GOOD))
 637                                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 638                                         else {
 639                                                 lwsl_info("No admin or good target url in form\n");
 640                                                 return -1;
 641                                         }
 642                                 lwsl_debug("admin\n");
 643                                 goto pass;
 644                         }
 645
 646                         /* check users in database */
 647
 648                         if (!lwsgs_check_credentials(vhd, lws_spa_get_string(pss->spa, FGS_USERNAME),
 649                                                      lws_spa_get_string(pss->spa, FGS_PASSWORD))) {
 650                                 lwsl_info("pw hash check met\n");
 651                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 652                                 goto pass;
 653                         } else
 654                                 lwsl_notice("user/password no good %s\n",
 655                                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 656
 657                         if (!lws_spa_get_string(pss->spa, FGS_BAD)) {
 658                                 lwsl_info("No admin or good target url in form\n");
 659                                 return -1;
 660                         }
 661
 662                         strncpy(pss->onward, lws_spa_get_string(pss->spa, FGS_BAD),
 663                                 sizeof(pss->onward) - 1);
 664                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 665                         lwsl_debug("failed\n");
 666
 667                         goto completion_flow;
 668                 }
 669
 670                 if (!strcmp((char *)pss->onward, "/lwsgs-logout")) {
 671
 672                         lwsl_notice("/logout\n");
 673
 674                         if (lwsgs_get_sid_from_wsi(wsi, &pss->login_session)) {
 675                                 lwsl_notice("not logged in...\n");
 676                                 return 1;
 677                         }
 678
 679                         lwsgw_update_session(vhd, &pss->login_session, "");
 680
 681                         if (!lws_spa_get_string(pss->spa, FGS_GOOD)) {
 682                                 lwsl_info("No admin or good target url in form\n");
 683                                 return -1;
 684                         }
 685
 686                         strncpy(pss->onward, lws_spa_get_string(pss->spa, FGS_GOOD), sizeof(pss->onward) - 1);
 687                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 688
 689                         pss->login_expires = 0;
 690                         pss->logging_out = 1;
 691
 692                         goto completion_flow;
 693                 }
 694
 695                 break;
 696
 697 pass:
 698                 strncpy(pss->onward, cp, sizeof(pss->onward) - 1);
 699                 pss->onward[sizeof(pss->onward) - 1] = '\0';
 700
 701                 if (lwsgs_get_sid_from_wsi(wsi, &sid))
 702                         sid.id[0] = '\0';
 703
 704                 pss->login_expires = lws_now_secs() +
 705                                      vhd->timeout_absolute_secs;
 706
 707                 if (!sid.id[0]) {
 708                         /* we need to create a new, authorized session */
 709
 710                         if (lwsgs_new_session_id(vhd, &pss->login_session,
 711                                                  lws_spa_get_string(pss->spa, FGS_USERNAME),
 712                                                  pss->login_expires))
 713                                 goto try_to_reuse;
 714
 715                         lwsl_info("Creating new session: %s\n",
 716                                     pss->login_session.id);
 717                 } else {
 718                         /*
 719                          * we can just update the existing session to be
 720                          * authorized
 721                          */
 722                         lwsl_info("Authorizing existing session %s", sid.id);
 723                         lwsgw_update_session(vhd, &sid,
 724                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 725                         pss->login_session = sid;
 726                 }
 727
 728 completion_flow:
 729                 lwsgw_expire_old_sessions(vhd);
 730                 goto redirect_with_cookie;
 731
 732         case LWS_CALLBACK_HTTP_DROP_PROTOCOL:
 733                 if (pss && pss->spa) {
 734                         lws_spa_destroy(pss->spa);
 735                         pss->spa = NULL;
 736                 }
 737                 break;
 738
 739         case LWS_CALLBACK_ADD_HEADERS:
 740                 lwsgw_expire_old_sessions(vhd);
 741
 742                 args = (struct lws_process_html_args *)in;
 743
 744                 if (pss->delete_session.id[0]) {
 745                         pc = cookie;
 746                         lwsgw_cookie_from_session(&pss->delete_session, 0, &pc,
 747                                                   cookie + sizeof(cookie) - 1);
 748
 749                         lwsl_info("deleting cookie '%s'\n", cookie);
 750
 751                         if (lws_add_http_header_by_name(wsi,
 752                                         (unsigned char *)"set-cookie:",
 753                                         (unsigned char *)cookie, pc - cookie,
 754                                         (unsigned char **)&args->p,
 755                                         (unsigned char *)args->p + args->max_len))
 756                                 return 1;
 757                 }
 758
 759                 if (!pss->login_session.id[0])
 760                         lwsgs_get_sid_from_wsi(wsi, &pss->login_session);
 761
 762                 if (!pss->login_session.id[0] && !pss->logging_out) {
 763
 764                         pss->login_expires = lws_now_secs() +
 765                                              vhd->timeout_anon_absolute_secs;
 766                         if (lwsgs_new_session_id(vhd, &pss->login_session, "",
 767                                                  pss->login_expires))
 768                                 goto try_to_reuse;
 769                         pc = cookie;
 770                         lwsgw_cookie_from_session(&pss->login_session,
 771                                                   pss->login_expires, &pc,
 772                                                   cookie + sizeof(cookie) - 1);
 773
 774                         lwsl_info("LWS_CALLBACK_ADD_HEADERS: setting cookie '%s'\n", cookie);
 775                         if (lws_add_http_header_by_name(wsi,
 776                                         (unsigned char *)"set-cookie:",
 777                                         (unsigned char *)cookie, pc - cookie,
 778                                         (unsigned char **)&args->p,
 779                                         (unsigned char *)args->p + args->max_len))
 780                                 return 1;
 781                 }
 782                 break;
 783
 784         default:
 785                 break;
 786         }
 787
 788         return 0;
 789
 790 redirect_with_cookie:
 791         p = buffer + LWS_PRE;
 792         start = p;
 793         end = p + sizeof(buffer) - LWS_PRE;
 794
 795         if (lws_add_http_header_status(wsi, HTTP_STATUS_SEE_OTHER, &p, end))
 796                 return 1;
 797
 798         if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_LOCATION,
 799                         (unsigned char *)pss->onward,
 800                         strlen(pss->onward), &p, end))
 801                 return 1;
 802
 803         if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_CONTENT_TYPE,
 804                         (unsigned char *)"text/html", 9, &p, end))
 805                 return 1;
 806         if (lws_add_http_header_content_length(wsi, 0, &p, end))
 807                 return 1;
 808
 809         if (pss->delete_session.id[0]) {
 810                 lwsgw_cookie_from_session(&pss->delete_session, 0, &pc,
 811                                           cookie + sizeof(cookie) - 1);
 812
 813                 lwsl_notice("deleting cookie '%s'\n", cookie);
 814
 815                 if (lws_add_http_header_by_name(wsi,
 816                                 (unsigned char *)"set-cookie:",
 817                                 (unsigned char *)cookie, pc - cookie,
 818                                 &p, end))
 819                         return 1;
 820         }
 821
 822         if (!pss->login_session.id[0]) {
 823                 pss->login_expires = lws_now_secs() +
 824                                      vhd->timeout_anon_absolute_secs;
 825                 if (lwsgs_new_session_id(vhd, &pss->login_session, "",
 826                                          pss->login_expires))
 827                         return 1;
 828         } else
 829                 pss->login_expires = lws_now_secs() +
 830                                      vhd->timeout_absolute_secs;
 831
 832         if (pss->login_session.id[0] || pss->logging_out) {
 833                 /*
 834                  * we succeeded to login, we must issue a login
 835                  * cookie with the prepared data
 836                  */
 837                 pc = cookie;
 838
 839                 lwsgw_cookie_from_session(&pss->login_session,
 840                                           pss->login_expires, &pc,
 841                                           cookie + sizeof(cookie) - 1);
 842
 843                 lwsl_info("setting cookie '%s'\n", cookie);
 844
 845                 pss->logging_out = 0;
 846
 847                 if (lws_add_http_header_by_name(wsi,
 848                                 (unsigned char *)"set-cookie:",
 849                                 (unsigned char *)cookie, pc - cookie,
 850                                 &p, end))
 851                         return 1;
 852         }
 853
 854         if (lws_finalize_http_header(wsi, &p, end))
 855                 return 1;
 856
 857         n = lws_write(wsi, start, p - start, LWS_WRITE_HTTP_HEADERS);
 858         if (n < 0)
 859                 return 1;
 860
 861         /* fallthru */
 862
 863 try_to_reuse:
 864         if (lws_http_transaction_completed(wsi))
 865                 return -1;
 866
 867         return 0;
 868 }
 869
 870 static const struct lws_protocols protocols[] = {
 871         {
 872                 "protocol-generic-sessions",
 873                 callback_generic_sessions,
 874                 sizeof(struct per_session_data__gs),
 875                 1024,
 876         },
 877 };
 878
 879 LWS_EXTERN LWS_VISIBLE int
 880 init_protocol_generic_sessions(struct lws_context *context,
 881                         struct lws_plugin_capability *c)
 882 {
 883         if (c->api_magic != LWS_PLUGIN_API_MAGIC) {
 884                 lwsl_err("Plugin API %d, library API %d", LWS_PLUGIN_API_MAGIC,
 885                          c->api_magic);
 886                 return 1;
 887         }
 888
 889         c->protocols = protocols;
 890         c->count_protocols = ARRAY_SIZE(protocols);
 891         c->extensions = NULL;
 892         c->count_extensions = 0;
 893
 894         return 0;
 895 }
 896
 897 LWS_EXTERN LWS_VISIBLE int
 898 destroy_protocol_generic_sessions(struct lws_context *context)
 899 {
 900         return 0;
 901 }