plugins/generic-sessions/protocol_generic_sessions.c

   1 /*
   2  * ws protocol handler plugin for "generic sessions"
   3  *
   4  * Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public
   8  * License as published by the Free Software Foundation:
   9  * version 2.1 of the License.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public
  17  * License along with this library; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  19  * MA  02110-1301  USA
  20  */
  21
  22 #include "private-lwsgs.h"
  23
  24 /* keep changes in sync with the enum in lwsgs.h */
  25 static const char * const param_names[] = {
  26         "username",
  27         "password",
  28         "password2",
  29         "email",
  30         "register",
  31         "good",
  32         "bad",
  33         "reg-good",
  34         "reg-bad",
  35         "admin",
  36         "forgot",
  37         "forgot-good",
  38         "forgot-bad",
  39         "forgot-post-good",
  40         "forgot-post-bad",
  41         "change",
  42         "curpw",
  43         "delete"
  44 };
  45
  46 struct lwsgs_fill_args {
  47         char *buf;
  48         int len;
  49 };
  50
  51 static const struct lws_protocols protocols[];
  52
  53 static int
  54 lwsgs_lookup_callback_email(void *priv, int cols, char **col_val,
  55                             char **col_name)
  56 {
  57         struct lwsgs_fill_args *a = (struct lwsgs_fill_args *)priv;
  58         int n;
  59
  60         for (n = 0; n < cols; n++) {
  61                 if (!strcmp(col_name[n], "content")) {
  62                         strncpy(a->buf, col_val[n], a->len - 1);
  63                         a->buf[a->len - 1] = '\0';
  64                         continue;
  65                 }
  66         }
  67         return 0;
  68 }
  69
  70 static int
  71 lwsgs_email_cb_get_body(struct lws_email *email, char *buf, int len)
  72 {
  73         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)email->data;
  74         struct lwsgs_fill_args a;
  75         char ss[150], esc[50];
  76
  77         a.buf = buf;
  78         a.len = len;
  79
  80         lws_snprintf(ss, sizeof(ss) - 1,
  81                  "select content from email where username='%s';",
  82                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
  83
  84         strncpy(buf, "failed", len);
  85         if (sqlite3_exec(vhd->pdb, ss, lwsgs_lookup_callback_email, &a,
  86                          NULL) != SQLITE_OK) {
  87                 lwsl_err("Unable to lookup email: %s\n",
  88                          sqlite3_errmsg(vhd->pdb));
  89
  90                 return 1;
  91         }
  92
  93         return 0;
  94 }
  95
  96 static int
  97 lwsgs_email_cb_sent(struct lws_email *email)
  98 {
  99         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)email->data;
 100         char s[200], esc[50];
 101
 102         /* mark the user as having sent the verification email */
 103         lws_snprintf(s, sizeof(s) - 1,
 104                  "update users set verified=1 where username='%s' and verified==0;",
 105                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 106         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 107                 lwsl_err("%s: Unable to update user: %s\n", __func__,
 108                          sqlite3_errmsg(vhd->pdb));
 109                 return 1;
 110         }
 111
 112         lws_snprintf(s, sizeof(s) - 1,
 113                  "delete from email where username='%s';",
 114                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 115         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 116                 lwsl_err("%s: Unable to delete email text: %s\n", __func__,
 117                          sqlite3_errmsg(vhd->pdb));
 118                 return 1;
 119         }
 120
 121         return 0;
 122 }
 123
 124 static int
 125 lwsgs_email_cb_on_next(struct lws_email *email)
 126 {
 127         struct per_vhost_data__gs *vhd = lws_container_of(email,
 128                         struct per_vhost_data__gs, email);
 129         char s[LWSGS_EMAIL_CONTENT_SIZE], esc[50];
 130         time_t now = lws_now_secs();
 131
 132         /*
 133          * users not verified in 24h get deleted
 134          */
 135         lws_snprintf(s, sizeof(s) - 1, "delete from users where ((verified != %d)"
 136                  " and (creation_time <= %lu));", LWSGS_VERIFIED_ACCEPTED,
 137                  (unsigned long)now - vhd->timeout_email_secs);
 138         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 139                 lwsl_err("Unable to expire users: %s\n",
 140                          sqlite3_errmsg(vhd->pdb));
 141                 return 1;
 142         }
 143
 144         lws_snprintf(s, sizeof(s) - 1, "update users set token_time=0 where "
 145                  "(token_time <= %lu);",
 146                  (unsigned long)now - vhd->timeout_email_secs);
 147         if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 148                 lwsl_err("Unable to expire users: %s\n",
 149                          sqlite3_errmsg(vhd->pdb));
 150                 return 1;
 151         }
 152
 153         vhd->u.username[0] = '\0';
 154         lws_snprintf(s, sizeof(s) - 1, "select username from email limit 1;");
 155         if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &vhd->u,
 156                          NULL) != SQLITE_OK) {
 157                 lwsl_err("Unable to lookup user: %s\n", sqlite3_errmsg(vhd->pdb));
 158                 return 1;
 159         }
 160
 161         lws_snprintf(s, sizeof(s) - 1,
 162                  "select username, creation_time, email, ip, verified, token"
 163                  " from users where username='%s' limit 1;",
 164                  lws_sql_purify(esc, vhd->u.username, sizeof(esc) - 1));
 165         if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &vhd->u,
 166                          NULL) != SQLITE_OK) {
 167                 lwsl_err("Unable to lookup user: %s\n",
 168                          sqlite3_errmsg(vhd->pdb));
 169                 return 1;
 170         }
 171
 172         if (!vhd->u.username[0])
 173                 /*
 174                  * nothing to do, we are idle and no suitable
 175                  * accounts waiting for verification.  When a new user
 176                  * is added we will get kicked to try again.
 177                  */
 178                 return 1;
 179
 180         strncpy(email->email_to, vhd->u.email, sizeof(email->email_to) - 1);
 181
 182         return 0;
 183 }
 184
 185
 186 struct lwsgs_subst_args
 187 {
 188         struct per_session_data__gs *pss;
 189         struct per_vhost_data__gs *vhd;
 190         struct lws *wsi;
 191 };
 192
 193 static const char *
 194 lwsgs_subst(void *data, int index)
 195 {
 196         struct lwsgs_subst_args *a = (struct lwsgs_subst_args *)data;
 197         struct lwsgs_user u;
 198         lwsgw_hash sid;
 199         char esc[50], s[100];
 200         int n;
 201
 202         a->pss->result[0] = '\0';
 203         u.email[0] = '\0';
 204         if (!lwsgs_get_sid_from_wsi(a->wsi, &sid)) {
 205                 if (lwsgs_lookup_session(a->vhd, &sid, a->pss->result, 31)) {
 206                         lwsl_notice("sid lookup for %s failed\n", sid.id);
 207                         a->pss->delete_session = sid;
 208                         return NULL;
 209                 }
 210                 lws_snprintf(s, sizeof(s) - 1, "select username,email "
 211                          "from users where username = '%s';",
 212                          lws_sql_purify(esc, a->pss->result, sizeof(esc) - 1));
 213                 if (sqlite3_exec(a->vhd->pdb, s, lwsgs_lookup_callback_user,
 214                                  &u, NULL) != SQLITE_OK) {
 215                         lwsl_err("Unable to lookup token: %s\n",
 216                                  sqlite3_errmsg(a->vhd->pdb));
 217                         a->pss->delete_session = sid;
 218                         return NULL;
 219                 }
 220         } else
 221                 lwsl_notice("no sid\n");
 222
 223         strncpy(a->pss->result + 32, u.email, 100);
 224
 225         switch (index) {
 226         case 0:
 227                 return a->pss->result;
 228
 229         case 1:
 230                 n = lwsgs_get_auth_level(a->vhd, a->pss->result);
 231                 sprintf(a->pss->result, "%d", n);
 232                 return a->pss->result;
 233         case 2:
 234                 return a->pss->result + 32;
 235         }
 236
 237         return NULL;
 238 }
 239
 240 static int
 241 callback_generic_sessions(struct lws *wsi, enum lws_callback_reasons reason,
 242                           void *user, void *in, size_t len)
 243 {
 244         struct per_session_data__gs *pss = (struct per_session_data__gs *)user;
 245         const struct lws_protocol_vhost_options *pvo;
 246         struct per_vhost_data__gs *vhd = (struct per_vhost_data__gs *)
 247                         lws_protocol_vh_priv_get(lws_get_vhost(wsi),
 248                                         &protocols[0]);
 249         char cookie[1024], username[32], *pc = cookie;
 250         unsigned char buffer[LWS_PRE + LWSGS_EMAIL_CONTENT_SIZE];
 251         struct lws_process_html_args *args;
 252         struct lws_session_info *sinfo;
 253         char s[LWSGS_EMAIL_CONTENT_SIZE];
 254         unsigned char *p, *start, *end;
 255         sqlite3_stmt *sm;
 256         lwsgw_hash sid;
 257         const char *cp;
 258         int n;
 259
 260         switch (reason) {
 261         case LWS_CALLBACK_PROTOCOL_INIT: /* per vhost */
 262
 263                 vhd = lws_protocol_vh_priv_zalloc(lws_get_vhost(wsi),
 264                         &protocols[0], sizeof(struct per_vhost_data__gs));
 265                 if (!vhd)
 266                         return 1;
 267                 vhd->context = lws_get_context(wsi);
 268
 269                 /* defaults */
 270                 vhd->timeout_idle_secs = 600;
 271                 vhd->timeout_absolute_secs = 36000;
 272                 vhd->timeout_anon_absolute_secs = 1200;
 273                 vhd->timeout_email_secs = 24 * 3600;
 274                 strcpy(vhd->email.email_helo, "unconfigured.com");
 275                 strcpy(vhd->email.email_from, "noreply@unconfigured.com");
 276                 strcpy(vhd->email_title, "Registration Email from unconfigured");
 277                 strcpy(vhd->email.email_smtp_ip, "127.0.0.1");
 278
 279                 vhd->email.on_next = lwsgs_email_cb_on_next;
 280                 vhd->email.on_get_body = lwsgs_email_cb_get_body;
 281                 vhd->email.on_sent = lwsgs_email_cb_sent;
 282                 vhd->email.data = (void *)vhd;
 283
 284                 pvo = (const struct lws_protocol_vhost_options *)in;
 285                 while (pvo) {
 286                         if (!strcmp(pvo->name, "admin-user"))
 287                                 strncpy(vhd->admin_user, pvo->value,
 288                                         sizeof(vhd->admin_user) - 1);
 289                         if (!strcmp(pvo->name, "admin-password-sha1"))
 290                                 strncpy(vhd->admin_password_sha1.id, pvo->value,
 291                                         sizeof(vhd->admin_password_sha1.id) - 1);
 292                         if (!strcmp(pvo->name, "session-db"))
 293                                 strncpy(vhd->session_db, pvo->value,
 294                                         sizeof(vhd->session_db) - 1);
 295                         if (!strcmp(pvo->name, "confounder"))
 296                                 strncpy(vhd->confounder, pvo->value,
 297                                         sizeof(vhd->confounder) - 1);
 298                         if (!strcmp(pvo->name, "email-from"))
 299                                 strncpy(vhd->email.email_from, pvo->value,
 300                                         sizeof(vhd->email.email_from) - 1);
 301                         if (!strcmp(pvo->name, "email-helo"))
 302                                 strncpy(vhd->email.email_helo, pvo->value,
 303                                         sizeof(vhd->email.email_helo) - 1);
 304                         if (!strcmp(pvo->name, "email-template"))
 305                                 strncpy(vhd->email_template, pvo->value,
 306                                         sizeof(vhd->email_template) - 1);
 307                         if (!strcmp(pvo->name, "email-title"))
 308                                 strncpy(vhd->email_title, pvo->value,
 309                                         sizeof(vhd->email_title) - 1);
 310                         if (!strcmp(pvo->name, "email-contact-person"))
 311                                 strncpy(vhd->email_contact_person, pvo->value,
 312                                         sizeof(vhd->email_contact_person) - 1);
 313                         if (!strcmp(pvo->name, "email-confirm-url-base"))
 314                                 strncpy(vhd->email_confirm_url, pvo->value,
 315                                         sizeof(vhd->email_confirm_url) - 1);
 316                         if (!strcmp(pvo->name, "email-server-ip"))
 317                                 strncpy(vhd->email.email_smtp_ip, pvo->value,
 318                                         sizeof(vhd->email.email_smtp_ip) - 1);
 319
 320                         if (!strcmp(pvo->name, "timeout-idle-secs"))
 321                                 vhd->timeout_idle_secs = atoi(pvo->value);
 322                         if (!strcmp(pvo->name, "timeout-absolute-secs"))
 323                                 vhd->timeout_absolute_secs = atoi(pvo->value);
 324                         if (!strcmp(pvo->name, "timeout-anon-absolute-secs"))
 325                                 vhd->timeout_anon_absolute_secs = atoi(pvo->value);
 326                         if (!strcmp(pvo->name, "email-expire"))
 327                                 vhd->timeout_email_secs = atoi(pvo->value);
 328                         pvo = pvo->next;
 329                 }
 330                 if (!vhd->admin_user[0] ||
 331                     !vhd->admin_password_sha1.id[0] ||
 332                     !vhd->session_db[0]) {
 333                         lwsl_err("generic-sessions: "
 334                                  "You must give \"admin-user\", "
 335                                  "\"admin-password-sha1\", "
 336                                  "and \"session_db\" per-vhost options\n");
 337                         return 1;
 338                 }
 339
 340                 if (sqlite3_open_v2(vhd->session_db, &vhd->pdb,
 341                                     SQLITE_OPEN_READWRITE |
 342                                     SQLITE_OPEN_CREATE, NULL) != SQLITE_OK) {
 343                         lwsl_err("Unable to open session db %s: %s\n",
 344                                  vhd->session_db, sqlite3_errmsg(vhd->pdb));
 345
 346                         return 1;
 347                 }
 348
 349                 if (sqlite3_prepare(vhd->pdb,
 350                                     "create table if not exists sessions ("
 351                                     " name char(40),"
 352                                     " username varchar(32),"
 353                                     " expire integer"
 354                                     ");",
 355                                     -1, &sm, NULL) != SQLITE_OK) {
 356                         lwsl_err("Unable to prepare session table init: %s\n",
 357                                  sqlite3_errmsg(vhd->pdb));
 358
 359                         return 1;
 360                 }
 361
 362                 if (sqlite3_step(sm) != SQLITE_DONE) {
 363                         lwsl_err("Unable to run session table init: %s\n",
 364                                  sqlite3_errmsg(vhd->pdb));
 365
 366                         return 1;
 367                 }
 368                 sqlite3_finalize(sm);
 369
 370                 if (sqlite3_exec(vhd->pdb,
 371                                  "create table if not exists users ("
 372                                  " username varchar(32),"
 373                                  " creation_time integer,"
 374                                  " ip varchar(46),"
 375                                  " email varchar(100),"
 376                                  " pwhash varchar(42),"
 377                                  " pwsalt varchar(42),"
 378                                  " pwchange_time integer,"
 379                                  " token varchar(42),"
 380                                  " verified integer,"
 381                                  " token_time integer,"
 382                                  " last_forgot_validated integer,"
 383                                  " primary key (username)"
 384                                  ");",
 385                                  NULL, NULL, NULL) != SQLITE_OK) {
 386                         lwsl_err("Unable to create user table: %s\n",
 387                                  sqlite3_errmsg(vhd->pdb));
 388
 389                         return 1;
 390                 }
 391
 392                 sprintf(s, "create table if not exists email ("
 393                                  " username varchar(32),"
 394                                  " content blob,"
 395                                  " primary key (username)"
 396                                  ");");
 397                 if (sqlite3_exec(vhd->pdb, s, NULL, NULL, NULL) != SQLITE_OK) {
 398                         lwsl_err("Unable to create user table: %s\n",
 399                                  sqlite3_errmsg(vhd->pdb));
 400
 401                         return 1;
 402                 }
 403
 404                 lws_email_init(&vhd->email, lws_uv_getloop(vhd->context, 0),
 405                                 LWSGS_EMAIL_CONTENT_SIZE);
 406                 break;
 407
 408         case LWS_CALLBACK_PROTOCOL_DESTROY:
 409                 if (vhd->pdb) {
 410                         sqlite3_close(vhd->pdb);
 411                         vhd->pdb = NULL;
 412                 }
 413                 lws_email_destroy(&vhd->email);
 414                 break;
 415
 416         case LWS_CALLBACK_HTTP:
 417                 lwsl_info("LWS_CALLBACK_HTTP: %s\n", in);
 418
 419                 pss->login_session.id[0] = '\0';
 420                 pss->phs.pos = 0;
 421                 strncpy(pss->onward, (char *)in, sizeof(pss->onward) - 1);
 422                 pss->onward[sizeof(pss->onward) - 1] = '\0';
 423
 424                 if (!strcmp((const char *)in, "/lwsgs-forgot")) {
 425                         lwsgs_handler_forgot(vhd, wsi, pss);
 426                         goto redirect_with_cookie;
 427                 }
 428
 429                 if (!strcmp((const char *)in, "/lwsgs-confirm")) {
 430                         lwsgs_handler_confirm(vhd, wsi, pss);
 431                         goto redirect_with_cookie;
 432                 }
 433                 if (!strcmp((const char *)in, "/lwsgs-check")) {
 434                         lwsgs_handler_check(vhd, wsi, pss);
 435                         goto try_to_reuse;
 436                 }
 437
 438                 if (!strcmp((const char *)in, "/lwsgs-login"))
 439                         break;
 440                 if (!strcmp((const char *)in, "/lwsgs-logout"))
 441                         break;
 442                 if (!strcmp((const char *)in, "/lwsgs-forgot"))
 443                         break;
 444                 if (!strcmp((const char *)in, "/lwsgs-change"))
 445                         break;
 446
 447                 /* if no legitimate url for GET, return 404 */
 448
 449                 lwsl_err("http doing 404 on %s\n", in);
 450                 lws_return_http_status(wsi, HTTP_STATUS_NOT_FOUND, NULL);
 451                 goto try_to_reuse;
 452
 453         case LWS_CALLBACK_CHECK_ACCESS_RIGHTS:
 454                 n = 0;
 455                 username[0] = '\0';
 456                 sid.id[0] = '\0';
 457                 args = (struct lws_process_html_args *)in;
 458                 lwsl_debug("LWS_CALLBACK_CHECK_ACCESS_RIGHTS\n");
 459                 if (!lwsgs_get_sid_from_wsi(wsi, &sid)) {
 460                         if (lwsgs_lookup_session(vhd, &sid, username, sizeof(username))) {
 461                                 static const char * const oprot[] = {
 462                                         "http://", "https://"
 463                                 };
 464                                 lwsl_notice("session lookup for %s failed, probably expired\n", sid.id);
 465                                 pss->delete_session = sid;
 466                                 args->final = 1; /* signal we dealt with it */
 467                                 if (lws_hdr_copy(wsi, cookie, sizeof(cookie) - 1,
 468                                              WSI_TOKEN_HOST) < 0)
 469                                         return 1;
 470                                 lws_snprintf(pss->onward, sizeof(pss->onward) - 1,
 471                                          "%s%s%s", oprot[lws_is_ssl(wsi)],
 472                                             cookie, args->p);
 473                                 lwsl_notice("redirecting to ourselves with cookie refresh\n");
 474                                 /* we need a redirect to ourselves, session cookie is expired */
 475                                 goto redirect_with_cookie;
 476                         }
 477                 } else
 478                         lwsl_notice("failed to get sid from wsi\n");
 479
 480                 n = lwsgs_get_auth_level(vhd, username);
 481
 482                 if ((args->max_len & n) != args->max_len) {
 483                         lwsl_notice("Access rights fail 0x%X vs 0x%X (cookie %s)\n",
 484                                         args->max_len, n, sid.id);
 485                         return 1;
 486                 }
 487                 lwsl_debug("Access rights OK\n");
 488                 break;
 489
 490         case LWS_CALLBACK_SESSION_INFO:
 491         {
 492                 struct lwsgs_user u;
 493                 sinfo = (struct lws_session_info *)in;
 494                 sinfo->username[0] = '\0';
 495                 sinfo->email[0] = '\0';
 496                 sinfo->ip[0] = '\0';
 497                 sinfo->session[0] = '\0';
 498                 sinfo->mask = 0;
 499
 500                 sid.id[0] = '\0';
 501                 lwsl_debug("LWS_CALLBACK_SESSION_INFO\n");
 502                 if (lwsgs_get_sid_from_wsi(wsi, &sid))
 503                         break;
 504                 if (lwsgs_lookup_session(vhd, &sid, username, sizeof(username)))
 505                         break;
 506
 507                 lws_snprintf(s, sizeof(s) - 1,
 508                          "select username, email from users where username='%s';",
 509                          username);
 510                 if (sqlite3_exec(vhd->pdb, s, lwsgs_lookup_callback_user, &u, NULL) !=
 511                     SQLITE_OK) {
 512                         lwsl_err("Unable to lookup token: %s\n",
 513                                  sqlite3_errmsg(vhd->pdb));
 514                         break;
 515                 }
 516                 strncpy(sinfo->username, u.username, sizeof(sinfo->username) - 1);
 517                 sinfo->username[sizeof(sinfo->username) - 1] = '\0';
 518                 strncpy(sinfo->email, u.email, sizeof(sinfo->email) - 1);
 519                 strncpy(sinfo->session, sid.id, sizeof(sinfo->session) - 1);
 520                 sinfo->mask = lwsgs_get_auth_level(vhd, username);
 521                 lws_get_peer_simple(wsi, sinfo->ip, sizeof(sinfo->ip));
 522         }
 523
 524                 break;
 525
 526         case LWS_CALLBACK_PROCESS_HTML:
 527
 528                 args = (struct lws_process_html_args *)in;
 529                 {
 530                         static const char * const vars[] = {
 531                                 "$lwsgs_user",
 532                                 "$lwsgs_auth",
 533                                 "$lwsgs_email"
 534                         };
 535                         struct lwsgs_subst_args a;
 536
 537                         a.vhd = vhd;
 538                         a.pss = pss;
 539                         a.wsi = wsi;
 540
 541                         pss->phs.vars = vars;
 542                         pss->phs.count_vars = ARRAY_SIZE(vars);
 543                         pss->phs.replace = lwsgs_subst;
 544                         pss->phs.data = &a;
 545
 546                         if (lws_chunked_html_process(args, &pss->phs))
 547                                 return -1;
 548                 }
 549                 break;
 550
 551         case LWS_CALLBACK_HTTP_BODY:
 552                 if (len < 2)
 553                         break;
 554
 555                 if (!pss->spa) {
 556                         pss->spa = lws_spa_create(wsi, param_names,
 557                                                 ARRAY_SIZE(param_names), 1024,
 558                                                 NULL, NULL);
 559                         if (!pss->spa)
 560                                 return -1;
 561                 }
 562
 563                 if (lws_spa_process(pss->spa, in, len)) {
 564                         lwsl_notice("spa process blew\n");
 565                         return -1;
 566                 }
 567                 break;
 568
 569         case LWS_CALLBACK_HTTP_BODY_COMPLETION:
 570
 571                 if (!pss->spa)
 572                         break;
 573
 574                 lwsl_info("LWS_CALLBACK_HTTP_BODY_COMPLETION: %s\n", pss->onward);
 575                 lws_spa_finalize(pss->spa);
 576
 577                 if (!strcmp((char *)pss->onward, "/lwsgs-change")) {
 578                         if (!lwsgs_handler_change_password(vhd, wsi, pss)) {
 579                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 580                                 goto pass;
 581                         }
 582
 583                         cp = lws_spa_get_string(pss->spa, FGS_BAD);
 584                         lwsl_notice("user/password no good %s\n",
 585                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 586                         strncpy(pss->onward, cp, sizeof(pss->onward) - 1);
 587                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 588                         goto completion_flow;
 589                 }
 590
 591                 if (!strcmp((char *)pss->onward, "/lwsgs-login")) {
 592                         if (lws_spa_get_string(pss->spa, FGS_FORGOT) &&
 593                             lws_spa_get_string(pss->spa, FGS_FORGOT)[0]) {
 594                                 if (lwsgs_handler_forgot_pw_form(vhd, wsi, pss)) {
 595                                         n = FGS_FORGOT_BAD;
 596                                         goto reg_done;
 597                                 }
 598                                 /* get the email monitor to take a look */
 599                                 lws_email_check(&vhd->email);
 600                                 n = FGS_FORGOT_GOOD;
 601                                 goto reg_done;
 602                         }
 603
 604                         if (!lws_spa_get_string(pss->spa, FGS_USERNAME) ||
 605                             !lws_spa_get_string(pss->spa, FGS_PASSWORD)) {
 606                                 lwsl_notice("username '%s' or pw '%s' missing\n",
 607                                                 lws_spa_get_string(pss->spa, FGS_USERNAME),
 608                                                 lws_spa_get_string(pss->spa, FGS_PASSWORD));
 609                                 return -1;
 610                         }
 611
 612                         if (lws_spa_get_string(pss->spa, FGS_REGISTER) &&
 613                             lws_spa_get_string(pss->spa, FGS_REGISTER)[0]) {
 614
 615                                 if (lwsgs_handler_register_form(vhd, wsi, pss))
 616                                         n = FGS_REG_BAD;
 617                                 else {
 618                                         n = FGS_REG_GOOD;
 619
 620                                         /* get the email monitor to take a look */
 621                                         lws_email_check(&vhd->email);
 622                                 }
 623 reg_done:
 624                                 strncpy(pss->onward, lws_spa_get_string(pss->spa, n),
 625                                         sizeof(pss->onward) - 1);
 626                                 pss->onward[sizeof(pss->onward) - 1] = '\0';
 627                                 pss->login_expires = 0;
 628                                 pss->logging_out = 1;
 629                                 goto completion_flow;
 630                         }
 631
 632                         /* we have the username and password... check if admin */
 633                         if (lwsgw_check_admin(vhd, lws_spa_get_string(pss->spa, FGS_USERNAME),
 634                                               lws_spa_get_string(pss->spa, FGS_PASSWORD))) {
 635                                 if (lws_spa_get_string(pss->spa, FGS_ADMIN))
 636                                         cp = lws_spa_get_string(pss->spa, FGS_ADMIN);
 637                                 else
 638                                         if (lws_spa_get_string(pss->spa, FGS_GOOD))
 639                                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 640                                         else {
 641                                                 lwsl_info("No admin or good target url in form\n");
 642                                                 return -1;
 643                                         }
 644                                 lwsl_debug("admin\n");
 645                                 goto pass;
 646                         }
 647
 648                         /* check users in database */
 649
 650                         if (!lwsgs_check_credentials(vhd, lws_spa_get_string(pss->spa, FGS_USERNAME),
 651                                                      lws_spa_get_string(pss->spa, FGS_PASSWORD))) {
 652                                 lwsl_info("pw hash check met\n");
 653                                 cp = lws_spa_get_string(pss->spa, FGS_GOOD);
 654                                 goto pass;
 655                         } else
 656                                 lwsl_notice("user/password no good %s\n",
 657                                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 658
 659                         if (!lws_spa_get_string(pss->spa, FGS_BAD)) {
 660                                 lwsl_info("No admin or good target url in form\n");
 661                                 return -1;
 662                         }
 663
 664                         strncpy(pss->onward, lws_spa_get_string(pss->spa, FGS_BAD),
 665                                 sizeof(pss->onward) - 1);
 666                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 667                         lwsl_debug("failed\n");
 668
 669                         goto completion_flow;
 670                 }
 671
 672                 if (!strcmp((char *)pss->onward, "/lwsgs-logout")) {
 673
 674                         lwsl_notice("/logout\n");
 675
 676                         if (lwsgs_get_sid_from_wsi(wsi, &pss->login_session)) {
 677                                 lwsl_notice("not logged in...\n");
 678                                 return 1;
 679                         }
 680
 681                         lwsgw_update_session(vhd, &pss->login_session, "");
 682
 683                         if (!lws_spa_get_string(pss->spa, FGS_GOOD)) {
 684                                 lwsl_info("No admin or good target url in form\n");
 685                                 return -1;
 686                         }
 687
 688                         strncpy(pss->onward, lws_spa_get_string(pss->spa, FGS_GOOD), sizeof(pss->onward) - 1);
 689                         pss->onward[sizeof(pss->onward) - 1] = '\0';
 690
 691                         pss->login_expires = 0;
 692                         pss->logging_out = 1;
 693
 694                         goto completion_flow;
 695                 }
 696
 697                 break;
 698
 699 pass:
 700                 strncpy(pss->onward, cp, sizeof(pss->onward) - 1);
 701                 pss->onward[sizeof(pss->onward) - 1] = '\0';
 702
 703                 if (lwsgs_get_sid_from_wsi(wsi, &sid))
 704                         sid.id[0] = '\0';
 705
 706                 pss->login_expires = lws_now_secs() +
 707                                      vhd->timeout_absolute_secs;
 708
 709                 if (!sid.id[0]) {
 710                         /* we need to create a new, authorized session */
 711
 712                         if (lwsgs_new_session_id(vhd, &pss->login_session,
 713                                                  lws_spa_get_string(pss->spa, FGS_USERNAME),
 714                                                  pss->login_expires))
 715                                 goto try_to_reuse;
 716
 717                         lwsl_info("Creating new session: %s\n",
 718                                     pss->login_session.id);
 719                 } else {
 720                         /*
 721                          * we can just update the existing session to be
 722                          * authorized
 723                          */
 724                         lwsl_info("Authorizing existing session %s", sid.id);
 725                         lwsgw_update_session(vhd, &sid,
 726                                 lws_spa_get_string(pss->spa, FGS_USERNAME));
 727                         pss->login_session = sid;
 728                 }
 729
 730 completion_flow:
 731                 lwsgw_expire_old_sessions(vhd);
 732                 goto redirect_with_cookie;
 733
 734         case LWS_CALLBACK_HTTP_DROP_PROTOCOL:
 735                 if (pss && pss->spa) {
 736                         lws_spa_destroy(pss->spa);
 737                         pss->spa = NULL;
 738                 }
 739                 break;
 740
 741         case LWS_CALLBACK_ADD_HEADERS:
 742                 lwsgw_expire_old_sessions(vhd);
 743
 744                 args = (struct lws_process_html_args *)in;
 745
 746                 if (pss->delete_session.id[0]) {
 747                         pc = cookie;
 748                         lwsgw_cookie_from_session(&pss->delete_session, 0, &pc,
 749                                                   cookie + sizeof(cookie) - 1);
 750
 751                         lwsl_info("deleting cookie '%s'\n", cookie);
 752
 753                         if (lws_add_http_header_by_name(wsi,
 754                                         (unsigned char *)"set-cookie:",
 755                                         (unsigned char *)cookie, pc - cookie,
 756                                         (unsigned char **)&args->p,
 757                                         (unsigned char *)args->p + args->max_len))
 758                                 return 1;
 759                 }
 760
 761                 if (!pss->login_session.id[0])
 762                         lwsgs_get_sid_from_wsi(wsi, &pss->login_session);
 763
 764                 if (!pss->login_session.id[0] && !pss->logging_out) {
 765
 766                         pss->login_expires = lws_now_secs() +
 767                                              vhd->timeout_anon_absolute_secs;
 768                         if (lwsgs_new_session_id(vhd, &pss->login_session, "",
 769                                                  pss->login_expires))
 770                                 goto try_to_reuse;
 771                         pc = cookie;
 772                         lwsgw_cookie_from_session(&pss->login_session,
 773                                                   pss->login_expires, &pc,
 774                                                   cookie + sizeof(cookie) - 1);
 775
 776                         lwsl_info("LWS_CALLBACK_ADD_HEADERS: setting cookie '%s'\n", cookie);
 777                         if (lws_add_http_header_by_name(wsi,
 778                                         (unsigned char *)"set-cookie:",
 779                                         (unsigned char *)cookie, pc - cookie,
 780                                         (unsigned char **)&args->p,
 781                                         (unsigned char *)args->p + args->max_len))
 782                                 return 1;
 783                 }
 784                 break;
 785
 786         default:
 787                 break;
 788         }
 789
 790         return 0;
 791
 792 redirect_with_cookie:
 793         p = buffer + LWS_PRE;
 794         start = p;
 795         end = p + sizeof(buffer) - LWS_PRE;
 796
 797         if (lws_add_http_header_status(wsi, HTTP_STATUS_SEE_OTHER, &p, end))
 798                 return 1;
 799
 800         if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_LOCATION,
 801                         (unsigned char *)pss->onward,
 802                         strlen(pss->onward), &p, end))
 803                 return 1;
 804
 805         if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_CONTENT_TYPE,
 806                         (unsigned char *)"text/html", 9, &p, end))
 807                 return 1;
 808         if (lws_add_http_header_content_length(wsi, 0, &p, end))
 809                 return 1;
 810
 811         if (pss->delete_session.id[0]) {
 812                 lwsgw_cookie_from_session(&pss->delete_session, 0, &pc,
 813                                           cookie + sizeof(cookie) - 1);
 814
 815                 lwsl_notice("deleting cookie '%s'\n", cookie);
 816
 817                 if (lws_add_http_header_by_name(wsi,
 818                                 (unsigned char *)"set-cookie:",
 819                                 (unsigned char *)cookie, pc - cookie,
 820                                 &p, end))
 821                         return 1;
 822         }
 823
 824         if (!pss->login_session.id[0]) {
 825                 pss->login_expires = lws_now_secs() +
 826                                      vhd->timeout_anon_absolute_secs;
 827                 if (lwsgs_new_session_id(vhd, &pss->login_session, "",
 828                                          pss->login_expires))
 829                         return 1;
 830         } else
 831                 pss->login_expires = lws_now_secs() +
 832                                      vhd->timeout_absolute_secs;
 833
 834         if (pss->login_session.id[0] || pss->logging_out) {
 835                 /*
 836                  * we succeeded to login, we must issue a login
 837                  * cookie with the prepared data
 838                  */
 839                 pc = cookie;
 840
 841                 lwsgw_cookie_from_session(&pss->login_session,
 842                                           pss->login_expires, &pc,
 843                                           cookie + sizeof(cookie) - 1);
 844
 845                 lwsl_info("setting cookie '%s'\n", cookie);
 846
 847                 pss->logging_out = 0;
 848
 849                 if (lws_add_http_header_by_name(wsi,
 850                                 (unsigned char *)"set-cookie:",
 851                                 (unsigned char *)cookie, pc - cookie,
 852                                 &p, end))
 853                         return 1;
 854         }
 855
 856         if (lws_finalize_http_header(wsi, &p, end))
 857                 return 1;
 858
 859         n = lws_write(wsi, start, p - start, LWS_WRITE_HTTP_HEADERS);
 860         if (n < 0)
 861                 return 1;
 862
 863         /* fallthru */
 864
 865 try_to_reuse:
 866         if (lws_http_transaction_completed(wsi))
 867                 return -1;
 868
 869         return 0;
 870 }
 871
 872 static const struct lws_protocols protocols[] = {
 873         {
 874                 "protocol-generic-sessions",
 875                 callback_generic_sessions,
 876                 sizeof(struct per_session_data__gs),
 877                 1024,
 878         },
 879 };
 880
 881 LWS_EXTERN LWS_VISIBLE int
 882 init_protocol_generic_sessions(struct lws_context *context,
 883                         struct lws_plugin_capability *c)
 884 {
 885         if (c->api_magic != LWS_PLUGIN_API_MAGIC) {
 886                 lwsl_err("Plugin API %d, library API %d", LWS_PLUGIN_API_MAGIC,
 887                          c->api_magic);
 888                 return 1;
 889         }
 890
 891         c->protocols = protocols;
 892         c->count_protocols = ARRAY_SIZE(protocols);
 893         c->extensions = NULL;
 894         c->count_extensions = 0;
 895
 896         return 0;
 897 }
 898
 899 LWS_EXTERN LWS_VISIBLE int
 900 destroy_protocol_generic_sessions(struct lws_context *context)
 901 {
 902         return 0;
 903 }