From 0db96cce9f83f09b07a46f31f9930e5b7cc19f6f Mon Sep 17 00:00:00 2001
From: Matthias Andreas Benkard
Date: Mon, 5 May 2014 14:36:43 +0200
Subject: Fix bugs introduced by the previous patch.
---
 lib/Net/MulkyID/Setup.pm | 18 +++++++++--
 www/authenticate-with-password.html | 39 ++++++++++++++++++++++++
 www/authenticate-with-password.js | 35 +++++++++++++++++++++
 www/authenticate.html | 28 ++--------------
 www/authenticate.js | 35 +++------------------
 www/authenticate.pl | 61 ++++++++++++++++++++++++-------------
 www/common.pl | 7 +++--
 www/login.pl | 36 ++++++----------------
 8 files changed, 151 insertions(+), 108 deletions(-)
 create mode 100644 www/authenticate-with-password.html
 create mode 100644 www/authenticate-with-password.js
diff --git a/lib/Net/MulkyID/Setup.pm b/lib/Net/MulkyID/Setup.pm
index acfe018..2393023 100755
--- a/lib/Net/MulkyID/Setup.pm
+++ b/lib/Net/MulkyID/Setup.pm
@@ -51,22 +51,31 @@ sub setup() {
 my $configpath = $::MULKONF->{configpath} // "/etc/mulkyid";
 my $pemfile = $::MULKONF->{pemfile} // "$configpath/rsa2048.pem";
- my $auth_type = $::MULKONF->{auth_type} // "imap";
+ my $auth_type = $::MULKONF->{auth_type} // "imap";
 my $aliases_file = $::MULKONF->{aliases_file} // "/etc/aliases";
 my $imap_server = $::MULKONF->{imap_server} // "localhost";
 my $imap_port = $::MULKONF->{imap_port} // 143;
 my $basepath = $::MULKONF->{basepath} // "/browserid";
+ my $fake_domain = $::MULKONF->{fake_domain} // "";
+ my $real_domain = $::MULKONF->{real_domain} // "";
 $configpath = prompt("Where shall I put configuration files?", $configpath);
 $pemfile = prompt("Where shall I put the private key?", $pemfile);
 $auth_type = prompt("How will users authenticate? (imap, google)", $auth_type);
- $basepath = int(prompt("What will be the web-facing base path for IdP files and scripts?", $basepath));
- for ($auth_type) {
+ $basepath = prompt("What will be the web-facing base path for IdP files and scripts?", $basepath);
+ given (my $_ = $auth_type) {
 when ("imap") {
 $aliases_file = prompt("Where is the aliases file? Type a single dot for none.", $aliases_file);
 $imap_server = prompt("What is the IMAP server's address?", $imap_server);
 $imap_port = int(prompt("What is the IMAP server's port?", $imap_port));
 }
 when ("google") {
+ $fake_domain = prompt("Fake domain name for email addresses? Type a single dot for none. (FOR DEVELOPMENT)", $fake_domain);
+ if ($fake_domain eq '.' or $fake_domain eq '') {
+ $fake_domain = '';
+ } else {
+ $real_domain = prompt("Real domain name?", $real_domain);
+ $real_domain = '' if ($real_domain eq '.');
+ }
 }
 default {
 die "Invalid authentication type";
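Review bot: `given (my $_ = $auth_type) {` declares a lexical `$_`; lexical `$_` was experimental and was removed in Perl 5.24, so this line fails to compile on a current perl, and the same construct is introduced in the authenticate.pl and login.pl hunks of this patch. `given ($auth_type) {`, or the `for ($auth_type) {` this hunk replaces, sets `$_` for the `when` arms without declaring it; `given`/`when` itself is still an experimental feature, so the `for` form is the more durable choice. In the `google` arm, answering `.` to "Real domain name?" leaves `$real_domain` empty while `$fake_domain` stays set, and the `s/\@$fakedomain/\@$realdomain/` rewrites the other hunks add then produce addresses ending in a bare `@`; rejecting the combination, e.g. `die "real_domain is required when fake_domain is set" unless length $real_domain;`, keeps the written config consistent. `sub setup` starts before and continues past this hunk.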
@@ -114,6 +123,9 @@ sub setup() { imap_server => $imap_server, imap_port => $imap_port, basepath => $basepath, + auth_type => $auth_type, + fake_domain => $fake_domain, + real_domain => $real_domain, }; write_file($conffile, < + + + Persona IMAP Authentication + + + + + + + + + + +

Persona IMAP Login

+ +
+ + + + + + + + + + + +
E-Mail:
Password:
+
+ + +
+
+
+
diff --git a/www/authenticate-with-password.js b/www/authenticate-with-password.js
new file mode 100644
index 0000000..776d1e3
--- /dev/null
+++ b/www/authenticate-with-password.js
@@ -0,0 +1,35 @@
+jQuery(function($) {
+ var getParameterByName = function(name) {
+ // https://stackoverflow.com/a/5158301
+ var match = RegExp('[?&]' + name + '=([^&]*)').exec(window.location.search);
+ return match && decodeURIComponent(match[1].replace(/\+/g, ' '));
+ };
+
+ var email = getParameterByName('email');
+ $('#email').val(email);
+
+ var onAuthentication = function() {
+ var password = $('#password').val();
+ $.ajax({
+ type: 'POST',
+ url: '/browserid/login.pl',
+ dataType: 'json',
+ data: { email: email, password: password },
+ success: function(sig, status, xhr) {
+ console.log("Login successful!");
+ navigator.id.completeAuthentication();
+ },
+ error: function(reason, status, xhr) {
+ navigator.id.raiseAuthenticationFailure(reason.responseText);
+ }
+ });
+ return false;
+ };
+
+ var onCancel = function() {
+ navigator.id.cancelAuthentication();
+ };
+
+ $('#auth-form').submit(onAuthentication);
+ $('.cancel').click(onCancel);
+});
diff --git a/www/authenticate.html b/www/authenticate.html
index 8123aab..603a596 100644
--- a/www/authenticate.html
+++ b/www/authenticate.html
@@ -1,39 +1,17 @@ - Persona IMAP Authentication + MulkyID Persona Login - - -
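Review bot: `url: '/browserid/login.pl'` hard-codes the base path, although the Setup.pm hunk in this same patch makes the web-facing base path configurable (default `/browserid`) and the authenticate.js hunk reaches `authenticate.pl` through a relative URL; `url: 'login.pl'` would resolve against the page's own location the same way and keep the two scripts consistent. The POST sends the `email` taken from the query string rather than the value of the `#email` field it just populated, so if that field is editable (the HTML in this patch is not legible here) a user edit is silently ignored; `data: { email: $('#email').val(), password: password }` keeps the two in step, or the field should be read-only. `getParameterByName` returns `null` when the parameter is absent, which then travels to `login.pl` as an empty `email` value and surfaces only as that script's error.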

Persona IMAP Login

+

MulkyID Persona Login

-
- - - - - - - - - - - -
E-Mail:
Password:
-
- - -
-
+

Logging in...

diff --git a/www/authenticate.js b/www/authenticate.js
index 2d72480..86d722c 100644
--- a/www/authenticate.js
+++ b/www/authenticate.js
@@ -1,33 +1,6 @@
 jQuery(function($) {
- var email;
-
- navigator.id.beginAuthentication(function(email_) {
- email = email_;
- $('#email').val(email);
- });
-
- var onAuthentication = function() {
- var password = $('#password').val();
- $.ajax({
- type: 'POST',
- url: '/browserid/login.pl',
- dataType: 'json',
- data: { email: email, password: password },
- success: function(sig, status, xhr) {
- console.log("Login successful!");
- navigator.id.completeAuthentication();
- },
- error: function(reason, status, xhr) {
- navigator.id.raiseAuthenticationFailure(reason.responseText);
- }
- });
- return false;
- };
-
- var onCancel = function() {
- navigator.id.cancelAuthentication();
- };
-
- $('#auth-form').submit(onAuthentication);
- $('.cancel').click(onCancel);
+ navigator.id.beginAuthentication(function(email) {
+ var escapedEmail = encodeURIComponent(email);
+ window.location = 'authenticate.pl?email=' + escapedEmail;
+ });
 });
diff --git a/www/authenticate.pl b/www/authenticate.pl
index a36ad02..d73869d 100755
--- a/www/authenticate.pl
+++ b/www/authenticate.pl
@@ -15,34 +15,53 @@ use Net::Google::FederatedLogin;
 do "common.pl";
-while (my $cgi = new CGI::Fast) {
- load_config();
-
- my $claimed_email = $cgi->param('email');
-
- my $g = Net::Google::FederatedLogin->new(
- claimed_id => $claimed_email,
- return_to => reluri($cgi, 'login.pl'),
- extensions => [{ns => 'ax',
- uri => 'http://openid.net/srv/ax/1.0',
- attributes => {mode => 'fetch_request',
- required => 'email',
- type => {email => 'http://axschema.org/contact/email'}}}]
- );
-
- my $cookie = $cgi->cookie('mulkid_session');
- my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"});
- $session->param('claimed_email', $claimed_email);
+sub redirect_with_cookie($$$$) {
+ my ($cgi, $uri, $session, $cookie) = @_;
 if ($cookie) {
- print $cgi->redirect(-url => $g->get_auth_url());
+ print $cgi->redirect(-url => $uri);
 } else {
 my $cookie = $cgi->cookie(-name => 'mulkid_session',
 -value => $session->id,
 -expires => '+1d',
- #-secure => 1,
+ -secure => 1,
 -httponly => 1,
 #-domain => '.'.$::MULKONF->{realm}
 );
- print $cgi->redirect(-cookie => $cookie, -url => $g->get_auth_url());
+ print $cgi->redirect(-cookie => $cookie, -url => $uri);
+ }
+}
+
+while (my $cgi = new CGI::Fast) {
+ load_config();
+
+ my $claimed_email = $cgi->param('email');
+ my $cookie = $cgi->cookie('mulkid_session');
+ my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"});
+
+ my $fakedomain = $::MULKONF->{fake_domain};
+ my $realdomain = $::MULKONF->{real_domain};
+ $claimed_email =~ s/\@$fakedomain/\@$realdomain/ if $fakedomain;
+
+ $session->param('claimed_email', $claimed_email);
+
+ given (my $_ = $::MULKONF->{auth_type}) {
+ when ('imap') {
+ redirect_with_cookie($cgi, reluri($cgi, "authenticate-with-password.html?email=$claimed_email"), $session, $cookie);
+ }
+ when ('google') {
+ my $g = Net::Google::FederatedLogin->new(
+ claimed_id => $claimed_email,
+ return_to => reluri($cgi, 'login.pl'),
+ extensions => [{ns => 'ax',
+ uri => 'http://openid.net/srv/ax/1.0',
+ attributes => {mode => 'fetch_request',
+ required => 'email',
+ type => {email => 'http://axschema.org/contact/email'}}}]
+ );
+ redirect_with_cookie($cgi, $g->get_auth_url(), $session, $cookie);
+ }
+ default {
+ die "Invalid auth_type! " . $::MULKONF->{auth_type};
+ }
 }
 }
diff --git a/www/common.pl b/www/common.pl
index 3f3a5b0..736bf00 100644
--- a/www/common.pl
+++ b/www/common.pl
@@ -14,9 +14,12 @@ sub load_config() {
 }
 sub email_users($) {
- return @_
- if $::MULKONF->{auth_type} eq 'google';
 my ($email) = @_;
+ my $fakedomain = $::MULKONF->{fake_domain};
+ my $realdomain = $::MULKONF->{real_domain};
+ $email =~ s/\@$realdomain/\@$fakedomain/ if $fakedomain;
+ return ($email)
+ if $::MULKONF->{auth_type} eq 'google';
 my $alias;
 if ($email =~ /^(.*?)@/) { $alias = $1; }
 my $aliases_file = $::MULKONF->{aliases};
diff --git a/www/login.pl b/www/login.pl
index a2f06c4..1b196fa 100755
--- a/www/login.pl
+++ b/www/login.pl
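Review bot: `reluri($cgi, "authenticate-with-password.html?email=$claimed_email")` interpolates the address into the query string unescaped, so an email containing `&`, `#`, `+` or `%` reaches the password page truncated or decoded differently from the `claimed_email` just stored in the session; building the string with `CGI::escape($claimed_email)` fixes that. The rewrite `$claimed_email =~ s/\@$fakedomain/\@$realdomain/` treats the configured domain as a regex (its `.` matches any character) and is not anchored to the end of the string, so longer domains sharing the prefix are rewritten as well; `s/\@\Q$fakedomain\E\z/\@$realdomain/` matches only the literal configured domain, and the mirror-image substitutions in the common.pl hunk and the second login.pl hunk have the same shape. `$cgi->param('email')` is undef when the parameter is missing, in which case the substitution warns and the redirect carries an empty address; `die "No email address provided" unless defined $claimed_email;` before the rewrite fails early instead. `sub redirect_with_cookie($$$$)` uses a prototype for argument checking, which only changes how calls parse; a plain `sub redirect_with_cookie {` with the `my (...) = @_` unpack already present is the usual form.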
@@ -39,40 +39,24 @@ sub check_imap_password($$) {
 while (my $cgi = new CGI::Fast) {
- load_config;
+ load_config();
 my $cookie = $cgi->cookie('mulkid_session');
- my $session;
- if ($cookie) {
- $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"});
- print $cgi->header(-content_type => 'application/json; charset=UTF-8');
- } else {
- $session = new CGI::Session("driver:File", undef, {Directory=>"/tmp"});
- my $cookie = $cgi->cookie(-name => 'mulkid_session',
- -value => $session->id,
- -expires => '+1d',
- -secure => 1,
- -httponly => 1,
- #-domain => '.mulk.eu'
- );
- print $cgi->header(-content_type => 'application/json; charset=UTF-8',
- -cookie => $cookie);
- }
-
- my $email = $cgi->param('email') or die "No email address provided";
-
- for ($::MULKONF->{auth_type}) {
+ my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"});
+ given (my $_ = $::MULKONF->{auth_type}) {
 when ('imap') {
+ my $email = $cgi->param('email') or die "No email address provided";
 my $password = $cgi->param('password') or die "Empty password";
 for my $user (email_users($email)) {
 #say STDERR "Trying user: $user";
 if (check_imap_password($user, $password)) {
 $session->param('user', $user);
- #say encode_json({user => $user});
- print $cgi->redirect(-url => reluri($cgi, 'successful-login.html'));
+ print $cgi->header(-content_type => 'application/json; charset=UTF-8');
+ say encode_json({user => $user});
 exit 0;
 }
 }
+ die "Could not authenticate.";
 }
 when ('google') {
 my $g = Net::Google::FederatedLogin->new(
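Review bot: `my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"});` creates a fresh session when no `mulkid_session` cookie arrived, but the Set-Cookie branch that used to cover that case is removed here, so `$session->param('user', $user)` then writes into a session whose id the client never receives; the script now relies entirely on authenticate.pl having set the cookie, and since that cookie is marked `-secure` in this patch, a plain-HTTP deployment would hit this on every login. Either reject requests without a session cookie (`die "No session cookie" unless $cookie;`) or re-emit the cookie as before. The imap failure path `die "Could not authenticate.";`, like the two parameter `die`s above it, fires before any header is printed, so what the browser's `error:` callback displays is whatever the FastCGI front end substitutes for an uncaught exception, possibly including the ` at login.pl line N.` suffix; printing `$cgi->header(-status => '401 Unauthorized', -content_type => 'text/plain; charset=UTF-8')` with a short body gives a stable, non-leaking response. The `when ('google')` arm continues past the hunk.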
@@ -82,8 +66,10 @@ while (my $cgi = new CGI::Fast) {
 $g->verify_auth or die "Could not verify the OpenID assertion!";
 my $ext = $g->get_extension('http://openid.net/srv/ax/1.0');
 my $verified_email = $ext->get_parameter('value.email');
+ my $fakedomain = $::MULKONF->{fake_domain};
+ my $realdomain = $::MULKONF->{real_domain};
+ $verified_email =~ s/\@$realdomain/\@$fakedomain/ if $fakedomain;
 $session->param('user', $verified_email);
- #say encode_json({user => $user});
 print $cgi->redirect(-url => reluri($cgi, 'successful-login.html'));
 exit 0;
 }
@@ -91,6 +77,4 @@ while (my $cgi = new CGI::Fast) {
 die "Invalid auth_type. Check MulkyID configuration!";
 }
 }
-
- die "Could not authenticate.";
 }
-- cgit v1.2.3