From 6cafa0aff9ca5041c9a721f53fb0bb93d43d1123 Mon Sep 17 00:00:00 2001
From: thematdev
Date: Wed, 5 Jul 2023 15:47:31 +0300
Subject: [PATCH] Fixed redis_auth.c logic + filling user_sid field redis_auth.c was unable to receive session_id as long as user <-> session should be both ways
---
 src/new_client.c | 41 ++++++++++++++++++++---------------------
 src/redis_auth.c | 8 ++++++--
 src/view_comments.c | 16 +++++++++++++++-
 3 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/src/new_client.c b/src/new_client.c
index 2390a7b..0641aa2 100644
--- a/src/new_client.c
+++ b/src/new_client.c
@@ -3,10 +3,10 @@
 #include "config.h"
 #include "utils.h"
-#define UUID_SIZE 36
+#define UUID_SIZE 37
 /* TODO: place cookie normally */
-void
+char *
 validate_credentials()
 {
 char username[RA_USER_MAX_LENGTH + 1], password[RA_PASSWORD_MAX_LENGTH + 1];
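Review bot: `UUID_SIZE` now means 36 characters of UUID text plus the terminating NUL, but the macro is still defined separately here, in src/redis_auth.c and (newly) in src/view_comments.c, so the session_id buffers agree only while every copy is edited together. authenticate() fills the caller's buffer with `strcpy(session_id, sid_reply->str)` and takes no length, so a mismatch between files would become an out-of-bounds write. Defining it once in a shared header (auth.h looks like the natural place, to be confirmed) as `#define UUID_SIZE 37 /* 36-char UUID text + NUL */` removes that risk. validate_credentials() continues outside this hunk.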
@@ -16,45 +16,38 @@ validate_credentials()
 err = cgiFormString("username", username, RA_USER_MAX_LENGTH + 1);
 if (err == cgiFormTruncated) {
- fprintf(cgiOut, "Username too long(max %d chars)\n", RA_USER_MAX_LENGTH);
- return;
+ return "Username too long\n";
 }
 if (err == cgiFormNotFound) {
- fprintf(cgiOut, "Username not provided\n");
- return;
+ return "Username not provided\n";
 }
 err = cgiFormString("password", password, RA_PASSWORD_MAX_LENGTH + 1);
 if (err == cgiFormTruncated) {
- fprintf(cgiOut, "Password too long(max %d+1(NUL) bytes)\n", RA_PASSWORD_MAX_LENGTH);
- return;
+ return "Password too long\n";
 }
 if (err == cgiFormNotFound) {
- fprintf(cgiOut, "Password not provided\n");
- return;
+ return "Password not provided\n";
 }
 if (!is_valid_username(username)) {
- fprintf(cgiOut, "Username must be [A-Za-z0-9_]\n");
- return;
+ return "Username must be [A-Za-z0-9_]\n";
 }
 if (!is_valid_password(password)) {
- fprintf(cgiOut, "Password must be a sequence of bytes in range 32-255\n");
- return;
+ return "Password must be a sequence of bytes in range 32-255\n";
 }
 auth = authenticate(username, password, session_id);
 if (auth < 0) {
- fprintf(cgiOut, "Some error occured, contact system administrator\n");
- return;
+ return "Some error occured, contact system administrator\n";
 }
 if (auth) {
 cgiHeaderCookieSet(SESSION_COOKIE_NAME, session_id, RA_SESSION_EXPIRE, "/", HOSTNAME, 0);
- fprintf(cgiOut, "You've successfully logged in as %s\n", username);
+ return "You've successfully logged in!\n";
 } else {
- fprintf(cgiOut, "Failed to log in, check credentials\n");
+ return "Failed to log in, check credentials\n";
 }
 }
@@ -73,6 +66,14 @@ print_login_form()
 int
 cgiMain()
 {
+ char *message;
+ if (cgiFormSubmitClicked("login") == cgiFormSuccess) {
+ message = validate_credentials();
+ } else {
+ message = "";
+ }
+
+
 cgiHeaderContentType("text/html");
 fprintf(cgiOut, "\n");
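Review bot: In the `@@ -16,45 +16,38 @@` hunk the session cookie is still issued with `0` as the last argument of cgiHeaderCookieSet(), so it carries no HttpOnly, Secure or SameSite attribute, even though this commit makes that cookie the credential that attributes comments to a user. If the bundled cgic version defines the cookie option flags, pass them here, e.g. `cgiHeaderCookieSet(SESSION_COOKIE_NAME, session_id, RA_SESSION_EXPIRE, "/", HOSTNAME, cgiCookieHttpOnly | cgiCookieSameSiteStrict);`, adding `cgiCookieSecure` when the site is served over HTTPS. The start of validate_credentials(), including the declaration of session_id, is outside this hunk.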
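Review bot: In the `@@ -73,6 +66,14 @@` hunk `message` only ever points at string literals, so it and the return type of validate_credentials() (changed in the first hunk) should be `const char *`; with plain `char *` the compiler cannot flag an accidental write through the pointer, which would be undefined behaviour. Initialising at the declaration, `const char *message = "";`, also makes the `else` branch unnecessary. A comment such as `/* must run before cgiHeaderContentType(): a successful login emits the cookie header */` would record why the call was moved, assuming that is the reason. cgiMain continues outside the hunk.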
@@ -83,9 +84,7 @@ cgiMain()
 fprintf(cgiOut, "\n");
- if (cgiFormSubmitClicked("login") == cgiFormSuccess) {
- validate_credentials();
- }
+ fputs(message, cgiOut);
 print_login_form();
diff --git a/src/redis_auth.c b/src/redis_auth.c
index 6e640a1..2c29a59 100644
--- a/src/redis_auth.c
+++ b/src/redis_auth.c
@@ -7,7 +7,7 @@
 #include
 #include
-#define UUID_SIZE 36
+#define UUID_SIZE 37
 #define SHA512_DIGEST_SIZE 64
 #define FAIL_AUTH() do { \
@@ -40,7 +40,7 @@ user_by_session_id(const char *session_id, char *username)
 goto defer;
 }
- reply = redisCommand(ctx, "GET session:%s", session_id);
+ reply = redisCommand(ctx, "GET username:%s", session_id);
 if (reply->type != REDIS_REPLY_STRING) {
 strcpy(username, "");
 } else {
@@ -115,10 +115,14 @@ authenticate(const char *username, const char *password, char *session_id)
 sid_reply = redisCommand(ctx, "SET session:%s %s", username, session_id);
 freeReplyObject(sid_reply);
+ sid_reply = redisCommand(ctx, "SET username:%s %s", session_id, username);
+ freeReplyObject(sid_reply);
 } else {
 strcpy(session_id, sid_reply->str);
 }
 sid_reply = redisCommand(ctx, "EXPIRE session:%s %d", username, RA_SESSION_EXPIRE);
+ freeReplyObject(sid_reply);
+ sid_reply = redisCommand(ctx, "EXPIRE username:%s %d", session_id, RA_SESSION_EXPIRE);
 retval = 1;
 }
diff --git a/src/view_comments.c b/src/view_comments.c
index 41e514f..034c8d4 100644
--- a/src/view_comments.c
+++ b/src/view_comments.c
@@ -5,11 +5,16 @@
 #include "driver.h"
 #include "drivers/unix_fs/unix_fs_driver.h"
 #include "config.h"
+#include "auth.h"
 #include
 #include
 #include
+#define UUID_SIZE 37
+
+char authorized_user_sid[RA_USER_MAX_LENGTH + 1], session_id[UUID_SIZE];
+
 int
 page_by_id(int id)
 {
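Review bot: In the `@@ -40,7 +40,7 @@` hunk of src/redis_auth.c, `reply->type` is read without checking that redisCommand() returned a reply at all. hiredis returns NULL when the connection fails mid-request, and with this commit the lookup runs on every comments-page request that carries a session cookie, so a Redis outage would crash the CGI instead of degrading to anonymous. Guarding the test as `if (reply == NULL || reply->type != REDIS_REPLY_STRING) {` keeps the failure path at "no user". The `else` branch that copies the stored name into `username` lies outside the hunk; since the function receives no buffer length, that copy is worth bounding to RA_USER_MAX_LENGTH as well.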
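Review bot: In the `@@ -115,10 +115,14 @@` hunk the reverse key `username:<session_id>` is written only in the branch that creates a new session, so a login that reuses an existing `session:<username>` value (the `else` branch) never creates it and the following `EXPIRE username:%s` is a no-op on a missing key; user_by_session_id() would then keep returning an empty name for that session. Writing the mapping after the if/else with its TTL in the same command, `sid_reply = redisCommand(ctx, "SET username:%s %s EX %d", session_id, username, RA_SESSION_EXPIRE);`, covers both branches and avoids a key without expiry if the process stops between SET and EXPIRE. None of the new replies is checked for NULL or REDIS_REPLY_ERROR before `retval = 1`, so a failed write is still reported as a successful login. authenticate() starts and ends outside the hunk.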
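Review bot: In the `@@ -5,11 +5,16 @@` hunk of src/view_comments.c, `authorized_user_sid` and `session_id` are defined at file scope without `static`, so both get external linkage and can collide with same-named objects in anything else linked into this CGI; `static char authorized_user_sid[RA_USER_MAX_LENGTH + 1], session_id[UUID_SIZE];` keeps them private to the file. A comment on the declaration, e.g. `/* empty string means the request is anonymous; filled in cgiMain from the session cookie */`, would document the convention the later hunks rely on.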
@@ -196,7 +201,11 @@ handle_submitted_comment()
 time(&header.creation_time);
 header.reply_id = rid;
 header.text_length = strlen(sanitized_text);
- header.user_sid = "web/anonymous";
+ if (strcmp(authorized_user_sid, "")) {
+ header.user_sid = authorized_user_sid;
+ } else {
+ header.user_sid = "web/anonymous";
+ }
 header.user_displayname = displayname;
 if (driver.leave_comment(&driver_data, &header, sanitized_text) < 0) {
@@ -214,6 +223,11 @@ defer:
 int
 cgiMain()
 {
+ if (cgiCookieString(SESSION_COOKIE_NAME, session_id, UUID_SIZE) == cgiFormSuccess) {
+ user_by_session_id(session_id, authorized_user_sid);
+ } else {
+ authorized_user_sid[0] = '\0';
+ }
 cgiHeaderContentType("text/html");
 fprintf(cgiOut, "\n");
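Review bot: In the `@@ -196,7 +201,11 @@` hunk comments are now attributed to whichever account the session cookie identifies, but nothing visible here ties the submission to a form this site rendered, so a request triggered from another origin would be stored under the visitor's `user_sid`. The earlier part of handle_submitted_comment() is outside the hunk, so confirm whether a per-session anti-CSRF token is verified there; if not, add that check before `driver.leave_comment()` is reached and set a SameSite attribute where the cookie is issued. For readability, `if (authorized_user_sid[0] != '\0')` states the intent more directly than the truthiness of `strcmp(authorized_user_sid, "")`.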
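Review bot: In the `@@ -214,6 +223,11 @@` hunk a failed lookup is not distinguished from a successful one: whatever `user_by_session_id()` reports (its return type is not visible in this diff) is discarded, so after a failure the contents of `authorized_user_sid` depend on what the callee happened to write. The buffer is a zero-initialised global today, but clearing it first with `authorized_user_sid[0] = '\0';` before the `if` makes the anonymous fallback explicit and lets the `else` branch go. The callee also receives no buffer size, so the `RA_USER_MAX_LENGTH + 1` bound is enforced only by whatever value is stored in Redis; passing `sizeof authorized_user_sid` would close that, at the cost of an interface change outside this diff. cgiMain continues outside the hunk.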