handle server which aren't cgi "Status" aware

[cwebfiles.git] / login.c

#define _GNU_SOURCE

#include <stdlib.h>
#include <string.h>
#include "cwebfiles.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>
#include <unistd.h>
#include <shadow.h>
#include <pwd.h>
#include <stdio.h>

extern char **environ;

#define BADAUTH "invalid user/pass"

int main() {
  FASTOUTPUT
  environ = NULL;
  setuid(0);
  
  char buf[1024];
  int res = read(0, buf, 1023);
  if (res == -1) senderr("couldn't read POST data", NOTMYFAULT);
  buf[res] = 0;
  char *nl = strchr(buf, '\r');
  if (nl != NULL) *nl = 0;
  char *user = buf;
  char *pass = strchr(buf, ':');
  if (pass == NULL) senderr("can't find user-pass-seperator", NOTMYFAULT);
  *pass = 0;
  pass++;
  
  // verify password
  struct spwd *shadow_entry = getspnam(user);
  struct passwd *passwd_entry = getpwnam(user);
  if (passwd_entry == NULL || shadow_entry == NULL) senderr(BADAUTH, NOTMYFAULT);
  char *enc_pass = crypt(pass, shadow_entry->sp_pwdp);
  if (enc_pass == NULL) senderr(BADAUTH, NOTMYFAULT);
  if (strcmp(enc_pass, shadow_entry->sp_pwdp) != 0) senderr(BADAUTH, NOTMYFAULT);
  
  // now create a new session
  // create a cookie
  unsigned char bincookie[COOKIE_LENGTH/2];
  grabrand(bincookie, COOKIE_LENGTH/2);
  char cookie[COOKIE_LENGTH+1];
  hex(cookie, bincookie, COOKIE_LENGTH/2);
  cookie[COOKIE_LENGTH] = 0;
  
  // set session data
  strncpy(session.user_name, user, 33);
  session.start_time = time(NULL);
  session.uid = passwd_entry->pw_uid;
  
  // write out session data to the fs
  persist_session(cookie);
  
  // phew, all done! tell the user everything is fine
  puts("Status: 200 login successful");
  puts("X-Frame-Options: DENY");
  puts("Content-Type: text/plain;charset=utf8");
  // TODO XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX SET SECURE FLAG!
  printf("Set-Cookie: " COOKIE_NAME "=%s; HttpOnly\n", cookie);
  puts("");
  puts("OK");
}