winamp/Src/auth/auth.cpp

#include "api.h"

#include "../nu/ns_wc.h"
#include <api/service/waservicefactory.h>
#include "OAuthKey.h"
#include "../nu/AutoCharFn.h"
#include "../nu/AutoChar.h"
#include "auth.h"
#include "./loginbox/loginbox.h"

#include "ifc_authcallback.h"
#include "main.h"
#include "../nu/AutoUrl.h"
#include <api/syscb/callbacks/authcb.h>

#include "../Winamp/buildType.h"
#include <strsafe.h>

//#ifdef INTERNAL
//// QA
////const char *openauth_url ="https://authapi.qa.aol.com:8439/auth/clientLogin";
//// QH
//const char *openauth_url ="https://authapi.qh.aol.com:6443/auth/clientLogin";
//#else
const char *openauth_url ="https://api.screenname.aol.com:443/auth/clientLogin";
//#endif

static void CleanPassword(char *password)
{
	char *src = password;
	char *dest = password;

	while (src && *src)
	{
		char c = *src++;
		if (c >= 'a' && c <= 'z')
			*dest++ = c;
		else if (c >= 'A' && c <= 'Z')
			*dest++ = c;
		else if (c >= '0' && c <= '9')
			*dest++ = c;
	}
	*dest=0;
}

static void ParsePassword(const wchar_t *password, char **password_url, char **securid=0)
{
	const wchar_t *find_slash = wcschr(password, L'/');
	if (find_slash)
	{
		*password_url = AutoUrlDupN(password, find_slash-password);
		if (securid)
			*securid = AutoUrlDup(find_slash+1);
	}
	else
	{
		*password_url = AutoUrlDup(password);
		if (securid)
			*securid=0;
	}
}

// TODO: benski> use &forceRateLimit=true to force captcha request
int PostXML(const char *url, const char *post_data, obj_xml *parser, ifc_authcallback *callback);
static int Authorize(obj_xml *parser, const wchar_t *username, const wchar_t *password, ifc_authcallback *callback)
{
	char *password_url, *securid;
	ParsePassword(password, &password_url, &securid);

	char post_data[2048] = {0};
	StringCbPrintfA(post_data, sizeof(post_data), 
		"devId=%s"
		"&f=xml"
		"&pwd=%s"
		"&s=%s"
		"%s%s"
		"&tokenType=longterm",
		OPENAUTH_DEVID,
		password_url,
		AutoUrl(username),
		(securid?"&securid=":""),
		(securid?securid:"")
		);

	free(password_url);
	free(securid);
	return PostXML(openauth_url, post_data, parser, callback);
}

static int AuthorizeSecurID(obj_xml *parser, const wchar_t *username, const char *context, const wchar_t *securid, ifc_authcallback *callback)
{
	char post_data[2048] = {0};
	StringCbPrintfA(post_data, sizeof(post_data), 
		"devId=%s"
		"&f=xml"		
		"&s=%s"
		"&context=%s"
		"&securid=%s"
		"&tokenType=longterm",
		OPENAUTH_DEVID,		
		AutoUrl(username),
		AutoUrl(context),
		AutoUrl(securid)
		);

	return PostXML(openauth_url, post_data, parser, callback);
}


void OpenAuthParser::RegisterCallbacks(obj_xml *parser)
{
	parser->xmlreader_registerCallback(L"response\fstatusCode", &statusCode);
	parser->xmlreader_registerCallback(L"response\fstatusText", &statusText);
	parser->xmlreader_registerCallback(L"response\fstatusDetailCode", &statusDetailCode);
	parser->xmlreader_registerCallback(L"response\fdata\ftoken\fa", &token);
	parser->xmlreader_registerCallback(L"response\fdata\ftoken\fexpiresIn", &expire);
	parser->xmlreader_registerCallback(L"response\fdata\fsessionSecret", &session_secret);
	parser->xmlreader_registerCallback(L"response\fdata\fchallenge\fcontext", &context);

}
void OpenAuthParser::UnregisterCallbacks(obj_xml *parser)
{
	parser->xmlreader_unregisterCallback(&statusCode);
	parser->xmlreader_unregisterCallback(&statusText);
	parser->xmlreader_unregisterCallback(&statusDetailCode);		
	parser->xmlreader_unregisterCallback(&token);
	parser->xmlreader_unregisterCallback(&expire);
	parser->xmlreader_unregisterCallback(&session_secret);
	parser->xmlreader_unregisterCallback(&context);
}


int Auth::SetupLogin(OpenAuthParser &authParser, waServiceFactory *&parserFactory, obj_xml *&parser)
{
	parserFactory = WASABI_API_SVC->service_getServiceByGuid(obj_xmlGUID);
	if (parserFactory)
		parser = (obj_xml *)parserFactory->getInterface();

	if (parser)
	{
		parser->xmlreader_setCaseSensitive();
		authParser.RegisterCallbacks(parser);
		parser->xmlreader_open();
		return AUTH_SUCCESS;
	}
	else
		return AUTH_NOPARSER;
}

int Auth::ParseAuth(const wchar_t *password, OpenAuthParser &authParser, AuthResults *results)
{
	switch(authParser.statusCode.GetUInt32())
	{
	case 200:
		{
			char *password_url;
			ParsePassword(password, &password_url);
			UrlDecode(password_url);
			OAuthKey key(password_url, strlen(password_url));
			AutoChar session_utf8(authParser.session_secret.GetString(), CP_UTF8);
			key.FeedMessage((char *)session_utf8, strlen(session_utf8));
			key.EndMessage();
			key.GetBase64(results->session_key, sizeof(results->session_key));
			WideCharToMultiByteSZ(CP_UTF8, 0, authParser.token.GetString(), -1, results->token, sizeof(results->token), 0, 0);
			results->expire = authParser.expire.GetUInt32() + _time64(0);
			free(password_url);
			return AUTH_SUCCESS;
		}
	case 330:
		switch(authParser.statusDetailCode.GetUInt32())
		{
		case 3011: // Password-LoginId Required/Invalid
			return AUTH_INVALIDCRED;
		case 3012: // SecurId Required/Invalid 
		case 3013: // SecurId Next Token Required
			WideCharToMultiByteSZ(CP_UTF8, 0, authParser.context.GetString(), -1, results->context, sizeof(results->context), 0, 0);
			return AUTH_SECURID;
		}
		break;
	case 401:
		switch(authParser.statusDetailCode.GetUInt32())
		{
		case 3020:
			return AUTH_UNCONFIRMED;
		}
		break;
	}

	return AUTH_NOT_AUTHORIZED;
}

int Auth::Login(const wchar_t *username, const wchar_t *password, AuthResults *results, ifc_authcallback *callback)
{
	SecureZeroMemory(results, sizeof(AuthResults));
	OpenAuthParser authParser;
	obj_xml *parser = 0;
	waServiceFactory *parserFactory = 0;

	int err = SetupLogin(authParser, parserFactory, parser);
	if (err == AUTH_SUCCESS)
	{
		err = Authorize(parser, username, password, callback);
		authParser.UnregisterCallbacks(parser);
		parser->xmlreader_close();
		parserFactory->releaseInterface(parser);
		if (err != AUTH_SUCCESS)
			return err;

		return ParseAuth(password, authParser, results);
	}
	else
		return err;

	return AUTH_NOT_AUTHORIZED;
}

int Auth::LoginSecurID(const wchar_t *username, const wchar_t *password, const char *context, const wchar_t *securid, AuthResults *results, ifc_authcallback *callback)
{
	SecureZeroMemory(results, sizeof(AuthResults));
	OpenAuthParser authParser;
	obj_xml *parser = 0;
	waServiceFactory *parserFactory = 0;

	int err = SetupLogin(authParser, parserFactory, parser);
	if (err == AUTH_SUCCESS)
	{
		err = AuthorizeSecurID(parser, username, context, securid, callback);
		authParser.UnregisterCallbacks(parser);
		parser->xmlreader_close();
		parserFactory->releaseInterface(parser);
		if (err != AUTH_SUCCESS)
			return err;

		return ParseAuth(password, authParser, results);
	}
	else
		return err;

	return AUTH_NOT_AUTHORIZED;
}

const char *Auth::GetDevID()
{
	return OPENAUTH_DEVID;
}

int Auth::SetCredentials(GUID realm, const char *session_key, const char *token, const wchar_t *username, __time64_t expire)
{
	if (NULL != WASABI_API_SYSCB)
		WASABI_API_SYSCB->syscb_issueCallback(SysCallback::AUTH, AuthCallback::CREDENTIALS_ABOUTTOCHANGE, (intptr_t)this, (intptr_t)&realm);

	char guid_str[40] = {0};
	if (realm != GUID_NULL)
	{
	  StringCbPrintfA( guid_str, sizeof(guid_str), "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
    (int)realm.Data1, (int)realm.Data2, (int)realm.Data3,
    (int)realm.Data4[0], (int)realm.Data4[1],
    (int)realm.Data4[2], (int)realm.Data4[3],
    (int)realm.Data4[4], (int)realm.Data4[5],
    (int)realm.Data4[6], (int)realm.Data4[7] );
	}
	else
	{
		StringCbCopyA(guid_str, sizeof(guid_str), "default");
	}

	if (session_key && session_key[0])
	{
		WritePrivateProfileStringA(guid_str, "session_key", session_key, inifile);
		WritePrivateProfileStringA(guid_str, "token", token, inifile);
		WritePrivateProfileStringA(guid_str, "username", AutoChar(username, CP_UTF8), inifile);
		char temp[128] = {0};
		StringCbPrintfA(temp, sizeof(temp), "%I64d", expire);
		WritePrivateProfileStringA(guid_str, "expiration", temp, inifile);
	}
	else
	{
		char empty[2] = {0,0};
		WritePrivateProfileSectionA(guid_str, empty, inifile);
		if (username && username[0]) // they might want to save their username tho
			WritePrivateProfileStringA(guid_str, "username", AutoChar(username, CP_UTF8), inifile);
	}

	if (NULL != WASABI_API_SYSCB)
		WASABI_API_SYSCB->syscb_issueCallback(SysCallback::AUTH, AuthCallback::CREDENTIALS_CHANGED, (intptr_t)this, (intptr_t)&realm);

	return AUTH_SUCCESS;
}

int Auth::GetCredentials(GUID realm, char *session_key, size_t session_key_len, char *token, size_t token_len, wchar_t *username, size_t username_len, __time64_t *expire)
{
	char guid_str[40] = {0};
	if (realm != GUID_NULL)
	{
	  StringCbPrintfA( guid_str, sizeof(guid_str), "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
    (int)realm.Data1, (int)realm.Data2, (int)realm.Data3,
    (int)realm.Data4[0], (int)realm.Data4[1],
    (int)realm.Data4[2], (int)realm.Data4[3],
    (int)realm.Data4[4], (int)realm.Data4[5],
    (int)realm.Data4[6], (int)realm.Data4[7] );
	}
	else
	{
		StringCbCopyA(guid_str, sizeof(guid_str), "default");
	}

	GetPrivateProfileStringA(guid_str, "session_key", "", session_key, (DWORD)session_key_len, inifile);
	GetPrivateProfileStringA(guid_str, "token", "", token, (DWORD)token_len, inifile);
		char temp[1024] = {0};
	GetPrivateProfileStringA(guid_str, "username", "", temp, sizeof(temp), inifile);
	MultiByteToWideCharSZ(CP_UTF8, 0, temp, -1, username, (DWORD)username_len);
	
	GetPrivateProfileStringA(guid_str, "expiration", "", temp, sizeof(temp), inifile);
	*expire = _atoi64(temp);
	return AUTH_SUCCESS;
}

int Auth::GetUserName(GUID realm, wchar_t *username, size_t username_len)
{
	char guid_str[40] = {0};
	if (realm != GUID_NULL)
	{
	  StringCbPrintfA( guid_str, sizeof(guid_str), "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
    (int)realm.Data1, (int)realm.Data2, (int)realm.Data3,
    (int)realm.Data4[0], (int)realm.Data4[1],
    (int)realm.Data4[2], (int)realm.Data4[3],
    (int)realm.Data4[4], (int)realm.Data4[5],
    (int)realm.Data4[6], (int)realm.Data4[7] );
	}
	else
	{
		StringCbCopyA(guid_str, sizeof(guid_str), "default");
	}

	char temp[1024] = {0};
	GetPrivateProfileStringA(guid_str, "username", "", temp, sizeof(temp), inifile);
	MultiByteToWideCharSZ(CP_UTF8, 0, temp, -1, username, (DWORD)username_len);
	return AUTH_SUCCESS;
}


Auth::Auth()
{
	inifile=0;
}
void Auth::Init()
{
	wchar_t inifileW[MAX_PATH] = {0};
	const wchar_t *settings_path = WASABI_API_APP->path_getUserSettingsPath();
	PathCombineW(inifileW, settings_path, L"auth.ini");
	inifile = _strdup(AutoCharFn(inifileW));
}

void Auth::Quit()
{
	free(inifile);
}

static void AddParameter(char *&position, size_t &len, const char *param, const wchar_t *val)
{
	AutoUrl encoded_val(val);
	StringCchPrintfExA(position, len, &position, &len, 0, "&%s=%s", param, encoded_val);
}

static void AddParameter(char *&position, size_t &len, const char *param, const char *val)
{
	AutoUrl encoded_val(val);
	StringCchPrintfExA(position, len, &position, &len, 0, "&%s=%s", param, encoded_val);
}

static void AddParameter(char *&position, size_t &len, const char *param, int64_t val)
{
	char temp[64] = {0};
	StringCchPrintfA(temp, 64, "%I64d", val);
	StringCchPrintfExA(position, len, &position, &len, 0, "&%s=%s", param, temp);
}

//#ifdef INTERNAL
// QA
//static const char *c2w_server="my.screenname.qa.aol.com";
//static const char *c2w_path="/_cqr/login/login.psp";
//static const char *c2w_path_encoded="%2F_cqr%2Flogin%2Flogin.psp";
// QH
//static const char *c2w_server="my.screenname.qh.aol.com";
//static const char *c2w_path="/_cqr/login/login.psp";
//static const char *c2w_path_encoded="%2F_cqr%2Flogin%2Flogin.psp";
//#else
static const char *c2w_server="my.screenname.aol.com";
static const char *c2w_path="/_cqr/login/login.psp";
static const char *c2w_path_encoded="%2F_cqr%2Flogin%2Flogin.psp";
//#endif


int Auth::ClientToWeb(GUID realm, const wchar_t *destination_url, wchar_t *url, size_t urlcch)
{
	char session_key[1024], token[1024] = {0};
	wchar_t username[1024] = {0};
	__time64_t expire;
	int ret = GetCredentials(realm, session_key, 1024, token, 1024, username, 1024, &expire);
	if (ret)
		return ret;

	if (!session_key[0] || !token[0] || !username[0])
		return 1;

	char post_data[2048]="";
	char *post_itr=post_data;
	size_t post_cch=sizeof(post_data)/sizeof(*post_data);

	OAuthKey key(session_key, strlen(session_key));

	key.FeedMessage("GET&", 4);
	key.FeedMessage("http%3A%2F%2F", 13);
	key.FeedMessage(c2w_server, strlen(c2w_server));
	key.FeedMessage(c2w_path_encoded, strlen(c2w_path_encoded));
	key.FeedMessage("&", 1);

	// parameters
	StringCbPrintfExA(post_itr, post_cch, &post_itr, &post_cch, 0, "a=%s", AutoUrl(token));
	char *start = post_itr;
	key.FeedMessage("a%3D", 4);
	AutoUrl token_a_url1(token);
	AutoUrl token_a_url((char *)token_a_url1);
	key.FeedMessage(token_a_url, strlen((char *)token_a_url));

	AddParameter(post_itr, post_cch, "destUrl", destination_url);
	AddParameter(post_itr, post_cch, "devId", GetDevID());
	AddParameter(post_itr, post_cch, "entryType", L"client2Web");
		__time64_t t = _time64(0);
	AddParameter(post_itr, post_cch, "ts", t);

	AutoUrl encoded_post(start);
	key.FeedMessage((char *)encoded_post, strlen(encoded_post));

	key.EndMessage();
	char hash[512] = {0};
	key.GetBase64(hash, 512);

	StringCchPrintfA(post_itr, post_cch, "&sig_sha256=%s", AutoUrl(hash));

	char urla[2048] = {0};
	StringCbPrintfA(urla, sizeof(urla), "http://%s%s?%s", c2w_server, c2w_path, post_data);

	MultiByteToWideCharSZ(CP_UTF8, 0, urla, -1, url, (int)urlcch);

	return 0;
}

HWND Auth::CreateLoginWindow(GUID realm, HWND owner, UINT style)
{
#ifndef USE_LOGINBOX
	return NULL;
#else
	return LoginBox_CreateWindow(this, &realm, owner, style);
#endif
}

INT_PTR Auth::LoginBox(GUID realm, HWND owner, UINT style)
{
#ifndef USE_LOGINBOX
	return -1;
#else
	return LoginBox_Show(this, &realm, owner, style);
#endif
}

#define CBCLASS Auth
START_DISPATCH;
CB(API_AUTH_LOGIN, Login)
CB(API_AUTH_GETDEVID, GetDevID)
CB(API_AUTH_LOGIN_SECURID, LoginSecurID)
CB(API_AUTH_SETCREDENTIALS, SetCredentials)
CB(API_AUTH_GETCREDENTIALS, GetCredentials)
CB(API_AUTH_CLIENT_TO_WEB, ClientToWeb)
CB(API_AUTH_CREATELOGINWINDOW, CreateLoginWindow)
CB(API_AUTH_LOGINBOX, LoginBox)
CB(API_AUTH_GETUSERNAME, GetUserName)
END_DISPATCH;
#undef CBCLASS