Fix TOTP validation for overpass

diff --git a/cookbooks/overpass/templates/default/apache.erb b/cookbooks/overpass/templates/default/apache.erb
index 47e1363813592d994d51f03fd2bf48a30e33ae65..0aefcf85a2c8f931a26be4ca9192ac3953657c96 100644 (file)
--- a/cookbooks/overpass/templates/default/apache.erb
+++ b/cookbooks/overpass/templates/default/apache.erb
@@ -29,6 +29,7 @@
 
         DocumentRoot <%= @directory %>
 
+        RewriteEngine on
         RewriteMap totp prg:/srv/query.openstreetmap.org/apache/totp-filter
         RewriteCond ${totp:%{HTTP_COOKIE}} =0
         RewriteRule ^.*$ - [F,L]
@@ -39,6 +40,7 @@
         # Remove Origin so Overpass does not interfere.
         RequestHeader unset Origin
         Header always add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+        Header always add Access-Control-Allow-Credentials true
 <% else -%>
         ScriptAlias /api/ <%= @script_directory %>/
 <% end -%>

diff --git a/cookbooks/overpass/templates/default/totp-filter.erb b/cookbooks/overpass/templates/default/totp-filter.erb
index 75145c63213d0121a3f2b96f103801a3c5f4449a..8245f2ae3ace64ecf753526b3829313ca95e8675 100644 (file)
--- a/cookbooks/overpass/templates/default/totp-filter.erb
+++ b/cookbooks/overpass/templates/default/totp-filter.erb
@@ -1,17 +1,21 @@
 #!/usr/bin/ruby
 
-requrie "cgi"
+require "cgi"
 require "rotp"
 
 totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)
 
 STDIN.each_line do |header|
-  cookies = CGI::Cookie.parse(header)
+  cookies = CGI::Cookie.parse(header.chomp)
 
-  if totp.verify(cookies["_osm_totp_token"], :drift_behind => 3600, :drift_ahead => 3600)
-    puts "1"
+  if cookie = cookies.fetch("_osm_totp_token", nil)
+    if totp.verify(cookie.value.first, :drift_behind => 3600, :drift_ahead => 3600)
+      STDOUT.syswrite("1\n")
+    else
+      STDOUT.syswrite("0\n")
+    end
   else
-    puts "0"
+    STDOUT.syswrite("0\n")
   end
 end