From fadfd186aad1b03c05d5afd26a1cf19fa833474f Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 13 Oct 2022 19:33:18 +0100 Subject: [PATCH] Fix TOTP validation for overpass --- cookbooks/overpass/templates/default/apache.erb | 2 ++ .../overpass/templates/default/totp-filter.erb | 14 +++++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/cookbooks/overpass/templates/default/apache.erb b/cookbooks/overpass/templates/default/apache.erb index 47e136381..0aefcf85a 100644 --- a/cookbooks/overpass/templates/default/apache.erb +++ b/cookbooks/overpass/templates/default/apache.erb @@ -29,6 +29,7 @@ DocumentRoot <%= @directory %> + RewriteEngine on RewriteMap totp prg:/srv/query.openstreetmap.org/apache/totp-filter RewriteCond ${totp:%{HTTP_COOKIE}} =0 RewriteRule ^.*$ - [F,L] @@ -39,6 +40,7 @@ # Remove Origin so Overpass does not interfere. RequestHeader unset Origin Header always add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin + Header always add Access-Control-Allow-Credentials true <% else -%> ScriptAlias /api/ <%= @script_directory %>/ <% end -%> diff --git a/cookbooks/overpass/templates/default/totp-filter.erb b/cookbooks/overpass/templates/default/totp-filter.erb index 75145c632..8245f2ae3 100644 --- a/cookbooks/overpass/templates/default/totp-filter.erb +++ b/cookbooks/overpass/templates/default/totp-filter.erb 
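Review bot: With `RewriteEngine on` the gate underneath it becomes live, but that gate denies only when the map answers exactly `0` (`RewriteCond ${totp:%{HTTP_COOKIE}} =0`, context in this hunk), so any other outcome lets the request through. If I read mod_rewrite correctly, an empty lookup key (a request with no Cookie header at all) is not even passed to the program and expands to the empty string, and a filter process that fails to answer yields nothing either — both cases currently pass rather than fail closed. Requiring the positive answer with a fail-closed default, `RewriteCond ${totp:%{HTTP_COOKIE}|0} !=1`, keeps the behaviour for a valid token identical (the filter only ever emits `1` or `0`) while treating every other result as a denial. Worth a short comment above the three rewrite lines stating that the map must return `1` for the request to proceed.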
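Review bot: The new `Access-Control-Allow-Credentials true` is emitted unconditionally, while the `Access-Control-Allow-Origin` line above it is gated on `env=AccessControlAllowOrigin` and echoes whatever that variable holds, which is set outside this hunk. Credentials may only be combined with an explicitly allowlisted origin: if `AccessControlAllowOrigin` reflects the request's `Origin` header, any site could now make credentialed cross-origin requests carrying a visitor's `_osm_totp_token` cookie and read the responses, undoing the cookie gate configured a few lines earlier — please confirm the variable is restricted to a fixed set of origins. At minimum make the two headers travel together, `Header always add Access-Control-Allow-Credentials true env=AccessControlAllowOrigin`, and consider `set` instead of `add` so a duplicate header is not produced if another module already emits one.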
@@ -1,17 +1,21 @@ #!/usr/bin/ruby -requrie "cgi" +require "cgi" require "rotp" totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600) STDIN.each_line do |header| - cookies = CGI::Cookie.parse(header) + cookies = CGI::Cookie.parse(header.chomp) - if totp.verify(cookies["_osm_totp_token"], :drift_behind => 3600, :drift_ahead => 3600) - puts "1" + if cookie = cookies.fetch("_osm_totp_token", nil) + if totp.verify(cookie.value.first, :drift_behind => 3600, :drift_ahead => 3600) + STDOUT.syswrite("1\n") + else + STDOUT.syswrite("0\n") + end else - puts "0" + STDOUT.syswrite("0\n") end end -- 2.39.5
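Review bot: `cookie.value.first` is nil when the cookie arrives with an empty value (`_osm_totp_token=`), and `totp.verify` is not nil-safe — current ROTP versions raise `ArgumentError` for a non-String otp, as far as I know — so a single malformed Cookie header would terminate this long-running map program instead of answering `0` for that line, since the `each_line` loop has no rescue. The cheap guard is `if totp.verify(cookie.value.first.to_s, :drift_behind => 3600, :drift_ahead => 3600)`; more robustly, wrap the per-line body in `begin … rescue StandardError` that writes `0\n`, so that any parsing or verification error is reported as a denial and the filter keeps serving. The assignment-in-condition `if cookie = cookies.fetch("_osm_totp_token", nil)` reads like a typo for `==`; splitting it into `cookie = cookies.fetch("_osm_totp_token", nil)` followed by `if cookie` says the same thing without the ambiguity. A one-line comment noting that `fetch(..., nil)` is deliberate because `CGI::Cookie.parse` returns a hash whose default is a truthy empty array would save the next reader from reintroducing `cookies["_osm_totp_token"]`.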