author | Steven Barth <steven@midlink.org> | 2008-08-10 12:58:05 +0000 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2008-08-10 12:58:05 +0000 |
commit | f9fa6d82da4f15473a49822d6d9dfda34144b85e (patch) | |
tree | b5a1593155a67919118e2201c244d239a87ba31f /libs | |
parent | 2787a7f68896663647e19a1387195ae18db7d37a (diff) |
* libs/web: Reworked authentication
Diffstat (limited to 'libs')
-rwxr-xr-x | libs/httpd/host/runluci | 3 | ||||
-rw-r--r-- | libs/httpd/luasrc/httpd/handler/luci.lua | 2 | ||||
-rw-r--r-- | libs/sys/luasrc/sys.lua | 5 | ||||
-rw-r--r-- | libs/web/luasrc/dispatcher.lua | 41 |
4 files changed, 28 insertions, 23 deletions
diff --git a/libs/httpd/host/runluci b/libs/httpd/host/runluci index 6f6cdde3d..d31b3f79c 100755 --- a/libs/httpd/host/runluci +++ b/libs/httpd/host/runluci @@ -23,6 +23,9 @@ if pcall(require, "uci") and pcall(require, "luci.model.uci") then luci.model.uci.set_confdir(luci.model.uci.confdir_default) end +require("luci.sys") +luci.sys.user.checkpasswd = function() return true end + filehandler = luci.httpd.handler.file.Simple(DOCROOT) vhost:set_default_handler(filehandler) diff --git a/libs/httpd/luasrc/httpd/handler/luci.lua b/libs/httpd/luasrc/httpd/handler/luci.lua index 232883256..ac3ed78d0 100644 --- a/libs/httpd/luasrc/httpd/handler/luci.lua +++ b/libs/httpd/luasrc/httpd/handler/luci.lua @@ -32,7 +32,6 @@ end function Luci.handle_head(self, ...) local response, sourceout = self:handle_get(...) - self.running = self.running - 1 return response end @@ -67,7 +66,6 @@ function Luci.handle_get(self, request, sourcein, sinkerr) status = 500 headers["Content-Type"] = "text/plain" local err = {id} - self.running = self.running - 1 return Response( status, headers ), function() return table.remove(err) end end diff --git a/libs/sys/luasrc/sys.lua b/libs/sys/luasrc/sys.lua index b8ec10e0f..56beafe94 100644 --- a/libs/sys/luasrc/sys.lua +++ b/libs/sys/luasrc/sys.lua @@ -295,10 +295,7 @@ user.getuser = posix.getpasswd function user.checkpasswd(username, password) local account = user.getuser(username) - -- FIXME: detect testing environment - if luci.fs.stat("/etc/shadow") and not luci.fs.access("/etc/shadow", "r") then - return true - elseif account then + if account then if account.passwd == "!" then return true else diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua index d9917c2a8..b74c5bdc2 100644 --- a/libs/web/luasrc/dispatcher.lua +++ b/libs/web/luasrc/dispatcher.lua @@ -33,6 +33,8 @@ require("luci.fs") context = luci.util.threadlocal() +authenticator = {} + -- Index table local index = nil 
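Review bot: The added `luci.sys.user.checkpasswd = function() return true end` in runluci replaces the password check for the whole process with one that accepts any credentials, and nothing next to it says why. Because the sys.lua hunk of this commit removes the old `/etc/shadow` test-environment detection, this override is now the only thing that makes the host runner unauthenticated. A comment such as `-- host/test runner only: accept any password; must never be installed on a device` would make that explicit. Consider also applying the override only behind an explicit opt-in, so that a copied runluci does not silently disable login.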
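Review bot: With the shadow-file bypass removed from user.checkpasswd, the retained `if account.passwd == "!" then return true` branch is the remaining path that accepts any password, and it carries no comment. In shadow-style password files a leading `!` normally marks a locked or not-yet-set password, so this presumably means "no password configured"; that should be confirmed and written down, for example `-- "!" = no password set: login is allowed without one`. The web dispatcher now passes this function in as its validator, so the behaviour is reachable over HTTP. The body of checkpasswd continues past the end of the hunk.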
@@ -76,25 +78,20 @@ function error500(message) return false end ---- Render and evaluate the system authentication login form. --- @param default Default username --- @return Authentication status -function sysauth(default) +function authenticator.htmlauth(validator, default) local user = luci.http.formvalue("username") local pass = luci.http.formvalue("password") - if user and luci.sys.user.checkpasswd(user, pass) then - local sid = luci.sys.uniqueid(16) - luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") - luci.sauth.write(sid, user) - return true - else - require("luci.i18n") - require("luci.template") - context.path = {} - luci.template.render("sysauth", {duser=default, fuser=user}) - return false + if user and validator(user, pass) then + return user end + + require("luci.i18n") + require("luci.template") + context.path = {} + luci.template.render("sysauth", {duser=default, fuser=user}) + return false + end --- Dispatch an HTTP request. @@ -172,13 +169,23 @@ function dispatch(request) if track.sysauth then require("luci.sauth") + local authen = authenticator[track.sysauth_authenticator] local def = (type(track.sysauth) == "string") and track.sysauth local accs = def and {track.sysauth} or track.sysauth local user = luci.sauth.read(luci.http.getcookie("sysauth")) - if not luci.util.contains(accs, user) then - if not sysauth(def) then + if authen then + local user = authen(luci.sys.user.checkpasswd, def) + if not user or not luci.util.contains(accs, user) then + return + else + local sid = luci.sys.uniqueid(16) + luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") + luci.sauth.write(sid, user) + end + else + luci.http.status(403, "Forbidden") return end end |
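Review bot: authenticator.htmlauth drops the LuaDoc block that sysauth had, although its contract changed: it now takes a `validator` callback as first argument and returns the user name on success instead of `true`. Restore the header with a one-line summary, a `@param validator` entry describing it as a function of (user, pass) that returns true for valid credentials, the existing `@param default Default username`, and a `@return` stating "user name on success, false after rendering the login form". It is also worth saying there that the function no longer creates the session; the cookie and `luci.sauth.write` call moved to dispatch.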
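Review bot: In the new `if authen then` branch of dispatch, `if not user or not luci.util.contains(accs, user) then return` ends the request with no status and no body when the credentials were valid but the account is not in `accs`, because htmlauth only renders the form on failure. Answering that case the way the `else` branch does, `if not user then return elseif not luci.util.contains(accs, user) then luci.http.status(403, "Forbidden") return end`, would avoid a blank response. The inner `local user` also shadows the cookie-derived `user`, so any later code in dispatch that reads `user` (not visible in this hunk) would still see the old value; dropping the `local` may be what was intended. The session cookie is written as `"sysauth=" .. sid.."; path=/"`; appending `; HttpOnly` would keep page scripts from reading the session id. dispatch begins and ends outside the hunk.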