From 3ff2de2b16b38a0e31a4e3f22c7e0f4fe05d21e5 Mon Sep 17 00:00:00 2001
From: Kabir Kwatra
Date: Wed, 3 Jul 2019 01:39:31 -0700
Subject: [PATCH 1/2] modified use of hashed password

---
 break/SchoolLoop/SchoolLoop.swift | 35 +++++++---------------
 break/SchoolLoop/SchoolLoopConstants.swift | 2 +-
 2 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/break/SchoolLoop/SchoolLoop.swift b/break/SchoolLoop/SchoolLoop.swift
index 3f61741..e8d6745 100644
--- a/break/SchoolLoop/SchoolLoop.swift
+++ b/break/SchoolLoop/SchoolLoop.swift
@@ -715,7 +715,7 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 /// any errors that occurred during the send.
 public func sendLoopMail(with composedLoopMail: SchoolLoopComposedLoopMail, completion: ((_ error: SchoolLoopError) -> Void)?) {
 let url = SchoolLoopConstants.loopMailSendURL(domainName: school.domainName)
- var request = hashedAuthenticatedRequest(url: url)
+ var request = authenticatedRequest(url: url, httpMethod: "POST")
 modify(&request, forSendingUsing: composedLoopMail)
 let session = URLSession.shared
 session.dataTask(with: request) { (data, response, error) in
@@ -809,7 +809,7 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 /// any errors that occurred during the fetch
 public func getLocker(withPath path: String, completion: ((_ error: SchoolLoopError) -> Void)?) {
 let url = SchoolLoopConstants.lockerURL(path: path, domainName: school.domainName, username: account.username)
- let request = authenticatedRequest(url: url, httpMethod: "PROPFIND")
+ let request = authenticatedRequest(url: url, httpMethod: "PROPFIND", useRealPassword: true)
 let session = URLSession.shared
 session.dataTask(with: request) { (data, response, error) in
 let httpResponse = response as? HTTPURLResponse
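Review bot: The `getLocker` call now opts into `useRealPassword: true` without saying why, so the locker requests are the one place where the account password itself is still put into the Basic header; the same applies to `request(lockerItemPath:)` in the hunk at -896. A one-line comment at both call sites would keep a later cleanup from flipping the flag or copying it elsewhere, for example `// Locker requests are sent with the account password, not the hashed one: <reason>`. Because Basic credentials are only base64-encoded, it is also worth confirming that `SchoolLoopConstants.lockerURL` always produces an `https` URL; its body is not part of this diff. `getLocker` continues past the end of the hunk.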
@@ -841,27 +841,10 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 /// - url: The URL to used for creation of the request
 /// - httpMethod: The HTTP method used for the creation of the request
 /// - Returns: An authenticated request with the current user's credentials
- private func authenticatedRequest(url: URL, httpMethod: String = "GET") -> URLRequest {
+ private func authenticatedRequest(url: URL, httpMethod: String = "GET", useRealPassword: Bool = false) -> URLRequest {
 let request = NSMutableURLRequest(url: url)
 request.httpMethod = httpMethod
- authenticate(request)
- return request as URLRequest
- }
-
- /// Creates an hashed, authenticated request with the current user's
- /// credentials, suitable for interaction with School Loop's POST API.
- ///
- /// - Parameters:
- /// - url: The URL to used for creation of the request
- /// - httpMethod: The HTTP method used for the creation of the request
- /// - Returns: An hashed, authenticated request with the current user's
- /// credentials
- private func hashedAuthenticatedRequest(url: URL, httpMethod: String = "POST") -> URLRequest {
- let request = NSMutableURLRequest(url: url)
- request.httpMethod = httpMethod
- authenticate(request)
- request.addValue("true", forHTTPHeaderField: "SL-HASH")
- request.addValue(SchoolLoopConstants.devToken, forHTTPHeaderField: "SL-UUID")
+ authenticate(request, useRealPassword: useRealPassword)
 return request as URLRequest
 }
 
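Review bot: The new `useRealPassword` parameter of `authenticatedRequest` is missing from the doc comment, which still lists only `url` and `httpMethod`; `authenticate` in the hunk at -871 has the same gap. I would add `/// - useRealPassword: When true the account password is sent; when false (the default) the hashed password is sent together with the SL-HASH and SL-UUID headers`. The default of `false` also changes which credential every existing caller sends, including callers that do not appear in this diff. That looks intended, but it depends on `account.hashedPassword` being populated for accounts restored from an older archive, which cannot be checked from here. The start of the doc comment lies above the hunk.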
@@ -871,9 +854,13 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 ///
 /// - Parameters:
 /// - request: The request to add authentication to
- private func authenticate(_ request: NSMutableURLRequest) {
- let base64String = Data("\(account.username):\(account.password)".utf8).base64EncodedString()
+ private func authenticate(_ request: NSMutableURLRequest, useRealPassword: Bool) {
+ let base64String = Data("\(account.username):\(useRealPassword ? account.password : account.hashedPassword)".utf8).base64EncodedString()
 request.addValue("Basic \(base64String)", forHTTPHeaderField: "Authorization")
+ if (!useRealPassword) {
+ request.addValue("true", forHTTPHeaderField: "SL-HASH")
+ request.addValue(SchoolLoopConstants.devToken, forHTTPHeaderField: "SL-UUID")
+ }
 }
 
 /// Modifies a request for sending based on the specified composed LoopMail.
@@ -896,7 +883,7 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 /// request
 /// - Returns: A request for the specified locker item
 private func request(lockerItemPath path: String) -> URLRequest {
- return authenticatedRequest(url: SchoolLoopConstants.lockerURL(path: path, domainName: school.domainName, username: account.username))
+ return authenticatedRequest(url: SchoolLoopConstants.lockerURL(path: path, domainName: school.domainName, username: account.username), useRealPassword: true)
 }
 
 // MARK: - Lookup methods
diff --git a/break/SchoolLoop/SchoolLoopConstants.swift b/break/SchoolLoop/SchoolLoopConstants.swift
index 7d004f7..d4643fb 100644
--- a/break/SchoolLoop/SchoolLoopConstants.swift
+++ b/break/SchoolLoop/SchoolLoopConstants.swift
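Review bot: In `authenticate`, the hashed branch sends `account.hashedPassword` as the Basic credential, so the hash is accepted in place of the password wherever `SL-HASH: true` is honoured and has to be protected like the password. How `hashedPassword` is stored, archived (the class is `NSSecureCoding`) and logged is not visible in this diff, so that should be confirmed. A comment above the ternary would record it: `// hashedPassword authenticates on its own when SL-HASH is set; treat it as a secret`. Separately, `addValue` appends to an existing header, so `request.setValue("Basic \(base64String)", forHTTPHeaderField: "Authorization")` would stop a request that is authenticated twice from carrying two credentials.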
@@ -63,7 +63,7 @@ enum SchoolLoopConstants {
 /// - Returns: A URL to the School Loop login endpoint with the specified
 /// domain name
 static func loginURL(domainName: String) -> URL {
- return URL(string: "https://\(domainName)/mapi/login?version=\(version)&devToken=\(SchoolLoopConstants.devToken)&devOS=\(SchoolLoopConstants.devOS)&year=\(SchoolLoopConstants.year)".addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)!)!
+ return URL(string: "https://\(domainName)/mapi/login?version=\(version)&devToken=\(SchoolLoopConstants.devToken)&devOS=\(SchoolLoopConstants.devOS)&year=\(SchoolLoopConstants.year)&uuid=\(devToken)".addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)!)!
 }
 
 /// Creates a URL to the School Loop course endpoint with the specified
From 9fbb54bddf37b589d069ca1b87e2af54a739c954 Mon Sep 17 00:00:00 2001
From: Kabir
Date: Wed, 3 Jul 2019 04:02:43 -0700
Subject: [PATCH 2/2] removed unnecessary parentheses

---
 break/SchoolLoop/SchoolLoop.swift | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/break/SchoolLoop/SchoolLoop.swift b/break/SchoolLoop/SchoolLoop.swift
index e8d6745..5b3baab 100644
--- a/break/SchoolLoop/SchoolLoop.swift
+++ b/break/SchoolLoop/SchoolLoop.swift
@@ -857,7 +857,7 @@ public class SchoolLoop: NSObject, NSSecureCoding {
 private func authenticate(_ request: NSMutableURLRequest, useRealPassword: Bool) {
 let base64String = Data("\(account.username):\(useRealPassword ? account.password : account.hashedPassword)".utf8).base64EncodedString()
 request.addValue("Basic \(base64String)", forHTTPHeaderField: "Authorization")
- if (!useRealPassword) {
+ if !useRealPassword {
 request.addValue("true", forHTTPHeaderField: "SL-HASH")
 request.addValue(SchoolLoopConstants.devToken, forHTTPHeaderField: "SL-UUID")
 }
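Review bot: In `loginURL` (PATCH 1/2), the new `uuid` value is added to a string that is percent-encoded as a whole with `.urlQueryAllowed` and then force-unwrapped twice. That character set leaves `&` and `=` unescaped, so a `devToken` or `domainName` containing them would change the query, and a string that `URL(string:)` rejects crashes the app. Building the URL from `URLComponents` and `URLQueryItem` encodes each value separately and makes the failure explicit. The sketch below assumes `domainName` is a bare host name. The `uuid` item repeats the `devToken` value, so a short comment saying that the server expects both names would help the next reader.

```swift
static func loginURL(domainName: String) -> URL {
    var components = URLComponents()
    components.scheme = "https"
    components.host = domainName
    components.path = "/mapi/login"
    components.queryItems = [
        URLQueryItem(name: "version", value: "\(version)"),
        URLQueryItem(name: "devToken", value: "\(SchoolLoopConstants.devToken)"),
        URLQueryItem(name: "devOS", value: "\(SchoolLoopConstants.devOS)"),
        URLQueryItem(name: "year", value: "\(SchoolLoopConstants.year)"),
        URLQueryItem(name: "uuid", value: "\(devToken)"),
    ]
    guard let url = components.url else {
        preconditionFailure("Could not build the School Loop login URL")
    }
    return url
}
```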