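#!/bin/bash
# auth.sh
#
# Validates the token supplied via the environment variable $username and
# asks the auth API whether it is still valid.
#
# Exit status: 0 = allow, 1 = deny.
#
# Accepted inputs (after stripping non-printable characters):
#   * 128 chars         - a hex SHA-512 token hash, used as-is
#   * 127 or 126 chars  - a hash truncated by routers that chop trailing chars
#   * 23 chars          - a raw (unhashed) token; hashed here with SHA-512
# Anything else is rejected before the API is contacted.

# Start from an empty hash rather than trusting a value inherited from the
# environment: only the length checks below may set it, so "empty" must
# reliably mean "no match".
hash=

# Strip non-printable characters (e.g. a stray CR/tab/newline from a client).
# NB: [:print:] includes the space character, so a trailing space is NOT
# removed here; the character-set check below rejects it instead.
username=$(tr -dc '[:print:]' <<< "$username")

# Allow only [-a-zA-Z0-9], checked against the WHOLE string in-process:
# bash's =~ anchors ^ and $ at the string ends (grep would match per line,
# letting an embedded newline through), needs no GNU grep -P, and never
# echoes the token to stdout.
if [[ ! "$username" =~ ^[-a-zA-Z0-9]+$ ]]; then
  # invalid chars: either a typo or an attempt to inject shell/db syntax
  exit 1
fi

case "${#username}" in
  128)
    # length of a hex SHA-512 digest
    hash=$username
    ;;
  127|126)
    # hash with the last one or two chars chopped off by some routers;
    # passed to the API as-is
    hash=$username
    ;;
  23)
    # raw token: hash it on the caller's behalf. 'openssl dgst -sha512' is
    # the documented form (the bare 'sha' subcommand is not present in
    # newer OpenSSL releases); awk keeps only the hex digest from the
    # "(stdin)= <hex>" output. If openssl fails, $hash stays empty.
    hash=$(printf '%s' "$username" | openssl dgst -sha512 | awk '{print $NF}')
    ;;
esac

if [[ -z "$hash" ]]; then
  # valid characters but not a token or hash length (or hashing failed)
  exit 1
fi

# Ask the API whether the token is valid and not expired.
# NOTE(review): the token travels in the query string, which servers and
# proxies commonly log; a header or POST body would keep it out of logs.
if ! result=$(timeout 8 wget -T8 -qO- "https://[redacted]?token=$hash"); then
  # wget failed, hit the 8s timeout, or the API is down: fail OPEN by design
  # so an API outage does not lock everyone out. Be aware this also means
  # anyone who can make the API unreachable from here is let in.
  exit 0
fi

# "good": token valid. "max": max sessions reached - still allowed here,
# otherwise renegotiation would fail; session_up enforces the session cap.
case "$result" in
  good|max) exit 0 ;;
  *)        exit 1 ;;
esac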