From 44710854ca2d6d1fb40786f53ee11599ab770582 Mon Sep 17 00:00:00 2001
From: bahbka <bahbka@gmail.com>
Date: Wed, 9 Jul 2014 10:20:30 +0400
Subject: Added authentication.

---
 README.md                    |  22 ++++-
 appinfo.json                 |   4 +-
 resources/configuration.html |  54 ++++++-----
 src/js/pebble-js-app.src.js  | 222 ++++++++++++++++++++++++++++++++++++++++++-
 stuff/pebble-my-data.pbw     | Bin 24241 -> 28583 bytes
 5 files changed, 274 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index 93a5e33..3933f08 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ Inspired by [Pebble Cards](http://keanulee.com/pebblecards).
 * Ability to change up/down buttons behavior from JSON (scrolling or up=1|2,down=1|2 params)
 * Append coordinates to URL (configurable)
 * Append HTTP request header Pebble-Token (unique to device/app pair), can be used for server-side device identification
+* Authentication (see documentation)
 * Scrollable data area
 * Custom update interval, specified in JSON
 * Vibrate on update if specified in JSON
@@ -31,6 +32,9 @@ Inspired by [Pebble Cards](http://keanulee.com/pebblecards).
 
 ## Changelog
 
+### 2.2.0
+- Authentication (see documentation)
+
 ### 2.1.2
 - Ability to change up/down buttons behavior from JSON (scrolling or up=1|2,down=1|2 params)
 - Added HTTP request header Pebble-Token (unique to device/app pair), can be used for server-side device identification
@@ -77,7 +81,8 @@ JSON output example (some fields are optional):
       "scroll": 1,
       "light": 1,
       "blink": 3,
-      "updown": 1
+      "updown": 1,
+      "auth": "salt"
     }
 
 GET param short=1 or long=1 added to URL on short or long select button update
@@ -129,6 +134,21 @@ Next update delay in seconds.
 - 0 use up/down buttons for scrolling
 - 1 use up/down buttons for update, appending up=1|2/down=1|2 params (1=short/2=long)
 
+### auth
+Salt for Pebble-Auth hash (see below)
+
+## Auth
+
+Authentication algorithm example (reinvent the wheel):
+1. -> Pebble makes HTTP request with Pebble-Token header (Pebble App Token by default, unique to device/app pair, can be changed at configuration page, clear to restore default)
+2. <- Server answers with JSON like { ..., "content": "logging in...", "refresh": 5, "auth": "randomsalt", ... }
+3.    Pebble calculates MD5(MD5(password)+"randomsalt"), saves it as auth token and uses as Pebble-Auth HTTP request header in future requests.
+4. -> Pebble makes HTTP request after 5 seconds with Pebble-Token header and with Pebble-Auth header (calculated and stored in previous step)
+5.    Server checks Pebble-Token and Pebble-Auth headers if data equal data in database (Pebble-Token <=> login, calculate MD5(password_md5_db+"randomsalt"))
+6. <- Server answers with private content (seems your need https for more security), or some error if auth failed; auth field in JSON not needed anymore, until you desire to regenerate auth token with new salt (paranoid mode) or to clear Pebble-Auth header
+
+To clear Pebble-Auth header, send { ..., "auth": "", ...} (eg logout).
+
 ## Bugs
 
 Sometime after install JS app fails to start, issue related Pebble App. Force stop Pebble App and start it again.
diff --git a/appinfo.json b/appinfo.json
index cd6ab51..2bc396d 100644
--- a/appinfo.json
+++ b/appinfo.json
@@ -3,8 +3,8 @@
   "shortName": "My Data",
   "longName": "My Data",
   "companyName": "bahbka",
-  "versionCode": 212,
-  "versionLabel": "2.1.2",
+  "versionCode": 220,
+  "versionLabel": "2.2.0",
   "watchapp": {
     "watchface": false
   },
diff --git a/resources/configuration.html b/resources/configuration.html
index 25c135a..4f21aae 100644
--- a/resources/configuration.html
+++ b/resources/configuration.html
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <!-- -*-coding: utf-8 -*-
-vim: sw=2 ts=2 expandtab ai -->
+vim: sw=2 ts=2 expandtab ai
+-->
 
 <html>
   <head>
@@ -11,7 +12,7 @@ vim: sw=2 ts=2 expandtab ai -->
       small { color: gray }
       a { color: white }
       input { height: 1.5em; font-size: 1.2em; font-weight: bold }
-      .url { width: 93%; margin: 0.5em }
+      .text { width: 93%; margin: 0.5em; text-align: center }
       .submit { width: 93%; margin: 0.4em }
       .param { display: inline-table; width: 95%; height: 3em }
       .label,.checkbox { display: table-cell; vertical-align: middle }
@@ -50,16 +51,37 @@ vim: sw=2 ts=2 expandtab ai -->
         }
         return window.location.href = "pebblejs://close#" + encodeURIComponent(JSON.stringify(config));
       }
+
+      function toggle_visibility(id) {
+        var e = document.getElementById(id);
+        if(e.style.display == 'block')
+          e.style.display = 'none';
+        else
+          e.style.display = 'block';
+      }
     </script>
   </head>
   <body onload="put_config();">
     <h1>My Data</h1>
-    <small>v2.1.2, by bahbka</small>
+    <small>v2.2.0, by bahbka</small>
     <hr size="1" />
 
     <form action="javascript: get_config();" id="config_form">
-      Server URL:
-      <input type="text" id="url" class="url" value="" placeholder="your URL here">
+      Server URL
+      <input type="text" id="url" class="text" value="" placeholder="your URL here">
+
+      <hr size="1" />
+
+      <span onclick="toggle_visibility('auth')">Server auth <small>(optional)</small></span>
+      <div id="auth" style="display: none">
+      Pebble Token
+      <input type="text" id="token" class="text" value="">
+
+      Password
+      <input type="password" id="password" class="text" value="">
+      </div>
+
+      <hr size="1" />
 
       <div class="param">
         <div class="label">
@@ -91,25 +113,9 @@ vim: sw=2 ts=2 expandtab ai -->
       </div>
       <input type="submit" id="save" class="submit" value="save and apply">
     </form>
-    <hr size="1" />
 
-    Sample server output:<br>
-    <small>(see documentation on <a href="https://github.com/bahbka/pebble-my-data/blob/master/README.md">github</a>)</small>
-    <pre class="example">
-{
-  "content": "Hello\\nWorld!",
-  "refresh": 300, // refresh delay, seconds
-  "vibrate": 0,   // 0..3, 0 - don't vibrate
-  "font": 1,      // 1..8, try them all
-  "theme": 0,     // 0 - black, 1 - white
-  "scroll": 1,    // scroll up after update
-  "light": 1,     // turn on light
-  "blink": 1,     // blink content (count)
-  "updown": 1     // change up/down behavior
-}
-
-GET param select=1 or select=2 added to URL on
-short or long select button update
-    </pre>
+    <hr size="1" />
+    <small>see documentation on <a href="https://github.com/bahbka/pebble-my-data/blob/master/README.md">github</a></small><br>
+    <small><a href="http://forums.getpebble.com/discussion/13590">discussion</a> at pebble forums</small>
   </body>
 </html>
diff --git a/src/js/pebble-js-app.src.js b/src/js/pebble-js-app.src.js
index 099a2f9..bf08528 100644
--- a/src/js/pebble-js-app.src.js
+++ b/src/js/pebble-js-app.src.js
@@ -25,7 +25,16 @@ function http_request(url) {
   var req = new XMLHttpRequest();
 
   req.open('GET', url, true);
-  req.setRequestHeader('Pebble-Token', Pebble.getAccountToken());
+
+  if (!config["token"]) {
+    config["token"] = Pebble.getAccountToken();
+  }
+  req.setRequestHeader('Pebble-Token', config["token"]);
+
+  var auth = window.localStorage.getItem('pebble-my-data-auth');
+  if (auth) {
+    req.setRequestHeader('Pebble-Auth', auth);
+  }
 
   req.onload = function(e) {
 
@@ -37,6 +46,14 @@ function http_request(url) {
           response["msg_type"] = MSG.JSON_RESPONSE;
           Pebble.sendAppMessage(response);
 
+          if (response["auth"] != null) {
+            if (response["auth"] == "") {
+              window.localStorage.removeItem('pebble-my-data-auth');
+            } else if (config["password"]) {
+              window.localStorage.setItem('pebble-my-data-auth', MD5(MD5(config["password"]) + response["auth"]));
+            }
+          }
+
         } catch(e) {
           console.log("json parse error");
           Pebble.sendAppMessage({ "msg_type": MSG.ERROR });
@@ -145,6 +162,9 @@ Pebble.addEventListener('showConfiguration', function () {
   } else {
     url = "";
   }
+  if (!config["token"]) {
+    config["token"] = Pebble.getAccountToken();
+  }
   //console.log("put options = " + JSON.stringify(config));
 
   Pebble.openURL('data:text/html,'+encodeURI('_HTMLMARKER_<!--.html'.replace('_CONFIG_', JSON.stringify(config), 'g')));
@@ -169,3 +189,203 @@ Pebble.addEventListener("webviewclosed", function(e) {
     }
   }
 });
+
+var MD5 = function (string) {
+  function RotateLeft(lValue, iShiftBits) {
+    return (lValue<<iShiftBits) | (lValue>>>(32-iShiftBits));
+  }
+
+  function AddUnsigned(lX,lY) {
+    var lX4,lY4,lX8,lY8,lResult;
+    lX8 = (lX & 0x80000000);
+    lY8 = (lY & 0x80000000);
+    lX4 = (lX & 0x40000000);
+    lY4 = (lY & 0x40000000);
+    lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF);
+    if (lX4 & lY4) {
+      return (lResult ^ 0x80000000 ^ lX8 ^ lY8);
+    }
+    if (lX4 | lY4) {
+      if (lResult & 0x40000000) {
+        return (lResult ^ 0xC0000000 ^ lX8 ^ lY8);
+      } else {
+        return (lResult ^ 0x40000000 ^ lX8 ^ lY8);
+      }
+    } else {
+      return (lResult ^ lX8 ^ lY8);
+    }
+  }
+
+  function F(x,y,z) { return (x & y) | ((~x) & z); }
+  function G(x,y,z) { return (x & z) | (y & (~z)); }
+  function H(x,y,z) { return (x ^ y ^ z); }
+  function I(x,y,z) { return (y ^ (x | (~z))); }
+
+  function FF(a,b,c,d,x,s,ac) {
+    a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac));
+    return AddUnsigned(RotateLeft(a, s), b);
+  };
+
+  function GG(a,b,c,d,x,s,ac) {
+    a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac));
+    return AddUnsigned(RotateLeft(a, s), b);
+  };
+
+  function HH(a,b,c,d,x,s,ac) {
+    a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac));
+    return AddUnsigned(RotateLeft(a, s), b);
+  };
+
+  function II(a,b,c,d,x,s,ac) {
+    a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac));
+    return AddUnsigned(RotateLeft(a, s), b);
+  };
+
+  function ConvertToWordArray(string) {
+    var lWordCount;
+    var lMessageLength = string.length;
+    var lNumberOfWords_temp1=lMessageLength + 8;
+    var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64;
+    var lNumberOfWords = (lNumberOfWords_temp2+1)*16;
+    var lWordArray=Array(lNumberOfWords-1);
+    var lBytePosition = 0;
+    var lByteCount = 0;
+    while ( lByteCount < lMessageLength ) {
+      lWordCount = (lByteCount-(lByteCount % 4))/4;
+      lBytePosition = (lByteCount % 4)*8;
+      lWordArray[lWordCount] = (lWordArray[lWordCount] | (string.charCodeAt(lByteCount)<<lBytePosition));
+      lByteCount++;
+    }
+    lWordCount = (lByteCount-(lByteCount % 4))/4;
+    lBytePosition = (lByteCount % 4)*8;
+    lWordArray[lWordCount] = lWordArray[lWordCount] | (0x80<<lBytePosition);
+    lWordArray[lNumberOfWords-2] = lMessageLength<<3;
+    lWordArray[lNumberOfWords-1] = lMessageLength>>>29;
+    return lWordArray;
+  };
+
+  function WordToHex(lValue) {
+    var WordToHexValue="",WordToHexValue_temp="",lByte,lCount;
+    for (lCount = 0;lCount<=3;lCount++) {
+      lByte = (lValue>>>(lCount*8)) & 255;
+      WordToHexValue_temp = "0" + lByte.toString(16);
+      WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2);
+    }
+    return WordToHexValue;
+  };
+
+  function Utf8Encode(string) {
+    string = string.replace(/\r\n/g,"\n");
+    var utftext = "";
+
+    for (var n = 0; n < string.length; n++) {
+
+      var c = string.charCodeAt(n);
+
+      if (c < 128) {
+        utftext += String.fromCharCode(c);
+      }
+      else if((c > 127) && (c < 2048)) {
+        utftext += String.fromCharCode((c >> 6) | 192);
+        utftext += String.fromCharCode((c & 63) | 128);
+      }
+      else {
+        utftext += String.fromCharCode((c >> 12) | 224);
+        utftext += String.fromCharCode(((c >> 6) & 63) | 128);
+        utftext += String.fromCharCode((c & 63) | 128);
+      }
+
+    }
+
+    return utftext;
+  };
+
+  var x=Array();
+  var k,AA,BB,CC,DD,a,b,c,d;
+  var S11=7, S12=12, S13=17, S14=22;
+  var S21=5, S22=9 , S23=14, S24=20;
+  var S31=4, S32=11, S33=16, S34=23;
+  var S41=6, S42=10, S43=15, S44=21;
+
+  string = Utf8Encode(string);
+
+  x = ConvertToWordArray(string);
+
+  a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476;
+
+  for (k=0;k<x.length;k+=16) {
+    AA=a; BB=b; CC=c; DD=d;
+    a=FF(a,b,c,d,x[k+0], S11,0xD76AA478);
+    d=FF(d,a,b,c,x[k+1], S12,0xE8C7B756);
+    c=FF(c,d,a,b,x[k+2], S13,0x242070DB);
+    b=FF(b,c,d,a,x[k+3], S14,0xC1BDCEEE);
+    a=FF(a,b,c,d,x[k+4], S11,0xF57C0FAF);
+    d=FF(d,a,b,c,x[k+5], S12,0x4787C62A);
+    c=FF(c,d,a,b,x[k+6], S13,0xA8304613);
+    b=FF(b,c,d,a,x[k+7], S14,0xFD469501);
+    a=FF(a,b,c,d,x[k+8], S11,0x698098D8);
+    d=FF(d,a,b,c,x[k+9], S12,0x8B44F7AF);
+    c=FF(c,d,a,b,x[k+10],S13,0xFFFF5BB1);
+    b=FF(b,c,d,a,x[k+11],S14,0x895CD7BE);
+    a=FF(a,b,c,d,x[k+12],S11,0x6B901122);
+    d=FF(d,a,b,c,x[k+13],S12,0xFD987193);
+    c=FF(c,d,a,b,x[k+14],S13,0xA679438E);
+    b=FF(b,c,d,a,x[k+15],S14,0x49B40821);
+    a=GG(a,b,c,d,x[k+1], S21,0xF61E2562);
+    d=GG(d,a,b,c,x[k+6], S22,0xC040B340);
+    c=GG(c,d,a,b,x[k+11],S23,0x265E5A51);
+    b=GG(b,c,d,a,x[k+0], S24,0xE9B6C7AA);
+    a=GG(a,b,c,d,x[k+5], S21,0xD62F105D);
+    d=GG(d,a,b,c,x[k+10],S22,0x2441453);
+    c=GG(c,d,a,b,x[k+15],S23,0xD8A1E681);
+    b=GG(b,c,d,a,x[k+4], S24,0xE7D3FBC8);
+    a=GG(a,b,c,d,x[k+9], S21,0x21E1CDE6);
+    d=GG(d,a,b,c,x[k+14],S22,0xC33707D6);
+    c=GG(c,d,a,b,x[k+3], S23,0xF4D50D87);
+    b=GG(b,c,d,a,x[k+8], S24,0x455A14ED);
+    a=GG(a,b,c,d,x[k+13],S21,0xA9E3E905);
+    d=GG(d,a,b,c,x[k+2], S22,0xFCEFA3F8);
+    c=GG(c,d,a,b,x[k+7], S23,0x676F02D9);
+    b=GG(b,c,d,a,x[k+12],S24,0x8D2A4C8A);
+    a=HH(a,b,c,d,x[k+5], S31,0xFFFA3942);
+    d=HH(d,a,b,c,x[k+8], S32,0x8771F681);
+    c=HH(c,d,a,b,x[k+11],S33,0x6D9D6122);
+    b=HH(b,c,d,a,x[k+14],S34,0xFDE5380C);
+    a=HH(a,b,c,d,x[k+1], S31,0xA4BEEA44);
+    d=HH(d,a,b,c,x[k+4], S32,0x4BDECFA9);
+    c=HH(c,d,a,b,x[k+7], S33,0xF6BB4B60);
+    b=HH(b,c,d,a,x[k+10],S34,0xBEBFBC70);
+    a=HH(a,b,c,d,x[k+13],S31,0x289B7EC6);
+    d=HH(d,a,b,c,x[k+0], S32,0xEAA127FA);
+    c=HH(c,d,a,b,x[k+3], S33,0xD4EF3085);
+    b=HH(b,c,d,a,x[k+6], S34,0x4881D05);
+    a=HH(a,b,c,d,x[k+9], S31,0xD9D4D039);
+    d=HH(d,a,b,c,x[k+12],S32,0xE6DB99E5);
+    c=HH(c,d,a,b,x[k+15],S33,0x1FA27CF8);
+    b=HH(b,c,d,a,x[k+2], S34,0xC4AC5665);
+    a=II(a,b,c,d,x[k+0], S41,0xF4292244);
+    d=II(d,a,b,c,x[k+7], S42,0x432AFF97);
+    c=II(c,d,a,b,x[k+14],S43,0xAB9423A7);
+    b=II(b,c,d,a,x[k+5], S44,0xFC93A039);
+    a=II(a,b,c,d,x[k+12],S41,0x655B59C3);
+    d=II(d,a,b,c,x[k+3], S42,0x8F0CCC92);
+    c=II(c,d,a,b,x[k+10],S43,0xFFEFF47D);
+    b=II(b,c,d,a,x[k+1], S44,0x85845DD1);
+    a=II(a,b,c,d,x[k+8], S41,0x6FA87E4F);
+    d=II(d,a,b,c,x[k+15],S42,0xFE2CE6E0);
+    c=II(c,d,a,b,x[k+6], S43,0xA3014314);
+    b=II(b,c,d,a,x[k+13],S44,0x4E0811A1);
+    a=II(a,b,c,d,x[k+4], S41,0xF7537E82);
+    d=II(d,a,b,c,x[k+11],S42,0xBD3AF235);
+    c=II(c,d,a,b,x[k+2], S43,0x2AD7D2BB);
+    b=II(b,c,d,a,x[k+9], S44,0xEB86D391);
+    a=AddUnsigned(a,AA);
+    b=AddUnsigned(b,BB);
+    c=AddUnsigned(c,CC);
+    d=AddUnsigned(d,DD);
+  }
+
+  var temp = WordToHex(a)+WordToHex(b)+WordToHex(c)+WordToHex(d);
+
+  return temp.toLowerCase();
+}
diff --git a/stuff/pebble-my-data.pbw b/stuff/pebble-my-data.pbw
index db24381..cf82115 100644
Binary files a/stuff/pebble-my-data.pbw and b/stuff/pebble-my-data.pbw differ
-- 
cgit v1.2.3