p3k
/
Teacup
mirror of https://github.com/aaronpk/Teacup.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
85 Commits
2 Branches
158 MiB
Tree: 871d41767c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '871d41767c'
${ noResults }
Teacup/controllers/auth.php

352 lines
12 KiB
Raw Normal View History

add base project files copied from Quill
10 years ago
use /pebble for client_id from pebble auth
9 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
10 years ago
parse home page h-card for the user's name and profile photo
10 years ago
update home page h-card parsing
10 years ago
parse home page h-card for the user's name and profile photo
10 years ago
add base project files copied from Quill
10 years ago
oops this is teacup
9 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
update home page h-card parsing
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add pebble login flow
10 years ago
add base project files copied from Quill
10 years ago
use /pebble for client_id from pebble auth
9 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
teacup should request "create" scope
7 years ago
use /pebble for client_id from pebble auth
9 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
use /pebble for client_id from pebble auth
9 years ago
add base project files copied from Quill
10 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
10 years ago
parse home page h-card for the user's name and profile photo
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
parse home page h-card for the user's name and profile photo
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
parse home page h-card for the user's name and profile photo
10 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
use /pebble for client_id from pebble auth
9 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
add pebble login flow
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
IndieAuth updates closes #8
6 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
IndieAuth updates closes #8
6 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
IndieAuth updates closes #8
6 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add pebble login flow
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
IndieAuth updates closes #8
6 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add photo support to Teacup posts photos to the media endpoint if set
8 years ago
render() method outputs directly
7 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add pebble login flow
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
10 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add photo support to Teacup posts photos to the media endpoint if set
8 years ago
change login flow to support sites that don't have a micropub endpoint
10 years ago
add base project files copied from Quill
10 years ago
add pebble login flow
10 years ago
add base project files copied from Quill
10 years ago
render() method outputs directly
7 years ago
add base project files copied from Quill
10 years ago
add pebble login flow
10 years ago
add base project files copied from Quill
10 years ago
 
  1. <?php
  2. 

  3. function buildRedirectURI() {
  4.   return Config::$base_url . 'auth/callback';
  5. }
  6. 

  7. function clientID($pebble=false) {
  8.   if($pebble) {
  9.     return Config::$base_url . 'pebble';
  10.   } else {
  11.     return trim(Config::$base_url, '/'); // remove trailing slash from client_id

  12.   }
  13. }
  14. 

  15. function build_url($parsed_url) { 
  16.   $scheme   = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : ''; 
  17.   $host     = isset($parsed_url['host']) ? $parsed_url['host'] : ''; 
  18.   $port     = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : ''; 
  19.   $user     = isset($parsed_url['user']) ? $parsed_url['user'] : ''; 
  20.   $pass     = isset($parsed_url['pass']) ? ':' . $parsed_url['pass']  : ''; 
  21.   $pass     = ($user || $pass) ? "$pass@" : ''; 
  22.   $path     = isset($parsed_url['path']) ? $parsed_url['path'] : ''; 
  23.   $query    = isset($parsed_url['query']) ? '?' . $parsed_url['query'] : ''; 
  24.   $fragment = isset($parsed_url['fragment']) ? '#' . $parsed_url['fragment'] : ''; 
  25.   return "$scheme$user$pass$host$port$path$query$fragment"; 
  26. } 
  27. 

  28. // Input: Any URL or string like "aaronparecki.com"

  29. // Output: Normlized URL (default to http if no scheme, force "/" path)

  30. //         or return false if not a valid URL (has query string params, etc)

  31. function normalizeMeURL($url) {
  32.   $me = parse_url($url);
  33. 

  34.   if(array_key_exists('path', $me) && $me['path'] == '')
  35.     return false;
  36. 

  37.   // parse_url returns just "path" for naked domains

  38.   if(count($me) == 1 && array_key_exists('path', $me)) {
  39.     $me['host'] = $me['path'];
  40.     unset($me['path']);
  41.   }
  42. 

  43.   if(!array_key_exists('scheme', $me))
  44.     $me['scheme'] = 'http';
  45. 

  46.   if(!array_key_exists('path', $me))
  47.     $me['path'] = '/';
  48. 

  49.   // Invalid scheme

  50.   if(!in_array($me['scheme'], array('http','https')))
  51.     return false;
  52. 

  53.   // Invalid path

  54.   // if($me['path'] != '/')

  55.   //   return false;

  56. 

  57.   // query and fragment not allowed

  58.   if(array_key_exists('query', $me) || array_key_exists('fragment', $me))
  59.     return false;
  60. 

  61.   return build_url($me);
  62. }
  63. 

  64. function hostname($url) {
  65.   return parse_url($url, PHP_URL_HOST);
  66. }
  67. 

  68. function add_hcard_info($user, $hCard) {
  69.   if($user && $hCard) {
  70.     // Update the user's h-card info if present

  71.     if(BarnabyWalters\Mf2\hasProp($hCard, 'name'))
  72.       $user->name = BarnabyWalters\Mf2\getPlaintext($hCard, 'name');
  73.     if(BarnabyWalters\Mf2\hasProp($hCard, 'photo'))
  74.       $user->photo_url = BarnabyWalters\Mf2\getPlaintext($hCard, 'photo');
  75.   }  
  76. }
  77. 

  78. $app->get('/', function($format='html') use($app) {
  79.   $res = $app->response();
  80. 

  81. 

  82.   render('index', array(
  83.     'title' => 'Teacup',
  84.     'meta' => ''
  85.   ));
  86. });
  87. 

  88. $app->get('/auth/start', function() use($app) {
  89.   $req = $app->request();
  90. 

  91.   $params = $req->params();
  92.   
  93.   // the "me" parameter is user input, and may be in a couple of different forms:

  94.   // aaronparecki.com http://aaronparecki.com http://aaronparecki.com/

  95.   // Normlize the value now (move this into a function in IndieAuth\Client later)

  96.   if(!array_key_exists('me', $params) || !($me = normalizeMeURL($params['me']))) {
  97.     render('auth_error', array(
  98.       'title' => 'Sign In',
  99.       'error' => 'Invalid "me" Parameter',
  100.       'errorDescription' => 'The URL you entered, "<strong>' . $params['me'] . '</strong>" is not valid.'
  101.     ));
  102.     return;
  103.   }
  104. 

  105.   $_SESSION['attempted_me'] = $me;
  106. 

  107.   $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  108.   $tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
  109.   $micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
  110.   $hCard = IndieAuth\Client::representativeHCard($me);
  111. 

  112.   // Generate a "state" parameter for the request

  113.   $state = IndieAuth\Client::generateStateParameter();
  114.   $_SESSION['auth_state'] = $state;
  115.   
  116.   // Store whether to return to the Pebble settings tab or the new post page after signing in

  117.   if(array_key_exists('redirect', $params) && $params['redirect'] == 'settings') {
  118.     $_SESSION['redirect_after_login'] = '/pebble/settings/finished';
  119.   } else {
  120.     $_SESSION['redirect_after_login'] = '/new';
  121.   }
  122. 

  123.   $pebble = k($params, 'pebble');
  124.   $_SESSION['pebble'] = $pebble;
  125. 

  126.   if($tokenEndpoint && $micropubEndpoint && $authorizationEndpoint) {
  127.     $scope = 'create';
  128.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, $me, buildRedirectURI(), clientID($pebble), $state, $scope);
  129.     $_SESSION['authorization_endpoint'] = $authorizationEndpoint;
  130.     $_SESSION['micropub_endpoint'] = $micropubEndpoint;
  131.     $_SESSION['token_endpoint'] = $tokenEndpoint;
  132.   } else {
  133.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL('https://indieauth.com/auth', $me, buildRedirectURI(), clientID($pebble), $state);
  134.   }
  135. 

  136.   // If the user has already signed in before and has a micropub access token, skip 

  137.   // the debugging screens and redirect immediately to the auth endpoint.

  138.   // This will still generate a new access token when they finish logging in.

  139.   $user = ORM::for_table('users')->where('url', hostname($me))->find_one();
  140. 

  141.   if($user && $user->access_token && !array_key_exists('restart', $params)) {
  142. 

  143.     add_hcard_info($user, $hCard);
  144.     $user->micropub_endpoint = $micropubEndpoint;
  145.     $user->authorization_endpoint = $authorizationEndpoint;
  146.     $user->token_endpoint = $tokenEndpoint;
  147.     $user->type = $micropubEndpoint ? 'micropub' : 'local';
  148.     $user->save();
  149. 

  150.     $app->redirect($authorizationURL, 301);
  151. 

  152.   } else {
  153. 

  154.     if(!$user)
  155.       $user = ORM::for_table('users')->create();
  156.     add_hcard_info($user, $hCard);
  157.     $user->url = hostname($me);
  158.     $user->date_created = date('Y-m-d H:i:s');
  159.     $user->micropub_endpoint = $micropubEndpoint;
  160.     $user->authorization_endpoint = $authorizationEndpoint;
  161.     $user->token_endpoint = $tokenEndpoint;
  162.     $user->type = $micropubEndpoint ? 'micropub' : 'local';
  163.     $user->save();
  164. 

  165.     render('auth_start', array(
  166.       'title' => 'Sign In',
  167.       'me' => $me,
  168.       'authorizing' => $me,
  169.       'meParts' => parse_url($me),
  170.       'micropubUser' => $authorizationEndpoint && $tokenEndpoint && $micropubEndpoint,
  171.       'tokenEndpoint' => $tokenEndpoint,
  172.       'micropubEndpoint' => $micropubEndpoint,
  173.       'authorizationEndpoint' => $authorizationEndpoint,
  174.       'authorizationURL' => $authorizationURL
  175.     ));
  176.   }
  177. });
  178. 

  179. $app->get('/auth/callback', function() use($app) {
  180.   $req = $app->request();
  181.   $params = $req->params();
  182. 

  183.   // If there is no state in the session, start the login again

  184.   if(!array_key_exists('auth_state', $_SESSION)) {
  185.     render('auth_error', array(
  186.       'title' => 'Auth Callback',
  187.       'error' => 'Missing session state',
  188.       'errorDescription' => 'Something went wrong, please try signing in again, and make sure cookies are enabled for this domain.'
  189.     ));
  190.     return;
  191.   }
  192. 

  193.   if(!array_key_exists('code', $params) || trim($params['code']) == '') {
  194.     render('auth_error', array(
  195.       'title' => 'Auth Callback',
  196.       'error' => 'Missing authorization code',
  197.       'errorDescription' => 'No authorization code was provided in the request.'
  198.     ));
  199.     return;
  200.   }
  201. 

  202.   // Verify the state came back and matches what we set in the session

  203.   // Should only fail for malicious attempts, ok to show a not as nice error message

  204.   if(!array_key_exists('state', $params)) {
  205.     render('auth_error', array(
  206.       'title' => 'Auth Callback',
  207.       'error' => 'Missing state parameter',
  208.       'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt, or your authorization server failed to pass back the "state" parameter.'
  209.     ));
  210.     return;
  211.   }
  212. 

  213.   if($params['state'] != $_SESSION['auth_state']) {
  214.     render('auth_error', array(
  215.       'title' => 'Auth Callback',
  216.       'error' => 'Invalid state',
  217.       'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'
  218.     ));
  219.     return;
  220.   }
  221. 

  222.   if(!isset($_SESSION['attempted_me'])) {
  223.     render('auth_error', [
  224.       'title' => 'Auth Callback',
  225.       'error' => 'Missing data',
  226.       'errorDescription' => 'We forgot who was logging in. It\'s possible you took too long to finish signing in, or something got mixed up by signing in in another tab.'
  227.     ]);
  228.     return;
  229.   }
  230.   $me = $_SESSION['attempted_me'];
  231. 

  232.   $pebble = k($_SESSION, 'pebble');
  233. 

  234.   // Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.

  235.   // An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.

  236. 

  237.   $authorizationEndpoint = isset($_SESSION['authorization_endpoint']) ? $_SESSION['authorization_endpoint'] : false;
  238.   $tokenEndpoint = isset($_SESSION['token_endpoint']) ? $_SESSION['token_endpoint'] : false;
  239.   $micropubEndpoint = isset($_SESSION['micropub_endpoint']) ? $_SESSION['micropub_endpoint'] : false;
  240. 

  241.   unset($_SESSION['authorization_endpoint']);
  242.   unset($_SESSION['token_endpoint']);
  243.   unset($_SESSION['micropub_endpoint']);
  244. 

  245.   $skipDebugScreen = false;
  246. 

  247.   if($tokenEndpoint) {
  248.     // Exchange auth code for an access token

  249.     $token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $me, buildRedirectURI(), clientID($pebble), true);
  250. 

  251.     // If a valid access token was returned, store the token info in the session and they are signed in

  252.     if(k($token['auth'], array('me','access_token','scope'))) {
  253.       // Double check that the domain of the returned "me" matches the expected

  254.       if(parse_url($token['auth']['me'], PHP_URL_HOST) != parse_url($me, PHP_URL_HOST)) {
  255.         render('auth_error', [
  256.           'title' => 'Error Signing In',
  257.           'error' => 'Invalid user',
  258.           'errorDescription' => 'The user URL that was returned in the access token did not match the domain of the user signing in.'
  259.         ]);
  260.         return;
  261.       }
  262. 

  263.       $_SESSION['auth'] = $token['auth'];
  264.       $_SESSION['me'] = $token['auth']['me'];
  265.     }
  266. 

  267.   } else {
  268.     // No token endpoint was discovered, instead, verify the auth code at the auth server or with indieauth.com

  269. 

  270.     // Never show the intermediate login confirmation page if we just authenticated them instead of got authorization

  271.     $skipDebugScreen = true;
  272. 

  273.     if(!$authorizationEndpoint) {
  274.       $authorizationEndpoint = 'https://indieauth.com/auth';
  275.     }
  276. 

  277.     $token['auth'] = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $params['code'], $me, buildRedirectURI(), clientID($pebble));
  278. 

  279.     if(k($token['auth'], 'me')) {
  280.       $token['response'] = ''; // hack becuase the verify call doesn't actually return the real response

  281.       $token['auth']['scope'] = '';
  282.       $token['auth']['access_token'] = '';
  283.       $_SESSION['auth'] = $token['auth'];
  284.       $_SESSION['me'] = $params['me'];
  285.     }
  286.   }
  287. 

  288.   // Verify the login actually succeeded

  289.   if(!k($token['auth'], 'me')) {
  290.     render('auth_error', array(
  291.       'title' => 'Sign-In Failed',
  292.       'error' => 'Unable to verify the sign-in attempt',
  293.       'errorDescription' => ''
  294.     ));
  295.     return;
  296.   }
  297. 

  298. 

  299.   $user = ORM::for_table('users')->where('url', hostname($me))->find_one();
  300.   if($user) {
  301.     // Already logged in, update the last login date

  302.     $user->last_login = date('Y-m-d H:i:s');
  303.     // If they have logged in before and we already have an access token, then redirect to the dashboard now

  304.     if($user->access_token)
  305.       $skipDebugScreen = true;
  306.   } else {
  307.     // New user! Store the user in the database

  308.     $user = ORM::for_table('users')->create();
  309.     $user->url = hostname($me);
  310.     $user->date_created = date('Y-m-d H:i:s');
  311.     $user->last_login = date('Y-m-d H:i:s');
  312.   }
  313.   $user->micropub_endpoint = $micropubEndpoint;
  314.   $user->access_token = $token['auth']['access_token'];
  315.   $user->token_scope = $token['auth']['scope'];
  316.   $user->token_response = $token['response'];
  317.   $user->save();
  318.   $_SESSION['user_id'] = $user->id();
  319. 

  320. 

  321.   if($tokenEndpoint) {
  322.     // Make a request to the micropub endpoint to discover the media endpoint if set.

  323.     get_micropub_config($user);
  324.   }
  325. 

  326.   unset($_SESSION['auth_state']);
  327. 

  328.   if($skipDebugScreen) {
  329.     $app->redirect($_SESSION['redirect_after_login'], 301);
  330.   } else {
  331.     render('auth_callback', array(
  332.       'title' => 'Sign In',
  333.       'me' => $me,
  334.       'authorizing' => $me,
  335.       'meParts' => parse_url($me),
  336.       'tokenEndpoint' => $tokenEndpoint,
  337.       'auth' => $token['auth'],
  338.       'response' => $token['response'],
  339.       'curl_error' => (array_key_exists('error', $token) ? $token['error'] : false),
  340.       'redirect' => $_SESSION['redirect_after_login']
  341.     ));
  342.   }
  343. });
  344. 

  345. $app->get('/signout', function() use($app) {
  346.   unset($_SESSION['auth']);
  347.   unset($_SESSION['me']);
  348.   unset($_SESSION['auth_state']);
  349.   unset($_SESSION['user_id']);
  350.   $app->redirect('/', 301);
  351. });
  352.