p3k
/
Teacup
mirror of https://github.com/aaronpk/Teacup.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
2 Branches
2.1 MiB
Tree: bce43daf28
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bce43daf28'
${ noResults }
Teacup/controllers/auth.php

332 lines
11 KiB
Raw Normal View History

add base project files copied from Quill
9 years ago
tweaks to posting interface
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
9 years ago
parse home page h-card for the user's name and profile photo
9 years ago
add base project files copied from Quill
9 years ago
parse home page h-card for the user's name and profile photo
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
9 years ago
parse home page h-card for the user's name and profile photo
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
parse home page h-card for the user's name and profile photo
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
parse home page h-card for the user's name and profile photo
9 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
Use only the hostname to identify users. Store posts in the database. Send the micropub request and log the response.
9 years ago
change login flow to support sites that don't have a micropub endpoint
9 years ago
add base project files copied from Quill
9 years ago
 
  1. <?php
  2. 

  3. function buildRedirectURI() {
  4.   return Config::$base_url . 'auth/callback';
  5. }
  6. 

  7. function clientID() {
  8.   return trim(Config::$base_url, '/'); // remove trailing slash from client_id

  9. }
  10. 

  11. function build_url($parsed_url) { 
  12.   $scheme   = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : ''; 
  13.   $host     = isset($parsed_url['host']) ? $parsed_url['host'] : ''; 
  14.   $port     = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : ''; 
  15.   $user     = isset($parsed_url['user']) ? $parsed_url['user'] : ''; 
  16.   $pass     = isset($parsed_url['pass']) ? ':' . $parsed_url['pass']  : ''; 
  17.   $pass     = ($user || $pass) ? "$pass@" : ''; 
  18.   $path     = isset($parsed_url['path']) ? $parsed_url['path'] : ''; 
  19.   $query    = isset($parsed_url['query']) ? '?' . $parsed_url['query'] : ''; 
  20.   $fragment = isset($parsed_url['fragment']) ? '#' . $parsed_url['fragment'] : ''; 
  21.   return "$scheme$user$pass$host$port$path$query$fragment"; 
  22. } 
  23. 

  24. // Input: Any URL or string like "aaronparecki.com"

  25. // Output: Normlized URL (default to http if no scheme, force "/" path)

  26. //         or return false if not a valid URL (has query string params, etc)

  27. function normalizeMeURL($url) {
  28.   $me = parse_url($url);
  29. 

  30.   if(array_key_exists('path', $me) && $me['path'] == '')
  31.     return false;
  32. 

  33.   // parse_url returns just "path" for naked domains

  34.   if(count($me) == 1 && array_key_exists('path', $me)) {
  35.     $me['host'] = $me['path'];
  36.     unset($me['path']);
  37.   }
  38. 

  39.   if(!array_key_exists('scheme', $me))
  40.     $me['scheme'] = 'http';
  41. 

  42.   if(!array_key_exists('path', $me))
  43.     $me['path'] = '/';
  44. 

  45.   // Invalid scheme

  46.   if(!in_array($me['scheme'], array('http','https')))
  47.     return false;
  48. 

  49.   // Invalid path

  50.   // if($me['path'] != '/')

  51.   //   return false;

  52. 

  53.   // query and fragment not allowed

  54.   if(array_key_exists('query', $me) || array_key_exists('fragment', $me))
  55.     return false;
  56. 

  57.   return build_url($me);
  58. }
  59. 

  60. function hostname($url) {
  61.   return parse_url($url, PHP_URL_HOST);
  62. }
  63. 

  64. function add_hcard_info($user, $hCard) {
  65.   if($user && $hCard) {
  66.     // Update the user's h-card info if present

  67.     if(array_key_exists('name', $hCard)) {
  68.       $user->name = $hCard['name'];
  69.     }
  70.     if(array_key_exists('photo', $hCard)) {
  71.       $user->photo_url = $hCard['photo'];
  72.     }
  73.   }  
  74. }
  75. 

  76. $app->get('/', function($format='html') use($app) {
  77.   $res = $app->response();
  78. 

  79. 

  80.   ob_start();
  81.   render('index', array(
  82.     'title' => 'Quill',
  83.     'meta' => ''
  84.   ));
  85.   $html = ob_get_clean();
  86.   $res->body($html);
  87. });
  88. 

  89. $app->get('/auth/start', function() use($app) {
  90.   $req = $app->request();
  91. 

  92.   $params = $req->params();
  93.   
  94.   // the "me" parameter is user input, and may be in a couple of different forms:

  95.   // aaronparecki.com http://aaronparecki.com http://aaronparecki.com/

  96.   // Normlize the value now (move this into a function in IndieAuth\Client later)

  97.   if(!array_key_exists('me', $params) || !($me = normalizeMeURL($params['me']))) {
  98.     $html = render('auth_error', array(
  99.       'title' => 'Sign In',
  100.       'error' => 'Invalid "me" Parameter',
  101.       'errorDescription' => 'The URL you entered, "<strong>' . $params['me'] . '</strong>" is not valid.'
  102.     ));
  103.     $app->response()->body($html);
  104.     return;
  105.   }
  106. 

  107.   $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  108.   $tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
  109.   $micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
  110.   $hCard = IndieAuth\Client::getHCard($me);
  111. 

  112.   // Generate a "state" parameter for the request

  113.   $state = IndieAuth\Client::generateStateParameter();
  114.   $_SESSION['auth_state'] = $state;
  115. 

  116.   if($tokenEndpoint && $micropubEndpoint && $authorizationEndpoint) {
  117.     $scope = 'post';
  118.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, $me, buildRedirectURI(), clientID(), $state, $scope);
  119.   } else {
  120.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL('https://indieauth.com/auth', $me, buildRedirectURI(), clientID(), $state);
  121.   }
  122. 

  123.   // If the user has already signed in before and has a micropub access token, skip 

  124.   // the debugging screens and redirect immediately to the auth endpoint.

  125.   // This will still generate a new access token when they finish logging in.

  126.   $user = ORM::for_table('users')->where('url', hostname($me))->find_one();
  127. 

  128.   if($user && $user->access_token && !array_key_exists('restart', $params)) {
  129. 

  130.     add_hcard_info($user, $hCard);
  131.     $user->micropub_endpoint = $micropubEndpoint;
  132.     $user->authorization_endpoint = $authorizationEndpoint;
  133.     $user->token_endpoint = $tokenEndpoint;
  134.     $user->type = $micropubEndpoint ? 'micropub' : 'local';
  135.     $user->save();
  136. 

  137.     $app->redirect($authorizationURL, 301);
  138. 

  139.   } else {
  140. 

  141.     if(!$user)
  142.       $user = ORM::for_table('users')->create();
  143.     add_hcard_info($user, $hCard);
  144.     $user->url = hostname($me);
  145.     $user->date_created = date('Y-m-d H:i:s');
  146.     $user->micropub_endpoint = $micropubEndpoint;
  147.     $user->authorization_endpoint = $authorizationEndpoint;
  148.     $user->token_endpoint = $tokenEndpoint;
  149.     $user->type = $micropubEndpoint ? 'micropub' : 'local';
  150.     $user->save();
  151. 

  152.     $html = render('auth_start', array(
  153.       'title' => 'Sign In',
  154.       'me' => $me,
  155.       'authorizing' => $me,
  156.       'meParts' => parse_url($me),
  157.       'micropubUser' => $authorizationEndpoint && $tokenEndpoint && $micropubEndpoint,
  158.       'tokenEndpoint' => $tokenEndpoint,
  159.       'micropubEndpoint' => $micropubEndpoint,
  160.       'authorizationEndpoint' => $authorizationEndpoint,
  161.       'authorizationURL' => $authorizationURL
  162.     ));
  163.     $app->response()->body($html);
  164.   }
  165. });
  166. 

  167. $app->get('/auth/callback', function() use($app) {
  168.   $req = $app->request();
  169.   $params = $req->params();
  170. 

  171.   // Double check there is a "me" parameter

  172.   // Should only fail for really hacked up requests

  173.   if(!array_key_exists('me', $params) || !($me = normalizeMeURL($params['me']))) {
  174.     $html = render('auth_error', array(
  175.       'title' => 'Auth Callback',
  176.       'error' => 'Invalid "me" Parameter',
  177.       'errorDescription' => 'The ID you entered, <strong>' . $params['me'] . '</strong> is not valid.'
  178.     ));
  179.     $app->response()->body($html);
  180.     return;
  181.   }
  182. 

  183.   // If there is no state in the session, start the login again

  184.   if(!array_key_exists('auth_state', $_SESSION)) {
  185.     $app->redirect('/auth/start?me='.urlencode($params['me']));
  186.     return;
  187.   }
  188. 

  189.   if(!array_key_exists('code', $params) || trim($params['code']) == '') {
  190.     $html = render('auth_error', array(
  191.       'title' => 'Auth Callback',
  192.       'error' => 'Missing authorization code',
  193.       'errorDescription' => 'No authorization code was provided in the request.'
  194.     ));
  195.     $app->response()->body($html);
  196.     return;
  197.   }
  198. 

  199.   // Verify the state came back and matches what we set in the session

  200.   // Should only fail for malicious attempts, ok to show a not as nice error message

  201.   if(!array_key_exists('state', $params)) {
  202.     $html = render('auth_error', array(
  203.       'title' => 'Auth Callback',
  204.       'error' => 'Missing state parameter',
  205.       'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt.'
  206.     ));
  207.     $app->response()->body($html);
  208.     return;
  209.   }
  210. 

  211.   if($params['state'] != $_SESSION['auth_state']) {
  212.     $html = render('auth_error', array(
  213.       'title' => 'Auth Callback',
  214.       'error' => 'Invalid state',
  215.       'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'
  216.     ));
  217.     $app->response()->body($html);
  218.     return;
  219.   }
  220. 

  221.   // Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.

  222.   // An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.

  223. 

  224.   // Discover the endpoints

  225.   $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  226.   $micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
  227.   $tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
  228. 

  229.   $redirectToDashboardImmediately = false;
  230. 

  231.   if($tokenEndpoint) {
  232.     // Exchange auth code for an access token

  233.     $token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), $params['state'], true);
  234. 

  235.     // If a valid access token was returned, store the token info in the session and they are signed in

  236.     if(k($token['auth'], array('me','access_token','scope'))) {
  237.       $_SESSION['auth'] = $token['auth'];
  238.       $_SESSION['me'] = $params['me'];
  239. 

  240.       // TODO?

  241.       // This client requires the "post" scope.

  242. 

  243. 

  244.       // Make a request to the micropub endpoint to discover the syndication targets if any.

  245.       // Errors are silently ignored here. The user will be able to retry from the new post interface and get feedback.

  246.       // get_syndication_targets($user);

  247.     }
  248. 

  249.   } else {
  250.     // No token endpoint was discovered, instead, verify the auth code at the auth server or with indieauth.com

  251. 

  252.     // Never show the intermediate login confirmation page if we just authenticated them instead of got authorization

  253.     $redirectToDashboardImmediately = true;
  254. 

  255.     if(!$authorizationEndpoint) {
  256.       $authorizationEndpoint = 'https://indieauth.com/auth';
  257.     }
  258. 

  259.     $token['auth'] = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), $params['state']);
  260. 

  261.     if(k($token['auth'], 'me')) {
  262.       $token['response'] = ''; // hack becuase the verify call doesn't actually return the real response

  263.       $token['auth']['scope'] = '';
  264.       $token['auth']['access_token'] = '';
  265.       $_SESSION['auth'] = $token['auth'];
  266.       $_SESSION['me'] = $params['me'];
  267.     }
  268.   }
  269. 

  270. 

  271.   // Verify the login actually succeeded

  272.   if(!array_key_exists('me', $_SESSION)) {
  273.     $html = render('auth_error', array(
  274.       'title' => 'Sign-In Failed',
  275.       'error' => 'Unable to verify the sign-in attempt',
  276.       'errorDescription' => ''
  277.     ));
  278.     $app->response()->body($html);
  279.     return;
  280.   }
  281. 

  282. 

  283.   $user = ORM::for_table('users')->where('url', hostname($me))->find_one();
  284.   if($user) {
  285.     // Already logged in, update the last login date

  286.     $user->last_login = date('Y-m-d H:i:s');
  287.     // If they have logged in before and we already have an access token, then redirect to the dashboard now

  288.     if($user->access_token)
  289.       $redirectToDashboardImmediately = true;
  290.   } else {
  291.     // New user! Store the user in the database

  292.     $user = ORM::for_table('users')->create();
  293.     $user->url = hostname($me);
  294.     $user->date_created = date('Y-m-d H:i:s');
  295.     $user->last_login = date('Y-m-d H:i:s');
  296.   }
  297.   $user->micropub_endpoint = $micropubEndpoint;
  298.   $user->access_token = $token['auth']['access_token'];
  299.   $user->token_scope = $token['auth']['scope'];
  300.   $user->token_response = $token['response'];
  301.   $user->save();
  302.   $_SESSION['user_id'] = $user->id();
  303. 

  304. 

  305. 

  306.   unset($_SESSION['auth_state']);
  307. 

  308.   if($redirectToDashboardImmediately) {
  309.     $app->redirect('/new', 301);
  310.   } else {
  311.     $html = render('auth_callback', array(
  312.       'title' => 'Sign In',
  313.       'me' => $me,
  314.       'authorizing' => $me,
  315.       'meParts' => parse_url($me),
  316.       'tokenEndpoint' => $tokenEndpoint,
  317.       'auth' => $token['auth'],
  318.       'response' => $token['response'],
  319.       'curl_error' => (array_key_exists('error', $token) ? $token['error'] : false)
  320.     ));
  321.     $app->response()->body($html);
  322.   }
  323. });
  324. 

  325. $app->get('/signout', function() use($app) {
  326.   unset($_SESSION['auth']);
  327.   unset($_SESSION['me']);
  328.   unset($_SESSION['auth_state']);
  329.   unset($_SESSION['user_id']);
  330.   $app->redirect('/', 301);
  331. });
  332.