p3k
/
Telegraph
mirror of https://github.com/aaronpk/Telegraph.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22 Commits
3 Branches
30 MiB
Tree: 0d67cd8a24
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0d67cd8a24'
${ noResults }
Telegraph/controllers/Auth.php

156 lines
5.8 KiB
Raw Normal View History

implement indieauth sign-in
9 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
fetch the user's h-card after logging in and update their profile data
9 years ago
implement indieauth sign-in
9 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. use \Firebase\JWT\JWT;
  5. 

  6. class Auth {
  7. 

  8.   public function login(Request $request, Response $response) {
  9.     $response->setContent(view('login', [
  10.       'title' => 'Sign In to Telegraph',
  11.       'return_to' => $request->get('return_to')
  12.     ]));
  13.     return $response;
  14.   }
  15. 

  16.   public function logout(Request $request, Response $response) {
  17.     session_start();
  18.     if(array_key_exists('user_id', $_SESSION)) {
  19.       $_SESSION['user_id'] = null;
  20.       session_destroy();
  21.     }
  22.     $response->setStatusCode(302);
  23.     $response->headers->set('Location', '/login');
  24.     return $response;
  25.   }
  26. 

  27.   public function login_start(Request $request, Response $response) {
  28. 

  29.     if(!$request->get('url') || !($me = IndieAuth\Client::normalizeMeURL($request->get('url')))) {
  30.       $response->setContent(view('login', [
  31.         'title' => 'Sign In to Telegraph',
  32.         'error' => 'Invalid URL',
  33.         'error_description' => 'The URL you entered, "<strong>' . htmlspecialchars($request->get('url')) . '</strong>" is not valid.'
  34.       ]));
  35.       return $response;
  36.     }
  37. 

  38.     $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  39. 

  40.     $state = JWT::encode([
  41.       'me' => $me,
  42.       'authorization_endpoint' => $authorizationEndpoint,
  43.       'return_to' => $request->get('return_to'),
  44.       'time' => time(),
  45.       'exp' => time()+300 // verified by the JWT library

  46.     ], Config::$secretKey);
  47. 

  48.     if($authorizationEndpoint) {
  49.       // If the user specified only an authorization endpoint, use that

  50.       $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, $me, self::_buildRedirectURI(), Config::$clientID, $state);
  51.     } else {
  52.       // Otherwise, fall back to indieauth.com

  53.       $authorizationURL = IndieAuth\Client::buildAuthorizationURL(Config::$defaultAuthorizationEndpoint, $me, self::_buildRedirectURI(), Config::$clientID, $state);
  54.     }
  55. 

  56.     $response->setStatusCode(302);
  57.     $response->headers->set('Location', $authorizationURL);
  58.     return $response;
  59.   }
  60. 

  61.   public function login_callback(Request $request, Response $response) {
  62. 

  63.     if(!$request->get('state') || !$request->get('code') || !$request->get('me')) {
  64.       $response->setContent(view('login', [
  65.         'title' => 'Sign In to Telegraph',
  66.         'error' => 'Missing Parameters',
  67.         'error_description' => 'The auth server did not return the necessary parameters, <code>state</code> and <code>code</code> and <code>me</code>.'
  68.       ]));
  69.       return $response;
  70.     }
  71. 

  72.     // Validate the "state" parameter to ensure this request originated at this client

  73.     try {
  74.       $state = JWT::decode($request->get('state'), Config::$secretKey, ['HS256']);
  75. 

  76.       if(!$state) {
  77.         $response->setContent(view('login', [
  78.           'title' => 'Sign In to Telegraph',
  79.           'error' => 'Invalid State',
  80.           'error_description' => 'The <code>state</code> parameter was not valid.'
  81.         ]));
  82.         return $response;
  83.       }
  84.     } catch(Exception $e) {
  85.       $response->setContent(view('login', [
  86.         'title' => 'Sign In to Telegraph',
  87.         'error' => 'Invalid State',
  88.         'error_description' => 'The <code>state</code> parameter was invalid:<br>'.htmlspecialchars($e->getMessage())
  89.       ]));
  90.       return $response;
  91.     }
  92. 

  93.     // Discover the authorization endpoint from the "me" that was returned by the auth server

  94.     // This allows the auth server to return a different URL than the user originally entered,

  95.     // for example if the user enters multiusersite.example the auth server can return multiusersite.example/alice

  96.     if($state->authorization_endpoint) { // only discover the auth endpoint if one was originally found, otherwise use our fallback

  97.       $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($request->get('me'));
  98.     } else {
  99.       $authorizationEndpoint = Config::$defaultAuthorizationEndpoint;
  100.     }
  101. 

  102.     // Verify the code with the auth server

  103.     $token = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $request->get('code'), $request->get('me'), self::_buildRedirectURI(), Config::$clientID, $request->get('state'), true);
  104. 

  105.     if(!array_key_exists('auth', $token) || !array_key_exists('me', $token['auth'])) {
  106.       // The auth server didn't return a "me" URL

  107.       $response->setContent(view('login', [
  108.         'title' => 'Sign In to Telegraph',
  109.         'error' => 'Invalid Auth Server Response',
  110.         'error_description' => 'The authorization server did not return a valid response:<br>'.htmlspecialchars(json_encode($token))
  111.       ]));
  112.       return $response;
  113.     }
  114. 

  115.     // Create or load the user

  116.     $user = ORM::for_table('users')->where('url', $token['auth']['me'])->find_one();
  117.     if(!$user) {
  118.       $user = ORM::for_table('users')->create();
  119.       $user->url = $token['auth']['me'];
  120.       $user->created_at = date('Y-m-d H:i:s');
  121.       $user->last_login = date('Y-m-d H:i:s');
  122.       $user->save();
  123. 

  124.       // Create a site for them with the default role

  125.       $site = ORM::for_table('sites')->create();
  126.       $site->name = 'My Website';
  127.       $site->created_by = $user->id;
  128.       $site->created_at = date('Y-m-d H:i:s');
  129.       $site->save();
  130. 

  131.       $role = ORM::for_table('roles')->create();
  132.       $role->site_id = $site->id;
  133.       $role->user_id = $user->id;
  134.       $role->role = 'owner';
  135.       $role->token = random_string(32);
  136.       $role->save();
  137. 

  138.     } else {
  139.       $user->last_login = date('Y-m-d H:i:s');
  140.       $user->save();
  141.     }
  142. 

  143.     q()->queue('Telegraph\ProfileFetcher', 'fetch', [$user->id]);
  144. 

  145.     session_start();
  146.     $_SESSION['user_id'] = $user->id;
  147.     $response->setStatusCode(302);
  148.     $response->headers->set('Location', ($state->return_to ?: '/dashboard'));
  149.     return $response;
  150.   }
  151. 

  152.   private static function _buildRedirectURI() {
  153.     return 'http' . (Config::$ssl ? 's' : '') . '://' . $_SERVER['SERVER_NAME'] . '/login/callback';
  154.   }
  155. 

  156. }