p3k
/
Telegraph
mirror of https://github.com/aaronpk/Telegraph.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
3 Branches
6.8 MiB
Tree: 6175ad184c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6175ad184c'
${ noResults }
Telegraph/controllers/Auth.php

117 lines
4.6 KiB
Raw Normal View History

implement indieauth sign-in
8 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. use \Firebase\JWT\JWT;
  5. 

  6. class Auth {
  7. 

  8.   public function login(Request $request, Response $response) {
  9.     $response->setContent(view('login', [
  10.       'title' => 'Sign In to Telegraph',
  11.       'return_to' => $request->get('return_to')
  12.     ]));
  13.     return $response;
  14.   }
  15. 

  16.   public function login_start(Request $request, Response $response) {
  17. 

  18.     if(!$request->get('url') || !($me = IndieAuth\Client::normalizeMeURL($request->get('url')))) {
  19.       $response->setContent(view('login', [
  20.         'title' => 'Sign In to Telegraph',
  21.         'error' => 'Invalid URL',
  22.         'error_description' => 'The URL you entered, "<strong>' . htmlspecialchars($request->get('url')) . '</strong>" is not valid.'
  23.       ]));
  24.       return $response;
  25.     }
  26. 

  27.     $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  28. 

  29.     $state = JWT::encode([
  30.       'me' => $me,
  31.       'authorization_endpoint' => $authorizationEndpoint,
  32.       'return_to' => $request->get('return_to'),
  33.       'time' => time(),
  34.       'exp' => time()+300 // verified by the JWT library

  35.     ], Config::$secretKey);
  36. 

  37.     if($authorizationEndpoint) {
  38.       // If the user specified only an authorization endpoint, use that

  39.       $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, $me, self::_buildRedirectURI(), Config::$clientID, $state);
  40.     } else {
  41.       // Otherwise, fall back to indieauth.com

  42.       $authorizationURL = IndieAuth\Client::buildAuthorizationURL(Config::$defaultAuthorizationEndpoint, $me, self::_buildRedirectURI(), Config::$clientID, $state);
  43.     }
  44. 

  45.     $response->setStatusCode(302);
  46.     $response->headers->set('Location', $authorizationURL);
  47.     return $response;
  48.   }
  49. 

  50.   public function login_callback(Request $request, Response $response) {
  51. 

  52.     if(!$request->get('state') || !$request->get('code') || !$request->get('me')) {
  53.       $response->setContent(view('login', [
  54.         'title' => 'Sign In to Telegraph',
  55.         'error' => 'Missing Parameters',
  56.         'error_description' => 'The auth server did not return the necessary parameters, <code>state</code> and <code>code</code> and <code>me</code>.'
  57.       ]));
  58.       return $response;
  59.     }
  60. 

  61.     // Validate the "state" parameter to ensure this request originated at this client

  62.     try {
  63.       $state = JWT::decode($request->get('state'), Config::$secretKey, ['HS256']);
  64. 

  65.       if(!$state) {
  66.         $response->setContent(view('login', [
  67.           'title' => 'Sign In to Telegraph',
  68.           'error' => 'Invalid State',
  69.           'error_description' => 'The <code>state</code> parameter was not valid.'
  70.         ]));
  71.         return $response;
  72.       }
  73.     } catch(Exception $e) {
  74.       $response->setContent(view('login', [
  75.         'title' => 'Sign In to Telegraph',
  76.         'error' => 'Invalid State',
  77.         'error_description' => 'The <code>state</code> parameter was invalid:<br>'.htmlspecialchars($e->getMessage())
  78.       ]));
  79.       return $response;
  80.     }
  81. 

  82.     // Discover the authorization endpoint from the "me" that was returned by the auth server

  83.     // This allows the auth server to return a different URL than the user originally entered,

  84.     // for example if the user enters multiusersite.example the auth server can return multiusersite.example/alice

  85.     if($state->authorization_endpoint) { // only discover the auth endpoint if one was originally found, otherwise use our fallback

  86.       $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($request->get('me'));
  87.     } else {
  88.       $authorizationEndpoint = Config::$defaultAuthorizationEndpoint;
  89.     }
  90. 

  91.     // Verify the code with the auth server

  92.     $token = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $request->get('code'), $request->get('me'), self::_buildRedirectURI(), Config::$clientID, $request->get('state'), true);
  93. 

  94.     if(!array_key_exists('auth', $token) || !array_key_exists('me', $token['auth'])) {
  95.       // The auth server didn't return a "me" URL

  96.       $response->setContent(view('login', [
  97.         'title' => 'Sign In to Telegraph',
  98.         'error' => 'Invalid Auth Server Response',
  99.         'error_description' => 'The authorization server did not return a valid response:<br>'.htmlspecialchars(json_encode($token))
  100.       ]));
  101.       return $response;
  102.     }
  103. 

  104.     // Create or load the user

  105. 

  106.     session_start();
  107.     $_SESSION['me'] = $token['auth']['me'];
  108.     $response->setStatusCode(302);
  109.     $response->headers->set('Location', ($state->return_to ?: '/dashboard'));
  110.     return $response;
  111.   }
  112. 

  113.   private static function _buildRedirectURI() {
  114.     return 'http' . (Config::$ssl ? 's' : '') . '://' . $_SERVER['SERVER_NAME'] . '/login/callback';
  115.   }
  116. 

  117. }