p3k
/
Telegraph
mirror of https://github.com/aaronpk/Telegraph.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
114 Commits
3 Branches
30 MiB
Tree: 6babb2250c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6babb2250c'
${ noResults }
Telegraph/controllers/Auth.php

182 lines
6.2 KiB
Raw Normal View History

implement indieauth sign-in
9 years ago
add API docs and finishing touches on copy/layout
9 years ago
implement indieauth sign-in
9 years ago
create user and site on first login
9 years ago
add API docs and finishing touches on copy/layout
9 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
fix IndieAuth protocol use `me` and `authorization_endpoint` from session
7 years ago
implement indieauth sign-in
9 years ago
fix IndieAuth protocol use `me` and `authorization_endpoint` from session
7 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
implement indieauth sign-in
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
create user and site on first login
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
create user and site on first login
9 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
4 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
fetch the user's h-card after logging in and update their profile data
9 years ago
implement indieauth sign-in
9 years ago
create user and site on first login
9 years ago
implement indieauth sign-in
9 years ago
use base URL from config for creating redirect URL
9 years ago
implement indieauth sign-in
9 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. use \Firebase\JWT\JWT;
  5. 

  6. class Auth {
  7. 

  8.   public function login(Request $request, Response $response) {
  9.     session_start();
  10.     if(session('user_id')) {
  11.       $response->setStatusCode(302);
  12.       $response->headers->set('Location', '/dashboard');
  13.     } else {
  14.       $response->setContent(view('login', [
  15.         'title' => 'Sign In to Telegraph',
  16.         'return_to' => $request->get('return_to')
  17.       ]));
  18.     }
  19.     return $response;
  20.   }
  21. 

  22.   public function logout(Request $request, Response $response) {
  23.     session_start();
  24.     if(session('user_id')) {
  25.       $_SESSION['user_id'] = null;
  26.       session_destroy();
  27.     }
  28.     $response->setStatusCode(302);
  29.     $response->headers->set('Location', '/login');
  30.     return $response;
  31.   }
  32. 

  33.   public function login_start(Request $request, Response $response) {
  34. 

  35.     if(!$request->get('url') || !($me = IndieAuth\Client::normalizeMeURL($request->get('url')))) {
  36.       $response->setContent(view('login', [
  37.         'title' => 'Sign In to Telegraph',
  38.         'error' => 'Invalid URL',
  39.         'error_description' => 'The URL you entered, "<strong>' . htmlspecialchars($request->get('url')) . '</strong>" is not valid.'
  40.       ]));
  41.       return $response;
  42.     }
  43. 

  44.     // Check if the user's URL defines an authorization endpoint

  45.     $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  46.     if(!$authorizationEndpoint) {
  47.       $authorizationEndpoint = Config::$defaultAuthorizationEndpoint;
  48.     }
  49. 

  50.     $codeVerifier = IndieAuth\Client::generatePKCECodeVerifier();
  51.     $state = JWT::encode([
  52.       'az' => $authorizationEndpoint,
  53.       'me' => $me,
  54.       'code_verifier' => $codeVerifier,
  55.       'return_to' => $request->get('return_to'),
  56.       'time' => time(),
  57.       'exp' => time()+300 // verified by the JWT library

  58.     ], Config::$secretKey);
  59. 

  60.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, [
  61.       'me' => $me,
  62.       'redirect_uri' => self::_buildRedirectURI(),
  63.       'client_id' => Config::$clientID,
  64.       'state' => $state,
  65.       'code_verifier' => $codeVerifier,
  66.     ]);
  67. 

  68.     $response->setStatusCode(302);
  69.     $response->headers->set('Location', $authorizationURL);
  70.     return $response;
  71.   }
  72. 

  73.   public function login_callback(Request $request, Response $response) {
  74. 

  75.     if(!$request->get('state') || !$request->get('code')) {
  76.       $response->setContent(view('login', [
  77.         'title' => 'Sign In to Telegraph',
  78.         'error' => 'Missing Parameters',
  79.         'error_description' => 'The auth server did not return the necessary parameters, <code>state</code> and <code>code</code>.'
  80.       ]));
  81.       return $response;
  82.     }
  83. 

  84.     // Validate the "state" parameter to ensure this request originated at this client

  85.     try {
  86.       $state = JWT::decode($request->get('state'), Config::$secretKey, ['HS256']);
  87. 

  88.       if(!$state) {
  89.         $response->setContent(view('login', [
  90.           'title' => 'Sign In to Telegraph',
  91.           'error' => 'Invalid State',
  92.           'error_description' => 'The <code>state</code> parameter was not valid.'
  93.         ]));
  94.         return $response;
  95.       }
  96.     } catch(Exception $e) {
  97.       $response->setContent(view('login', [
  98.         'title' => 'Sign In to Telegraph',
  99.         'error' => 'Invalid State',
  100.         'error_description' => 'The <code>state</code> parameter was invalid:<br>'.htmlspecialchars($e->getMessage())
  101.       ]));
  102.       return $response;
  103.     }
  104. 

  105.     $authorizationEndpoint = $state->az;
  106. 

  107.     // Verify the code with the auth server

  108.     $data = IndieAuth\Client::exchangeAuthorizationCode($state->az, [
  109.       'code' => $request->get('code'),
  110.       'redirect_uri' => self::_buildRedirectURI(),
  111.       'client_id' => Config::$clientID,
  112.       'code_verifier' => $state->code_verifier,
  113.     ]);
  114. 

  115.     if(!isset($data['response']['me'])) {
  116.       // The authorization server didn't return a "me" URL

  117.       $response->setContent(view('login', [
  118.         'title' => 'Sign In to Telegraph',
  119.         'error' => 'Invalid Auth Server Response',
  120.         'error_description' => 'The authorization server ('.$authorizationEndpoint.') did not return a valid response:<br><pre style="text-align:left; max-height: 400px; overflow: scroll;">HTTP '.$data['response_code']."\n\n".htmlspecialchars(json_encode($data)).'</pre>'
  121.       ]));
  122.       return $response;
  123.     }
  124. 

  125.     // Verify the authorization endpoint matches

  126.     if($data['response']['me'] != $state->me) {
  127.       $newAuthorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($data['response']['me']);
  128.       if($newAuthorizationEndpoint != $authorizationEndpoint) {
  129.         $response->setContent(view('login', [
  130.           'title' => 'Sign In to Telegraph',
  131.           'error' => 'Invalid Authorization Endpoint',
  132.           'error_description' => 'The authorization endpoint for the returned profile URL ('.$data['response']['me'].') did not match the authorization endpoint used to begin the login.'
  133.         ]));
  134.         return $response;
  135.       }
  136.     }
  137. 

  138.     $me = $data['response']['me'];
  139. 

  140.     // Create or load the user

  141.     $user = ORM::for_table('users')->where('url', $me)->find_one();
  142.     if(!$user) {
  143.       $user = ORM::for_table('users')->create();
  144.       $user->url = $me;
  145.       $user->created_at = date('Y-m-d H:i:s');
  146.       $user->last_login = date('Y-m-d H:i:s');
  147.       $user->save();
  148. 

  149.       // Create a site for them with the default role

  150.       $site = ORM::for_table('sites')->create();
  151.       $site->name = 'My Website';
  152.       $site->url = $me;
  153.       $site->created_by = $user->id;
  154.       $site->created_at = date('Y-m-d H:i:s');
  155.       $site->save();
  156. 

  157.       $role = ORM::for_table('roles')->create();
  158.       $role->site_id = $site->id;
  159.       $role->user_id = $user->id;
  160.       $role->role = 'owner';
  161.       $role->token = random_string(32);
  162.       $role->save();
  163. 

  164.     } else {
  165.       $user->last_login = date('Y-m-d H:i:s');
  166.       $user->save();
  167.     }
  168. 

  169.     q()->queue('Telegraph\ProfileFetcher', 'fetch', [$user->id]);
  170. 

  171.     session_start();
  172.     $_SESSION['user_id'] = $user->id;
  173.     $response->setStatusCode(302);
  174.     $response->headers->set('Location', ($state->return_to ?: '/dashboard'));
  175.     return $response;
  176.   }
  177. 

  178.   private static function _buildRedirectURI() {
  179.     return Config::$base . 'login/callback';
  180.   }
  181. 

  182. }