p3k
/
Telegraph
mirror of https://github.com/aaronpk/Telegraph.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
115 Commits
3 Branches
16 MiB
Tree: a66990e037
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a66990e037'
${ noResults }
Telegraph/controllers/Auth.php

182 lines
6.2 KiB
Raw Normal View History

implement indieauth sign-in
10 years ago
add API docs and finishing touches on copy/layout
10 years ago
implement indieauth sign-in
10 years ago
create user and site on first login
10 years ago
add API docs and finishing touches on copy/layout
10 years ago
create user and site on first login
10 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
fix IndieAuth protocol use `me` and `authorization_endpoint` from session
8 years ago
implement indieauth sign-in
10 years ago
fix IndieAuth protocol use `me` and `authorization_endpoint` from session
8 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
implement indieauth sign-in
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
create user and site on first login
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
create user and site on first login
10 years ago
use the user's own authz endpoint if one is defined also updates to the latest indieauth client library as of 20201126
5 years ago
create user and site on first login
10 years ago
implement indieauth sign-in
10 years ago
fetch the user's h-card after logging in and update their profile data
10 years ago
implement indieauth sign-in
10 years ago
create user and site on first login
10 years ago
implement indieauth sign-in
10 years ago
use base URL from config for creating redirect URL
9 years ago
implement indieauth sign-in
10 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. use \Firebase\JWT\JWT;
  5. 

  6. class Auth {
  7. 

  8.   public function login(Request $request, Response $response) {
  9.     session_start();
  10.     if(session('user_id')) {
  11.       $response->setStatusCode(302);
  12.       $response->headers->set('Location', '/dashboard');
  13.     } else {
  14.       $response->setContent(view('login', [
  15.         'title' => 'Sign In to Telegraph',
  16.         'return_to' => $request->get('return_to')
  17.       ]));
  18.     }
  19.     return $response;
  20.   }
  21. 

  22.   public function logout(Request $request, Response $response) {
  23.     session_start();
  24.     if(session('user_id')) {
  25.       $_SESSION['user_id'] = null;
  26.       session_destroy();
  27.     }
  28.     $response->setStatusCode(302);
  29.     $response->headers->set('Location', '/login');
  30.     return $response;
  31.   }
  32. 

  33.   public function login_start(Request $request, Response $response) {
  34. 

  35.     if(!$request->get('url') || !($me = IndieAuth\Client::normalizeMeURL($request->get('url')))) {
  36.       $response->setContent(view('login', [
  37.         'title' => 'Sign In to Telegraph',
  38.         'error' => 'Invalid URL',
  39.         'error_description' => 'The URL you entered, "<strong>' . htmlspecialchars($request->get('url')) . '</strong>" is not valid.'
  40.       ]));
  41.       return $response;
  42.     }
  43. 

  44.     // Check if the user's URL defines an authorization endpoint

  45.     $authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
  46.     if(!$authorizationEndpoint) {
  47.       $authorizationEndpoint = Config::$defaultAuthorizationEndpoint;
  48.     }
  49. 

  50.     $codeVerifier = IndieAuth\Client::generatePKCECodeVerifier();
  51.     $state = JWT::encode([
  52.       'az' => $authorizationEndpoint,
  53.       'me' => $me,
  54.       'code_verifier' => $codeVerifier,
  55.       'return_to' => $request->get('return_to'),
  56.       'time' => time(),
  57.       'exp' => time()+300 // verified by the JWT library

  58.     ], Config::$secretKey);
  59. 

  60.     $authorizationURL = IndieAuth\Client::buildAuthorizationURL($authorizationEndpoint, [
  61.       'me' => $me,
  62.       'redirect_uri' => self::_buildRedirectURI(),
  63.       'client_id' => Config::$clientID,
  64.       'state' => $state,
  65.       'code_verifier' => $codeVerifier,
  66.     ]);
  67. 

  68.     $response->setStatusCode(302);
  69.     $response->headers->set('Location', $authorizationURL);
  70.     return $response;
  71.   }
  72. 

  73.   public function login_callback(Request $request, Response $response) {
  74. 

  75.     if(!$request->get('state') || !$request->get('code')) {
  76.       $response->setContent(view('login', [
  77.         'title' => 'Sign In to Telegraph',
  78.         'error' => 'Missing Parameters',
  79.         'error_description' => 'The auth server did not return the necessary parameters, <code>state</code> and <code>code</code>.'
  80.       ]));
  81.       return $response;
  82.     }
  83. 

  84.     // Validate the "state" parameter to ensure this request originated at this client

  85.     try {
  86.       $state = JWT::decode($request->get('state'), Config::$secretKey, ['HS256']);
  87. 

  88.       if(!$state) {
  89.         $response->setContent(view('login', [
  90.           'title' => 'Sign In to Telegraph',
  91.           'error' => 'Invalid State',
  92.           'error_description' => 'The <code>state</code> parameter was not valid.'
  93.         ]));
  94.         return $response;
  95.       }
  96.     } catch(Exception $e) {
  97.       $response->setContent(view('login', [
  98.         'title' => 'Sign In to Telegraph',
  99.         'error' => 'Invalid State',
  100.         'error_description' => 'The <code>state</code> parameter was invalid:<br>'.htmlspecialchars($e->getMessage())
  101.       ]));
  102.       return $response;
  103.     }
  104. 

  105.     $authorizationEndpoint = $state->az;
  106. 

  107.     // Verify the code with the auth server

  108.     $data = IndieAuth\Client::exchangeAuthorizationCode($state->az, [
  109.       'code' => $request->get('code'),
  110.       'redirect_uri' => self::_buildRedirectURI(),
  111.       'client_id' => Config::$clientID,
  112.       'code_verifier' => $state->code_verifier,
  113.     ]);
  114. 

  115.     if(!isset($data['response']['me'])) {
  116.       // The authorization server didn't return a "me" URL

  117.       $response->setContent(view('login', [
  118.         'title' => 'Sign In to Telegraph',
  119.         'error' => 'Invalid Auth Server Response',
  120.         'error_description' => 'The authorization server ('.$authorizationEndpoint.') did not return a valid response:<br><pre style="text-align:left; max-height: 400px; overflow: scroll;">HTTP '.$data['response_code']."\n\n".htmlspecialchars(json_encode($data)).'</pre>'
  121.       ]));
  122.       return $response;
  123.     }
  124. 

  125.     // Verify the authorization endpoint matches

  126.     if($data['response']['me'] != $state->me) {
  127.       $newAuthorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($data['response']['me']);
  128.       if($newAuthorizationEndpoint != $authorizationEndpoint) {
  129.         $response->setContent(view('login', [
  130.           'title' => 'Sign In to Telegraph',
  131.           'error' => 'Invalid Authorization Endpoint',
  132.           'error_description' => 'The authorization endpoint for the returned profile URL ('.$data['response']['me'].') did not match the authorization endpoint used to begin the login.'
  133.         ]));
  134.         return $response;
  135.       }
  136.     }
  137. 

  138.     $me = $data['response']['me'];
  139. 

  140.     // Create or load the user

  141.     $user = ORM::for_table('users')->where('url', $me)->find_one();
  142.     if(!$user) {
  143.       $user = ORM::for_table('users')->create();
  144.       $user->url = $me;
  145.       $user->created_at = date('Y-m-d H:i:s');
  146.       $user->last_login = date('Y-m-d H:i:s');
  147.       $user->save();
  148. 

  149.       // Create a site for them with the default role

  150.       $site = ORM::for_table('sites')->create();
  151.       $site->name = 'My Website';
  152.       $site->url = $me;
  153.       $site->created_by = $user->id;
  154.       $site->created_at = date('Y-m-d H:i:s');
  155.       $site->save();
  156. 

  157.       $role = ORM::for_table('roles')->create();
  158.       $role->site_id = $site->id;
  159.       $role->user_id = $user->id;
  160.       $role->role = 'owner';
  161.       $role->token = random_string(32);
  162.       $role->save();
  163. 

  164.     } else {
  165.       $user->last_login = date('Y-m-d H:i:s');
  166.       $user->save();
  167.     }
  168. 

  169.     q()->queue('Telegraph\ProfileFetcher', 'fetch', [$user->id]);
  170. 

  171.     session_start();
  172.     $_SESSION['user_id'] = $user->id;
  173.     $response->setStatusCode(302);
  174.     $response->headers->set('Location', ($state->return_to ?: '/dashboard'));
  175.     return $response;
  176.   }
  177. 

  178.   private static function _buildRedirectURI() {
  179.     return Config::$base . 'login/callback';
  180.   }
  181. 

  182. }