author | Andrew Dolgov <[email protected]> | 2024-01-23 16:58:26 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2024-01-23 16:58:26 +0300 |
commit | 3946e9546604e531b0f3eb7849dd6d2dea247d9c (patch) | |
tree | 1e77eac130594be9682b0b41a1c270057faa0785 | |
parent | 452ad8003719bb467d9c8eb041f726aa19f95125 (diff) |
add basic oidc support
-rw-r--r-- | classes/Config.php | 8 | ||||
-rw-r--r-- | login.php | 63 |
2 files changed, 68 insertions, 3 deletions
diff --git a/classes/Config.php b/classes/Config.php
index b445973..3fc8358 100644
--- a/classes/Config.php
+++ b/classes/Config.php
@@ -15,6 +15,10 @@ class Config {
 const DICT_SERVER = "DICT_SERVER";
 const SESSION_LIFETIME = "SESSION_LIFETIME";
 const SESSION_NAME = "SESSION_NAME";
+ const OIDC_NAME = "OIDC_NAME";
+ const OIDC_URL = "OIDC_URL";
+ const OIDC_CLIENT_ID = "OIDC_CLIENT_ID";
+ const OIDC_CLIENT_SECRET = "OIDC_CLIENT_SECRET";
 private const _DEFAULTS = [
 Config::DB_TYPE => [ "sqlite", Config::T_STRING ],
@@ -24,6 +28,10 @@ class Config {
 Config::DICT_SERVER => [ "", Config::T_STRING ],
 Config::SESSION_LIFETIME => [ 86400*30, Config::T_INT ],
 Config::SESSION_NAME => [ "epube_sid", Config::T_STRING ],
+ Config::OIDC_NAME => [ "OIDC", Config::T_STRING ],
+ Config::OIDC_URL => [ "", Config::T_STRING ],
+ Config::OIDC_CLIENT_ID => [ "", Config::T_STRING ],
+ Config::OIDC_CLIENT_SECRET => [ "", Config::T_STRING ],
 ];
 private static ?Config $instance = null;
@@ -1,10 +1,11 @@
 <?php
- set_include_path(__DIR__ ."/include" . PATH_SEPARATOR .
- get_include_path());
+ set_include_path(__DIR__ . "/include" . PATH_SEPARATOR . get_include_path());
 require_once "common.php";
 require_once "sessions.php";
+ use Jumbojett\OpenIDConnectClient;
+ Config::sanity_check();
 $op = $_REQUEST["op"] ?? "";
@@ -36,6 +37,54 @@
 } else {
 $login_notice = "Incorrect username or password";
 }
+ } else if ($op == "perform-oidc-login") {
+ $oidc = new OpenIDConnectClient(Config::get(Config::OIDC_URL),
+ Config::get(Config::OIDC_CLIENT_ID),
+ Config::get(Config::OIDC_CLIENT_SECRET));
+
+ $oidc->setRedirectURL(Config::make_self_url() . "/login.php");
+ $oidc->addScope(['openid', 'profile', 'email']);
+ $oidc->authenticate();
+
+ exit;
+ } else if ($_REQUEST['code'] ?? false) {
+
+ $oidc = new OpenIDConnectClient(Config::get(Config::OIDC_URL),
+ Config::get(Config::OIDC_CLIENT_ID),
+ Config::get(Config::OIDC_CLIENT_SECRET));
+
+ try {
+ $oidc->setRedirectURL(Config::make_self_url() . "/login.php");
+ $oidc->addScope(['openid', 'profile', 'email']);
+ $oidc->authenticate();
+
+ $username = trim(mb_strtolower($oidc->requestUserInfo("preferred_username")));
+
+ if ($username) {
+ $user = ORM::for_table('epube_users')
+ ->where('user', $username)
+ ->find_one();
+
+ if ($user) {
+ if (session_status() != PHP_SESSION_ACTIVE)
+ session_start();
+
+ session_regenerate_id(true);
+
+ $_SESSION["owner"] = $username;
+ $_SESSION["pass_hash"] = sha1($user->pass);
+ $_SESSION["csrf_token"] = bin2hex(random_bytes(16));
+
+ header("Location: index.php");
+ exit;
+ }
+ }
+
+ } catch (Exception $e) {
+ $login_notice = 'OIDC Error: ' . $e->getMessage();
+ }
+
+ logout_user();
 } else {
 logout_user();
 }
@@ -54,6 +103,11 @@
 <link rel="manifest" href="manifest.json">
 <meta name="mobile-web-app-capable" content="yes">
 <script type="text/javascript">
+ function oidc_login() {
+ window.location.href = '?op=perform-oidc-login';
+ return false;
+ }
+ $(document).ready(function() { /* global EpubeApp */
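Review bot: The callback branch `} else if ($_REQUEST['code'] ?? false) {` links the provider identity to a local row by `preferred_username` alone, and OIDC Core (section 5.1) says the relying party must not rely on that claim being unique or stable, so at a provider where users can edit their own username one person can sign in as a different local account. Persist the `sub` claim (per issuer) against the local user and look it up by that instead, or at least document the assumption with a comment such as `// assumes preferred_username is unique and immutable at the IdP`. Neither new branch checks that OIDC is configured, whereas the login form only renders the button when `Config::get(Config::OIDC_URL) != ""`; a direct `?op=perform-oidc-login` request on an unconfigured instance builds a client with an empty provider URL, and `authenticate()` in that first branch runs outside any `try`, so its failure is not caught here. Adding `&& Config::get(Config::OIDC_URL) != ""` to both conditions closes that gap, and the `catch (Exception $e)` handler should log `$e->getMessage()` rather than echo it to the browser as the login notice. The surrounding if/else chain begins before this hunk.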
@@ -88,7 +142,10 @@
 <label>Password</label>
 <input type="password" class="form-control" name="password" required="true">
 </div>
- <button type="submit" class="btn btn-default">Log in</button>
+ <button type="submit" class="btn btn-primary">Log in</button>
+ <?php if (Config::get(Config::OIDC_URL) != "") { ?>
+ <button type="submit" onclick="return oidc_login()" class="btn btn-default">Log in with <?= Config::get(Config::OIDC_NAME) ?></button>
+ <?php } ?>
 </form>
 </div>
 </body> |
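Review bot: The new OIDC button is `type="submit"` and relies on `onclick="return oidc_login()"` to redirect and cancel the submit, so when scripting is unavailable it posts the password form with empty credentials instead of starting the OIDC flow; a plain `<a class="btn btn-default" href="?op=perform-oidc-login">Log in with …</a>` (or `type="button"`) needs no script and makes the `oidc_login()` helper unnecessary. The provider name is also written raw with `<?= Config::get(Config::OIDC_NAME) ?>`; it is admin-supplied configuration, but escaping it as `<?= htmlspecialchars(Config::get(Config::OIDC_NAME), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>` keeps template output consistently encoded. The enclosing form begins before this hunk.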