From 7ed2364a6f317a2a51ee5c0dfffcb021bda8c0c1 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 21 Feb 2024 22:18:27 +0300 Subject: periodically validate OIDC refresh token --- init.php | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'init.php') diff --git a/init.php b/init.php index 4ac8004..e5590ec 100644 --- a/init.php +++ b/init.php @@ -14,6 +14,8 @@ class Auth_OIDC extends Auth_Base { const AUTH_OIDC_CLIENT_ID = "AUTH_OIDC_CLIENT_ID"; const AUTH_OIDC_CLIENT_SECRET = "AUTH_OIDC_CLIENT_SECRET"; + // in seconds + const AUTH_OIDC_VALIDATE_INTERVAL = "AUTH_OIDC_VALIDATE_INTERVAL"; /** @var PluginHost $host */ private $host; @@ -31,10 +33,12 @@ class Auth_OIDC extends Auth_Base { Config::add(self::AUTH_OIDC_URL, "", Config::T_STRING); Config::add(self::AUTH_OIDC_CLIENT_ID, "", Config::T_STRING); Config::add(self::AUTH_OIDC_CLIENT_SECRET, "", Config::T_STRING); + Config::add(self::AUTH_OIDC_VALIDATE_INTERVAL, "3600", Config::T_INT); if (Config::get(self::AUTH_OIDC_URL)) { $host->add_hook($host::HOOK_AUTH_USER, $this); $host->add_hook($host::HOOK_LOGINFORM_ADDITIONAL_BUTTONS, $this); + $host->add_hook($host::HOOK_VALIDATE_SESSION, $this); if (Config::get(self::AUTH_OIDC_POST_LOGOUT_URL) != "") $host->add_hook($host::HOOK_POST_LOGOUT, $this); @@ -89,6 +93,9 @@ class Auth_OIDC extends Auth_Base { } } + $_SESSION["auth_oidc:refresh_token"] = $oidc->getRefreshToken(); + $_SESSION["auth_oidc:refresh_token_last_check"] = time(); + return $user_id; } catch (Exception $e) { 
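Review bot: The `@@ -89` hunk stores the OIDC refresh token in `$_SESSION["auth_oidc:refresh_token"]`, which turns the session store into a holder of a long-lived, reusable credential, and nothing in this hunk revokes or clears it when the session ends. If `hook_post_logout` (outside the hunk, and only registered when a post-logout URL is configured) does not already drop it, a `unset($_SESSION["auth_oidc:refresh_token"], $_SESSION["auth_oidc:refresh_token_last_check"]);` on logout, ideally paired with a revocation call to the provider if the client library offers one, would limit the token's lifetime to the session's. It would also help to note in a comment that `$oidc->getRefreshToken()` can be null when the provider issues no refresh token, since the new validation hook silently skips revalidation in that case. The enclosing `hook_auth_user` starts and ends outside the hunk.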
@@ -99,6 +106,30 @@ class Auth_OIDC extends Auth_Base { return false; } + function hook_validate_session(): bool { + $refresh_token = $_SESSION["auth_oidc:refresh_token"] ?? false; + + if ($refresh_token && $_SESSION["auth_oidc:refresh_token_last_check"] < time() - Config::get(self::AUTH_OIDC_VALIDATE_INTERVAL)) { + $oidc = new OpenIDConnectClient(Config::get(self::AUTH_OIDC_URL), + Config::get(self::AUTH_OIDC_CLIENT_ID), + Config::get(self::AUTH_OIDC_CLIENT_SECRET)); + + try { + $result = $oidc->introspectToken($refresh_token); + + if ($result->active) + $_SESSION["auth_oidc:refresh_token_last_check"] = time(); + + return $result->active; + } catch (Exception $e) { + $_SESSION["login_error_msg"] = 'OIDC: ' . $e->getMessage(); + return false; + } + } + + return true; + } + function get_login_js() { return file_get_contents(__DIR__ . "/init.js"); } -- cgit v1.2.3
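Review bot: `$result->active` is read unguarded in `hook_validate_session`; an introspection response that lacks the `active` member (or is not an object) yields a warning and `null`, and returning `null` from a method declared `: bool` throws a `TypeError` rather than ending the session. Normalising the value first, `$active = (bool) ($result->active ?? false);` and then using `$active` for both the `last_check` update and the return value, makes the hook fail closed on a malformed response. The token is also introspected without a token type hint; if the client library's `introspectToken()` accepts one, passing `'refresh_token'` tells the provider which token store to consult. Separately, the early `return true` when no refresh token is in the session means sessions from providers that issued none are never re-validated — a comment stating that this is intentional (or a log line) would make the fail-open path explicit to the next maintainer. `get_login_js` continues outside the hunk.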