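/**
 * Ensure the current connection with the user agent is secure with HTTPS.
 *
 * This function uses {@link isHttps()} to determine whether the connection
 * is via HTTPS. If it is, this function will return successfully (and, when
 * $strict is true, emit a Strict-Transport-Security header).
 *
 * If it is not, what happens next is determined by the following steps.
 *
 * 1. If $allow_override is true and the 'allow_plaintext' config option is
 *    also true, then the function will return successfully
 * 2. Otherwise, it will either redirect (if $action is 'redirect') or
 *    respond with a 426 error page (if $action is 'error'); in both of these
 *    cases the script exits and the function does not return
 *
 * @param string $action what to do if connection is not secure - either
 * 'redirect' or 'error' (compared strictly; anything other than 'error'
 * results in a redirect)
 * @param boolean $allow_override whether allow_plaintext is checked
 * to see if an unencrypted connection is allowed
 * @param string $redirect_url if $action is redirect, what URL to redirect to.
 * If null (or empty), this will redirect to the same page (albeit with an HTTPS
 * connection). Callers must pass a trusted, absolute URL here - it is sent
 * verbatim in the Location header, so it must never be derived from request input.
 * @param boolean $strict whether HTTP Strict Transport Security is active
 */
protected function checkHttps($action = 'redirect', $allow_override = false, $redirect_url = null, $strict = true)
{
    if ($this->isHttps()) {
        if ($strict) {
            // HSTS is only meaningful (and only honoured by browsers) on an HTTPS response.
            header('Strict-Transport-Security: max-age=3600');
        }
        return;
    }

    $config = $this->f3->get('config');
    // !empty() avoids an undefined-index notice when the option is not configured;
    // a missing option means plaintext is NOT allowed.
    if ($allow_override && !empty($config['allow_plaintext'])) {
        return;
    }

    // strict comparison: with loose ==, a non-string $action (e.g. 0 on PHP < 8)
    // could accidentally match 'error'
    if ($action === 'error') {
        // 426 Upgrade Required (RFC 7231), advertising TLS via the Upgrade header.
        $this->f3->status(426);
        header('Upgrade: TLS/1.2, HTTP/1.1');
        header('Connection: Upgrade');
        $this->fatalError($this->t('An encrypted connection (HTTPS) is required for this page.'));
        exit;
    }

    if ($redirect_url === null || $redirect_url === '') {
        // same path and query string, but with the https scheme
        $redirect_url = $this->getCanonicalURL($this->f3->get('PATH'), $this->f3->get('SERVER.QUERY_STRING'), 'https');
    }
    $this->f3->status(301);
    header('Location: ' . $redirect_url);
    exit;
}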
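/**
 * Redirect the user to the CCP SSO page and request authorization.
 * -> cf. Controller->getCookieCharacters() (equivalent cookie based login)
 *
 * When a 'characterId' GET parameter is present and a character is already
 * active, a direct login to that character is attempted first (character
 * switch, e.g. on the map page); on success the user is rerouted to '@map'
 * and this method does not return. Otherwise the session is stamped with a
 * fresh random 'state' value and the browser is redirected to the SSO
 * authorization endpoint. If the SSO client id is not configured, an error
 * is stored in the session and the user is rerouted to '@login' instead.
 *
 * @param \Base $f3
 */
public function requestAuthorization($f3)
{
    $ssoCcpClientId = Controller\Controller::getEnvironmentData('SSO_CCP_CLIENT_ID');
    if (empty($ssoCcpClientId)) {
        // SSO clientId missing
        $f3->set(self::SESSION_KEY_SSO_ERROR, self::ERROR_CCP_CLIENT_ID);
        self::getCrestLogger()->write(self::ERROR_CCP_CLIENT_ID);
        $f3->reroute('@login');
        return;
    }

    $params = $f3->get('GET');
    if (isset($params['characterId']) && ($activeCharacter = $this->getCharacter(0))) {
        // authentication restricted to a characterId ---------------------------------------------
        // restrict login to this characterId e.g. for character switch on map page
        $requestedId = $params['characterId'];
        // guard against a non-scalar query value (e.g. characterId[]=1), which trim() rejects
        $characterId = is_scalar($requestedId) ? (int) trim((string) $requestedId) : 0;
        $this->loginByRequestedCharacter($f3, $characterId, $activeCharacter);

        // direct login did not happen (on success we never get here because of the reroute):
        // remember that the SSO flow was started from the map page so the callback can return there
        $f3->set(self::SESSION_KEY_SSO_FROM_MAP, true);
    }

    // redirect to CCP SSO ----------------------------------------------------------------------
    // used for "state" check between request and callback
    // -> unpredictable nonce that binds the callback to this session (CSRF protection);
    //    mcrypt is deprecated since PHP 7.1 and removed in 7.2, so prefer random_bytes() when present
    if (function_exists('random_bytes')) {
        $state = bin2hex(random_bytes(12));
    } else {
        $state = bin2hex(mcrypt_create_iv(12, MCRYPT_DEV_URANDOM));
    }
    $f3->set(self::SESSION_KEY_SSO_STATE, $state);

    $urlParams = [
        'response_type' => 'code',
        'redirect_uri' => Controller\Controller::getEnvironmentData('URL') . $f3->build('/sso/callbackAuthorization'),
        'client_id' => $ssoCcpClientId,
        'scope' => implode(' ', $this->requestScopes),
        'state' => $state,
    ];
    $ssoAuthUrl = self::getAuthorizationEndpoint() . '?' . http_build_query($urlParams, '', '&', PHP_QUERY_RFC3986);

    $f3->status(302);
    $f3->reroute($ssoAuthUrl);
}

/**
 * Try to log in directly to the character with the given id (character switch).
 *
 * Only succeeds if the character exists, has a user character, belongs to
 * the same user as the active character, updates cleanly from CREST and is
 * still authorized afterwards. On success the login cookie is set and the
 * request is rerouted to '@map' (no return). On any failure the method
 * simply returns so the caller can fall back to the regular SSO flow.
 *
 * @param \Base $f3
 * @param int $characterId requested character id (already cast to int)
 * @param mixed $activeCharacter the currently active character as returned by getCharacter()
 */
private function loginByRequestedCharacter($f3, $characterId, $activeCharacter)
{
    /**
     * @var Model\CharacterModel $character
     */
    $character = Model\BasicModel::getNew('CharacterModel');
    $character->getById($characterId, 0);

    // check if character is valid and exists
    if ($character->dry() || !$character->hasUserCharacter()) {
        return;
    }
    // ownership check: the requested character must belong to the current user
    if ($activeCharacter->getUser()->_id !== $character->getUser()->_id) {
        return;
    }

    // -> update character from CREST (e.g. corp changed, ..)
    $updateStatus = $character->updateFromCrest();
    if (!empty($updateStatus)) {
        return;
    }

    // make sure character data is up2date!
    // -> this is not the case if e.g. userCharacters was removed "ownerHash" changed...
    $character->getById($character->_id);
    if (!$character->hasUserCharacter() || !$character->isAuthorized()) {
        return;
    }

    if ($this->loginByCharacter($character)) {
        // set "login" cookie
        $this->setLoginCookie($character);
        // route to "map"
        $f3->reroute('@map');
    }
}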