 /**
  * Continues a previously saved request.
  *
  * The saved request arrives as a <code>SecurityToken</code> in the
  * <code>token</code> path parameter.  The decoded payload may carry:
  *
  * - mt the HTTP method (e.g. GET, POST); defaults to GET
  * - rt the FatFree routing path; defaults to /
  * - rq an array containing the request parameters; defaults to none
  *
  * A payload that does not decode (getPayload() returns null) is treated as
  * an invalid request and aborts with a fatal error.
  *
  * @param mixed $f3 the router-supplied F3 instance (not used; $this->f3 is used instead)
  * @param array $params the route parameters; only 'token' is read
  */
 public function continueRequest($f3, $params)
 {
     $token = new SecurityToken();
     $saved = $token->getPayload($params['token']);
     if ($saved === null) {
         // Nothing usable came back from the token; refuse rather than replay a guessed request
         $this->f3->fatalError($this->t('Invalid request.'));
         return;
     }
     // Fill in the optional keys before replaying the request
     $method = $saved['mt'] ?? 'GET';
     $route = $saved['rt'] ?? '/';
     $args = $saved['rq'] ?? [];
     // NOTE(review): method and route are taken straight from the token payload;
     // this relies on SecurityToken::getPayload() only returning data issued by
     // this installation — confirm it authenticates the token before decoding.
     $this->f3->mock("{$method} {$route}", $args);
 }
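 /**
  * Creates an automatic login cookie for the currently logged-in user.
  *
  * The cookie value is a SecurityToken wrapping an array with the keys
  * typ ('rememberme'), id, uid, exp and uaid.
  *
  * @param string|null $id the ID of the series of auto login cookies.  Cookies
  * belonging to the same user and computer share the same ID.  If null,
  * a new random ID is generated
  * @param int|null $expires the UNIX time at which the token expires.  If null,
  * now + {@link SIMPLEID_LONG_TOKEN_EXPIRES_IN} is used
  */
 protected function createCookie($id = null, $expires = null)
 {
     $user = $this->auth->getUser();
     // A caller supplying $expires is renewing an existing series; a null
     // $expires means a brand new token.
     if ($expires === null) {
         $this->logger->log(LogLevel::DEBUG, 'Automatic login token created for ' . $user['uid']);
     } else {
         $this->logger->log(LogLevel::DEBUG, 'Automatic login token renewed for ' . $user['uid']);
     }
     // Strict null checks: an id of '0' or an expiry of 0 must not be silently
     // replaced the way the previous loose == NULL comparison did.
     if ($id === null) {
         $rand = new Random();
         $id = $rand->id();
     }
     if ($expires === null) {
         $expires = time() + SIMPLEID_LONG_TOKEN_EXPIRES_IN;
     }
     $data = [
         'typ' => 'rememberme',
         'id' => $id,
         'uid' => $user['uid'],
         'exp' => $expires,
         'uaid' => $this->auth->assignUAID(),
     ];
     $token = new SecurityToken();
     $cookie = $token->generate($data);
     // NOTE(review): the cookie lifetime is always SIMPLEID_LONG_TOKEN_EXPIRES_IN,
     // even when a renewal passes an explicit $expires, so the browser-side expiry
     // and the 'exp' claim inside the token can disagree — confirm this is intended.
     $this->f3->set('COOKIE.' . $this->cookie_name, $cookie, SIMPLEID_LONG_TOKEN_EXPIRES_IN);
 }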
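 /**
  * Applies the upgrade whose plan was cached by the earlier steps and renders
  * the results page.
  *
  * The step is identified by a SecurityToken in POST.step whose payload carries
  * 'upgid'; the cached upgrade is read from the cache key $upgid . '.upgrade'
  * and all '.upgrade' entries are cleared afterwards.
  */
 function complete()
 {
     global $upgrade_access_check;
     $cache = \Cache::instance();
     $token = new SecurityToken();
     // NOTE(review): GET.tk is only checked for presence here, not verified with
     // SecurityToken::verify() as the other handlers do; the POST.step payload is
     // what actually authenticates this request — confirm that is the intended design.
     if (!$this->f3->exists('GET.tk')) {
         $this->f3->status(401);
         $this->fatalError($this->t('SimpleID detected a potential security attack.  Please try again.'));
         return;
     }
     $payload = $token->getPayload($this->f3->get('POST.step'));
     // A payload without an upgrade ID is as unusable as no payload at all
     if ($payload == null || !isset($payload['upgid'])) {
         $this->f3->status(401);
         $this->fatalError($this->t('SimpleID detected a potential security attack.  Please try again.'));
         return;
     }
     $upgid = $payload['upgid'];
     $upgrade = $cache->get($upgid . '.upgrade');
     // The cached plan is single-use: clear it whether or not it was found
     $cache->reset('.upgrade');
     if ($upgrade === false) {
         $this->f3->status(500);
         $this->fatalError($this->t('Upgrade not found'));
         // Without this return the code below would index into false
         return;
     }
     if (!$upgrade_access_check) {
         $this->f3->set('edit_upgrade_php', $this->t('Remember to edit upgrade.php to check <code>$upgrade_access_check</code> back to <code>TRUE</code>.'));
     }
     $this->f3->set('results', $upgrade['results']);
     $this->f3->set('upgrade_complete', $this->t('Your SimpleID installation has been upgraded.  Please check the results below for any errors.'));
     $this->f3->set('title', $this->t('Upgrade'));
     $this->f3->set('page_class', 'dialog-page');
     $this->f3->set('layout', 'upgrade_results.html');
     // $tpl was never assigned before; create the template engine the same way
     // loginForm() does.
     $tpl = new \Template();
     print $tpl->render('page.html');
 }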
 /**
  * Deletes (revokes) an app from the logged-in user's client list.
  *
  * Reads a URL-encoded request body carrying the security token 'tk'
  * (context 'apps'), invokes the 'revokeApp' hook for the client ID given in
  * $params['cid'], removes that entry from $user->clients and saves the user.
  * Responds with JSON: 401 on a missing or invalid token, 404 on an unknown
  * client ID, otherwise a success result.
  *
  * @param mixed $f3 the router-supplied F3 instance (not used; $this->f3 is used instead)
  * @param array $params the route parameters; 'cid' is the client ID to delete
  */
 public function delete($f3, $params)
 {
     $this->checkHttps('error', true);
     parse_str($this->f3->get('BODY'), $body);
     header('Content-Type: application/json');
     $token = new SecurityToken();
     $authorised = isset($body['tk']) && $token->verify($body['tk'], 'apps');
     if (!$authorised) {
         $this->f3->status(401);
         print json_encode(['error' => 'unauthorized', 'error_description' => $this->t('Unauthorized')]);
         return;
     }
     // NOTE(review): getUser() is assumed to return a logged-in user here; there is
     // no isLoggedIn() guard as in consent() — confirm the route is protected upstream.
     $user = AuthManager::instance()->getUser();
     $clients =& $user->clients;
     $cid = $params['cid'];
     if (!isset($clients[$cid])) {
         $this->f3->status(404);
         print json_encode(['error' => 'not_found', 'error_description' => $this->t('Not found')]);
         return;
     }
     ModuleManager::instance()->invokeAll('revokeApp', $cid);
     unset($clients[$cid]);
     StoreManager::instance()->saveUser($user);
     print json_encode(['result' => 'success', 'result_description' => $this->t('App has been deleted.')]);
 }
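 /**
  * Processes a user response from the {@link consentForm()} function.
  *
  * The form state (request and response) is restored from the SecurityToken
  * in POST.fs, and the submission is authenticated by the 'oauth_consent'
  * token in POST.tk.  On "Deny" an access_denied error is rendered; otherwise
  * the user's preferences for the client are updated and the authorisation
  * request is processed.
  *
  * @since 2.0
  */
 function consent()
 {
     $auth = AuthManager::instance();
     $token = new SecurityToken();
     $store = StoreManager::instance();
     if (!$auth->isLoggedIn()) {
         $auth_module = $this->mgr->getModule('SimpleID\\Auth\\AuthModule');
         $auth_module->loginForm();
         return;
     }
     $user = $auth->getUser();
     // NOTE(review): getPayload() returns null for an undecodable form state;
     // $request/$response would then be null and the calls below fail — the
     // appropriate user-facing handling for that case is not visible here.
     $form_state = $token->getPayload($this->f3->get('POST.fs'));
     $request = $form_state['rq'];
     $response = $form_state['rs'];
     if (!$token->verify($this->f3->get('POST.tk'), 'oauth_consent')) {
         $this->logger->log(LogLevel::WARNING, 'Security token ' . $this->f3->get('POST.tk') . ' invalid.');
         $this->f3->set('message', $this->t('SimpleID detected a potential security attack.  Please try again.'));
         $this->consentForm($request, $response);
         return;
     }
     if ($this->f3->get('POST.op') == $this->t('Deny')) {
         $response->setError('access_denied')->renderRedirect();
         return;
     }
     $this->mgr->invokeRefAll('oAuthConsentFormSubmit', $form_state);
     $client = $store->loadClient($request['client_id'], 'SimpleID\\Protocols\\OAuth\\OAuthClient');
     $cid = $client->getStoreID();
     $now = time();
     $consents = ['oauth' => $this->f3->get('POST.prefs.consents.oauth')];
     if (isset($user->clients[$cid])) {
         $prefs = $user->clients[$cid];
     } else {
         // First consent for this client: seed the preference record
         $prefs = [
             'oauth' => [],
             'store_id' => $client->getStoreID(),
             'display_name' => $client->getDisplayName(),
             'display_html' => $client->getDisplayHTML(),
             'first_time' => $now,
             'consents' => [],
         ];
     }
     $prefs['last_time'] = $now;
     $prefs['consents'] = array_merge($prefs['consents'], $consents);
     // The previous code compared exists() (a bool) with 'true', which is always
     // true when the field is present; compare the posted value instead.
     // Assumes the consent form posts the literal string 'true' for this field.
     if ($this->f3->exists('POST.prefs.oauth.prompt_none') && $this->f3->get('POST.prefs.oauth.prompt_none') === 'true') {
         $prefs['oauth']['prompt_none'] = true;
     }
     $user->clients[$cid] = $prefs;
     $store->saveUser($user);
     $this->processAuthRequest($request, $response);
 }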
 /**
  * Returns the dashboard OTP block.
  *
  * The block explains login verification and offers an Enable or Disable
  * button depending on whether the user record carries an 'otp' entry.
  * The form posts a session-bound 'otp' security token to auth/otp.
  *
  * @return array the dashboard OTP block
  */
 public function dashboardBlocksHook()
 {
     $user = AuthManager::instance()->getUser();
     $base_path = $this->f3->get('base_path');
     $token = new SecurityToken();
     $tk = $token->generate('otp', SecurityToken::OPTION_BIND_SESSION);
     // Both $base_path (configuration) and $tk (a generated token) are written into
     // attributes unescaped; they are assumed to be attribute-safe.
     $form = static function ($label) use ($base_path, $tk) {
         return '<form action="' . $base_path . 'auth/otp" method="post" enctype="application/x-www-form-urlencoded"><input type="hidden" name="tk" value="' . $tk . '"/>'
             . '<input type="submit" name="op" value="' . $label . '" /></form>';
     };
     $otp_enabled = isset($user['otp']);
     $html = '<p>' . $this->t('Login verification adds an extra layer of protection to your account. When enabled, you will need to enter an additional security code whenever you log into SimpleID.') . '</p>';
     if ($otp_enabled) {
         $html .= '<p>' . $this->t('Login verification is <strong>enabled</strong>.') . '</p>';
         $html .= $form($this->t('Disable'));
     } else {
         $html .= '<p>' . $this->t('Login verification is <strong>disabled</strong>. To enable login verification, click the button below.') . '</p>';
         $html .= $form($this->t('Enable'));
     }
     return [
         [
             'id' => 'otp',
             'title' => $this->t('Login Verification'),
             'content' => $html,
             'weight' => 0,
         ],
     ];
 }
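 /**
  * Processes a user response from the {@link simpleid_openid_consent_form()} function.
  *
  * If the user verifies the relying party, an OpenID response will be sent to
  * the relying party.  Otherwise, the dashboard will be displayed to the user.
  *
  * The form state (request, response and the 'code' reason) is restored from
  * the SecurityToken in POST.fs; the submission itself is authenticated by the
  * 'openid_consent' token in POST.tk.
  */
 public function consent()
 {
     $auth = AuthManager::instance();
     $token = new SecurityToken();
     $store = StoreManager::instance();
     if (!$auth->isLoggedIn()) {
         $auth_module = $this->mgr->getModule('SimpleID\\Auth\\AuthModule');
         $auth_module->loginForm();
         return;
     }
     $user = $auth->getUser();
     // NOTE(review): getPayload() returns null for an undecodable form state;
     // $request/$response would then be null and the calls below fail — the
     // appropriate user-facing handling for that case is not visible here.
     $form_state = $token->getPayload($this->f3->get('POST.fs'));
     $request = $form_state['rq'];
     $response = $form_state['rs'];
     $reason = $form_state['code'];
     if (!$token->verify($this->f3->get('POST.tk'), 'openid_consent')) {
         $this->logger->log(LogLevel::WARNING, 'Security token ' . $this->f3->get('POST.tk') . ' invalid.');
         $this->f3->set('message', $this->t('SimpleID detected a potential security attack.  Please try again.'));
         $this->consentForm($request, $response, $reason);
         return;
     }
     $return_to = $response['return_to'];
     if ($return_to == null) {
         // Fall back to the return_to carried by the original request
         $return_to = $request['openid.return_to'];
     }
     if ($this->f3->get('POST.op') == $this->t('Cancel')) {
         $response = $this->createErrorResponse($request, false);
         if (!$return_to) {
             $this->f3->set('message', $this->t('Log in cancelled.'));
         }
     } else {
         $this->mgr->invokeRefAll('openIDConsentFormSubmit', $form_state);
         // The previous code compared exists() (a bool) with 'true', so consent was
         // recorded whenever the field was present at all; compare the posted value.
         // Assumes the consent form posts the literal string 'true' for this field.
         $consents = [
             'openid' => $this->f3->exists('POST.prefs.consents.openid') && $this->f3->get('POST.prefs.consents.openid') === 'true',
         ];
         $this->logActivity($request, $consents);
         $this->signResponse($response, isset($response['assoc_handle']) ? $response['assoc_handle'] : null);
         if (!$return_to) {
             $this->f3->set('message', $this->t('You were logged in successfully.'));
         }
     }
     // With no return_to there is nowhere to send the response; show the dashboard instead
     if ($return_to) {
         $response->render($return_to);
     } else {
         $this->f3->reroute('/');
     }
 }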
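 /**
  * Displays a user login or a login verification form.
  *
  * The form shown depends on $form_state['mode']:
  *
  * - MODE_CREDENTIALS: the normal log-in form
  * - MODE_REENTER_CREDENTIALS: as above, with the user ID pre-filled from
  *   $form_state['uid']
  * - MODE_VERIFY: the verification forms, taken from $form_state['verify_forms']
  *   if present, otherwise collected from the modules' loginForm hooks; if no
  *   forms result, nothing is rendered
  *
  * @param array $params the F3 parameters; 'destination' is forwarded to the template
  * @param array $form_state the form state; 'mode' selects the form and 'cancel'
  * adds a cancel button
  */
 public function loginForm($params = array('destination' => null), $form_state = array('mode' => AuthManager::MODE_CREDENTIALS))
 {
     $tpl = new \Template();
     $config = $this->f3->get('config');
     // 1. Check for HTTPS
     $this->checkHttps('redirect', true);
     // 2. Build the buttons and security messaging
     switch ($form_state['mode']) {
         case AuthManager::MODE_REENTER_CREDENTIALS:
             $this->f3->set('uid', $form_state['uid']);
             // Fall through: re-entering credentials uses the same form as a fresh log in
         case AuthManager::MODE_CREDENTIALS:
             $security_class = !empty($config['allow_autocomplete']) ? 'allow-autocomplete ' : '';
             $this->f3->set('security_class', $security_class);
             $this->f3->set('submit_button', $this->t('Log in'));
             $this->f3->set('title', $this->t('Log In'));
             break;
         case AuthManager::MODE_VERIFY:
             $this->f3->set('submit_button', $this->t('Verify'));
             $this->f3->set('title', $this->t('Verify'));
     }
     if (isset($form_state['cancel'])) {
         $this->f3->set('cancellable', true);
         $this->f3->set('cancel_button', $this->t('Cancel'));
     }
     // 3. Build the forms
     if ($form_state['mode'] == AuthManager::MODE_VERIFY && isset($form_state['verify_forms'])) {
         $forms = $form_state['verify_forms'];
         unset($form_state['verify_forms']);
     } else {
         $forms = $this->mgr->invokeRefAll('loginForm', $form_state);
         // Lighter weights first, preserving key association
         uasort($forms, function ($a, $b) {
             return $a['weight'] <=> $b['weight'];
         });
     }
     // Nothing to verify.  The previous code tested count($forms) inside the switch
     // above, before $forms had been assigned; the check only makes sense here.
     if ($form_state['mode'] == AuthManager::MODE_VERIFY && count($forms) == 0) {
         return;
     }
     $this->f3->set('forms', $forms);
     // 4. We can't use SecurityToken::BIND_SESSION here because the PHP session is not
     // yet stable
     $token = new SecurityToken();
     $this->f3->set('tk', $token->generate('login', SecurityToken::OPTION_NONCE));
     $this->f3->set('fs', $token->generate($form_state));
     if (isset($params['destination'])) {
         $this->f3->set('destination', $params['destination']);
     }
     // The login page must never be framed: template-side framekiller plus the header
     $this->f3->set('framekiller', true);
     $this->f3->set('page_class', 'dialog-page');
     $this->f3->set('layout', 'auth_login.html');
     header('X-Frame-Options: DENY');
     print $tpl->render('page.html');
 }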