$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Missing state parameter', 'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
if ($params['state'] != $_SESSION['auth_state']) {
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Invalid state', 'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
// Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.
// An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.
// Discover the endpoints
$micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
if ($tokenEndpoint) {
$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), k($params, 'state'), true);
} else {
$token = array('auth' => false, 'response' => false);
}
$redirectToDashboardImmediately = false;
// If a valid access token was returned, store the token info in the session and they are signed in
if (k($token['auth'], array('me', 'access_token', 'scope'))) {
$_SESSION['auth'] = $token['auth'];
$_SESSION['me'] = $params['me'];
$user = ORM::for_table('users')->where('url', $me)->find_one();
if ($user) {
// Already logged in, update the last login date
$user->last_login = date('Y-m-d H:i:s');
// If they have logged in before and we already have an access token, then redirect to the dashboard now
if ($user->micropub_access_token) {
$redirectToDashboardImmediately = true;
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Missing state parameter', 'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
if ($params['state'] != $_SESSION['auth_state']) {
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Invalid state', 'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
// Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.
// An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.
// Discover the endpoints
$micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
if ($tokenEndpoint) {
$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), Config::$base_url, k($params, 'state'), true);
} else {
$token = array('auth' => false, 'response' => false);
}
$redirectToDashboardImmediately = false;
// If a valid access token was returned, store the token info in the session and they are signed in
if (k($token['auth'], array('me', 'access_token', 'scope'))) {
$_SESSION['auth'] = $token['auth'];
$_SESSION['me'] = $params['me'];
$user = ORM::for_table('users')->where('url', $me)->find_one();
if ($user) {
// Already logged in, update the last login date
$user->last_login = date('Y-m-d H:i:s');
// If they have logged in before and we already have an access token, then redirect to the dashboard now
if ($user->micropub_access_token) {
$redirectToDashboardImmediately = true;
public function login_callback(Request $request, Response $response)
{
if (!$request->get('state') || !$request->get('code') || !$request->get('me')) {
$response->setContent(view('login', ['title' => 'Sign In to Telegraph', 'error' => 'Missing Parameters', 'error_description' => 'The auth server did not return the necessary parameters, <code>state</code> and <code>code</code> and <code>me</code>.']));
return $response;
}
// Validate the "state" parameter to ensure this request originated at this client
try {
$state = JWT::decode($request->get('state'), Config::$secretKey, ['HS256']);
if (!$state) {
$response->setContent(view('login', ['title' => 'Sign In to Telegraph', 'error' => 'Invalid State', 'error_description' => 'The <code>state</code> parameter was not valid.']));
return $response;
}
} catch (Exception $e) {
$response->setContent(view('login', ['title' => 'Sign In to Telegraph', 'error' => 'Invalid State', 'error_description' => 'The <code>state</code> parameter was invalid:<br>' . htmlspecialchars($e->getMessage())]));
return $response;
}
// Discover the authorization endpoint from the "me" that was returned by the auth server
// This allows the auth server to return a different URL than the user originally entered,
// for example if the user enters multiusersite.example the auth server can return multiusersite.example/alice
if ($state->authorization_endpoint) {
// only discover the auth endpoint if one was originally found, otherwise use our fallback
$authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($request->get('me'));
} else {
$authorizationEndpoint = Config::$defaultAuthorizationEndpoint;
}
// Verify the code with the auth server
$token = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $request->get('code'), $request->get('me'), self::_buildRedirectURI(), Config::$clientID, $request->get('state'), true);
if (!array_key_exists('auth', $token) || !array_key_exists('me', $token['auth'])) {
// The auth server didn't return a "me" URL
$response->setContent(view('login', ['title' => 'Sign In to Telegraph', 'error' => 'Invalid Auth Server Response', 'error_description' => 'The authorization server did not return a valid response:<br>' . htmlspecialchars(json_encode($token))]));
return $response;
}
// Create or load the user
$user = ORM::for_table('users')->where('url', $token['auth']['me'])->find_one();
if (!$user) {
$user = ORM::for_table('users')->create();
$user->url = $token['auth']['me'];
$user->created_at = date('Y-m-d H:i:s');
$user->last_login = date('Y-m-d H:i:s');
$user->save();
// Create a site for them with the default role
$site = ORM::for_table('sites')->create();
$site->name = 'My Website';
$site->url = $token['auth']['me'];
$site->created_by = $user->id;
$site->created_at = date('Y-m-d H:i:s');
$site->save();
$role = ORM::for_table('roles')->create();
$role->site_id = $site->id;
$role->user_id = $user->id;
$role->role = 'owner';
$role->token = random_string(32);
$role->save();
} else {
$user->last_login = date('Y-m-d H:i:s');
$user->save();
}
q()->queue('Telegraph\\ProfileFetcher', 'fetch', [$user->id]);
session_start();
$_SESSION['user_id'] = $user->id;
$response->setStatusCode(302);
$response->headers->set('Location', $state->return_to ?: '/dashboard');
return $response;
}
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Invalid state', 'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
// Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.
// An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.
// Discover the endpoints
$authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
$micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
if ($tokenEndpoint) {
$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), $params['state'], true);
} elseif ($authorizationEndpoint) {
$token = IndieAuth\Client::verifyIndieAuthCode($authorizationEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), $params['state'], true);
} else {
$token = IndieAuth\Client::verifyIndieAuthCode(Config::$defaultAuthorizationEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), $params['state'], true);
}
$redirectToDashboardImmediately = false;
// If a valid access token was returned, store the token info in the session and they are signed in
if (k($token['auth'], array('me'))) {
$_SESSION['auth'] = $token['auth'];
$_SESSION['me'] = $params['me'];
$redirectToDashboardImmediately = true;
$user = ORM::for_table('users')->where('url', $me)->find_one();
if (!$user) {
// New user! Store the user in the database
$user = ORM::for_table('users')->create();
$user->url = $me;
$user->date_created = date('Y-m-d H:i:s');
}
$user->subscriptions_url = '';