public function processRequest() { $current_user = $this->getRequest()->getUser(); $provider = $this->provider; if (!$provider->isProviderEnabled()) { return new Aphront400Response(); } $provider_name = $provider->getProviderName(); $provider_key = $provider->getProviderKey(); $request = $this->getRequest(); if ($request->getStr('error')) { $error_view = id(new PhabricatorOAuthFailureView())->setRequest($request); return $this->buildErrorResponse($error_view); } $error_response = $this->retrieveAccessToken($provider); if ($error_response) { return $error_response; } $userinfo_uri = new PhutilURI($provider->getUserInfoURI()); $userinfo_uri->setQueryParam('access_token', $this->accessToken); $userinfo_uri = (string) $userinfo_uri; try { $user_data = HTTPSFuture::loadContent($userinfo_uri); if ($user_data === false) { throw new PhabricatorOAuthProviderException("Request to '{$userinfo_uri}' failed!"); } $provider->setUserData($user_data); } catch (PhabricatorOAuthProviderException $e) { return $this->buildErrorResponse(new PhabricatorOAuthFailureView(), $e); } $provider->setAccessToken($this->accessToken); $user_id = $provider->retrieveUserID(); $provider_key = $provider->getProviderKey(); $oauth_info = $this->retrieveOAuthInfo($provider); if ($current_user->getPHID()) { if ($oauth_info->getID()) { if ($oauth_info->getUserID() != $current_user->getID()) { $dialog = new AphrontDialogView(); $dialog->setUser($current_user); $dialog->setTitle('Already Linked to Another Account'); $dialog->appendChild(hsprintf('<p>The %s account you just authorized is already linked to ' . 'another Phabricator account. Before you can associate your %s ' . 'account with this Phabriactor account, you must unlink it from ' . 'the Phabricator account it is currently linked to.</p>', $provider_name, $provider_name)); $dialog->addCancelButton('/settings/page/' . $provider_key . '/'); return id(new AphrontDialogResponse())->setDialog($dialog); } else { $this->saveOAuthInfo($oauth_info); // Refresh token. return id(new AphrontRedirectResponse())->setURI('/settings/page/' . $provider_key . '/'); } } $existing_oauth = id(new PhabricatorUserOAuthInfo())->loadOneWhere('userID = %d AND oauthProvider = %s', $current_user->getID(), $provider_key); if ($existing_oauth) { $dialog = new AphrontDialogView(); $dialog->setUser($current_user); $dialog->setTitle('Already Linked to an Account From This Provider'); $dialog->appendChild(hsprintf('<p>The account you are logged in with is already linked to a %s ' . 'account. Before you can link it to a different %s account, you ' . 'must unlink the old account.</p>', $provider_name, $provider_name)); $dialog->addCancelButton('/settings/page/' . $provider_key . '/'); return id(new AphrontDialogResponse())->setDialog($dialog); } if (!$request->isDialogFormPost()) { $dialog = new AphrontDialogView(); $dialog->setUser($current_user); $dialog->setTitle('Link ' . $provider_name . ' Account'); $dialog->appendChild(hsprintf('<p>Link your %s account to your Phabricator account?</p>', $provider_name)); $dialog->addHiddenInput('confirm_token', $provider->getAccessToken()); $dialog->addHiddenInput('expires', $oauth_info->getTokenExpires()); $dialog->addHiddenInput('state', $this->oauthState); $dialog->addHiddenInput('scope', $oauth_info->getTokenScope()); $dialog->addSubmitButton('Link Accounts'); $dialog->addCancelButton('/settings/page/' . $provider_key . '/'); return id(new AphrontDialogResponse())->setDialog($dialog); } $oauth_info->setUserID($current_user->getID()); $this->saveOAuthInfo($oauth_info); return id(new AphrontRedirectResponse())->setURI('/settings/page/' . $provider_key . '/'); } // Login with known auth. if ($oauth_info->getID()) { $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); $known_user = id(new PhabricatorUser())->load($oauth_info->getUserID()); $request->getApplicationConfiguration()->willAuthenticateUserWithOAuth($known_user, $oauth_info, $provider); $session_key = $known_user->establishSession('web'); $this->saveOAuthInfo($oauth_info); $request->setCookie('phusr', $known_user->getUsername()); $request->setCookie('phsid', $session_key); $uri = new PhutilURI('/login/validate/'); $uri->setQueryParams(array('phusr' => $known_user->getUsername())); return id(new AphrontRedirectResponse())->setURI((string) $uri); } $oauth_email = $provider->retrieveUserEmail(); if ($oauth_email) { $known_email = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $oauth_email); if ($known_email) { $dialog = new AphrontDialogView(); $dialog->setUser($current_user); $dialog->setTitle('Already Linked to Another Account'); $dialog->appendChild(hsprintf('<p>The %s account you just authorized has an email address which ' . 'is already in use by another Phabricator account. To link the ' . 'accounts, log in to your Phabricator account and then go to ' . 'Settings.</p>', $provider_name)); $user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $known_email->getUserPHID()); $oauth_infos = id(new PhabricatorUserOAuthInfo())->loadAllWhere('userID = %d', $user->getID()); if ($oauth_infos) { $providers = array(); foreach ($oauth_infos as $info) { $provider = $info->getOAuthProvider(); $providers[] = PhabricatorOAuthProvider::newProvider($provider)->getProviderName(); } $dialog->appendChild(hsprintf('<p>The account is associated with: %s.</p>', implode(', ', $providers))); } $dialog->addCancelButton('/login/'); return id(new AphrontDialogResponse())->setDialog($dialog); } } if (!$provider->isProviderRegistrationEnabled()) { $dialog = new AphrontDialogView(); $dialog->setUser($current_user); $dialog->setTitle('No Account Registration With ' . $provider_name); $dialog->appendChild(hsprintf('<p>You can not register a new account using %s; you can only use ' . 'your %s account to log into an existing Phabricator account which ' . 'you have registered through other means.</p>', $provider_name, $provider_name)); $dialog->addCancelButton('/login/'); return id(new AphrontDialogResponse())->setDialog($dialog); } $controller = PhabricatorEnv::newObjectFromConfig('controller.oauth-registration', array($this->getRequest())); $controller->setOAuthProvider($provider); $controller->setOAuthInfo($oauth_info); $controller->setOAuthState($this->oauthState); return $this->delegateToController($controller); }
public function willProcessRequest(array $data) { $this->provider = PhabricatorOAuthProvider::newProvider($data['provider']); }
public function processRequest() { $request = $this->getRequest(); if ($request->getUser()->getPHID()) { // Kick the user out if they're already logged in. return id(new AphrontRedirectResponse())->setURI('/'); } $next_uri = $this->getRequest()->getPath(); $request->setCookie('next_uri', $next_uri); if ($next_uri == '/login/' && !$request->isFormPost()) { // The user went straight to /login/, so presumably they want to go // to the dashboard upon logging in. Because, you know, that's logical. // And people are logical. Sometimes... Fine, no they're not. // We check for POST here because getPath() would get reset to /login/. $request->setCookie('next_uri', '/'); } // Always use $request->getCookie('next_uri', '/') after the above. $password_auth = PhabricatorEnv::getEnvConfig('auth.password-auth-enabled'); $forms = array(); $error_view = null; if ($password_auth) { $error = false; $username_or_email = $request->getCookie('phusr'); if ($request->isFormPost()) { $username_or_email = $request->getStr('username_or_email'); $user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email); if (!$user) { $user = id(new PhabricatorUser())->loadOneWhere('email = %s', $username_or_email); } $okay = false; if ($user) { if ($user->comparePassword($request->getStr('password'))) { $session_key = $user->establishSession('web'); $request->setCookie('phusr', $user->getUsername()); $request->setCookie('phsid', $session_key); return id(new AphrontRedirectResponse())->setURI($request->getCookie('next_uri', '/')); } else { $log = PhabricatorUserLog::newLog(null, $user, PhabricatorUserLog::ACTION_LOGIN_FAILURE); $log->save(); } } if (!$okay) { $request->clearCookie('phusr'); $request->clearCookie('phsid'); } $error = true; } if ($error) { $error_view = new AphrontErrorView(); $error_view->setTitle('Bad username/password.'); } $form = new AphrontFormView(); $form->setUser($request->getUser())->setAction('/login/')->appendChild(id(new AphrontFormTextControl())->setLabel('Username/Email')->setName('username_or_email')->setValue($username_or_email))->appendChild(id(new AphrontFormPasswordControl())->setLabel('Password')->setName('password')->setCaption('<a href="/login/email/">' . 'Forgot your password? / Email Login</a>'))->appendChild(id(new AphrontFormSubmitControl())->setValue('Login')); // $panel->setCreateButton('Register New Account', '/login/register/'); $forms['Phabricator Login'] = $form; } $providers = array(PhabricatorOAuthProvider::PROVIDER_FACEBOOK, PhabricatorOAuthProvider::PROVIDER_GITHUB); foreach ($providers as $provider_key) { $provider = PhabricatorOAuthProvider::newProvider($provider_key); $enabled = $provider->isProviderEnabled(); if (!$enabled) { continue; } $auth_uri = $provider->getAuthURI(); $redirect_uri = $provider->getRedirectURI(); $client_id = $provider->getClientID(); $provider_name = $provider->getProviderName(); $minimum_scope = $provider->getMinimumScope(); // TODO: In theory we should use 'state' to prevent CSRF, but the total // effect of the CSRF attack is that an attacker can cause a user to login // to Phabricator if they're already logged into some OAuth provider. This // does not seem like the most severe threat in the world, and generating // CSRF for logged-out users is vaugely tricky. if ($provider->isProviderRegistrationEnabled()) { $title = "Login or Register with {$provider_name}"; $body = "Login or register for Phabricator using your " . "{$provider_name} account."; $button = "Login or Register with {$provider_name}"; } else { $title = "Login with {$provider_name}"; $body = "Login to your existing Phabricator account using your " . "{$provider_name} account.<br /><br /><strong>You can not use " . "{$provider_name} to register a new account.</strong>"; $button = "Login with {$provider_name}"; } $auth_form = new AphrontFormView(); $auth_form->setAction($auth_uri)->addHiddenInput('client_id', $client_id)->addHiddenInput('redirect_uri', $redirect_uri)->addHiddenInput('scope', $minimum_scope)->setUser($request->getUser())->setMethod('GET')->appendChild('<p class="aphront-form-instructions">' . $body . '</p>')->appendChild(id(new AphrontFormSubmitControl())->setValue("{$button} »")); $forms[$title] = $auth_form; } $panel = new AphrontPanelView(); $panel->setWidth(AphrontPanelView::WIDTH_FORM); foreach ($forms as $name => $form) { $panel->appendChild('<h1>' . $name . '</h1>'); $panel->appendChild($form); $panel->appendChild('<br />'); } return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Login')); }