/** * This extended constructor is setting up * the underlying AuthorizationServer with * the grant types that GLPi Plugins support * on it's OAuth2 Framework */ public function __construct() { parent::__construct(); $this->setSessionStorage(OAuthHelper::getSessionStorage()); $this->setAccessTokenStorage(OAuthHelper::getAccessTokenStorage()); $this->setRefreshTokenStorage(OAuthHelper::getRefreshTokenStorage()); $this->setClientStorage(OAuthHelper::getClientStorage()); $this->setScopeStorage(OAuthHelper::getScopeStorage()); $this->setAuthCodeStorage(new AuthCodeStorage()); // Adding the password grant to able users to login by themselves $passwordGrant = new PasswordGrant(); $passwordGrant->setVerifyCredentialsCallback(function ($login, $password) { $user = User::where(function ($q) use($login) { return $q->where('email', '=', $login)->orWhere('username', '=', $login); }); $count = $user->count(); if ($count < 1) { return false; } if ($count > 1) { throw new \Exception('Dangerous, query result count > 1 when user tried' . ' to log with login "' . $login . '" ' . 'and password "' . $password . '"'); return false; } elseif ($count == 0) { return false; } else { $user = $user->first(); if ($user->assertPasswordIs($password)) { return $user->id; } else { return false; } } }); $this->addGrantType($passwordGrant); $appGrant = new ClientCredentialsGrant(); $this->addGrantType($appGrant); $refreshTokenGrant = new RefreshTokenGrant(); $this->addGrantType($refreshTokenGrant); }
/** * It creates an access token, a session, and links * scopes mentionned in $scopes to the session and * access token, it finally returns the new access token * * It associates the 'webapp' app */ public static function createAccessTokenFromUserId($user_id, $scopes, $ttl = 3600) { $user = User::where('id', '=', $user_id)->first(); if (!$user) { return false; } $session = new Session(); $session->owner_type = 'user'; $session->owner_id = $user->id; $session->app_id = 'webapp'; $session->save(); $accessToken = new AccessToken(); $accessToken->session_id = $session->id; $accessToken->token = SecureKey::generate(); $accessToken->expire_time = DB::raw('FROM_UNIXTIME(' . ($ttl + time()) . ')'); $accessToken->save(); foreach ($scopes as $_scope) { $scope = Scope::where('identifier', '=', $_scope)->first(); if ($scope) { $session->scopes()->attach($scope); $accessToken->scopes()->attach($scope); } } $refreshToken = new RefreshToken(); $refreshToken->access_token_id = $accessToken->id; $refreshToken->token = SecureKey::generate(); $refreshToken->expire_time = DB::raw('FROM_UNIXTIME(' . (604800 + time()) . ')'); $refreshToken->save(); return ["token" => $accessToken->token, "refresh_token" => $refreshToken->token, "ttl" => $ttl]; }
} if (isset($body->description)) { if (gettype($body->description) != 'string' || !App::isValidDescription($body->description)) { throw new InvalidField('description'); } else { $user_app->description = $body->description; } } $user_app->save(); Tool::endWithJson($user_app); }); $user_delete_app = Tool::makeEndpoint(function ($id) use($app, $resourceServer) { OAuthHelper::needsScopes(['user', 'user:apps']); $body = Tool::getBody(); $user_id = $resourceServer->getAccessToken()->getSession()->getOwnerId(); $user = User::where('id', '=', $user_id)->first(); $user_app = $user->apps()->find($id); if ($user_app) { $user_app->delete(); $app->halt(200); } else { throw new ResourceNotFound('App', $id); } }); // HTTP REST Map $app->get('/user/apps', $user_apps); $app->get('/user/apps/:id', $user_app); $app->put('/user/apps/:id', $user_edit_app); $app->delete('/user/apps/:id', $user_delete_app); $app->post('/user/apps', $user_declare_app); $app->options('/user/apps', function () {
throw new InvalidField('email'); } // -- <this_is_not_used_for_now> -- // rejecting if request isn't signed by // a recaptcha captcha // if (!isset($body->recaptcha_response) || // gettype($body->recaptcha_response) !== 'string') { // throw new InvalidRecaptcha; // } // $recaptchaStuff = new ReCaptcha(Tool::getConfig()['recaptcha_secret']); // $resp = $recaptchaStuff->verify($body->recaptcha_response); // if (!$resp->isSuccess()) { // throw new InvalidRecaptcha; // } // -- </this_is_not_used_for_now> $user = User::where('email', '=', $body->email)->first(); if (!$user) { throw new AccountNotFound(); } $resetPasswordToken = new ResetPasswordToken(); $resetPasswordToken->token = Tool::randomSha1(); $resetPasswordToken->user_id = $user->id; $resetPasswordToken->save(); $mailer = new Mailer(); $mailer->sendMail('reset_your_password.html', [$user->email], 'Reset your GLPi Plugin Directory password', ['user' => $user, 'reset_password_token' => $resetPasswordToken->token]); $app->halt(200); }); $user_reset_password = Tool::makeEndpoint(function () use($app) { $body = Tool::getBody(); // rejecting if token not provided as a string if (!isset($body->token) || gettype($body->token) !== 'string') {
OAuthHelper::needsScopes(['user', 'plugin:card']); $user = OAuthHelper::currentlyAuthed(); $body = Tool::getBody(); $plugin = Plugin::where('key', '=', $key)->first(); if (!$plugin) { throw new ResourceNotFound('Plugin', $key); } if (!$plugin->permissions()->where('admin', '=', true)->where('user_id', '=', $user->id)->first()) { throw new LackPermission('manage_permissions', 'Plugin', $key); } if (!isset($body->username) || gettype($body->username) != 'string') { throw new InvalidField('username'); } // verify user has the admin flag on the plugin // otherwise reject $target_user = User::where('username', '=', $body->username)->first(); if (!$target_user) { throw new ResourceNotFound('User', $body->username); } if ($plugin->permissions->find($target_user)) { throw new RightAlreadyExist($body->username, $plugin->key); } $plugin->permissions()->attach($target_user); $app->halt(200); }); $plugin_delete_permission = Tool::makeEndpoint(function ($key, $username) use($app) { OAuthHelper::needsScopes(['user', 'plugin:card']); $user = OAuthHelper::currentlyAuthed(); // reject if plugin not found $plugin = Plugin::where('key', '=', $key)->first(); if (!$plugin) {