public function authenticate()
{
$keys = array('gid', 'token');
if (!Req::haspost($keys)) {
return $this->fail('Insufficient data.');
}
$gid = Req::post('gid');
$token = Req::post('token');
$curl = curl_init('https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=' . $token);
curl_setopt_array($curl, array(CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPGET => true));
$result = curl_exec($curl);
curl_close($curl);
$data = json_decode($result);
// Check aud
$audSegments = explode('.', $data->aud);
if (array_shift($audSegments) !== Config::$googleClientId) {
return $this->fail('Hmmm. Trying to hack?');
}
// Check gid
if ($gid !== $data->sub) {
return $this->fail('You are not who you say you are!');
}
// Check exp
if (date_create()->format('U') > $data->exp) {
return $this->fail('Your session has expired. Try again.');
}
// Check allowed domain
if (!empty(Config::$googleAllowedDomain)) {
if (empty($data->hd)) {
return $this->fail('Please sign in with your Compass email.');
}
$allowedDomain = Config::$googleAllowedDomain;
if (is_string(Config::$googleAllowedDomain)) {
$allowedDomain = [Config::$googleAllowedDomain];
}
if (!in_array($data->hd, $allowedDomain)) {
return $this->fail('Please sign in with your Compass email.');
}
}
$user = Lib::table('user');
$user->load(array('email' => $data->email));
$user->gid = $data->sub;
$user->picture = !empty($data->picture) ? $data->picture : '';
$user->name = $data->name;
$user->email = $data->email;
$user->identifier = Lib::generateHash();
if (empty($user->nick)) {
$nick = explode('@', $data->email);
$user->nick = $nick[0];
}
$user->store();
Lib::cookie(Lib::hash(Config::$userkey), $user->identifier);
return $this->success();
}
private function generateHash($length = 64)
{
return Lib::generateHash($length);
}
