예제 #1
 /**
  * Hook for after parsing route
  *
  * @return void
  */
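 public function onAfterRoute()
 {
     // Runs after routing. Requests without a client-certificate subject go to the
     // failure page, guests are routed into the certificate login task, and a session
     // whose account is not the one linked to the presented certificate is logged out.

     // First, check for presence of subject dn, which is the minimum required field.
     // NOTE(review): a populated SSL_CLIENT_S_DN only shows that a certificate was
     // presented. With Apache mod_ssl under "SSLVerifyClient optional_no_ca" it is
     // also set for certificates that failed chain validation, so confirm the web
     // server enforces verification (or that SSL_CLIENT_VERIFY is checked elsewhere)
     // before these values are treated as an identity.
     if (empty($_SERVER['SSL_CLIENT_S_DN'])) {
         \App::redirect($this->params->get('failure_location', '/invalidcert.php'));
         return;
     }
     if (\User::isGuest()) {
         // If so, redirect to login
         Request::setVar('option', 'com_users');
         Request::setVar('task', 'user.login');
         Request::setVar('authenticator', 'certificate');
         Request::setVar('return', base64_encode(\Request::current()));
         return;
     }
     // The link lookup is keyed on issuer CN + subject CN. Either can be missing even
     // when the subject DN is present, so read them without indexing $_SERVER blindly.
     $issuerCn  = isset($_SERVER['SSL_CLIENT_I_DN_CN']) ? $_SERVER['SSL_CLIENT_I_DN_CN'] : null;
     $subjectCn = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? (string) $_SERVER['SSL_CLIENT_S_DN_CN'] : '';
     // Fail closed on an empty subject CN: an empty identity must never match a link.
     if ($subjectCn !== '') {
         $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'certificate', $issuerCn);
         // Guard the ->id access in case no domain object comes back.
         $link = $hzad ? \Hubzero\Auth\Link::getInstance($hzad->id, $subjectCn) : null;
         // Compare as integers so a string id from storage and an int id from the
         // session compare by value without relying on loose == juggling.
         if ($link && (int) $link->user_id === (int) \User::get('id')) {
             // All clear...return nothing
             return;
         }
     }
     // Otherwise, we have a cert-based user that doesn't match the current user
     Request::setVar('option', 'com_users');
     Request::setVar('task', 'user.logout');
     $this->event->stop();
 }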
예제 #2
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options  additional options
  * @return  void
  */
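 public function link($options = array())
 {
     // Binds the presented client certificate (issuer CN + subject CN) to the hub
     // account of the signed-in user, or redirects to the account page with an error.
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     // Check for the required subject dn field
     if (!$this->isAuthenticated()) {
         // User somehow got redirect back without being authenticated (not sure how this would happen?)
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_CERTIFICATE_ERROR_LINKING_CERT'), 'error');
         return;
     }

     $domain   = isset($_SERVER['SSL_CLIENT_I_DN_CN']) ? $_SERVER['SSL_CLIENT_I_DN_CN'] : null;
     $username = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? (string) $_SERVER['SSL_CLIENT_S_DN_CN'] : '';

     // Never persist a link for an empty identity: every certificate lacking a CN
     // would otherwise map onto the same link record.
     // NOTE(review): isAuthenticated() is not visible here and may already cover this.
     if ($username === '') {
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_CERTIFICATE_ERROR_LINKING_CERT'), 'error');
         return;
     }

     // NOTE(review): the CN is a single attribute of the DN and is not inherently
     // unique per issuer; confirm the CA's naming policy makes it a stable identifier.
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'certificate', $domain);

     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $username)) {
         // This certificate account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_CERTIFICATE_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'certificate', $domain, $username);
     $hzal->user_id = User::get('id');
     // Certificates are not required to carry an e-mail address.
     $hzal->email = isset($_SERVER['SSL_CLIENT_S_DN_Email']) ? $_SERVER['SSL_CLIENT_S_DN_Email'] : null;
     $hzal->update();
 }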
예제 #3
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
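 public function link($options = array())
 {
     // Completes the Facebook redirect login and binds the returned Facebook user id
     // to the hub account of the signed-in user.

     // Set up the config for the sdk instance
     $config = array('appId' => $this->params->get('app_id'), 'secret' => $this->params->get('app_secret'));
     // Set defaults
     \Facebook\FacebookSession::setDefaultApplication($config['appId'], $config['secret']);
     // $options defaults to an empty array, so 'return' may be absent.
     $return = isset($options['return']) ? $options['return'] : null;
     $helper = new \Facebook\FacebookRedirectLoginHelper(self::getReturnUrl($return));
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     $session = null;
     try {
         $session = $helper->getSessionFromRedirect();
     } catch (\Facebook\FacebookRequestException $ex) {
         // Facebook returned an error: $session stays null and the user is sent back below.
     } catch (\Exception $ex) {
         // Validation failed or another local issue: handled the same way.
     }

     // The previous condition also tested a $user_id that was never assigned in this
     // method, so the session is the only signal that the redirect login succeeded.
     if (!$session) {
         // User didn't authorize our app, or, clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_FACEBOOK_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     try {
         $request = new \Facebook\FacebookRequest($session, 'GET', '/me');
         $user_profile = $request->execute()->getGraphObject(\Facebook\GraphUser::className());
         $id = $user_profile->getId();
         $email = $user_profile->getProperty('email');
     } catch (\Facebook\FacebookRequestException $e) {
         // This branch used to write to an undefined $response, which discards the
         // error (and is a fatal error on PHP 8). Report it to the user instead.
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_FACEBOOK_ERROR_RETRIEVING_PROFILE', $e->getMessage()), 'error');
         return;
     }

     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'facebook', '');
     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $id)) {
         // This facebook account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_FACEBOOK_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'facebook', null, $id);
     $hzal->user_id = User::get('id');
     $hzal->email = $email;
     $hzal->update();
 }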
예제 #4
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
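 public function link($options = array())
 {
     // Exchanges the temporary Twitter OAuth credentials held in the session for
     // user credentials, then binds the verified Twitter account id to the hub
     // account of the signed-in user.
     $session    = App::get('session');
     $appId      = $this->params->get('app_id');
     $appSecret  = $this->params->get('app_secret');
     $verifier   = Request::getVar('oauth_verifier');
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     // Without a verifier there is nothing to exchange; skip the provider round trip.
     if (!$verifier) {
         // User didn't authorize our app, or, clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_TWITTER_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     // Build twitter object using temp credentials saved in session
     $twitter = new TwitterOAuth($appId, $appSecret, $session->get('twitter.oauth.token'), $session->get('twitter.oauth.token_secret'));
     // Request user specific (longer lasting) credentials
     $token_credentials = $twitter->getAccessToken($verifier);

     // A failed exchange does not yield the token pair; do not index missing keys.
     if (empty($token_credentials['oauth_token']) || empty($token_credentials['oauth_token_secret'])) {
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_TWITTER_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     // Build new twitter object with user credentials
     $twitter = new TwitterOAuth($appId, $appSecret, $token_credentials['oauth_token'], $token_credentials['oauth_token_secret']);
     // Get user account info
     $account = $twitter->get('account/verify_credentials');

     // Make sure we have a twitter account. empty()/isset() are used because a
     // response is not guaranteed to carry both the errors and the id property.
     if (!is_object($account) || !empty($account->errors) || !isset($account->id) || !($account->id > 0)) {
         // User didn't authorize our app, or, clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_TWITTER_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     // Get unique username
     $username = (string) $account->id;
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'twitter', '');
     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $username)) {
         // This twitter account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_TWITTER_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'twitter', null, $username);
     $hzal->user_id = User::get('id');
     $hzal->update();
 }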
예제 #5
 /**
  * @access	public
  * @param   array - $options
  * @return	void
  */
 public function link($options = array())
 {
     // Binds the Shibboleth identity reported by $this->status() (eppn within its idp)
     // to the hub account of the signed-in user.
     $status = $this->status();
     if (!$status) {
         // User somehow got redirect back without being authenticated (not sure how this would happen?)
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), 'There was an error linking your account, please try again later.', 'error');
         return;
     }

     // NOTE(review): the whole status array is passed to the logger; confirm where
     // that log is written, since it carries identity attributes.
     $this->log('link', $status);

     // Get unique username
     $eppn = $status['eppn'];
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'shibboleth', $status['idp']);

     $existing = \Hubzero\Auth\Link::getInstance($hzad->id, $eppn);
     if ($existing) {
         $this->log('already linked', array('domain' => $hzad->id, 'username' => $eppn));
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), 'This account appears to already be linked to a hub account', 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'shibboleth', $status['idp'], $eppn);
     $hzal->user_id = User::get('id');
     $this->log('setting link', $hzal);
     $hzal->update();
 }
예제 #6
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
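 public function link($options = array())
 {
     // Finishes the LinkedIn OAuth exchange started earlier in this session and binds
     // the LinkedIn profile id to the hub account of the signed-in user.
     $jsession = App::get('session');
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     // Set up linkedin configuration
     $linkedin_config = array();
     $linkedin_config['appKey'] = $this->params->get('api_key');
     $linkedin_config['appSecret'] = $this->params->get('app_secret');
     // Create Object
     $linkedin_client = new LinkedIn($linkedin_config);

     $verifier = Request::getVar('oauth_verifier', NULL);
     if (!$verifier) {
         // User didn't authorize our app, or, clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_LINKEDIN_MUST_AUTHORIZE_TO_LOGIN', App::get('sitename')), 'error');
         // Stop here explicitly rather than relying on the redirect ending the request.
         return;
     }

     // LinkedIn has sent a response, user has granted permission, take the temp access token,
     // the user's secret and the verifier to request the user's real secret key
     $request = $jsession->get('linkedin.oauth.request');
     // The callback is only meaningful for a flow this session started.
     if (empty($request['oauth_token']) || empty($request['oauth_token_secret'])) {
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_LINKEDIN_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     $reply = $linkedin_client->retrieveTokenAccess($request['oauth_token'], $request['oauth_token_secret'], $verifier);
     if (!isset($reply['success']) || $reply['success'] !== TRUE) {
         // This path used to *return* an Exception object from a method documented as
         // void, so the failure was silently dropped. Report it like the other paths.
         App::redirect($accountUrl, Lang::txt('Access token retrieval failed'), 'error');
         return;
     }

     // The request went through without an error, gather user's 'access' tokens
     $jsession->set('linkedin.oauth.access', $reply['linkedin']);
     // Set the user as authorized for future quick reference
     $jsession->set('linkedin.oauth.authorized', TRUE);

     if ($jsession->get('linkedin.oauth.authorized') != TRUE) {
         // User didn't authorize our app, or, clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_LINKEDIN_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     $linkedin_client->setTokenAccess($jsession->get('linkedin.oauth.access'));
     // Get the linked in profile
     $profile = $linkedin_client->profile('~:(id,first-name,last-name,email-address)');
     $profile = $profile['linkedin'];
     // Parse the profile XML. The document comes from the provider; it is parsed with
     // the default options, i.e. without LIBXML_NOENT entity substitution. Keep it so.
     $profile = new SimpleXMLElement($profile);
     // Get the profile values
     $username = (string) $profile->{'id'};

     // Never create a link for an empty identity.
     if ($username === '') {
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_LINKEDIN_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     // (make sure this is unique)
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'linkedin', '');
     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $username)) {
         // This linkedin account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_LINKEDIN_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'linkedin', null, $username);
     $hzal->user_id = User::get('id');
     $hzal->email = (string) $profile->{'email-address'};
     $hzal->update();
 }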
예제 #7
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
 public function link($options = array())
 {
     // Exchanges the Google authorization code (when one is present on the request)
     // and binds the returned Google account to the hub account of the signed-in user.
     //
     // NOTE(review): no anti-CSRF "state" validation is visible in this method.
     // Confirm it happens before link() is reached, so the callback is only honoured
     // for a flow this session started.

     // Set up the config for the google api instance
     $google = new Google_Client();
     $google->setClientId($this->params->get('app_id'));
     $google->setClientSecret($this->params->get('app_secret'));
     $google->setRedirectUri(self::getRedirectUri('google'));

     // Create OAuth2 Instance
     $userinfoService = new Google_Service_Oauth2($google);

     // If we have this code, we know we have a successful return from google
     $authCode = Request::getVar('code', NULL);
     if ($authCode) {
         // Authenticate the user
         $google->authenticate($authCode);
     }

     // Without an access token there is nothing to link
     if (!$google->getAccessToken()) {
         // User didn't authorize our app, or, clicked cancel...
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), Lang::txt('PLG_AUTHENTICATION_GOOGLE_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     // Get the user info
     $googleProfile = $userinfoService->userinfo->get();

     // Make sure we use something unique and consistent here!
     // NOTE(review): the link is keyed on the e-mail address, which can change or be
     // reassigned; the provider's immutable account id would be a more stable key.
     $linkName = $googleProfile['email'];
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'google', '');

     // Create the link
     $alreadyLinked = \Hubzero\Auth\Link::getInstance($hzad->id, $linkName);
     if ($alreadyLinked) {
         // This google account is already linked to another hub account
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), Lang::txt('PLG_AUTHENTICATION_GOOGLE_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     // Create the hubzero auth link
     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'google', null, $linkName);
     $hzal->user_id = User::get('id');
     $hzal->email = $googleProfile['email'];
     $hzal->update();
 }
예제 #8
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
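 public function link($options = array())
 {
     // Exchanges the SciStarter authorization code and binds the returned account to
     // the hub account of the signed-in user.
     //
     // NOTE(review): no anti-CSRF "state" validation is visible in this method.
     // Confirm it happens before link() is reached, so the callback is only honoured
     // for a flow this session started.
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     // Set up the config for the api instance
     $client = new Oauth();
     if ($this->params->get('environment') == 'sandbox') {
         $client->useSandboxEnvironment();
     }
     // NOTE(review): the redirect URI is requested for 'orcid' although every other
     // identifier in this method is scistarter; verify it matches the registered URI.
     $client->setClientId($this->params->get('app_id'))->setClientSecret($this->params->get('app_secret'))->setRedirectUri(self::getRedirectUri('orcid'));

     // If we have a code coming back, the user has authorized our app, and we can authenticate
     $code = Request::getVar('code', NULL);
     if (!$code) {
         // User didn't authorize our app or clicked cancel
         App::redirect(Route::url('index.php?option=com_users&view=login&return=' . base64_encode('/members/myaccount')), Lang::txt('PLG_AUTHENTICATION_SCISTARTER_MUST_AUTHORIZE_TO_LOGIN', Config::get('sitename')), 'error');
         // Stop here explicitly rather than relying on the redirect ending the request.
         return;
     }

     // Authenticate the user
     $client->authenticate($code);

     if (!$client->isAuthenticated()) {
         // User didn't authorize our app or clicked cancel
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_SCISTARTER_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         // Without this return $account would be undefined below.
         return;
     }

     $account = $client->getUserData();
     $username = isset($account->email) ? (string) $account->email : '';

     // Make sure we have a scistarter account, and never link an empty identity.
     // NOTE(review): the link is keyed on the e-mail address rather than on
     // scistarter_user_id; an address can change or be reassigned.
     if (!isset($account->scistarter_user_id) || !($account->scistarter_user_id > 0) || $username === '') {
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_SCISTARTER_AUTHENTICATION_FAILED', Config::get('sitename')), 'error');
         return;
     }

     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'scistarter', '');
     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $username)) {
         // This scistarter account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_SCISTARTER_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'scistarter', null, $username);
     $hzal->user_id = User::get('id');
     $hzal->update();
 }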
예제 #9
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
 public function link($options = array())
 {
     // Binds the CAS user name of an authenticated phpCAS session to the hub account
     // of the signed-in user; both phpCAS and checkBoilerkey() must pass first.
     $debugEnabled = Config::get('debug');
     if ($debugEnabled) {
         // NOTE(review): confirm the debug log location is not readable by other
         // users of the host, since it records the CAS exchange.
         phpCAS::setDebug($this->params->get('debug_location', '/var/log/apache2/php/phpCAS.log'));
     }

     $this->initialize();

     if (!(phpCAS::isAuthenticated() && $this->checkBoilerkey())) {
         // User somehow got redirect back without being authenticated (not sure how this would happen?)
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), Lang::txt('PLG_AUTHENTICATION_PUCAS_ERROR_LINKING'), 'error');
         return;
     }

     // Get unique username
     $casUser = phpCAS::getUser();
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'pucas', '');

     // Create the link
     $alreadyLinked = \Hubzero\Auth\Link::getInstance($hzad->id, $casUser);
     if ($alreadyLinked) {
         // This purdue cas account is already linked to another hub account
         App::redirect(Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account'), Lang::txt('PLG_AUTHENTICATION_PUCAS_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'pucas', null, $casUser);
     $hzal->user_id = User::get('id');
     $hzal->email = phpCAS::getAttribute('email');
     $hzal->update();
 }
예제 #10
 /**
  * Similar to onAuthenticate, except we already have a logged in user, we're just linking accounts
  *
  * @param   array  $options
  * @return  void
  */
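 public function link($options = array())
 {
     // Exchanges the ORCID authorization code and binds the returned ORCID iD to the
     // hub account of the signed-in user.
     //
     // NOTE(review): no anti-CSRF "state" validation is visible in this method.
     // Confirm it happens before link() is reached, so the callback is only honoured
     // for a flow this session started.
     $accountUrl = Route::url('index.php?option=com_members&id=' . User::get('id') . '&active=account');

     // Set up the config for the ORCID api instance
     $oauth = new Oauth();
     $oauth->setClientId($this->params->get('client_id'))->setClientSecret($this->params->get('client_secret'))->setRedirectUri(self::getRedirectUri('orcid'));

     // If we have a code coming back, the user has authorized our app, and we can authenticate
     $code = Request::getVar('code', NULL);
     if (!$code) {
         // User didn't authorize our app, or, clicked cancel...
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_ORCID_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         // Stop here explicitly; otherwise authenticate() would run with no code
         // whenever the redirect does not end the request.
         return;
     }

     // Authenticate the user
     $oauth->authenticate($code);

     // Check for successful authentication
     if (!$oauth->isAuthenticated()) {
         // User didn't authorize our app, or, clicked cancel...
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_ORCID_MUST_AUTHORIZE_TO_LINK', Config::get('sitename')), 'error');
         return;
     }

     $orcid = new Profile($oauth);
     // Set username to ORCID iD
     $username = $orcid->id();
     $hzad = \Hubzero\Auth\Domain::getInstance('authentication', 'orcid', '');

     // Create the link
     if (\Hubzero\Auth\Link::getInstance($hzad->id, $username)) {
         // This orcid account is already linked to another hub account
         App::redirect($accountUrl, Lang::txt('PLG_AUTHENTICATION_ORCID_ACCOUNT_ALREADY_LINKED'), 'error');
         return;
     }

     // Create the hubzero auth link
     $hzal = \Hubzero\Auth\Link::find_or_create('authentication', 'orcid', null, $username);
     $hzal->user_id = User::get('id');
     $hzal->email = $orcid->email();
     $hzal->update();
 }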