public function processRequest()
{
$current_user = $this->getRequest()->getUser();
$provider = $this->provider;
if (!$provider->isProviderEnabled()) {
return new Aphront400Response();
}
$provider_name = $provider->getProviderName();
$provider_key = $provider->getProviderKey();
$request = $this->getRequest();
if ($request->getStr('error')) {
$error_view = id(new PhabricatorOAuthFailureView())->setRequest($request);
return $this->buildErrorResponse($error_view);
}
$error_response = $this->retrieveAccessToken($provider);
if ($error_response) {
return $error_response;
}
$userinfo_uri = new PhutilURI($provider->getUserInfoURI());
$userinfo_uri->setQueryParam('access_token', $this->accessToken);
$userinfo_uri = (string) $userinfo_uri;
try {
$user_data = HTTPSFuture::loadContent($userinfo_uri);
if ($user_data === false) {
throw new PhabricatorOAuthProviderException("Request to '{$userinfo_uri}' failed!");
}
$provider->setUserData($user_data);
} catch (PhabricatorOAuthProviderException $e) {
return $this->buildErrorResponse(new PhabricatorOAuthFailureView(), $e);
}
$provider->setAccessToken($this->accessToken);
$user_id = $provider->retrieveUserID();
$provider_key = $provider->getProviderKey();
$oauth_info = $this->retrieveOAuthInfo($provider);
if ($current_user->getPHID()) {
if ($oauth_info->getID()) {
if ($oauth_info->getUserID() != $current_user->getID()) {
$dialog = new AphrontDialogView();
$dialog->setUser($current_user);
$dialog->setTitle('Already Linked to Another Account');
$dialog->appendChild(hsprintf('<p>The %s account you just authorized is already linked to ' . 'another Phabricator account. Before you can associate your %s ' . 'account with this Phabriactor account, you must unlink it from ' . 'the Phabricator account it is currently linked to.</p>', $provider_name, $provider_name));
$dialog->addCancelButton('/settings/page/' . $provider_key . '/');
return id(new AphrontDialogResponse())->setDialog($dialog);
} else {
$this->saveOAuthInfo($oauth_info);
// Refresh token.
return id(new AphrontRedirectResponse())->setURI('/settings/page/' . $provider_key . '/');
}
}
$existing_oauth = id(new PhabricatorUserOAuthInfo())->loadOneWhere('userID = %d AND oauthProvider = %s', $current_user->getID(), $provider_key);
if ($existing_oauth) {
$dialog = new AphrontDialogView();
$dialog->setUser($current_user);
$dialog->setTitle('Already Linked to an Account From This Provider');
$dialog->appendChild(hsprintf('<p>The account you are logged in with is already linked to a %s ' . 'account. Before you can link it to a different %s account, you ' . 'must unlink the old account.</p>', $provider_name, $provider_name));
$dialog->addCancelButton('/settings/page/' . $provider_key . '/');
return id(new AphrontDialogResponse())->setDialog($dialog);
}
if (!$request->isDialogFormPost()) {
$dialog = new AphrontDialogView();
$dialog->setUser($current_user);
$dialog->setTitle('Link ' . $provider_name . ' Account');
$dialog->appendChild(hsprintf('<p>Link your %s account to your Phabricator account?</p>', $provider_name));
$dialog->addHiddenInput('confirm_token', $provider->getAccessToken());
$dialog->addHiddenInput('expires', $oauth_info->getTokenExpires());
$dialog->addHiddenInput('state', $this->oauthState);
$dialog->addHiddenInput('scope', $oauth_info->getTokenScope());
$dialog->addSubmitButton('Link Accounts');
$dialog->addCancelButton('/settings/page/' . $provider_key . '/');
return id(new AphrontDialogResponse())->setDialog($dialog);
}
$oauth_info->setUserID($current_user->getID());
$this->saveOAuthInfo($oauth_info);
return id(new AphrontRedirectResponse())->setURI('/settings/page/' . $provider_key . '/');
}
// Login with known auth.
if ($oauth_info->getID()) {
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$known_user = id(new PhabricatorUser())->load($oauth_info->getUserID());
$request->getApplicationConfiguration()->willAuthenticateUserWithOAuth($known_user, $oauth_info, $provider);
$session_key = $known_user->establishSession('web');
$this->saveOAuthInfo($oauth_info);
$request->setCookie('phusr', $known_user->getUsername());
$request->setCookie('phsid', $session_key);
$uri = new PhutilURI('/login/validate/');
$uri->setQueryParams(array('phusr' => $known_user->getUsername()));
return id(new AphrontRedirectResponse())->setURI((string) $uri);
}
$oauth_email = $provider->retrieveUserEmail();
if ($oauth_email) {
$known_email = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $oauth_email);
if ($known_email) {
$dialog = new AphrontDialogView();
$dialog->setUser($current_user);
$dialog->setTitle('Already Linked to Another Account');
$dialog->appendChild(hsprintf('<p>The %s account you just authorized has an email address which ' . 'is already in use by another Phabricator account. To link the ' . 'accounts, log in to your Phabricator account and then go to ' . 'Settings.</p>', $provider_name));
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $known_email->getUserPHID());
$oauth_infos = id(new PhabricatorUserOAuthInfo())->loadAllWhere('userID = %d', $user->getID());
if ($oauth_infos) {
$providers = array();
foreach ($oauth_infos as $info) {
$provider = $info->getOAuthProvider();
$providers[] = PhabricatorOAuthProvider::newProvider($provider)->getProviderName();
}
$dialog->appendChild(hsprintf('<p>The account is associated with: %s.</p>', implode(', ', $providers)));
}
$dialog->addCancelButton('/login/');
return id(new AphrontDialogResponse())->setDialog($dialog);
}
}
if (!$provider->isProviderRegistrationEnabled()) {
$dialog = new AphrontDialogView();
$dialog->setUser($current_user);
$dialog->setTitle('No Account Registration With ' . $provider_name);
$dialog->appendChild(hsprintf('<p>You can not register a new account using %s; you can only use ' . 'your %s account to log into an existing Phabricator account which ' . 'you have registered through other means.</p>', $provider_name, $provider_name));
$dialog->addCancelButton('/login/');
return id(new AphrontDialogResponse())->setDialog($dialog);
}
$controller = PhabricatorEnv::newObjectFromConfig('controller.oauth-registration', array($this->getRequest()));
$controller->setOAuthProvider($provider);
$controller->setOAuthInfo($oauth_info);
$controller->setOAuthState($this->oauthState);
return $this->delegateToController($controller);
}
public function willProcessRequest(array $data)
{
$this->provider = PhabricatorOAuthProvider::newProvider($data['provider']);
}
public function processRequest()
{
$request = $this->getRequest();
if ($request->getUser()->getPHID()) {
// Kick the user out if they're already logged in.
return id(new AphrontRedirectResponse())->setURI('/');
}
$next_uri = $this->getRequest()->getPath();
$request->setCookie('next_uri', $next_uri);
if ($next_uri == '/login/' && !$request->isFormPost()) {
// The user went straight to /login/, so presumably they want to go
// to the dashboard upon logging in. Because, you know, that's logical.
// And people are logical. Sometimes... Fine, no they're not.
// We check for POST here because getPath() would get reset to /login/.
$request->setCookie('next_uri', '/');
}
// Always use $request->getCookie('next_uri', '/') after the above.
$password_auth = PhabricatorEnv::getEnvConfig('auth.password-auth-enabled');
$forms = array();
$error_view = null;
if ($password_auth) {
$error = false;
$username_or_email = $request->getCookie('phusr');
if ($request->isFormPost()) {
$username_or_email = $request->getStr('username_or_email');
$user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email);
if (!$user) {
$user = id(new PhabricatorUser())->loadOneWhere('email = %s', $username_or_email);
}
$okay = false;
if ($user) {
if ($user->comparePassword($request->getStr('password'))) {
$session_key = $user->establishSession('web');
$request->setCookie('phusr', $user->getUsername());
$request->setCookie('phsid', $session_key);
return id(new AphrontRedirectResponse())->setURI($request->getCookie('next_uri', '/'));
} else {
$log = PhabricatorUserLog::newLog(null, $user, PhabricatorUserLog::ACTION_LOGIN_FAILURE);
$log->save();
}
}
if (!$okay) {
$request->clearCookie('phusr');
$request->clearCookie('phsid');
}
$error = true;
}
if ($error) {
$error_view = new AphrontErrorView();
$error_view->setTitle('Bad username/password.');
}
$form = new AphrontFormView();
$form->setUser($request->getUser())->setAction('/login/')->appendChild(id(new AphrontFormTextControl())->setLabel('Username/Email')->setName('username_or_email')->setValue($username_or_email))->appendChild(id(new AphrontFormPasswordControl())->setLabel('Password')->setName('password')->setCaption('<a href="/login/email/">' . 'Forgot your password? / Email Login</a>'))->appendChild(id(new AphrontFormSubmitControl())->setValue('Login'));
// $panel->setCreateButton('Register New Account', '/login/register/');
$forms['Phabricator Login'] = $form;
}
$providers = array(PhabricatorOAuthProvider::PROVIDER_FACEBOOK, PhabricatorOAuthProvider::PROVIDER_GITHUB);
foreach ($providers as $provider_key) {
$provider = PhabricatorOAuthProvider::newProvider($provider_key);
$enabled = $provider->isProviderEnabled();
if (!$enabled) {
continue;
}
$auth_uri = $provider->getAuthURI();
$redirect_uri = $provider->getRedirectURI();
$client_id = $provider->getClientID();
$provider_name = $provider->getProviderName();
$minimum_scope = $provider->getMinimumScope();
// TODO: In theory we should use 'state' to prevent CSRF, but the total
// effect of the CSRF attack is that an attacker can cause a user to login
// to Phabricator if they're already logged into some OAuth provider. This
// does not seem like the most severe threat in the world, and generating
// CSRF for logged-out users is vaugely tricky.
if ($provider->isProviderRegistrationEnabled()) {
$title = "Login or Register with {$provider_name}";
$body = "Login or register for Phabricator using your " . "{$provider_name} account.";
$button = "Login or Register with {$provider_name}";
} else {
$title = "Login with {$provider_name}";
$body = "Login to your existing Phabricator account using your " . "{$provider_name} account.<br /><br /><strong>You can not use " . "{$provider_name} to register a new account.</strong>";
$button = "Login with {$provider_name}";
}
$auth_form = new AphrontFormView();
$auth_form->setAction($auth_uri)->addHiddenInput('client_id', $client_id)->addHiddenInput('redirect_uri', $redirect_uri)->addHiddenInput('scope', $minimum_scope)->setUser($request->getUser())->setMethod('GET')->appendChild('<p class="aphront-form-instructions">' . $body . '</p>')->appendChild(id(new AphrontFormSubmitControl())->setValue("{$button} »"));
$forms[$title] = $auth_form;
}
$panel = new AphrontPanelView();
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
foreach ($forms as $name => $form) {
$panel->appendChild('<h1>' . $name . '</h1>');
$panel->appendChild($form);
$panel->appendChild('<br />');
}
return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Login'));
}
