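/**
  * This extended constructor sets up the underlying AuthorizationServer
  * with the storages and the grant types that GLPi Plugins supports on
  * its OAuth2 framework: password (users logging in by themselves),
  * client credentials (apps) and refresh token.
  */
 public function __construct()
 {
     parent::__construct();
     $this->setSessionStorage(OAuthHelper::getSessionStorage());
     $this->setAccessTokenStorage(OAuthHelper::getAccessTokenStorage());
     $this->setRefreshTokenStorage(OAuthHelper::getRefreshTokenStorage());
     $this->setClientStorage(OAuthHelper::getClientStorage());
     $this->setScopeStorage(OAuthHelper::getScopeStorage());
     $this->setAuthCodeStorage(new AuthCodeStorage());

     // Password grant: lets users log in with their own credentials.
     // The callback returns the user id on success and false otherwise.
     $passwordGrant = new PasswordGrant();
     $passwordGrant->setVerifyCredentialsCallback(function ($login, $password) {
         // The login may be either the email or the username.
         $query = User::where(function ($q) use ($login) {
             return $q->where('email', '=', $login)->orWhere('username', '=', $login);
         });
         $count = $query->count();
         if ($count < 1) {
             return false;
         }
         if ($count > 1) {
             // Two accounts share this email/username: refuse to pick one.
             // Only the login is reported; the submitted password must never
             // end up in an exception message, since those reach logs and
             // error handlers.
             throw new \Exception('Dangerous, query result count > 1 when user tried to log with login "' . $login . '"');
         }
         $user = $query->first();
         return $user->assertPasswordIs($password) ? $user->id : false;
     });
     $this->addGrantType($passwordGrant);

     // Client credentials grant: apps authenticating on their own behalf.
     $appGrant = new ClientCredentialsGrant();
     $this->addGrantType($appGrant);

     // Refresh token grant: renewing an access token without re-login.
     $refreshTokenGrant = new RefreshTokenGrant();
     $this->addGrantType($refreshTokenGrant);
 }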
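 /**
  * Creates a session owned by the given user (associated to the 'webapp'
  * app), an access token and a refresh token on that session, and links
  * every scope of $scopes that exists to both the session and the access
  * token. Unknown scope identifiers are silently skipped.
  *
  * @param int|string $user_id     id of the owning user
  * @param iterable   $scopes      scope identifiers to attach
  * @param int        $ttl         access token lifetime in seconds (default 1 hour)
  * @param int        $refresh_ttl refresh token lifetime in seconds (default 7 days)
  *
  * @return array|false ['token' => ..., 'refresh_token' => ..., 'ttl' => $ttl],
  *                     or false when no user has this id
  */
 public static function createAccessTokenFromUserId($user_id, $scopes, $ttl = 3600, $refresh_ttl = 604800)
 {
     $user = User::where('id', '=', $user_id)->first();
     if (!$user) {
         return false;
     }
     // Both lifetimes are spliced into a raw SQL expression below, so they
     // are forced to plain integers whatever the caller handed in. Both
     // expiries are computed from the same instant.
     $now = time();
     $accessExpires = $now + (int) $ttl;
     $refreshExpires = $now + (int) $refresh_ttl;

     $session = new Session();
     $session->owner_type = 'user';
     $session->owner_id = $user->id;
     $session->app_id = 'webapp';
     $session->save();

     $accessToken = new AccessToken();
     $accessToken->session_id = $session->id;
     $accessToken->token = SecureKey::generate();
     $accessToken->expire_time = DB::raw('FROM_UNIXTIME(' . $accessExpires . ')');
     $accessToken->save();

     foreach ($scopes as $_scope) {
         $scope = Scope::where('identifier', '=', $_scope)->first();
         if ($scope) {
             $session->scopes()->attach($scope);
             $accessToken->scopes()->attach($scope);
         }
     }

     $refreshToken = new RefreshToken();
     $refreshToken->access_token_id = $accessToken->id;
     $refreshToken->token = SecureKey::generate();
     $refreshToken->expire_time = DB::raw('FROM_UNIXTIME(' . $refreshExpires . ')');
     $refreshToken->save();

     return ["token" => $accessToken->token, "refresh_token" => $refreshToken->token, "ttl" => $ttl];
 }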
    }
    if (isset($body->description)) {
        if (gettype($body->description) != 'string' || !App::isValidDescription($body->description)) {
            throw new InvalidField('description');
        } else {
            $user_app->description = $body->description;
        }
    }
    $user_app->save();
    Tool::endWithJson($user_app);
});
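$user_delete_app = Tool::makeEndpoint(function ($id) use($app, $resourceServer) {
    // Deletes one of the authenticated user's apps: 200 on success,
    // ResourceNotFound when no app with this id belongs to that user.
    OAuthHelper::needsScopes(['user', 'user:apps']);
    $user_id = $resourceServer->getAccessToken()->getSession()->getOwnerId();
    $user = User::where('id', '=', $user_id)->first();
    if (!$user) {
        // The token's owner no longer exists (e.g. account removed after the
        // token was issued): fail cleanly instead of calling apps() on null.
        throw new ResourceNotFound('User', $user_id);
    }
    // Looking the app up through the owner's relation scopes the query to
    // this user, so an app id belonging to someone else is not found.
    $user_app = $user->apps()->find($id);
    if (!$user_app) {
        throw new ResourceNotFound('App', $id);
    }
    $user_app->delete();
    $app->halt(200);
});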
// HTTP REST Map
// The route table adds no access control of its own: each handler is
// expected to check the OAuth scopes it needs via OAuthHelper::needsScopes
// (as $user_delete_app does) before touching any resource.
$app->get('/user/apps', $user_apps);
$app->get('/user/apps/:id', $user_app);
$app->put('/user/apps/:id', $user_edit_app);
$app->delete('/user/apps/:id', $user_delete_app);
$app->post('/user/apps', $user_declare_app);
$app->options('/user/apps', function () {
        throw new InvalidField('email');
    }
    // -- <this_is_not_used_for_now> --
    // rejecting if request isn't signed by
    // a recaptcha captcha
    // if (!isset($body->recaptcha_response) ||
    //     gettype($body->recaptcha_response) !== 'string') {
    //    throw new InvalidRecaptcha;
    // }
    // $recaptchaStuff = new ReCaptcha(Tool::getConfig()['recaptcha_secret']);
    // $resp = $recaptchaStuff->verify($body->recaptcha_response);
    // if (!$resp->isSuccess()) {
    //     throw new InvalidRecaptcha;
    // }
    // -- </this_is_not_used_for_now>
    $user = User::where('email', '=', $body->email)->first();
    if (!$user) {
        throw new AccountNotFound();
    }
    $resetPasswordToken = new ResetPasswordToken();
    $resetPasswordToken->token = Tool::randomSha1();
    $resetPasswordToken->user_id = $user->id;
    $resetPasswordToken->save();
    $mailer = new Mailer();
    $mailer->sendMail('reset_your_password.html', [$user->email], 'Reset your GLPi Plugin Directory password', ['user' => $user, 'reset_password_token' => $resetPasswordToken->token]);
    $app->halt(200);
});
$user_reset_password = Tool::makeEndpoint(function () use($app) {
    $body = Tool::getBody();
    // rejecting if token not provided as a string
    if (!isset($body->token) || gettype($body->token) !== 'string') {
    OAuthHelper::needsScopes(['user', 'plugin:card']);
    $user = OAuthHelper::currentlyAuthed();
    $body = Tool::getBody();
    $plugin = Plugin::where('key', '=', $key)->first();
    if (!$plugin) {
        throw new ResourceNotFound('Plugin', $key);
    }
    if (!$plugin->permissions()->where('admin', '=', true)->where('user_id', '=', $user->id)->first()) {
        throw new LackPermission('manage_permissions', 'Plugin', $key);
    }
    if (!isset($body->username) || gettype($body->username) != 'string') {
        throw new InvalidField('username');
    }
    // verify user has the admin flag on the plugin
    // otherwise reject
    $target_user = User::where('username', '=', $body->username)->first();
    if (!$target_user) {
        throw new ResourceNotFound('User', $body->username);
    }
    if ($plugin->permissions->find($target_user)) {
        throw new RightAlreadyExist($body->username, $plugin->key);
    }
    $plugin->permissions()->attach($target_user);
    $app->halt(200);
});
$plugin_delete_permission = Tool::makeEndpoint(function ($key, $username) use($app) {
    OAuthHelper::needsScopes(['user', 'plugin:card']);
    $user = OAuthHelper::currentlyAuthed();
    // reject if plugin not found
    $plugin = Plugin::where('key', '=', $key)->first();
    if (!$plugin) {