Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
100.00% |
104 / 104 |
|
100.00% |
11 / 11 |
CRAP | |
100.00% |
1 / 1 |
SocialLogin | |
100.00% |
104 / 104 |
|
100.00% |
11 / 11 |
46 | |
100.00% |
1 / 1 |
__construct | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
3 | |||
isLoginRequired | |
100.00% |
12 / 12 |
|
100.00% |
1 / 1 |
8 | |||
login | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
logout | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
getUser | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
3 | |||
getLogoutHref | |
100.00% |
2 / 2 |
|
100.00% |
1 / 1 |
1 | |||
getRouters | |
100.00% |
24 / 24 |
|
100.00% |
1 / 1 |
8 | |||
parseConfig | |
100.00% |
19 / 19 |
|
100.00% |
1 / 1 |
10 | |||
getProvider | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
2 | |||
parseState | |
100.00% |
13 / 13 |
|
100.00% |
1 / 1 |
6 | |||
generateState | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
3 |
1 | <?php |
2 | |
3 | namespace Miniframe\SocialLogin\Middleware; |
4 | |
5 | use Miniframe\Core\AbstractMiddleware; |
6 | use Miniframe\Core\Config; |
7 | use Miniframe\Core\Registry; |
8 | use Miniframe\Core\Request; |
9 | use Miniframe\Middleware\Session; |
10 | use Miniframe\Response\RedirectResponse; |
11 | use Miniframe\SocialLogin\Controller\Email; |
12 | use Miniframe\SocialLogin\Controller\Login; |
13 | use Miniframe\SocialLogin\Model\User; |
14 | use Miniframe\SocialLogin\Provider\ProviderInterface; |
15 | |
16 | class SocialLogin extends AbstractMiddleware |
17 | { |
18 | /** |
19 | * Base URL for the Social Login pages |
20 | * |
21 | * @var string |
22 | */ |
23 | protected $socialLoginPrefixUrl; |
24 | |
25 | /** |
26 | * Reference to the Session middleware |
27 | * |
28 | * @var Session |
29 | */ |
30 | protected $session; |
31 | |
32 | /** |
33 | * List of all enabled providers (FQCNs) |
34 | * |
35 | * @var array |
36 | */ |
37 | protected $providers = array(); |
38 | |
39 | /** |
40 | * Initiates the Social Login middleware |
41 | * |
42 | * @param Request $request Reference to the Request object. |
43 | * @param Config $config Reference to the config. |
44 | */ |
45 | public function __construct(Request $request, Config $config) |
46 | { |
47 | parent::__construct($request, $config); |
48 | $this->parseConfig(); |
49 | |
50 | // We require sessions to store the user login |
51 | if (!Registry::has(Session::class)) { |
52 | throw new \RuntimeException( |
53 | 'The SocialLogin extension requires the Session middleware' |
54 | . ' (https://bitbucket.org/miniframe/core/src/v1/src/Middleware/Session.md)' |
55 | ); |
56 | } |
57 | $this->session = Registry::get(Session::class); |
58 | |
59 | // Determine URLs |
60 | $baseHref = $config->get('framework', 'base_href'); |
61 | $this->socialLoginPrefixUrl = $baseHref . '_SOCIALLOGIN/'; |
62 | |
63 | // Validate the current URL, if access is granted |
64 | $fullPath = '/' . implode('/', $request->getPath()); |
65 | |
66 | if ($this->isLoginRequired($baseHref, $fullPath)) { |
67 | // Validate session, maybe throw a new RedirectResponse() to a login page. |
68 | $state = [ |
69 | 'redirectUrl' => $fullPath, // After logging in, redirect back to this URL |
70 | ]; |
71 | throw new RedirectResponse( |
72 | $this->socialLoginPrefixUrl . 'login?state=' . rawurlencode(SocialLogin::generateState($state)) |
73 | ); |
74 | } |
75 | } |
76 | |
77 | /** |
78 | * Verify if a login is required |
79 | * |
80 | * @param string $baseHref The base href. |
81 | * @param string $fullPath The full path. |
82 | * |
83 | * @return boolean |
84 | */ |
85 | protected function isLoginRequired(string $baseHref, string $fullPath): bool |
86 | { |
87 | $sessionData = $this->session->get('_SOCIALLOGIN'); |
88 | |
89 | // Exclusions |
90 | $exclusionBase = $this->request->isShellRequest() ? '/' : $baseHref; |
91 | $excludeList = $this->config->has('sociallogin', 'exclude') ? $this->config->get('sociallogin', 'exclude') : []; |
92 | foreach ($excludeList as $excludePath) { |
93 | $regex = '/^' |
94 | . str_replace(['?', '\\*'], ['.', '.*?'], preg_quote($exclusionBase . ltrim($excludePath, '/'), '/')) |
95 | . '$/'; |
96 | if (preg_match($regex, $fullPath)) { |
97 | return false; |
98 | } |
99 | } |
100 | |
101 | // Requests starting with _SOCIALLOGIN are always open; they're for authentication. |
102 | if (substr($fullPath, 0, strlen($this->socialLoginPrefixUrl)) === $this->socialLoginPrefixUrl) { |
103 | return false; |
104 | } |
105 | // We're logged in, no authentication required |
106 | if (isset($sessionData['loggedin']) && $sessionData['loggedin'] === true) { |
107 | return false; |
108 | } |
109 | |
110 | return true; |
111 | } |
112 | |
113 | /** |
114 | * Logs in with a specific user |
115 | * |
116 | * @param User $user The user object. |
117 | * |
118 | * @return void |
119 | */ |
120 | public function login(User $user): void |
121 | { |
122 | $sessionData = $this->session->get('_SOCIALLOGIN'); |
123 | $sessionData['loggedin'] = true; |
124 | $sessionData['user'] = $user; |
125 | $this->session->set('_SOCIALLOGIN', $sessionData); |
126 | } |
127 | |
128 | /** |
129 | * Logs out the current user |
130 | * |
131 | * @return void |
132 | */ |
133 | public function logout(): void |
134 | { |
135 | $sessionData = $this->session->get('_SOCIALLOGIN'); |
136 | $sessionData['loggedin'] = false; |
137 | unset($sessionData['user']); |
138 | $this->session->set('_SOCIALLOGIN', $sessionData); |
139 | } |
140 | |
141 | /** |
142 | * Returns the user of the user that's currently logged in. |
143 | * |
144 | * @return User|null |
145 | */ |
146 | public function getUser(): ?User |
147 | { |
148 | $sessionData = $this->session->get('_SOCIALLOGIN'); |
149 | if (!isset($sessionData['loggedin']) || $sessionData['loggedin'] !== true) { |
150 | return null; |
151 | } |
152 | return $sessionData['user'] ?? null; |
153 | } |
154 | |
155 | /** |
156 | * Returns the URL to the logout page |
157 | * |
158 | * @return string |
159 | */ |
160 | public function getLogoutHref(): string |
161 | { |
162 | $state = ['redirectUrl' => '/' . implode('/', $this->request->getPath())]; |
163 | return $this->socialLoginPrefixUrl . 'logout?state=' . rawurlencode(SocialLogin::generateState($state)); |
164 | } |
165 | |
166 | /** |
167 | * Adds the Social Login routes |
168 | * |
169 | * @return array |
170 | */ |
171 | public function getRouters(): array |
172 | { |
173 | return [function (): ?callable { |
174 | $comparePath = explode('/', trim($this->socialLoginPrefixUrl, '/')); |
175 | foreach ($comparePath as $index => $path) { |
176 | if ($this->request->getPath($index) != $path) { |
177 | return null; |
178 | } |
179 | } |
180 | |
181 | // What's the subcommand? |
182 | $subCommand = $this->request->getPath(++$index); |
183 | |
184 | // Email provider |
185 | if ($subCommand == 'email') { |
186 | $action = $this->request->getPath(++$index); |
187 | if (!method_exists(Email::class, $action)) { |
188 | return null; |
189 | } |
190 | return [ |
191 | new Email($this->request, $this->config, $this, $this->socialLoginPrefixUrl, $this->session), |
192 | $action |
193 | ]; |
194 | } |
195 | |
196 | // Is the subcommand valid in the Login controller? |
197 | if ($subCommand && !method_exists(Login::class, $subCommand)) { |
198 | return null; |
199 | } |
200 | |
201 | // Is a provider specified? |
202 | $providerName = $this->request->getPath(++$index); |
203 | |
204 | // Regular provider |
205 | if ($providerName) { |
206 | $providerFQCN = $this->getProvider($providerName); |
207 | $provider = new $providerFQCN($this->request, $this->config); /* @var $provider ProviderInterface */ |
208 | } |
209 | |
210 | return [ |
211 | new Login( |
212 | $this->request, |
213 | $this->config, |
214 | $this, |
215 | $this->socialLoginPrefixUrl, |
216 | $this->providers, |
217 | $provider ?? null |
218 | ), |
219 | $subCommand ?? 'login' |
220 | ]; |
221 | }]; |
222 | } |
223 | |
224 | /** |
225 | * Parses the config and populates the 'providers' array |
226 | * |
227 | * @return void |
228 | */ |
229 | protected function parseConfig(): void |
230 | { |
231 | // Fetch state secret |
232 | static::$stateSecret = $this->config->get('sociallogin', 'state_secret'); |
233 | |
234 | // Fetch provider configuration |
235 | $providers = $this->config->get('sociallogin', 'providers'); |
236 | if (!is_array($providers)) { |
237 | throw new \RuntimeException( |
238 | 'The providers config value should be a list. (see ' |
239 | . 'https://bitbucket.org/miniframe/miniframe-social-login/src/v1/README.md for more)' |
240 | ); |
241 | } |
242 | |
243 | // Do the providers exist? |
244 | foreach ($providers as $provider) { |
245 | $provider = strtolower($provider); |
246 | if (class_exists('App\\SocialLogin\\Provider\\' . ucfirst($provider))) { |
247 | $this->providers[$provider] = 'App\\SocialLogin\\Provider\\' . ucfirst($provider); |
248 | } elseif (class_exists('Miniframe\\SocialLogin\\Provider\\' . ucfirst($provider))) { |
249 | $this->providers[$provider] = 'Miniframe\\SocialLogin\\Provider\\' . ucfirst($provider); |
250 | } else { |
251 | throw new \RuntimeException( |
252 | 'Provider "' . $provider . '" not found in namespaces ' |
253 | . 'Miniframe\\SocialLogin\\Provider and' |
254 | . 'App\\SocialLogin\\Provider.' |
255 | ); |
256 | } |
257 | } |
258 | |
259 | // Do the providers implement the correct interface? |
260 | foreach ($this->providers as $provider) { |
261 | if (!in_array(ProviderInterface::class, class_implements($provider))) { |
262 | throw new \RuntimeException($provider . ' does not implement ' . ProviderInterface::class); |
263 | } |
264 | } |
265 | |
266 | // Is autologin legal? |
267 | if ( |
268 | $this->config->has('sociallogin', 'autologin') |
269 | && $this->config->get('sociallogin', 'autologin') == true |
270 | && count($providers) > 1 |
271 | ) { |
272 | throw new \InvalidArgumentException('Autologin can\'t be enabled when there is more then 1 provider'); |
273 | } |
274 | } |
275 | |
276 | /** |
277 | * Returns a provider fully qualified class name by its config name |
278 | * |
279 | * @param string $provider Config name of the provider. |
280 | * |
281 | * @return string |
282 | */ |
283 | protected function getProvider(string $provider): string |
284 | { |
285 | $provider = strtolower($provider); |
286 | if (!isset($this->providers[$provider])) { |
287 | throw new \RuntimeException('Provider ' . $provider . ' not found'); |
288 | } |
289 | return $this->providers[$provider]; |
290 | } |
291 | |
292 | /** |
293 | * Should contain the state secret |
294 | * |
295 | * @var string|null |
296 | */ |
297 | protected static $stateSecret; |
298 | |
299 | /** |
300 | * Parses a state string |
301 | * |
302 | * @param string|null $data The state as base64-encoded, json-encoded string. |
303 | * |
304 | * @return array |
305 | */ |
306 | public static function parseState(?string $data): array |
307 | { |
308 | if (!static::$stateSecret) { |
309 | throw new \RuntimeException('No state secret configured. Please configure a state secret.'); |
310 | } |
311 | if (!$data) { |
312 | return array(); |
313 | } |
314 | |
315 | // Decodes content, if it's an empty array, don't validate. |
316 | $decoded = json_decode(base64_decode($data), true, 2, JSON_THROW_ON_ERROR); |
317 | if (!$decoded) { |
318 | return array(); |
319 | } |
320 | |
321 | // Validate! |
322 | $validateArray = $decoded; |
323 | unset($validateArray['validate']); |
324 | $validateString = sha1(static::$stateSecret . serialize($validateArray)); |
325 | |
326 | if (!isset($decoded['validate']) || $validateString !== $decoded['validate']) { |
327 | throw new \UnexpectedValueException('The state looks tampered'); |
328 | } |
329 | |
330 | return $decoded; |
331 | } |
332 | |
333 | /** |
334 | * Converts an array to a base64-encoded, json-encoded string. |
335 | * |
336 | * @param array $data The data array. |
337 | * |
338 | * @return string |
339 | */ |
340 | public static function generateState(array $data): string |
341 | { |
342 | if (!static::$stateSecret) { |
343 | throw new \RuntimeException('No state secret configured. Please configure a state secret.'); |
344 | } |
345 | |
346 | $validateArray = $data; |
347 | if (isset($validateArray['validate'])) { |
348 | unset($validateArray['validate']); |
349 | } |
350 | $data['validate'] = sha1(static::$stateSecret . serialize($validateArray)); |
351 | |
352 | return base64_encode(json_encode($data, JSON_THROW_ON_ERROR)); |
353 | } |
354 | } |