// *** constructor ***
$this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true);
if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); }
+
+ // Sanitize settings.
+ $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false;
+ $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']);
+ $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/matomo/';
+ $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/matomo/matomo-php-tracker/';
+ $this->settings['skin'] = (@$this->settings['skin'] && is_dir('skin/'.$this->settings['skin'])) ? $this->settings['skin'] : 'default';
+ $this->settings['operator_name'] = (@$this->settings['operator_name']) ? $this->settings['operator_name'] : 'Example';
+ $this->settings['operator_contact_url'] = (@$this->settings['operator_contact_url']) ? $this->settings['operator_contact_url'] : 'https://github.com/KaiRo_at/authserver/';
+ $this->settings['info_from_email'] = (@$this->settings['info_from_email']) ? $this->settings['info_from_email'] : 'noreply@example.com';
+
+ // Initialize database.
$config = new \Doctrine\DBAL\Configuration();
$connectionParams = array(
'dbname' => $this->settings['db_name'],
);
$this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
$this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection.
+ // Update DB schema if needed (if the utils PHP file has been changed since we last checked the DB, we trigger the update functionality).
try {
- $last_log = $this->db->fetchColumn('SELECT time_logged FROM fs_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
+ $last_log = $this->db->fetchColumn('SELECT time_logged FROM auth_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
$utils_mtime = filemtime(__FILE__);
}
catch (Exception $e) {
if (!$last_log || strtotime($last_log) < $utils_mtime) {
$this->updateDBSchema();
}
+
+ // Set local variables.
// For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
$this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
if (array_key_exists('pwd_cost', $this->settings)) {
if (array_key_exists('pwd_nonces', $this->settings)) {
$this->pwd_nonces = $this->settings['pwd_nonces'];
}
+ if (array_key_exists('client_reg_email_whitelist', $this->settings) && is_array($this->settings['client_reg_email_whitelist'])) {
+ // If the config lists any emails, set whitelist to them, otherwise there is no whitelist and any user can add OAuth2 clients.
+ $this->client_reg_email_whitelist = $this->settings['client_reg_email_whitelist'];
+ }
}
public $settings = null;
public $db = null;
public $running_on_localhost = false;
- public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
+ public $client_reg_email_whitelist = false;
private $pwd_cost = 10;
private $pwd_nonces = array();
}
else {
$utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$userid);
- $errors[] = _('The session system is not working.').' '._('Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ $errors[] = _('The session system is not working.').' '
+ .sprintf(_('Please <a href="%s">contact %s</a> and tell the team about this.'), $this->settings['operator_contact_url'], $this->settings['operator_name']);
}
}
else {
$result = $this->db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $userid, ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
$utils->log('login_failure', 'session: '.$session['id'].', user: '.$userid);
- $errors[] = _('Login failed unexpectedly.').' '._('Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ $errors[] = _('Login failed unexpectedly.').' '
+ .sprintf(_('Please <a href="%s">contact %s</a> and tell the team about this.'), $this->settings['operator_contact_url'], $this->settings['operator_name']);
}
else {
// After update, actually fetch the session row from the DB so we have all values.
return false;
}
+ /*
+ Some resources for how to store passwords:
+ - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
+ - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
+ oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+ */
function pwdHash($new_password) {
$hash_prefix = '';
if (count($this->pwd_nonces)) {
// Add the "Refresh Token" grant type (required to get longer-living resource access by generating new access tokens)
$server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array('always_issue_new_refresh_token' => true)));
+ // Add 'token' response type (mirroring what getDefaultResponseTypes is doing).
+ $server->addResponseType(new OAuth2\ResponseType\AccessToken($oauth2_storage, $oauth2_storage, $oauth2_config));
+
+ // Add 'code' response type (mirroring what getDefaultResponseTypes is doing).
+ $server->addResponseType(new OAuth2\ResponseType\AuthorizationCode($oauth2_storage));
+
return $server;
}
$style = $head->appendElement('link');
$style->setAttribute('rel', 'stylesheet');
$style->setAttribute('href', 'authsystem.css');
+ $style = $head->appendElement('link');
+ $style->setAttribute('rel', 'stylesheet');
+ $style->setAttribute('href', 'skin/'.$settings['skin'].'/authskin.css');
$head->appendJSFile('authsystem.js');
if ($settings['piwik_enabled']) {
$head->setAttribute('data-piwiksite', $settings['piwik_site_id']);
$head->setAttribute('data-piwikurl', $settings['piwik_url']);
$head->appendJSFile('piwik.js', true, true);
}
+ $icon = $head->appendElement('link');
+ $icon->setAttribute('rel', 'shortcut icon');
+ $icon->setAttribute('href', 'skin/'.$settings['skin'].'/icon32.png');
+ $icon->setAttribute('type', 'image/png');
$title->appendText($titletext);
$h1 = $body->appendElement('h1', $headlinetext);
$table->addColumn('logged_in', 'boolean', array('notnull' => true, 'default' => false));
$table->addColumn('time_created', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
$table->addColumn('time_expire', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
- $table->addColumn('saved_redirect', 'string', array('length' => 255, 'notnull' => true, 'default' => ''));
+ $table->addColumn('saved_redirect', 'string', array('length' => 2000, 'notnull' => true, 'default' => ''));
$table->setPrimaryKey(array('id'), 'id');
$table->addIndex(array('sesskey'), 'sesskey');
$table->addIndex(array('time_expire'), 'time_expire');
$table = $schema->createTable('oauth_access_tokens');
$table->addColumn('access_token', 'string', array('length' => 40, 'notnull' => true));
$table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
- $table->addColumn('user_id', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
$table->addColumn('expires', 'datetime', array('notnull' => true));
$table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
$table->setPrimaryKey(array('access_token'), 'access_token_pk');
$table = $schema->createTable('oauth_authorization_codes');
$table->addColumn('authorization_code', 'string', array('length' => 40, 'notnull' => true));
$table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
- $table->addColumn('user_id', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
$table->addColumn('redirect_uri', 'string', array('length' => 2000, 'notnull' => false));
$table->addColumn('expires', 'datetime', array('notnull' => true));
$table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
$table = $schema->createTable('oauth_refresh_tokens');
$table->addColumn('refresh_token', 'string', array('length' => 40, 'notnull' => true));
$table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
- $table->addColumn('user_id', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
$table->addColumn('expires', 'datetime', array('notnull' => true));
$table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
$table->setPrimaryKey(array('refresh_token'), 'refresh_token_pk');