X-Git-Url: https://git-public.kairo.at/?a=blobdiff_plain;ds=sidebyside;f=index.php;h=cfe66ec2669589a1b138e1b8a2cdcb33e29c1fb5;hb=b0e48c35c57284bf91bb8b3dc2da4c8a3206617c;hp=c69424b7e8f6327240a0ff6144ba896be6a098ad;hpb=4c6d80643398a11020d7f9f6c6682de90cbab9aa;p=authserver.git diff --git a/index.php b/index.php index c69424b..cfe66ec 100644 --- a/index.php +++ b/index.php @@ -18,6 +18,7 @@ $title->appendText('KaiRo.at Authentication Server'); $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server'); $errors = $utils->checkForSecureConnection(); +$utils->sendSecurityHeaders(); $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.')); $para->setAttribute('id', 'jswarning'); @@ -67,6 +68,15 @@ if (!count($errors)) { $utils->log('login', 'user: '.$user['id']); $sesskey = $utils->createSessionKey(); setcookie('sessionkey', $sesskey, 0, "", "", !$utils->running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost. + // If the session has a redirect set, make sure it's performed. + if (strlen(@$session['saved_redirect'])) { + header('Location: '.$utils->getDomainBaseURL().$session['saved_redirect']); + // Remove redirect. + $result = $db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;'); + if (!$result->execute(array(':redir' => '', ':sessid' => $session['id']))) { + $utils->log('redir_save_failure', 'session: '.$session['id'].', redirect: (empty)'); + } + } // If the session has a user set, create a new one - otherwise take existing session entry. if (intval($session['user'])) { $result = $db->prepare('INSERT INTO `auth_sessions` (`sesskey`, `time_expire`, `user`, `logged_in`) VALUES (:sesskey, :expire, :userid, TRUE);'); @@ -148,7 +158,7 @@ if (!count($errors)) { $mail->addMailText(sprintf(_('This email address, %s, has been used for registration on "%s".'), $user['email'], _('KaiRo.at Authentication Service'))."\n\n"); $mail->addMailText(_('Please confirm that registration by clicking the following link (or calling it up in your browser):')."\n"); - $mail->addMailText(($utils->running_on_localhost?'http':'https').'://'.$_SERVER['SERVER_NAME'].strstr($_SERVER['REQUEST_URI'], '?', true) + $mail->addMailText($utils->getDomainBaseURL().strstr($_SERVER['REQUEST_URI'], '?', true) .'?email='.rawurlencode($user['email']).'&verification_code='.rawurlencode($user['verify_hash'])."\n\n"); $mail->addMailText(_('With this confirmation, you accept that we handle your data for the purpose of logging you into other websites when you request that.')."\n"); $mail->addMailText(_('Those websites will get to know your email address but not your password, which we store securely.')."\n"); @@ -186,7 +196,7 @@ if (!count($errors)) { $mail->addMailText(sprintf(_('A request for setting a new password for this email address, %s, has been submitted on "%s".'), $user['email'], _('KaiRo.at Authentication Service'))."\n\n"); $mail->addMailText(_('You can set a new password by clicking the following link (or calling it up in your browser):')."\n"); - $mail->addMailText(($utils->running_on_localhost?'http':'https').'://'.$_SERVER['SERVER_NAME'].strstr($_SERVER['REQUEST_URI'], '?', true) + $mail->addMailText($utils->getDomainBaseURL().strstr($_SERVER['REQUEST_URI'], '?', true) .'?email='.rawurlencode($user['email']).'&reset_code='.rawurlencode($resetcode)."\n\n"); $mail->addMailText(_('If you do not call this confirmation link within 1 hour, this link expires and the existing password is being kept in place.')."\n\n"); $mail->addMailText(sprintf(_('The %s team'), 'KaiRo.at')); @@ -275,6 +285,39 @@ if (!count($errors)) { $errors[] = _('The password reset link you called is not valid. Possibly it has expired and you need to call the "Password forgotten?" function again.'); } } + elseif (array_key_exists('clients', $_GET)) { + $result = $db->prepare('SELECT `id`,`email` FROM `auth_users` WHERE `id` = :userid;'); + $result->execute(array(':userid' => $session['user'])); + $user = $result->fetch(PDO::FETCH_ASSOC); + if ($session['logged_in'] && $user['id']) { + if (array_key_exists('client_id', $_POST) && (strlen($_POST['client_id']) >= 5)) { + $clientid = $_POST['client_id']; + $clientsecret = $utils->createClientSecret(); + $rediruri = strval(@$_POST['redirect_uri']); + $scope = strval(@$_POST['scope']); + $result = $db->prepare('INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`, `user_id`) VALUES (:clientid, :secret, :rediruri, :scope, :userid);'); + if (!$result->execute(array(':clientid' => $clientid, + ':secret' => $clientsecret, + ':rediruri' => $rediruri, + ':scope' => $scope, + ':userid' => $user['id']))) { + $utils->log('client_save_failure', 'client: '.$clientid); + $errors[] = 'Unexpectedly failed to save new client information. Please contact KaiRo.at and tell the team about this.'; + } + } + if (!count($errors)) { + // List clients + $result = $db->prepare('SELECT `client_id`,`client_secret`,`redirect_uri`,`scope` FROM `oauth_clients` WHERE `user_id` = :userid;'); + $result->execute(array(':userid' => $user['id'])); + $clients = $result->fetchAll(PDO::FETCH_ASSOC); + if (!$clients) { $clients = array(); } + $pagetype = 'clientlist'; + } + } + else { + $errors[] = _('This function is only available if you are logged in.'); + } + } elseif (intval($session['user'])) { $result = $db->prepare('SELECT `id`,`email`,`verify_hash` FROM `auth_users` WHERE `id` = :userid;'); $result->execute(array(':userid' => $session['user'])); @@ -316,6 +359,8 @@ if (!count($errors)) { if ($pagetype == 'verification_sent') { $para = $body->appendElement('p', sprintf(_('An email for confirmation has been sent to %s. Please follow the link provided there to complete the process.'), $user['email'])); $para->setAttribute('class', 'verifyinfo pending'); + $para = $body->appendElement('p', _('Reload this page after you confirm to continue.')); + $para->setAttribute('class', 'verifyinfo pending'); } elseif ($pagetype == 'resetmail_sent') { $para = $body->appendElement('p', @@ -365,6 +410,45 @@ if (!count($errors)) { } $submit = $litem->appendInputSubmit(_('Save password')); } + elseif ($pagetype == 'clientlist') { + $scopes = array('clientreg', 'email'); + $form = $body->appendForm('?clients', 'POST', 'newclientform'); + $form->setAttribute('id', 'clientform'); + $tbl = $form->appendElement('table'); + $tbl->setAttribute('class', 'clientlist border'); + $thead = $tbl->appendElement('thead'); + $trow = $thead->appendElement('tr'); + $trow->appendElement('th', _('Client ID')); + $trow->appendElement('th', _('Client Secrect')); + $trow->appendElement('th', _('Redirect URI')); + $trow->appendElement('th', _('Scope')); + $trow->appendElement('th'); + $tbody = $tbl->appendElement('tbody'); + foreach ($clients as $client) { + $trow = $tbody->appendElement('tr'); + $trow->appendElement('td', $client['client_id']); + $trow->appendElement('td', $client['client_secret']); + $trow->appendElement('td', $client['redirect_uri']); + $trow->appendElement('td', $client['scope']); + $trow->appendElement('td'); // Future: Delete link? + } + // Form fields for adding a new one. + $tfoot = $tbl->appendElement('tfoot'); + $trow = $tfoot->appendElement('tr'); + $cell = $trow->appendElement('td'); + $inptxt = $cell->appendInputText('client_id', 80, 25, 'client_id'); + $cell = $trow->appendElement('td'); // Empty, as secret will be generated. + $cell = $trow->appendElement('td'); + $inptxt = $cell->appendInputText('redirect_uri', 500, 50, 'redirect_uri'); + $cell = $trow->appendElement('td'); + $select = $cell->appendElementSelect('scope'); + foreach ($scopes as $scope) { + $select->appendElementOption($scope, $scope); + } + //$inptxt = $cell->appendInputText('scope', 100, 20, 'scope'); + $cell = $trow->appendElement('td'); + $submit = $cell->appendInputSubmit(_('Create')); + } elseif ($session['logged_in']) { if ($pagetype == 'reset_done') { $para = $body->appendElement('p', _('Your password has successfully been reset.')); @@ -378,6 +462,10 @@ if (!count($errors)) { $ulist->setAttribute('class', 'flat'); $litem = $ulist->appendElement('li'); $link = $litem->appendLink('./?logout', _('Log out')); + if (in_array($user['email'], $utils->client_reg_email_whitelist)) { + $litem = $ulist->appendElement('li'); + $link = $litem->appendLink('./?clients', _('Manage OAuth2 clients')); + } $litem = $ulist->appendElement('li'); $litem->appendLink('./?reset', _('Set new password')); } @@ -390,34 +478,7 @@ if (!count($errors)) { $para = $body->appendElement('p', _('Your password has successfully been reset. You can log in now with the new password.')); $para->setAttribute('class', 'resetinfo done'); } - $form = $body->appendForm('./', 'POST', 'loginform'); - $form->setAttribute('id', 'loginform'); - $form->setAttribute('class', 'loginarea hidden'); - $ulist = $form->appendElement('ul'); - $ulist->setAttribute('class', 'flat login'); - $litem = $ulist->appendElement('li'); - $inptxt = $litem->appendInputEmail('email', 30, 20, 'login_email', (intval($user['id'])?$user['email']:'')); - $inptxt->setAttribute('autocomplete', 'email'); - $inptxt->setAttribute('required', ''); - $inptxt->setAttribute('placeholder', _('Email')); - $inptxt->setAttribute('class', 'login'); - $litem = $ulist->appendElement('li'); - $inptxt = $litem->appendInputPassword('pwd', 20, 20, 'login_pwd', ''); - $inptxt->setAttribute('required', ''); - $inptxt->setAttribute('placeholder', _('Password')); - $inptxt->setAttribute('class', 'login'); - $litem = $ulist->appendElement('li'); - $litem->appendLink('./?reset', _('Forgot password?')); - $litem = $ulist->appendElement('li'); - $cbox = $litem->appendInputCheckbox('remember', 'login_remember', 'true', false); - $cbox->setAttribute('class', 'logincheck'); - $label = $litem->appendLabel('login_remember', _('Remember me')); - $label->setAttribute('id', 'rememprompt'); - $label->setAttribute('class', 'loginprompt'); - $litem = $ulist->appendElement('li'); - $litem->appendInputHidden('tcode', $utils->createTimeCode($session)); - $submit = $litem->appendInputSubmit(_('Log in / Register')); - $submit->setAttribute('class', 'loginbutton'); + $utils->appendLoginForm($body, $session, $user); } }