X-Git-Url: https://git-public.kairo.at/?a=blobdiff_plain;f=app%2Fauthutils.php-class;h=690d5e7a82e832f2ea6f720e9a396b59551f011f;hb=c80595d16281ccdfb16bd370e165bb86e759e96c;hp=44152a43ea64c3712a1b217dcee21f6ce6c8e888;hpb=04116cc5dabb951023fb511fda0dc36956d6a84a;p=authserver.git
diff --git a/app/authutils.php-class b/app/authutils.php-class
index 44152a4..690d5e7 100755
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -7,10 +7,12 @@ class AuthUtils {
// KaiRo.at authentication utilities PHP class
// This class contains helper functions for the authentication system.
//
- // function __construct($settings, $db)
+ // function __construct($settings)
// CONSTRUCTOR
// Settings are an associative array with a numeric pwd_cost field and an array pwd_nonces field.
- // The DB is a PDO object.
+ //
+ // public $settings
+ // Ab array of settings for the auth server website.
//
// public $db
// A PDO database object for interaction.
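Review bot: The constructor comment still names only `pwd_cost` and `pwd_nonces` as settings fields, but the new constructor further down reads `$settings['dbdata']` with `dsn`, `username` and `password`, so the key it now requires is undocumented here. I would add a line such as `// Settings must also contain a dbdata array with the members 'dsn', 'username' and 'password', used to open the PDO connection.` The added comment lines also carry typos: "Ab array" in this hunk, "Rend HTTP headers" in the second hunk and "netotiation" in the third. The class body continues outside this hunk.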
@@ -34,6 +36,9 @@ class AuthUtils {
// function checkForSecureConnection()
// Check is the connection is secure and return an array of error messages (empty if it's secure).
//
+ // function sendSecurityHeaders()
+ // Rend HTTP headers for improving security.
+ //
// function initSession()
// Initialize a session. Returns an associative array of all the DB fields of the session.
//
@@ -82,27 +87,43 @@ class AuthUtils {
// function pwdNeedsRehash($user)
// Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
//
+ // function setUpL10n()
+ // Set up the localization stack (gettext).
+ //
+ // function negotiateLocale($supportedLanguages)
+ // Return the language to use out of the given array of supported locales, via netotiation based on the HTTP Accept-Language header.
+ //
// function getGroupedEmails($group_id, [$exclude_email])
// Return all emails grouped in the specified group ID, optionally exclude a specific email (e.g. because you only want non-current entries)
//
+ // function getOAuthServer()
+ // Return an OAuth2 server object to use for all our actual OAuth2 interaction.
+ //
+ // function initHTMLDocument($titletext, [$headlinetext]) {
+ // initialize the HTML document for the auth system, with some elements we always use, esp. all the scripts and stylesheet.
+ // Sets the title of the document to the given title, the main headline will be the same as the title if not set explicitly.
+ // Returns an associative array with the following elements: 'document', 'html', 'head', 'title', 'body'.
+ //
// function appendLoginForm($dom_element, $session, $user, [$addfields])
// Append a login form for the given session to the given DOM element, possibly prefilling the email from the given user info array.
// The optional $addfields parameter is an array of name=>value pairs of hidden fields to add to the form.
- function __construct($settings, $db) {
+ function __construct($settings) {
// *** constructor ***
- $this->db = $db;
+ $this->settings = $settings;
+ $this->db = new PDO($this->settings['dbdata']['dsn'], $this->settings['dbdata']['username'], $this->settings['dbdata']['password']);
$this->db->exec("SET time_zone='+00:00';"); // Execute directly on PDO object, set session to UTC to make our gmdate() values match correctly.
// For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
$this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
if (array_key_exists('pwd_cost', $settings)) {
- $this->pwd_cost = $settings['pwd_cost'];
+ $this->pwd_cost = $this->settings['pwd_cost'];
}
if (array_key_exists('pwd_nonces', $settings)) {
- $this->pwd_nonces = $settings['pwd_nonces'];
+ $this->pwd_nonces = $this->settings['pwd_nonces'];
}
}
+ public $settings = null;
public $db = null;
public $running_on_localhost = false;
public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
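Review bot: The added `new PDO(...)` call in `__construct` is unguarded: a failed connection throws a PDOException from inside the constructor, and depending on the error display configuration the uncaught exception's trace can include the DSN, username and password passed here. I would catch the exception around the connection, log a generic message and fail without echoing the arguments, and pass an options array as fourth argument, e.g. `array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false)`. `public $settings` also keeps the database password on a public property for the object's lifetime; if no caller outside the class reads it (not visible from this hunk), `protected $settings = null;` would be the safer visibility. The two `array_key_exists(..., $settings)` checks still read the parameter while the assignments next to them read `$this->settings`, which is harmless but inconsistent.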
@@ -192,14 +213,14 @@ class AuthUtils {
}
else {
$utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$userid);
- $errors[] = _('The session system is not working. Please contact KaiRo.at and tell the team about this.');
+ $errors[] = _('The session system is not working.').' '._('Please contact KaiRo.at and tell the team about this.');
}
}
else {
$result = $this->db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $userid, ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
$utils->log('login_failure', 'session: '.$session['id'].', user: '.$userid);
- $errors[] = _('Login failed unexpectedly. Please contact KaiRo.at and tell the team about this.');
+ $errors[] = _('Login failed unexpectedly.').' '._('Please contact KaiRo.at and tell the team about this.');
}
else {
// After update, actually fetch the session row from the DB so we have all values.
@@ -353,6 +374,46 @@ class AuthUtils {
}
}
+ function setUpL10n() {
+ // This is an array of locale tags in browser style mapping to unix system locale codes to use with gettext.
+ $supported_locales = array(
+ 'en-US' => 'en_US',
+ 'de' => 'de_DE',
+ );
+
+ $textdomain = 'kairo_auth';
+ $textlocale = $this->negotiateLocale(array_keys($supported_locales));
+ putenv('LC_ALL='.$supported_locales[$textlocale]);
+ $selectedlocale = setlocale(LC_ALL, $supported_locales[$textlocale]);
+ bindtextdomain($textdomain, '../locale');
+ bind_textdomain_codeset($textdomain, 'utf-8');
+ textdomain($textdomain);
+ }
+
+ function negotiateLocale($supportedLanguages) {
+ $nlocale = $supportedLanguages[0];
+ $headers = getAllHeaders();
+ $accLcomp = explode(',', @$headers['Accept-Language']);
+ $accLang = array();
+ foreach ($accLcomp as $lcomp) {
+ if (strlen($lcomp)) {
+ $ldef = explode(';', $lcomp);
+ $accLang[$ldef[0]] = (float)((strpos(@$ldef[1],'q=')===0)?substr($ldef[1],2):1);
+ }
+ }
+ if (count($accLang)) {
+ $pLang = ''; $pLang_q = 0;
+ foreach ($supportedLanguages as $wantedLang) {
+ if (isset($accLang[$wantedLang]) && ($accLang[$wantedLang] > $pLang_q)) {
+ $pLang = $wantedLang;
+ $pLang_q = $accLang[$wantedLang];
+ }
+ }
+ if (strlen($pLang)) { $nlocale = $pLang; }
+ }
+ return $nlocale;
+ }
+
function getGroupedEmails($group_id, $exclude_email = '') {
$emails = array();
if (intval($group_id)) {
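Review bot: In `negotiateLocale()` the Accept-Language components become array keys without trimming, so a header written with a space after the comma, such as `en-US;q=0.5, de`, produces the key ` de`, which never matches, and `en-US` wins although `de` was preferred. A space before `q=` likewise makes the `strpos(...) === 0` test fail and the weight default to 1. Changing the split to `$ldef = array_map('trim', explode(';', $lcomp));` covers both cases. The header is client-controlled, and it is good that only members of `$supportedLanguages` can be returned, since the result indexes `$supported_locales` in `setUpL10n()`. In `setUpL10n()`, `$selectedlocale` is assigned but never checked; `setlocale()` returns false when the locale is not installed, which would be worth logging.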
@@ -365,6 +426,78 @@ class AuthUtils {
return $emails;
}
+ function getOAuthServer() {
+ // Simple server based on https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+
+ // dbata needs to be set and be an associative array with the members 'dsn', 'username', and 'password'.
+ // dsn is the Data Source Name for your database, for exmaple "mysql:dbname=my_oauth2_db;host=localhost"
+ $oauth2_storage = new OAuth2\Storage\Pdo($this->settings['dbdata']);
+
+ // Set configuration
+ $oauth2_config = array(
+ 'require_exact_redirect_uri' => false,
+ 'always_issue_new_refresh_token' => true, // Needs to be handed below as well as there it's not constructed from within the server object.
+ 'refresh_token_lifetime' => 90*24*3600,
+ );
+
+ // Pass a storage object or array of storage objects to the OAuth2 server class
+ $server = new OAuth2\Server($oauth2_storage, $oauth2_config);
+
+ // Add the "Client Credentials" grant type (it is the simplest of the grant types)
+ //$server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
+
+ // Add the "Authorization Code" grant type (this is where the oauth magic happens)
+ $server->addGrantType(new OAuth2\GrantType\AuthorizationCode($oauth2_storage));
+
+ // Add the "Refresh Token" grant type (required to get longer-living resource access by generating new access tokens)
+ $server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array('always_issue_new_refresh_token' => true)));
+
+ return $server;
+ }
+
+ function initHTMLDocument($titletext, $headlinetext = null) {
+ global $settings;
+ if (is_null($headlinetext)) { $headlinetext = $titletext; }
+ // Start HTML document as a DOM object.
+ extract(ExtendedDocument::initHTML5()); // sets $document, $html, $head, $title, $body
+ $document->formatOutput = true; // we want a nice output
+
+ $style = $head->appendElement('link');
+ $style->setAttribute('rel', 'stylesheet');
+ $style->setAttribute('href', 'authsystem.css');
+ $head->appendJSFile('authsystem.js');
+ if ($settings['piwik_enabled']) {
+ $head->setAttribute('data-piwiksite', $settings['piwik_site_id']);
+ $head->setAttribute('data-piwikurl', $settings['piwik_url']);
+ $head->appendJSFile('piwik.js', true, true);
+ }
+ $title->appendText($titletext);
+ $h1 = $body->appendElement('h1', $headlinetext);
+
+ if ($settings['piwik_enabled']) {
+ // Piwik noscript element
+ $noscript = $body->appendElement('noscript');
+ $para = $noscript->appendElement('p');
+ $img = $para->appendImage($settings['piwik_url'].'piwik.php?idsite='.$settings['piwik_site_id']);
+ $img->setAttribute('style', 'border:0;');
+ }
+
+ // Make the document not be scaled on mobile devices.
+ $vpmeta = $head->appendElement('meta');
+ $vpmeta->setAttribute('name', 'viewport');
+ $vpmeta->setAttribute('content', 'width=device-width, height=device-height');
+
+ $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.'));
+ $para->setAttribute('id', 'jswarning');
+ $para->setAttribute('class', 'warn');
+
+ return array('document' => $document,
+ 'html' => $html,
+ 'head' => $head,
+ 'title' => $title,
+ 'body' => $body);
+ }
+
function appendLoginForm($dom_element, $session, $user, $addfields = array()) {
$form = $dom_element->appendForm('./', 'POST', 'loginform');
$form->setAttribute('id', 'loginform');
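Review bot: `'require_exact_redirect_uri' => false` in `getOAuthServer()` relaxes the redirect URI check for the authorization code grant; as far as I know the library then accepts a `redirect_uri` that merely begins with the registered one, which widens where authorization codes can be delivered. Unless a registered client depends on that, I would set it to `true` or add a comment such as `// exact match disabled because <reason>` next to the option. Separately, `initHTMLDocument()` reads `global $settings` although this commit introduces `$this->settings`; using `$this->settings['piwik_enabled']` and the other keys the same way would remove the dependency on a global. The commented-out ClientCredentials line refers to `$storage`, which is not defined in this function, so it would fail if someone re-enables it as is.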