From b217e836543c89d872c8f692e2557c8c43da468f Mon Sep 17 00:00:00 2001 From: Robert Kaiser Date: Wed, 16 Nov 2016 04:54:45 +0100 Subject: [PATCH] KaiRo bug 392 - Create an interstitial page to confirm the user to log in --- authorize.php | 42 +++++++++++++++++++++++++++++++++++++----- authsystem.css | 21 ++++++++++++++++++++- authsystem.js | 19 +++++++++++++++++++ index.php | 2 +- 4 files changed, 77 insertions(+), 7 deletions(-) diff --git a/authorize.php b/authorize.php index 0740e23..114064f 100644 --- a/authorize.php +++ b/authorize.php @@ -30,6 +30,14 @@ $para->setAttribute('class', 'warn'); if (!count($errors)) { $session = $utils->initSession(); // Read session or create new session and set cookie. + if ($session['logged_in'] && (@$_GET['logout'] == 1)) { + $result = $db->prepare('UPDATE `auth_sessions` SET `logged_in` = FALSE WHERE `id` = :sessid;'); + if (!$result->execute(array(':sessid' => $session['id']))) { + $utils->log('logout_failure', 'session: '.$session['id']); + $errors[] = _('Unexpected error while logging out.'); + } + $session['logged_in'] = 0; + } if (intval($session['user'])) { $result = $db->prepare('SELECT `id`,`email`,`verify_hash` FROM `auth_users` WHERE `id` = :userid;'); $result->execute(array(':userid' => $session['user'])); @@ -41,7 +49,6 @@ if (!count($errors)) { else { $user = array('id' => 0, 'email' => ''); } - $pagetype = 'default'; if (is_null($session)) { $errors[] = _('The session system is not working. Please contact KaiRo.at and tell the team about this.'); } @@ -56,8 +63,8 @@ if (!count($errors)) { exit(); } - // Display an authorization form (unless the scope is email, which we always grant in this system). if (empty($_POST) && (@$request->query['scope'] != 'email')) { + // Display an authorization form (unless the scope is email, which we handle as a login request below). $para = $body->appendElement('p', sprintf(_('Hi %s!'), $user['email'])); $para->setAttribute('class', 'userwelcome'); @@ -70,9 +77,33 @@ if (!count($errors)) { $submit = $form->appendInputSubmit(_('no')); $submit->setAttribute('name', 'authorized'); } + elseif (empty($_POST) && (@$request->query['scope'] == 'email')) { + // Display an interstitial page for a login when we have email scope (verified email for logging in). + $para = $body->appendElement('p', sprintf(_('Sign in to %s using…'), $request->query['client_id'])); // XXX: put domain name from redirect URI on there instead + $para->setAttribute('class', 'signinwelcome'); + $form = $body->appendForm('', 'POST', 'loginauthform'); + $form->setAttribute('id', 'loginauthform'); + $form->setAttribute('class', 'loginarea'); + $form->appendInputRadio('user_email', 'uemail_'.md5($user['email']), $user['email'], $user['email'] == $user['email']); + $form->appendLabel('uemail_'.md5($user['email']), $user['email']); + $para = $form->appendElement('p'); + $para->setAttribute('class', 'small otheremaillinks'); + $link = $para->appendLink('#', _('Add another email address')); + $link->setAttribute('id', 'addanotheremail'); // Makes the JS put the right functionality onto the link. + $para->appendText(' '); + $link = $para->appendLink('#', _('This is not me')); + $link->setAttribute('id', 'isnotme'); // Makes the JS put the right functionality onto the link. + $authinput = $form->appendInputHidden('authorized', 'yes'); + $authinput->setAttribute('id', 'isauthorized'); + $submit = $form->appendInputSubmit(_('Sign in')); + $para = $form->appendElement('p'); + $para->setAttribute('class', 'small'); + $link = $para->appendLink('#', _('Cancel')); + $link->setAttribute('id', 'cancelauth'); // Makes the JS put the right functionality onto the link. + } else { // Handle authorize request, forwarding code in GET parameters if the user has authorized your client. - $is_authorized = ((@$_POST['authorized'] === 'yes') || ($request->query['scope'] == 'email')); + $is_authorized = (@$_POST['authorized'] === 'yes'); $server->handleAuthorizeRequest($request, $response, $is_authorized, $user['id']); /* For testing only if ($is_authorized) { @@ -92,8 +123,9 @@ if (!count($errors)) { $utils->appendLoginForm($body, $session, $user); // Save the request in the session so we can get back to fulfilling it. $result = $db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;'); - if (!$result->execute(array(':redir' => $_SERVER['REQUEST_URI'], ':sessid' => $session['id']))) { - $utils->log('redir_save_failure', 'session: '.$session['id'].', redirect: '.$_SERVER['REQUEST_URI']); + $saved_request = str_replace('&logout=1', '', $_SERVER['REQUEST_URI']); // Make sure to strip a logout to not get into a loop. + if (!$result->execute(array(':redir' => $saved_request, ':sessid' => $session['id']))) { + $utils->log('redir_save_failure', 'session: '.$session['id'].', redirect: '.$saved_request); } } } diff --git a/authsystem.css b/authsystem.css index b0d16e5..4a273f9 100644 --- a/authsystem.css +++ b/authsystem.css @@ -106,7 +106,8 @@ table.border td { .resetinfo, .verifyinfo, -.newpwdinfo { +.newpwdinfo, +.signinwelcome { margin: 5px 10px 0; /* IE8 and older do not support rem */ margin: 0.5rem 1rem 0; } @@ -119,6 +120,24 @@ table.border td { background-position: 0 50%; } +.signinwelcome { + font-size: 1.2em; +} + +.otheremaillinks > a { + background-color: #EEEEDD; + text-decoration: none; + padding: .2em; + border-radius: 3px; +} +.otheremaillinks > a:link, .otheremaillinks > a:visited { color: #BBBBBB; } +.otheremaillinks > a:hover, .otheremaillinks > a:active { color: #808080; } + +#addanotheremail { /* HACK - not implemented yet */ + background-color: transparent !important; + color: transparent !important; +} + .small { font-size: 0.75em; } diff --git a/authsystem.js b/authsystem.js index faaf975..dee8142 100644 --- a/authsystem.js +++ b/authsystem.js @@ -23,4 +23,23 @@ window.onload = function() { loginForm.setAttribute("class", "loginarea"); } } + var cancelAuth = document.getElementById("cancelauth"); + if (cancelAuth) { + cancelAuth.onclick = function() { + document.getElementById("isauthorized").value = "no"; + document.getElementById("loginauthform").submit(); + } + } + var addAnotherEmail = document.getElementById("addanotheremail"); + if (addAnotherEmail) { + addAnotherEmail.onclick = function() { + // Not implemented yet. + } + } + var isNotMe = document.getElementById("isnotme"); + if (isNotMe) { + isNotMe.onclick = function() { + location.href = location.href + "&logout=1"; + } + } } diff --git a/index.php b/index.php index ac22847..23a045d 100644 --- a/index.php +++ b/index.php @@ -40,7 +40,7 @@ if (!count($errors)) { $result = $db->prepare('UPDATE `auth_sessions` SET `logged_in` = FALSE WHERE `id` = :sessid;'); if (!$result->execute(array(':sessid' => $session['id']))) { $utils->log('logout_failure', 'session: '.$session['id']); - $errors[] = _('The email address is invalid.'); + $errors[] = _('Unexpected error while logging out.'); } $session['logged_in'] = 0; } -- 2.43.0