mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-06 04:41:01 +01:00
24544b1a2f
Summary: Ref T4339. Login providers use absolute URIs, but the ones that rely on local form submits should not, because we want to include CSRF tokens where applicable. Instead, make the default be relative URIs and turn them into absolute ones for the callback proivders. Test Plan: Clicked, like, every login button. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8045
257 lines
7.5 KiB
PHP
257 lines
7.5 KiB
PHP
<?php
|
|
|
|
abstract class PhabricatorAuthProviderOAuth1 extends PhabricatorAuthProvider {
|
|
|
|
protected $adapter;
|
|
|
|
const PROPERTY_CONSUMER_KEY = 'oauth1:consumer:key';
|
|
const PROPERTY_CONSUMER_SECRET = 'oauth1:consumer:secret';
|
|
const PROPERTY_PRIVATE_KEY = 'oauth1:private:key';
|
|
|
|
abstract protected function newOAuthAdapter();
|
|
|
|
public function getDescriptionForCreate() {
|
|
return pht('Configure %s OAuth.', $this->getProviderName());
|
|
}
|
|
|
|
public function getAdapter() {
|
|
if (!$this->adapter) {
|
|
$adapter = $this->newOAuthAdapter();
|
|
$this->adapter = $adapter;
|
|
$this->configureAdapter($adapter);
|
|
}
|
|
return $this->adapter;
|
|
}
|
|
|
|
protected function configureAdapter(PhutilAuthAdapterOAuth1 $adapter) {
|
|
$config = $this->getProviderConfig();
|
|
$adapter->setConsumerKey($config->getProperty(self::PROPERTY_CONSUMER_KEY));
|
|
$secret = $config->getProperty(self::PROPERTY_CONSUMER_SECRET);
|
|
if (strlen($secret)) {
|
|
$adapter->setConsumerSecret(new PhutilOpaqueEnvelope($secret));
|
|
}
|
|
$adapter->setCallbackURI(PhabricatorEnv::getURI($this->getLoginURI()));
|
|
return $adapter;
|
|
}
|
|
|
|
public function isLoginFormAButton() {
|
|
return true;
|
|
}
|
|
|
|
protected function renderLoginForm(AphrontRequest $request, $mode) {
|
|
$attributes = array(
|
|
'method' => 'POST',
|
|
'uri' => $this->getLoginURI(),
|
|
);
|
|
return $this->renderStandardLoginButton($request, $mode, $attributes);
|
|
}
|
|
|
|
public function processLoginRequest(
|
|
PhabricatorAuthLoginController $controller) {
|
|
|
|
$request = $controller->getRequest();
|
|
$adapter = $this->getAdapter();
|
|
$account = null;
|
|
$response = null;
|
|
|
|
if ($request->isHTTPPost()) {
|
|
$uri = $adapter->getClientRedirectURI();
|
|
$response = id(new AphrontRedirectResponse())->setURI($uri);
|
|
return array($account, $response);
|
|
}
|
|
|
|
$denied = $request->getStr('denied');
|
|
if (strlen($denied)) {
|
|
// Twitter indicates that the user cancelled the login attempt by
|
|
// returning "denied" as a parameter.
|
|
throw new PhutilAuthUserAbortedException();
|
|
}
|
|
|
|
// NOTE: You can get here via GET, this should probably be a bit more
|
|
// user friendly.
|
|
|
|
$token = $request->getStr('oauth_token');
|
|
$verifier = $request->getStr('oauth_verifier');
|
|
|
|
if (!$token) {
|
|
throw new Exception("Expected 'oauth_token' in request!");
|
|
}
|
|
|
|
if (!$verifier) {
|
|
throw new Exception("Expected 'oauth_verifier' in request!");
|
|
}
|
|
|
|
$adapter->setToken($token);
|
|
$adapter->setVerifier($verifier);
|
|
|
|
// NOTE: As a side effect, this will cause the OAuth adapter to request
|
|
// an access token.
|
|
|
|
try {
|
|
$account_id = $adapter->getAccountID();
|
|
} catch (Exception $ex) {
|
|
// TODO: Handle this in a more user-friendly way.
|
|
throw $ex;
|
|
}
|
|
|
|
if (!strlen($account_id)) {
|
|
$response = $controller->buildProviderErrorResponse(
|
|
$this,
|
|
pht(
|
|
'The OAuth provider failed to retrieve an account ID.'));
|
|
|
|
return array($account, $response);
|
|
}
|
|
|
|
return array($this->loadOrCreateAccount($account_id), $response);
|
|
}
|
|
|
|
public function readFormValuesFromProvider() {
|
|
$config = $this->getProviderConfig();
|
|
$id = $config->getProperty(self::PROPERTY_CONSUMER_KEY);
|
|
$secret = $config->getProperty(self::PROPERTY_CONSUMER_SECRET);
|
|
|
|
return array(
|
|
self::PROPERTY_CONSUMER_KEY => $id,
|
|
self::PROPERTY_CONSUMER_SECRET => $secret,
|
|
);
|
|
}
|
|
|
|
public function readFormValuesFromRequest(AphrontRequest $request) {
|
|
return array(
|
|
self::PROPERTY_CONSUMER_KEY
|
|
=> $request->getStr(self::PROPERTY_CONSUMER_KEY),
|
|
self::PROPERTY_CONSUMER_SECRET
|
|
=> $request->getStr(self::PROPERTY_CONSUMER_SECRET),
|
|
);
|
|
}
|
|
|
|
public function processEditForm(
|
|
AphrontRequest $request,
|
|
array $values) {
|
|
$errors = array();
|
|
$issues = array();
|
|
|
|
$key_ckey = self::PROPERTY_CONSUMER_KEY;
|
|
$key_csecret = self::PROPERTY_CONSUMER_SECRET;
|
|
|
|
if (!strlen($values[$key_ckey])) {
|
|
$errors[] = pht('Consumer key is required.');
|
|
$issues[$key_ckey] = pht('Required');
|
|
}
|
|
|
|
if (!strlen($values[$key_csecret])) {
|
|
$errors[] = pht('Consumer secret is required.');
|
|
$issues[$key_csecret] = pht('Required');
|
|
}
|
|
|
|
// If the user has not changed the secret, don't update it (that is,
|
|
// don't cause a bunch of "****" to be written to the database).
|
|
if (preg_match('/^[*]+$/', $values[$key_csecret])) {
|
|
unset($values[$key_csecret]);
|
|
}
|
|
|
|
return array($errors, $issues, $values);
|
|
}
|
|
|
|
public function extendEditForm(
|
|
AphrontRequest $request,
|
|
AphrontFormView $form,
|
|
array $values,
|
|
array $issues) {
|
|
|
|
$key_id = self::PROPERTY_CONSUMER_KEY;
|
|
$key_secret = self::PROPERTY_CONSUMER_SECRET;
|
|
|
|
$v_id = $values[$key_id];
|
|
$v_secret = $values[$key_secret];
|
|
if ($v_secret) {
|
|
$v_secret = str_repeat('*', strlen($v_secret));
|
|
}
|
|
|
|
$e_id = idx($issues, $key_id, $request->isFormPost() ? null : true);
|
|
$e_secret = idx($issues, $key_secret, $request->isFormPost() ? null : true);
|
|
|
|
$form
|
|
->appendChild(
|
|
id(new AphrontFormTextControl())
|
|
->setLabel(pht('OAuth Consumer Key'))
|
|
->setName($key_id)
|
|
->setValue($v_id)
|
|
->setError($e_id))
|
|
->appendChild(
|
|
id(new AphrontFormPasswordControl())
|
|
->setLabel(pht('OAuth Consumer Secret'))
|
|
->setName($key_secret)
|
|
->setValue($v_secret)
|
|
->setError($e_secret));
|
|
}
|
|
|
|
public function renderConfigPropertyTransactionTitle(
|
|
PhabricatorAuthProviderConfigTransaction $xaction) {
|
|
|
|
$author_phid = $xaction->getAuthorPHID();
|
|
$old = $xaction->getOldValue();
|
|
$new = $xaction->getNewValue();
|
|
$key = $xaction->getMetadataValue(
|
|
PhabricatorAuthProviderConfigTransaction::PROPERTY_KEY);
|
|
|
|
switch ($key) {
|
|
case self::PROPERTY_CONSUMER_KEY:
|
|
if (strlen($old)) {
|
|
return pht(
|
|
'%s updated the OAuth consumer key for this provider from '.
|
|
'"%s" to "%s".',
|
|
$xaction->renderHandleLink($author_phid),
|
|
$old,
|
|
$new);
|
|
} else {
|
|
return pht(
|
|
'%s set the OAuth consumer key for this provider to '.
|
|
'"%s".',
|
|
$xaction->renderHandleLink($author_phid),
|
|
$new);
|
|
}
|
|
case self::PROPERTY_CONSUMER_SECRET:
|
|
if (strlen($old)) {
|
|
return pht(
|
|
'%s updated the OAuth consumer secret for this provider.',
|
|
$xaction->renderHandleLink($author_phid));
|
|
} else {
|
|
return pht(
|
|
'%s set the OAuth consumer secret for this provider.',
|
|
$xaction->renderHandleLink($author_phid));
|
|
}
|
|
}
|
|
|
|
return parent::renderConfigPropertyTransactionTitle($xaction);
|
|
}
|
|
|
|
protected function willSaveAccount(PhabricatorExternalAccount $account) {
|
|
parent::willSaveAccount($account);
|
|
$this->synchronizeOAuthAccount($account);
|
|
}
|
|
|
|
protected function synchronizeOAuthAccount(
|
|
PhabricatorExternalAccount $account) {
|
|
$adapter = $this->getAdapter();
|
|
|
|
$oauth_token = $adapter->getToken();
|
|
$oauth_token_secret = $adapter->getTokenSecret();
|
|
|
|
$account->setProperty('oauth1.token', $oauth_token);
|
|
$account->setProperty('oauth1.token.secret', $oauth_token_secret);
|
|
}
|
|
|
|
public function willRenderLinkedAccount(
|
|
PhabricatorUser $viewer,
|
|
PHUIObjectItemView $item,
|
|
PhabricatorExternalAccount $account) {
|
|
|
|
$item->addAttribute(pht('OAuth1 Account'));
|
|
|
|
parent::willRenderLinkedAccount($viewer, $item, $account);
|
|
}
|
|
|
|
|
|
}
|