summaryrefslogtreecommitdiff
path: root/controllers/auth.php
diff options
context:
space:
mode:
Diffstat (limited to 'controllers/auth.php')
-rw-r--r--controllers/auth.php47
1 files changed, 28 insertions, 19 deletions
diff --git a/controllers/auth.php b/controllers/auth.php
index 299bde2..cd4c78e 100644
--- a/controllers/auth.php
+++ b/controllers/auth.php
@@ -29,6 +29,8 @@ $app->get('/auth/start', function() use($app) {
$_SESSION['reply'] = $params['reply'];
}
+ $_SESSION['attempted_me'] = $me;
+
$authorizationEndpoint = IndieAuth\Client::discoverAuthorizationEndpoint($me);
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
$micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
@@ -127,22 +129,6 @@ $app->get('/auth/callback', function() use($app) {
$req = $app->request();
$params = $req->params();
- // Double check there is a "me" parameter
- // Should only fail for really hacked up requests
- if(!array_key_exists('me', $params) || !($me = IndieAuth\Client::normalizeMeURL($params['me']))) {
- if(array_key_exists('me', $params))
- $error = 'The ID you entered, <strong>' . $params['me'] . '</strong> is not valid.';
- else
- $error = 'There was no "me" parameter in the callback.';
- $html = render('auth_error', array(
- 'title' => 'Auth Callback',
- 'error' => 'Invalid "me" Parameter',
- 'errorDescription' => $error
- ));
- $app->response()->body($html);
- return;
- }
-
// If there is no state in the session, start the login again
if(!array_key_exists('auth_state', $_SESSION)) {
$app->redirect('/auth/start?me='.urlencode($params['me']));
@@ -165,7 +151,7 @@ $app->get('/auth/callback', function() use($app) {
$html = render('auth_error', array(
'title' => 'Auth Callback',
'error' => 'Missing state parameter',
- 'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt.'
+ 'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt, or your authorization server failed to pass back the "state" parameter.'
));
$app->response()->body($html);
return;
@@ -181,6 +167,17 @@ $app->get('/auth/callback', function() use($app) {
return;
}
+ if(!isset($_SESSION['attempted_me'])) {
+ $html = render('auth_error', [
+ 'title' => 'Auth Callback',
+ 'error' => 'Missing data',
+ 'errorDescription' => 'We forgot who was logging in. It\'s possible you took too long to finish signing in, or something got mixed up by signing in in another tab.'
+ ]);
+ $app->response()->body($html);
+ return;
+ }
+ $me = $_SESSION['attempted_me'];
+
// Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.
// An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.
@@ -189,7 +186,7 @@ $app->get('/auth/callback', function() use($app) {
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
if($tokenEndpoint) {
- $token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), Config::$base_url, k($params,'state'), true);
+ $token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $me, buildRedirectURI(), Config::$base_url, k($params,'state'), true);
} else {
$token = array('auth'=>false, 'response'=>false);
@@ -199,8 +196,19 @@ $app->get('/auth/callback', function() use($app) {
// If a valid access token was returned, store the token info in the session and they are signed in
if(k($token['auth'], array('me','access_token','scope'))) {
+ // Double check that the domain of the returned "me" matches the expected
+ if(parse_url($token['auth']['me'], PHP_URL_HOST) != parse_url($me, PHP_URL_HOST)) {
+ $html = render('auth_error', [
+ 'title' => 'Error Signing In',
+ 'error' => 'Invalid user',
+ 'errorDescription' => 'The user URL that was returned in the access token did not match the domain of the user signing in.'
+ ]);
+ $app->response()->body($html);
+ return;
+ }
+
$_SESSION['auth'] = $token['auth'];
- $_SESSION['me'] = $params['me'];
+ $_SESSION['me'] = $me = $token['auth']['me'];
$user = ORM::for_table('users')->where('url', $me)->find_one();
if($user) {
@@ -228,6 +236,7 @@ $app->get('/auth/callback', function() use($app) {
}
unset($_SESSION['auth_state']);
+ unset($_SESSION['attempted_me']);
if($redirectToDashboardImmediately || k($_SESSION, 'dontask')) {
unset($_SESSION['dontask']);