Added support for multiple users

This commit is contained in:
Mark Wane 2024-07-17 19:50:39 +01:00
parent 7812d56d02
commit c2c7af38a5
Signed by: mark
GPG key ID: 406607E3C6A78C73


@ -1,5 +1,5 @@
<?php <?php
/* Single user IndieAuth endpoint using server envvars from SSO /* Multi-user IndieAuth endpoint using server envvars from SSO
* Based on https://github.com/inklings-io/selfauth * Based on https://github.com/inklings-io/selfauth
*/ */
require_once 'functions.php'; require_once 'functions.php';
@ -16,21 +16,31 @@ if ( ! is_null($code) ){
if ( ! ( if ( ! (
is_string($code) && is_string($code) &&
is_string($redirect_uri) && is_string($redirect_uri) &&
is_string($client_id) && is_string($client_id)
verify_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, $code )
) ) { ) ) {
$error = 'Invalid request';
http_response_code(400);
include 'form.php';
die();
}
$code_parts = explode(':', $code, 3);
$suffix_parts = explode(':', base64_url_decode( $code_parts[2] ), 2 );
$user = $suffix_parts[0];
if ( ! verify_signed_code( APP_KEY, $user . $redirect_uri . $client_id, $code ) ) {
$error = 'Invalid code'; $error = 'Invalid code';
http_response_code(400); http_response_code(400);
include 'form.php'; include 'form.php';
die(); die();
} }
$response = array('me' => USER_URL); $response = array('me' => USER_URLS[$user]);
$code_parts = explode(':', $code, 3);
$accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*'; $accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*';
if ( '' !== $code_parts[2] ) { if ( '' !== $suffix_parts[1] ) {
$response['scope'] = base64_url_decode($code_parts[2]); $response['scope'] = $suffix_parts[1];
} }
$json = get_q_value('application/json', $accept_header); $json = get_q_value('application/json', $accept_header);
@ -52,13 +62,14 @@ if ( ! is_null($code) ){
// No code submitted, // No code submitted,
// Check login // Check login
if ( is_null($_SERVER["REMOTE_USER"]) ) { $user = $_SERVER["REMOTE_USER"];
if ( is_null($user) ) {
$error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>'; $error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>';
http_response_code(403); http_response_code(403);
include 'form.php'; include 'form.php';
die(); die();
} elseif ( USER_NAME !== $_SERVER["REMOTE_USER"] ){ } elseif ( ! array_key_exists( $user, USER_URLS ) ){
$error = 'This system is for ' . USER_NAME . ' only.'; $error = 'Account not provisioned';
http_response_code(403); http_response_code(403);
include 'form.php'; include 'form.php';
die(); die();
@ -108,7 +119,8 @@ if ( ! is_null($csrf_code) ) {
$scope = implode( ' ', $scope ); $scope = implode( ' ', $scope );
} }
$code = create_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, 5 * 60, $scope ); $suffix = $user . ':' . $scope;
$code = create_signed_code( APP_KEY, $user . $redirect_uri . $client_id, 5 * 60, $suffix );
$final_redir = $redirect_uri; $final_redir = $redirect_uri;
if ( strpos($redirect_uri, '?') === false ) { if ( strpos($redirect_uri, '?') === false ) {
@ -119,7 +131,7 @@ if ( ! is_null($csrf_code) ) {
$parameters = array( $parameters = array(
'code' => $code, 'code' => $code,
'me' => USER_URL 'me' => USER_URLS[$user]
); );
if ( ! is_null($state) ) { if ( ! is_null($state) ) {
$parameters['state'] = $state; $parameters['state'] = $state;
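Review bot: In the exchange hunk, `$user` is parsed out of the submitted `code` before anything has been verified, and `$code_parts[2]` and `$suffix_parts[1]` are read without checking that `explode()` actually produced three and two parts, so a malformed `code` (no second `:`, or a decoded suffix with no `:`) raises undefined-offset warnings and feeds an empty user into `verify_signed_code()`; the enclosing `if ( ! is_null($code) )` block starts before this hunk. The signed material is the bare concatenation `$user . $redirect_uri . $client_id`, and the commit adds a third unseparated field to it: whether a suffix naming a different user can still verify (e.g. user `ab` with redirect `c…` versus user `a` with redirect `bc…`) depends on `create_signed_code()` covering the suffix with the MAC, which is not visible here — confirm that in functions.php, and consider joining the three fields with a delimiter that cannot occur in any of them. `$user` is also only consulted via `USER_URLS[$user]` after the signature check, so an account removed from `USER_URLS` within the five-minute code lifetime yields `'me' => null` instead of an error. The shape and provisioning checks below reject all of these cases before the signature is even computed.
```php
$code_parts = explode(':', $code, 3);
// Require the exact three-part shape before touching the suffix at all.
$suffix_parts = count($code_parts) === 3
    ? explode(':', base64_url_decode($code_parts[2]), 2)
    : array();
if ( count($suffix_parts) !== 2 || ! array_key_exists($suffix_parts[0], USER_URLS) ) {
    $error = 'Invalid code';
    http_response_code(400);
    include 'form.php';
    die();
}
$user = $suffix_parts[0];
// … unchanged: verify_signed_code() check and response construction …
```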