@@ -20,10 +20,11 @@ public function __construct(array $info, array $config)
2020 public function authenticate (&$ state
2121 {
2222 if (!array_key_exists ('access_token ' , $ _REQUEST
23+ && !array_key_exists ('code ' , $ _REQUEST
2324 && !array_key_exists ('HTTP_AUTHORIZATION ' , $ _SERVER
2425 ) {
2526 header ('HTTP/1.1 401 Unauthorized ' );
26- echo 'go5auth | error: access_token is required ' ;
27+ echo 'go5auth | error: access_token or code is required ' ;
2728 exit ;
2829 }
2930
@@ -40,8 +41,26 @@ public function authenticate(&$state)
4041 ? $ _REQUEST 'access_token ' ]
4142 : trim (substr ($ _SERVER 'HTTP_AUTHORIZATION ' ], 7 ));
4243
43- SimpleSAML_Logger::debug ('go5auth | access_token: ' . $ accessToken
44- $ userInfo$ this getUserInfo ($ accessToken
44+ if (!empty ($ accessToken
45+ SimpleSAML_Logger::debug ('go5auth | access_token: ' . $ accessToken
46+ $ tokenInfo$ this getTokenInfo ($ accessToken
47+ } else {
48+ $ code$ _REQUEST 'code ' ];
49+ $ hostnameisset ($ _REQUEST 'hostname ' ])
50+ ? $ _REQUEST 'hostname ' ]
51+ : $ _SERVER 'HTTP_HOST ' ];
52+
53+ SimpleSAML_Logger::debug ('go5auth | code: ' . $ code
54+ $ tokenInfo$ this getTokenInfoFromCode ($ code$ hostname
55+ }
56+
57+ if (!in_array ($ tokenInfoowner_type , ['user ' , 'sso-user ' ])) {
58+ header ('HTTP/1.1 401 Unauthorized ' );
59+ echo 'go5auth | error: invalid access_token owner type ' ;
60+ exit ;
61+ }
62+
63+ $ userInfo$ this getUserInfo ($ tokenInfouser_id , $ tokenInfoplatform_id );
4564
4665 if ($ userInfodata ->attributes ->status !== 'active ' || $ userInfodata ->attributes ->{'login-enabled ' } !== true ) {
4766 header ('HTTP/1.1 401 Unauthorized ' );
@@ -75,23 +94,59 @@ public function authenticate(&$state)
7594 SimpleSAML_Auth_Source::completeAuth ($ state
7695 }
7796
78- private function getUserInfo ($ token
97+ private function getTokenInfoFromCode ($ code$ hostname
98+ {
99+ try {
100+ $ codeResponse$ this httpClient ->post (URL_PREFIX . '/oauth/token ' , [
101+ 'form_params ' => [
102+ 'grant_type ' => 'authorization_code ' ,
103+ 'redirect_uri ' => $ hostname
104+ 'client_id ' => WEB_CLIENT_ID ,
105+ 'client_secret ' => WEB_CLIENT_SECRET ,
106+ 'code ' => $ code
107+ ]
108+ ]);
109+
110+ return json_decode ($ codeResponsegetBody ()->getContents ());
111+
112+ } catch (HttpClientException $ e
113+ header ('HTTP/1.1 401 Unauthorized ' );
114+ echo 'go5auth | error: invalid oauth code | ' . $ egetMessage ();
115+ exit ;
116+ }
117+ }
118+
119+ private function getTokenInfo ($ token
120+ {
121+ try {
122+ $ tokenResponse$ this httpClient ->get (
123+ URL_PREFIX . '/oauth/token?access_token= ' . $ token
124+ );
125+
126+ return json_decode ($ tokenResponsegetBody ()->getContents ());
127+
128+ } catch (HttpClientException $ e
129+ header ('HTTP/1.1 401 Unauthorized ' );
130+ echo 'go5auth | error: invalid access_token | ' . $ egetMessage ();
131+ exit ;
132+ }
133+ }
134+
135+ private function getUserInfo ($ userId$ platformId
79136 {
80137 try {
81- $ tokenResponse$ this httpClient ->get (URL_PREFIX . '/oauth/token?access_token= ' . $ token
82- $ tokenInfojson_decode ($ tokenResponsegetBody ()->getContents ());
83138 $ userResponse$ this httpClient ->get (
84- BASE_URI_USER_SDK . '/users/ ' . $ tokenInfo -> user_id , [
139+ BASE_URI_USER_SDK . '/users/ ' . $ userId
85140 'headers ' => [
86- 'x-go5-platform-id ' => $ tokenInfo -> platform_id ,
141+ 'x-go5-platform-id ' => $ platformId
87142 'x-app-sdk ' => 1 ,
88143 ]]);
89144
90145 return json_decode ($ userResponsegetBody ()->getContents ());
91146
92147 } catch (HttpClientException $ e
93148 header ('HTTP/1.1 401 Unauthorized ' );
94- echo 'go5auth | error: invalid access_token ' ;
149+ echo 'go5auth | error: invalid user | ' . $ e -> getMessage () ;
95150 exit ;
96151 }
97152 }
0 commit comments