Processing extra IDs in external authentication tokens.

Author: krulis-martin

app/config/config.local.neon.example

@@ -51,8 +51,9 @@ parameters:
   externalAuthenticators:
     - name: "cas-auth-ext"
       jwtSecret: "secretStringSharedWithExternAuth"
+      jwtAlgorithm: HS256 # optional, HS256 is default
       expiration: 60 # seconds passed since iat
-      usedAlgorithm: HS256 # optional, HS256 is default
+      extraIds: []  # additional service types whose IDs may be provided as extra IDs in the auth token
 
   emails:
     footerUrl: "%webapp.address%"

app/helpers/ExternalLogin/ExternalServiceAuthenticator.php

@@ -15,6 +15,7 @@
 use App\Model\Repository\Users;
 use App\Model\Repository\Instances;
 use App\Helpers\EmailVerificationHelper;
+use App\Helpers\FailureHelper;
 use Nette\Utils\Arrays;
 use Nette\Http\IResponse;
 use Firebase\JWT\JWT;
@@ -42,6 +43,9 @@ class ExternalServiceAuthenticator
     /** @var EmailVerificationHelper */
     public $emailVerificationHelper;
 
+    /** @var FailureHelper */
+    public $failureHelper;
+
     /**
      * @var array [ name => { jwtSecret, expiration } ]
      */
@@ -61,22 +65,25 @@ public function __construct(
         Users $users,
         Logins $logins,
         Instances $instances,
-        EmailVerificationHelper $emailVerificationHelper
+        EmailVerificationHelper $emailVerificationHelper,
+        FailureHelper $failureHelper,
     ) {
         $this->externalLogins = $externalLogins;
         $this->users = $users;
         $this->logins = $logins;
         $this->instances = $instances;
         $this->emailVerificationHelper = $emailVerificationHelper;
+        $this->failureHelper = $failureHelper;
 
         foreach ($authenticators as $auth) {
             if (!empty($auth['name'] && !empty($auth['jwtSecret']))) {
                 $this->authenticators[$auth['name']] = (object)[
                     'jwtSecret' => $auth['jwtSecret'],
                     'expiration' => Arrays::get($auth, 'expiration', 60),
                     'defaultRole' => Arrays::get($auth, 'defaultRole', null),
-                    'usedAlgorithm' => Arrays::get($auth, 'usedAlgorithm', 'HS256'),
                     // if set, users may register even when extrnal authenticator does not provide role
+                    'usedAlgorithm' => Arrays::get($auth, 'jwtAlgorithm', 'HS256'),
+                    'extraIds' => Arrays::get($auth, 'extraIds', []),
                 ];
             }
         }
@@ -144,6 +151,7 @@ public function authenticate(string $authName, string $token, string $instanceId
             }
         }
 
+        // failures throw exceptions...
         if ($user === null) {
             throw new WrongCredentialsException(
                 "User authenticated through '$authName' has no corresponding account in ReCodEx.",
@@ -158,6 +166,7 @@ public function authenticate(string $authName, string $token, string $instanceId
             );
         }
 
+        $this->handleExtraIds($user, $decodedToken, $this->authenticators[$authName]->extraIds);
 
         return $user;
     }
@@ -237,4 +246,53 @@ private function getInstance($decodedToken, string $instanceId = null): ?Instanc
 
         return null;
     }
+
+    /**
+     * Process possible additional (extra) identifiers present in the token.
+     * @param User $user being authenticated
+     * @param object $decodedToken
+     * @param string[] $allowedServices whose extra IDs may be added from the token
+     */
+    private function handleExtraIds(User $user, $decodedToken, array $allowedServices)
+    {
+        if (empty($decodedToken->extId)) {
+            return;
+        }
+
+        foreach ($decodedToken->extId as $service => $eid) {
+            if (!in_array($service, $allowedServices)) {
+                continue;  // skip services that are not allowed
+            }
+
+            $extUser = $this->externalLogins->getUser($service, $eid);
+            if ($extUser) {
+                if ($extUser->getId() !== $user->getId()) {
+                    // Identity crysis! ID belongs to another user...
+                    $this->failureHelper->report(
+                        FailureHelper::TYPE_API_ERROR,
+                        sprintf(
+                            "User '%s' was provided with extra ID '%s' (%s), "
+                                . "but that is already associated with user '%s'.",
+                            $user->getId(),
+                            $eid,
+                            $service,
+                            $extUser->getId()
+                        )
+                    );
+                }
+
+                continue; // either already exist or we cannot proceed anyway
+            }
+
+            $login = $this->externalLogins->findByUser($user, $service);
+            if ($login->getExternalId() !== $eid) {
+                // extra ID has changed (strange, but possible)
+                $login->setExternalId($eid);
+                $this->externalLogins->persist($login);
+                continue;
+            }
+
+            $this->externalLogins->connect($service, $user, $eid);
+        }
+    }
 }

app/model/entity/ExternalLogin.php

@@ -60,6 +60,11 @@ public function getExternalId(): string
         return $this->externalId;
     }
 
+    public function setExternalId(string $externalId): void
+    {
+        $this->externalId = $externalId;
+    }
+
     public function getUser(): User
     {
         return $this->user;

app/model/repository/ExternalLogins.php

@@ -11,7 +11,6 @@
  */
 class ExternalLogins extends BaseRepository
 {
-
     public function __construct(EntityManagerInterface $em)
     {
         parent::__construct($em, ExternalLogin::class);

tests/ExternalLogin/ExternalServiceAuthenticator.phpt

@@ -1,14 +1,9 @@
 <?php
 
-use App\Exceptions\BadRequestException;
 use App\Exceptions\WrongCredentialsException;
 use App\Exceptions\InvalidExternalTokenException;
 use App\Helpers\ExternalLogin\ExternalServiceAuthenticator;
-use App\Helpers\ExternalLogin\UserData;
 use App\Helpers\EmailVerificationHelper;
-use App\Model\Entity\ExternalLogin;
-use App\Model\Entity\Instance;
-use App\Model\Entity\User;
 use App\Model\Repository\Instances;
 use App\Model\Repository\ExternalLogins;
 use App\Model\Repository\Logins;
@@ -49,16 +44,17 @@ class ExternalServiceAuthenticatorTestCase extends Tester\TestCase
         $this->users = $container->getByType(Users::class);
         $this->logins = $container->getByType(Logins::class);
         $this->authenticator = new ExternalServiceAuthenticator(
-            [ [
+            [[
                 'name' => self::AUTH_NAME,
                 'jwtSecret' => self::AUTH_SECRET,
                 'expiration' => 60,
-            ] ],
+            ]],
             $this->externalLogins,
             $this->users,
             $this->logins,
             $container->getByType(Instances::class),
-            $container->getByType(EmailVerificationHelper::class)
+            $container->getByType(EmailVerificationHelper::class),
+            $container->getByType(App\Helpers\FailureHelper::class)
         );
     }
 

tests/Presenters/LoginPresenter.phpt

@@ -52,6 +52,9 @@ class TestLoginPresenter extends Tester\TestCase
     /** @var \App\Helpers\EmailVerificationHelper */
     private $emailVerificationHelper;
 
+    /** @var \App\Helpers\FailureHelper */
+    private $failureHelper;
+
     public function __construct($container)
     {
         $this->container = $container;
@@ -62,6 +65,7 @@ class TestLoginPresenter extends Tester\TestCase
         $this->externalLogins = $container->getByType(\App\Model\Repository\ExternalLogins::class);
         $this->instances = $container->getByType(\App\Model\Repository\Instances::class);
         $this->emailVerificationHelper = $container->getByType(\App\Helpers\EmailVerificationHelper::class);
+        $this->failureHelper = $container->getByType(App\Helpers\FailureHelper::class);
     }
 
     protected function setUp()
@@ -86,8 +90,8 @@ class TestLoginPresenter extends Tester\TestCase
             "POST",
             ["action" => "default"],
             [
-            "username" => $this->userLogin,
-            "password" => $this->userPassword
+                "username" => $this->userLogin,
+                "password" => $this->userPassword
             ]
         );
 
@@ -114,8 +118,8 @@ class TestLoginPresenter extends Tester\TestCase
             "POST",
             ["action" => "default"],
             [
-            "username" => $this->userLogin,
-            "password" => $this->userPassword . "42"
+                "username" => $this->userLogin,
+                "password" => $this->userPassword . "42"
             ]
         );
 
@@ -135,15 +139,16 @@ class TestLoginPresenter extends Tester\TestCase
         Assert::count(0, $events);
 
         $authenticator = new ExternalServiceAuthenticator(
-            [ [
+            [[
                 'name' => 'test-cas',
                 'jwtSecret' => 'tajnyRetezec',
-            ] ],
+            ]],
             $this->externalLogins,
             $this->users,
             $this->logins,
             $this->instances,
-            $this->emailVerificationHelper
+            $this->emailVerificationHelper,
+            $this->failureHelper
         );
 
         $user = $this->presenter->users->getByEmail($this->userLogin);
@@ -159,7 +164,7 @@ class TestLoginPresenter extends Tester\TestCase
 
         $this->presenter->externalServiceAuthenticator = $authenticator;
 
-        $request = new Request("V1:Login", "POST", ["action" => "external", "authenticatorName" => "test-cas"], [ 'token' => $token ]);
+        $request = new Request("V1:Login", "POST", ["action" => "external", "authenticatorName" => "test-cas"], ['token' => $token]);
 
         $response = $this->presenter->run($request);
         Assert::type(JsonResponse::class, $response);