5124: Experiments

Author: rimi-itk

composer.json

@@ -59,7 +59,8 @@
         "drupal/viewsreference": "^2.0@beta",
         "drupal/xls_serialization": "^2.0",
         "drush/drush": "^12.2",
-        "jjj/chosen": "2.2.1"
+        "jjj/chosen": "2.2.1",
+        "os2loop/os2loop_login_hack": "^1.0"
     },
     "require-dev": {
         "dealerdirect/phpcodesniffer-composer-installer": "^1.0",
@@ -111,6 +112,16 @@
                 }
             }
         },
+        "os2loop/os2loop_login_hack": {
+            "type": "path",
+            "url": "web/profiles/custom/os2loop/modules/os2loop_login_hack",
+            "options": {
+                "symlink": false,
+                "versions": {
+                    "os2loop/os2loop_login_hack": "1.0-dev"
+                }
+            }
+        },
         "drupal/views_flag_refresh": {
             "type": "package",
             "package": {

composer.lock

@@ -0,0 +1,2 @@
+composer.lock
+vendor/

web/profiles/custom/os2loop/modules/os2loop_login_hack/.gitignore

@@ -0,0 +1,15 @@
+{
+    "name": "os2loop/os2loop_login_hack",
+    "description": "drupal/os2loop_login_hack",
+    "license": "GPL-2.0+",
+    "type": "os2loop-custom-module",
+    "authors": [
+        {
+            "name": "Mikkel Ricky",
+            "email": "rimi@aarhus.dk"
+        }
+    ],
+    "require": {
+        "firebase/php-jwt": "^6.11"
+    }
+}

web/profiles/custom/os2loop/modules/os2loop_login_hack/composer.json

@@ -0,0 +1,7 @@
+name: 'os2loop_login_hack'
+type: module
+description: 'os2loop_login_hack'
+package: Custom
+core_version_requirement: ^10 || ^11
+dependencies:
+  - drupal:user

web/profiles/custom/os2loop/modules/os2loop_login_hack/os2loop_login_hack.info.yml

@@ -0,0 +1,17 @@
+os2loop_login_hack.start:
+  path: '/os2loop-login-hack/start'
+  defaults:
+    _title: 'Start login hack'
+    _controller: '\Drupal\os2loop_login_hack\Controller\Os2loopLoginHackController::start'
+  methods: [POST]
+  requirements:
+    _role: 'anonymous'
+
+os2loop_login_hack.authenticate:
+  path: '/os2loop-login-hack/authenticate'
+  defaults:
+    _title: 'Authenticate'
+    _controller: '\Drupal\os2loop_login_hack\Controller\Os2loopLoginHackController::authenticate'
+  methods: [GET]
+  requirements:
+    _role: 'anonymous'

web/profiles/custom/os2loop/modules/os2loop_login_hack/os2loop_login_hack.routing.yml

@@ -0,0 +1,4 @@
+services:
+  logger.channel.os2loop_login_hack:
+    parent: logger.channel_base
+    arguments: ['os2loop_login_hack']

web/profiles/custom/os2loop/modules/os2loop_login_hack/os2loop_login_hack.services.yml

@@ -0,0 +1,165 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\os2loop_login_hack\Controller;
+
+use Drupal\Component\Datetime\TimeInterface;
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Routing\TrustedRedirectResponse;
+use Drupal\Core\Url;
+use Drupal\user\Entity\User;
+use Drupal\user\UserStorageInterface;
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Returns responses for os2loop_login_hack routes.
+ */
+final class Os2loopLoginHackController extends ControllerBase {
+  private const JWT_KEY = 'os2loop_login_hack';
+
+  /**
+   * The user storage.
+   */
+  private readonly UserStorageInterface $userStorage;
+
+  /**
+   * Constructor.
+   */
+  public function __construct(
+    EntityTypeManagerInterface $entityTypeManager,
+    private readonly TimeInterface $time,
+    #[Autowire(service: 'logger.channel.os2loop_login_hack')]
+    private readonly LoggerInterface $logger,
+  ) {
+    $this->userStorage = $entityTypeManager->getStorage('user');
+  }
+
+  /**
+   * Start user authentication.
+   */
+  public function start(Request $request): Response {
+    try {
+      $data = json_decode($request->getContent(), associative: TRUE, flags: JSON_THROW_ON_ERROR);
+      $username = $data['username'] ?? NULL;
+      if (empty($username)) {
+        throw new BadRequestHttpException('Missing username');
+      }
+
+      $user = $this->loadUser($username);
+      if (empty($user)) {
+        // Don't disclose whether or not the user exists.
+        throw new BadRequestHttpException();
+      }
+
+      // Check that we can get userinfo.
+      $userinfo = $this->getUserinfo($user);
+      if (empty($userinfo)) {
+        throw new BadRequestHttpException();
+      }
+
+      // https://github.com/firebase/php-jwt?tab=readme-ov-file#example
+      $payload = [
+        // Issued at.
+        'iat' => $this->time->getRequestTime(),
+        // Expire af 60 seconds.
+        'exp' => $this->time->getRequestTime() + 60,
+        'username' => $username,
+      ];
+      $jwt = JWT::encode($payload, self::JWT_KEY, 'HS256');
+
+      $url = Url::fromRoute('os2loop_login_hack.authenticate', [
+        'username' => $username,
+        'jwt' => $jwt,
+      ])->setAbsolute()->toString(TRUE)->getGeneratedUrl();
+
+      return new JsonResponse([
+        'authenticate_url' => $url,
+        'jwt' => $jwt,
+      ]);
+    }
+    catch (\Exception $exception) {
+      $this->logger->error('start: @message', ['@message' => $exception->getMessage(), $exception]);
+      throw new BadRequestException($exception->getMessage());
+    }
+  }
+
+  /**
+   * Authenticate user.
+   */
+  public function authenticate(Request $request): Response {
+    try {
+      $username = $request->get('username');
+      $jwt = $request->get('jwt');
+      if (empty($username) || empty($jwt)) {
+        throw new BadRequestHttpException();
+      }
+
+      $payload = (array) JWT::decode($jwt, new Key(self::JWT_KEY, 'HS256'));
+      $username = $payload['username'] ?? NULL;
+      if (empty($username)) {
+        throw new BadRequestHttpException();
+      }
+
+      $user = $this->loadUser($username);
+      if (empty($user)) {
+        // Don't disclose whether or not the user exists.
+        throw new BadRequestHttpException();
+      }
+
+      $this->updateUser($user);
+
+      user_login_finalize($user);
+
+      $url = Url::fromRoute('<front>')->setAbsolute()->toString(TRUE)->getGeneratedUrl();
+      $this->messenger()->addStatus($this->t('Welcome @user.', ['@user' => $user->getDisplayName()]));
+
+      return new TrustedRedirectResponse($url);
+    }
+    catch (\Exception $exception) {
+      $this->logger->error('start: @message', ['@message' => $exception->getMessage(), $exception]);
+      throw new BadRequestException($exception->getMessage());
+    }
+  }
+
+  /**
+   * Load user by username.
+   *
+   * @param string $username
+   *   The username.
+   *
+   * @return \Drupal\user\Entity\User|null
+   *   The user if any.
+   */
+  private function loadUser(string $username): ?User {
+    $users = $this->userStorage->loadByProperties(['name' => $username]);
+
+    return reset($users) ?: NULL;
+  }
+
+  /**
+   * Update user with info from IdP.
+   */
+  private function updateUser(User $user): User {
+    // $userinfo = $this->getUserinfo($user);
+    // @todo Update user.
+    return $user;
+  }
+
+  /**
+   * Get user info from userinfo endpoint.
+   */
+  private function getUserinfo(): array {
+    return [];
+  }
+
+}