Kezdőlap Felfedezés Súgó
Bejelentkezés
chiappa
/
irdb
tükrözi: https://git.snix.ch/chiappa/irdb.git
1
0
Másolás 0
Fájlok Problémák 0
Fa: aaeee67c98
Branch-ok Tag-ek
irdb
/
ui
/
src
/
Auth
/
OidcController.php

OidcController.php 3.6 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Auth;
    6. 

  6. 

  7. use App\ApiClient\ApiException;
    8. 

  8. use App\ApiClient\AuthClient;
    9. 

  9. use Psr\Http\Message\ResponseInterface;
    10. 

  10. use Psr\Http\Message\ServerRequestInterface;
    11. 

  11. use Psr\Log\LoggerInterface;
    12. 

  12. 

  13. /**
    14. 

  14.  * OIDC bring-up.
    15. 

  15.  *
    16. 

  16.  *  - `GET /login/oidc` — calls `OidcAuthenticator::authenticate()`. With
    17. 

  17.  *    no `code` query, the underlying library redirects to the IdP and
    18. 

  18.  *    `exit`s, so this method does not return in that case.
    19. 

  19.  *  - `GET /oidc/callback` — same call; this time the library sees the
    20. 

  20.  *    `code` and `state`, exchanges the code, validates the ID token,
    21. 

  21.  *    and we hydrate the session.
    22. 

  22.  *
    23. 

  23.  * If the resolved user has an "empty" role (the api's
    24. 

  24.  * `OIDC_DEFAULT_ROLE=none` case surfaces as `role = "none"` in the
    25. 

  25.  * upsert response), redirect to `/no-access` — they're authenticated
    26. 

  26.  * but unauthorized.
    27. 

  27.  */
    28. 

  28. final class OidcController
    29. 

  29. {
    30. 

  30.     public function __construct(
    31. 

  31.         private readonly OidcAuthenticator $authenticator,
    32. 

  32.         private readonly AuthClient $auth,
    33. 

  33.         private readonly SessionManager $sessions,
    34. 

  34.         private readonly LoggerInterface $logger,
    35. 

  35.         private readonly bool $enabled,
    36. 

  36.     ) {
    37. 

  37.     }
    38. 

  38. 

  39.     public function initiate(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
    40. 

  40.     {
    41. 

  41.         if (!$this->enabled) {
    42. 

  42.             return $response->withStatus(404);
    43. 

  43.         }
    44. 

  44.         // authenticate() will redirect-and-exit on the initiate path; only
    45. 

  45.         // on the callback path does it return normally. We delegate.
    46. 

  46.         return $this->finishOrFail($request, $response);
    47. 

  47.     }
    48. 

  48. 

  49.     public function callback(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
    50. 

  50.     {
    51. 

  51.         if (!$this->enabled) {
    52. 

  52.             return $response->withStatus(404);
    53. 

  53.         }
    54. 

  54. 

  55.         return $this->finishOrFail($request, $response);
    56. 

  56.     }
    57. 

  57. 

  58.     private function finishOrFail(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
    59. 

  59.     {
    60. 

  60.         try {
    61. 

  61.             $claims = $this->authenticator->authenticate();
    62. 

  62.         } catch (OidcException $e) {
    63. 

  63.             $this->logger->error('oidc handshake failed', ['error' => $e->getMessage()]);
    64. 

  64.             $this->sessions->flash('error', 'Sign-in via Microsoft failed. Please try again.');
    65. 

  65. 

  66.             return $response->withStatus(302)->withHeader('Location', '/login');
    67. 

  67.         }
    68. 

  68. 

  69.         try {
    70. 

  70.             $user = $this->auth->upsertOidc(
    71. 

  71.                 subject: $claims->subject,
    72. 

  72.                 email: $claims->email,
    73. 

  73.                 displayName: $claims->displayName,
    74. 

  74.                 groups: $claims->groups,
    75. 

  75.             );
    76. 

  76.         } catch (ApiException $e) {
    77. 

  77.             $this->logger->error('oidc upsert failed', ['error' => $e->getMessage()]);
    78. 

  78.             $this->sessions->flash('error', 'API unreachable; please retry.');
    79. 

  79. 

  80.             return $response->withStatus(302)->withHeader('Location', '/login');
    81. 

  81.         }
    82. 

  82. 

  83.         if ($user->role === 'none' || $user->role === '') {
    84. 

  84.             $this->logger->warning('oidc user has no role assigned', ['subject' => $claims->subject]);
    85. 

  85. 

  86.             return $response->withStatus(302)->withHeader('Location', '/no-access');
    87. 

  87.         }
    88. 

  88. 

  89.         $this->sessions->regenerateId();
    90. 

  90.         $this->sessions->setUser(new UserContext(
    91. 

  91.             userId: $user->userId,
    92. 

  92.             displayName: $user->displayName !== '' ? $user->displayName : ($claims->email ?? $claims->subject),
    93. 

  93.             role: $user->role,
    94. 

  94.             email: $user->email ?? $claims->email,
    95. 

  95.             source: UserContext::SOURCE_OIDC,
    96. 

  96.         ));
    97. 

  97. 

  98.         $next = $this->sessions->consumeNext() ?? '/app/dashboard';
    99. 

  99. 

  100.         return $response->withStatus(302)->withHeader('Location', $next);
    101. 

  101.     }
    102. 

  102. }
    103.