Fixes on session cookies
Marked the opbs and rps cookies as non-encrypted; formerly these cookies were encrypted and so were useless from the JS side. Change-Id: Ic1627ab91585bd70e66cf546fd98e0f81b60962f
parent
bcd66970b7
commit
9c646d9766
|
@ -264,8 +264,10 @@ final class OAuth2ProviderController extends Controller
|
|||
*/
|
||||
public function endSession()
|
||||
{
|
||||
if(!$this->auth_service->isUserLogged())
|
||||
if(!$this->auth_service->isUserLogged()) {
|
||||
Log::debug("OAuth2ProviderController::endSession user is not logged!");
|
||||
return Response::view('errors.404', array(), 404);
|
||||
}
|
||||
|
||||
$request = new OAuth2LogoutRequest
|
||||
(
|
||||
|
|
|
@ -15,7 +15,8 @@ class EncryptCookies extends BaseEncrypter
|
|||
* @var array
|
||||
*/
|
||||
protected $except = [
|
||||
//
|
||||
'opbs',
|
||||
'rps',
|
||||
];
|
||||
|
||||
protected function decrypt(Request $request)
|
||||
|
|
|
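Review bot: Listing `opbs` and `rps` in `$except` switches off not only encryption but also the tamper check Laravel's encrypter gives cookies (it MACs its payload), so from this commit on the server cannot trust whatever comes back in those two cookies; the array should say so, e.g. replace the leftover `//` placeholder with `// readable by JS for OIDC session management; values are unauthenticated client input on the way back`. Any server-side comparison should therefore use the copy this commit also stores in the session (`Session::put(self::OPBrowserState, $opbs)` in the PrincipalService hunk) rather than the cookie value. What `rps` stands for is not visible anywhere in this commit, so the comment or the description should name it.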
@ -14,6 +14,7 @@
|
|||
|
||||
use Illuminate\Support\Facades\Cookie;
|
||||
use Illuminate\Support\Facades\Session;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use OAuth2\Models\IPrincipal;
|
||||
use OAuth2\Models\Principal;
|
||||
use OAuth2\Services\IPrincipalService;
|
||||
|
@ -59,6 +60,8 @@ final class PrincipalService implements IPrincipalService
|
|||
*/
|
||||
public function save(IPrincipal $principal)
|
||||
{
|
||||
Log::debug("PrincipalService::save");
|
||||
|
||||
$this->register
|
||||
(
|
||||
$principal->getUserId(),
|
||||
|
@ -73,10 +76,12 @@ final class PrincipalService implements IPrincipalService
|
|||
*/
|
||||
public function register($user_id, $auth_time)
|
||||
{
|
||||
Log::debug(sprintf("PrincipalService::register user_id %s auth_time %s", $user_id, $auth_time));
|
||||
Session::put(self::UserIdParam, $user_id);
|
||||
Session::put(self::AuthTimeParam, $auth_time);
|
||||
$opbs = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
|
||||
Cookie::queue('opbs', $opbs, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));
|
||||
Session::put(self::OPBrowserState, $opbs);
|
||||
Session::save();
|
||||
}
|
||||
|
@ -86,6 +91,7 @@ final class PrincipalService implements IPrincipalService
|
|||
*/
|
||||
public function clear()
|
||||
{
|
||||
Log::debug("PrincipalService::clear");
|
||||
Session::remove(self::UserIdParam);
|
||||
Session::remove(self::AuthTimeParam);
|
||||
Session::remove(self::OPBrowserState);
|
||||
|
|
|
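Review bot: The `opbs` cookie queued in `register()` is created with `$secure = false`, so browsers will also send it over plain HTTP; for an identity provider this should be `true` or tied to the app's HTTPS configuration, e.g. `Cookie::queue('opbs', $opbs, 2628000, '/', null, true, false);` (the `$minutes = …` assignments inside the argument list are only labels and can be dropped). `mcrypt_create_iv` is deprecated since PHP 7.1 and removed in 7.2; if the project runs on PHP 7, `bin2hex(random_bytes(16))` is the drop-in replacement. Debug-logging the generated value on the next line is low-risk because the cookie is deliberately readable from JS, but it is still a session-tracking value and I would log its length instead. `clear()` continues outside the hunk; if it does not also queue `Cookie::forget('opbs')`, an RP polling the check-session iframe would presumably keep seeing the old browser state after logout — worth confirming.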
@ -1363,51 +1363,75 @@ final class OAuth2Protocol implements IOAuth2Protocol
|
|||
{
|
||||
try
|
||||
{
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession");
|
||||
|
||||
$this->last_request = $request;
|
||||
|
||||
if (is_null($this->last_request))
|
||||
if (is_null($this->last_request)) {
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession last request is null");
|
||||
throw new InvalidOAuth2Request;
|
||||
}
|
||||
|
||||
if(!$this->last_request->isValid())
|
||||
if(!$this->last_request->isValid()) {
|
||||
$this->log_service->debug_msg(sprintf("OAuth2Protocol::endSession last request is invalid error %s", $this->last_request->getLastValidationError()));
|
||||
throw new InvalidOAuth2Request($this->last_request->getLastValidationError());
|
||||
}
|
||||
|
||||
if(! $this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
|
||||
if(!$this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
|
||||
|
||||
$id_token_hint = $this->last_request->getIdTokenHint();
|
||||
|
||||
$jwt = BasicJWTFactory::build($id_token_hint);
|
||||
|
||||
if((!$jwt instanceof IJWT))
|
||||
if((!$jwt instanceof IJWT)) {
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession invalid id_token_hint!");
|
||||
throw new InvalidOAuth2Request('invalid id_token_hint!');
|
||||
}
|
||||
|
||||
$client_id = $jwt->getClaimSet()->getAudience();
|
||||
|
||||
if(is_null($client_id)) throw new InvalidClientException('claim aud not set on id_token_hint!');
|
||||
if(is_null($client_id)) {
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession claim aud not set on id_token_hint!");
|
||||
throw new InvalidClientException('claim aud not set on id_token_hint!');
|
||||
}
|
||||
|
||||
$client = $this->client_repository->getClientById($client_id->getString());
|
||||
|
||||
if(is_null($client)) throw new InvalidClientException('client not found!');
|
||||
if(is_null($client)){
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession client not found!");
|
||||
throw new InvalidClientException('client not found!');
|
||||
}
|
||||
|
||||
$redirect_logout_uri = $this->last_request->getPostLogoutRedirectUri();
|
||||
|
||||
$state = $this->last_request->getState();
|
||||
|
||||
|
||||
if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri))
|
||||
if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri)) {
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession post_logout_redirect_uri not allowed!");
|
||||
throw new InvalidOAuth2Request('post_logout_redirect_uri not allowed!');
|
||||
}
|
||||
|
||||
$user_id = $jwt->getClaimSet()->getSubject();
|
||||
|
||||
if(is_null($user_id)) throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
|
||||
if(is_null($user_id)){
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession claim sub not set on id_token_hint!");
|
||||
throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
|
||||
}
|
||||
|
||||
$user_id = $this->auth_service->unwrapUserId(intval($user_id->getString()));
|
||||
|
||||
$user = $this->auth_service->getUserByExternalId($user_id);
|
||||
|
||||
if(is_null($user)) throw new InvalidOAuth2Request('user not found!');
|
||||
if(is_null($user)){
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession user not found!");
|
||||
throw new InvalidOAuth2Request('user not found!');
|
||||
}
|
||||
|
||||
if($this->principal_service->get()->getUserId() !== $user->getId())
|
||||
if($this->principal_service->get()->getUserId() !== $user->getId()) {
|
||||
$this->log_service->debug_msg("OAuth2Protocol::endSession user does not match with current session!");
|
||||
throw new InvalidOAuth2Request('user does not match with current session!');
|
||||
}
|
||||
|
||||
$this->auth_service->logout();
|
||||
|
||||
|
|
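Review bot: Nothing in this hunk shows the `id_token_hint` signature being verified before its `aud` and `sub` claims are used (`BasicJWTFactory::build` followed directly by `getClaimSet()`); if build() only parses the token, both claims are attacker-controlled input. The new braced check `if($this->principal_service->get()->getUserId() !== $user->getId())` confines the logout itself to the caller's own session, but the `aud` lookup still selects which client's `isPostLogoutUriAllowed` allow-list is consulted for the redirect, so a forged token could pick any registered client. If verification happens inside the factory or earlier, a one-line comment above the build() call saying so would save the next reader the same question, e.g. `// id_token_hint signature is verified by BasicJWTFactory::build (returns non-IJWT on failure)`. The new debug line that prints `getLastValidationError()` may echo request parameters into the log, which is acceptable at debug level but worth knowing. endSession's body continues past the end of the hunk.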