From 9c646d9766dfdce6eafab9f2ca9d68223b326bf4 Mon Sep 17 00:00:00 2001
From: Sebastian Marcet
Date: Tue, 7 Aug 2018 16:58:00 -0300
Subject: [PATCH] Fixes on session cookies

Marked opbs and rps cookies a non encrypted formerly these cookies were encrypted so were useless from js side.

Change-Id: Ic1627ab91585bd70e66cf546fd98e0f81b60962f
---
 .../OAuth2/OAuth2ProviderController.php | 4 +-
 app/Http/Middleware/EncryptCookies.php | 3 +-
 app/Services/OAuth2/PrincipalService.php | 6 +++
 app/libs/OAuth2/OAuth2Protocol.php | 44 ++++++++++++++-----
 4 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/app/Http/Controllers/OAuth2/OAuth2ProviderController.php b/app/Http/Controllers/OAuth2/OAuth2ProviderController.php
index 40e5ca05..2c743ca4 100644
--- a/app/Http/Controllers/OAuth2/OAuth2ProviderController.php
+++ b/app/Http/Controllers/OAuth2/OAuth2ProviderController.php
@@ -264,8 +264,10 @@ final class OAuth2ProviderController extends Controller
      */
     public function endSession()
     {
-        if(!$this->auth_service->isUserLogged())
+        if(!$this->auth_service->isUserLogged()) {
+            Log::debug("OAuth2ProviderController::endSession user is not logged!");
             return Response::view('errors.404', array(), 404);
+        }
 
         $request = new OAuth2LogoutRequest
         (
diff --git a/app/Http/Middleware/EncryptCookies.php b/app/Http/Middleware/EncryptCookies.php
index 89cfbb57..d8484dcf 100644
--- a/app/Http/Middleware/EncryptCookies.php
+++ b/app/Http/Middleware/EncryptCookies.php
@@ -15,7 +15,8 @@ class EncryptCookies extends BaseEncrypter
      * @var array
      */
     protected $except = [
-        //
+        'opbs',
+        'rps',
     ];
 
     protected function decrypt(Request $request)
diff --git a/app/Services/OAuth2/PrincipalService.php b/app/Services/OAuth2/PrincipalService.php
index abf3a087..25abe7b7 100644
--- a/app/Services/OAuth2/PrincipalService.php
+++ b/app/Services/OAuth2/PrincipalService.php
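Review bot: The two new `$except` entries in EncryptCookies carry no comment explaining why these cookies must bypass encryption, and this list is exactly where a future maintainer would "fix" the exception back. Excluding them also drops the authenticated-encryption the standard Laravel encrypter applies, so the server must treat the cookie values as untrusted client state; `PrincipalService::register` already keeps its own copy via `Session::put(self::OPBrowserState, $opbs)`, which is the copy any comparison should rely on. Suggest a comment above the entries: `// opbs / rps are read by browser-side JavaScript (OIDC session management), so they are sent unencrypted. They are plain state values and are never trusted server-side; the session holds the authoritative copy.` Note that `rps` is not set anywhere in this patch, so its purpose should be confirmed before the comment is finalised.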
@@ -14,6 +14,7 @@ use Illuminate\Support\Facades\Cookie;
 use Illuminate\Support\Facades\Session;
+use Illuminate\Support\Facades\Log;
 use OAuth2\Models\IPrincipal;
 use OAuth2\Models\Principal;
 use OAuth2\Services\IPrincipalService;
@@ -59,6 +60,8 @@ final class PrincipalService implements IPrincipalService
      */
     public function save(IPrincipal $principal)
     {
+        Log::debug("PrincipalService::save");
+
         $this->register
         (
             $principal->getUserId(),
@@ -73,10 +76,12 @@ final class PrincipalService implements IPrincipalService
      */
     public function register($user_id, $auth_time)
     {
+        Log::debug(sprintf("PrincipalService::register user_id %s auth_time %s", $user_id, $auth_time));
         Session::put(self::UserIdParam, $user_id);
         Session::put(self::AuthTimeParam, $auth_time);
         $opbs = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
         Cookie::queue('opbs', $opbs, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));
         Session::put(self::OPBrowserState, $opbs);
         Session::save();
     }
@@ -86,6 +91,7 @@ final class PrincipalService implements IPrincipalService
      */
     public function clear()
     {
+        Log::debug("PrincipalService::clear");
         Session::remove(self::UserIdParam);
         Session::remove(self::AuthTimeParam);
         Session::remove(self::OPBrowserState);
diff --git a/app/libs/OAuth2/OAuth2Protocol.php b/app/libs/OAuth2/OAuth2Protocol.php
index 9f51a1d1..89c83ae2 100644
--- a/app/libs/OAuth2/OAuth2Protocol.php
+++ b/app/libs/OAuth2/OAuth2Protocol.php
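Review bot: In `register`, the added `Log::debug(sprintf("PrincipalService::register opbs %s", $opbs))` writes the freshly generated browser-state value to the application log in plaintext; that same value is stored in the session (`Session::put(self::OPBrowserState, $opbs)`) and sent to the browser as the now-unencrypted `opbs` cookie, so it should not be persisted in log sinks that are usually less protected than the session store. The first added line also records `user_id` and `auth_time` for every registration, which is personal data at debug level and is easy to leave enabled. Suggest logging only the event, `Log::debug("PrincipalService::register opbs issued");`, or a truncated form if correlation is really needed. The adjacent context line still derives the value with `mcrypt_create_iv`, which was deprecated in PHP 7.1 and removed in 7.2; `random_bytes(16)` is the drop-in replacement where the runtime allows. The `register` body is complete within the hunk.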
@@ -1363,51 +1363,75 @@ final class OAuth2Protocol implements IOAuth2Protocol
     {
         try {
+            $this->log_service->debug_msg("OAuth2Protocol::endSession");
+
             $this->last_request = $request;
-            if (is_null($this->last_request))
+            if (is_null($this->last_request)) {
+                $this->log_service->debug_msg("OAuth2Protocol::endSession last request is null");
                 throw new InvalidOAuth2Request;
+            }
-            if(!$this->last_request->isValid())
+            if(!$this->last_request->isValid()) {
+                $this->log_service->debug_msg(sprintf("OAuth2Protocol::endSession last request is invalid error %s", $this->last_request->getLastValidationError()));
                 throw new InvalidOAuth2Request($this->last_request->getLastValidationError());
+            }
-            if(! $this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
+            if(!$this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
             $id_token_hint = $this->last_request->getIdTokenHint();
             $jwt = BasicJWTFactory::build($id_token_hint);
-            if((!$jwt instanceof IJWT))
+            if((!$jwt instanceof IJWT)) {
+                $this->log_service->debug_msg("OAuth2Protocol::endSession invalid id_token_hint!");
                 throw new InvalidOAuth2Request('invalid id_token_hint!');
+            }
             $client_id = $jwt->getClaimSet()->getAudience();
-            if(is_null($client_id)) throw new InvalidClientException('claim aud not set on id_token_hint!');
+            if(is_null($client_id)) {
+                $this->log_service->debug_msg("OAuth2Protocol::endSession claim aud not set on id_token_hint!");
+                throw new InvalidClientException('claim aud not set on id_token_hint!');
+            }
             $client = $this->client_repository->getClientById($client_id->getString());
-            if(is_null($client)) throw new InvalidClientException('client not found!');
+            if(is_null($client)){
+                $this->log_service->debug_msg("OAuth2Protocol::endSession client not found!");
+                throw new InvalidClientException('client not found!');
+            }
             $redirect_logout_uri = $this->last_request->getPostLogoutRedirectUri();
             $state = $this->last_request->getState();
-            if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri))
+            if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri)) {
+                $this->log_service->debug_msg("OAuth2Protocol::endSession post_logout_redirect_uri not allowed!");
                 throw new InvalidOAuth2Request('post_logout_redirect_uri not allowed!');
+            }
             $user_id = $jwt->getClaimSet()->getSubject();
-            if(is_null($user_id)) throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
+            if(is_null($user_id)){
+                $this->log_service->debug_msg("OAuth2Protocol::endSession claim sub not set on id_token_hint!");
+                throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
+            }
             $user_id = $this->auth_service->unwrapUserId(intval($user_id->getString()));
             $user = $this->auth_service->getUserByExternalId($user_id);
-            if(is_null($user)) throw new InvalidOAuth2Request('user not found!');
+            if(is_null($user)){
+                $this->log_service->debug_msg("OAuth2Protocol::endSession user not found!");
+                throw new InvalidOAuth2Request('user not found!');
+            }
-            if($this->principal_service->get()->getUserId() !== $user->getId())
+            if($this->principal_service->get()->getUserId() !== $user->getId()) {
+                $this->log_service->debug_msg("OAuth2Protocol::endSession user does not match with current session!");
                 throw new InvalidOAuth2Request('user does not match with current session!');
+            }
             $this->auth_service->logout();