Fixed decryption error on RP cookies
* added an exception handler for decryption errors * renamed the opbs cookie to op_bs * refactoring * added the OP browser-state lifetime to configuration Change-Id: Ib0f713e2670b4bec94dde19a15dafd93c4b536b6
parent
9c646d9766
commit
fccca4cb19
|
@ -1,5 +1,6 @@
|
|||
<?php namespace App\Http\Middleware;
|
||||
|
||||
use OAuth2\Services\IPrincipalService;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Illuminate\Cookie\Middleware\EncryptCookies as BaseEncrypter;
|
||||
use Illuminate\Contracts\Encryption\DecryptException;
|
||||
|
@ -15,8 +16,7 @@ class EncryptCookies extends BaseEncrypter
|
|||
* @var array
|
||||
*/
|
||||
protected $except = [
|
||||
'opbs',
|
||||
'rps',
|
||||
IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME
|
||||
];
|
||||
|
||||
protected function decrypt(Request $request)
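Review bot: The `$except` list now names the browser-state cookie via `IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME` but still spells the relying-parties cookie as the literal `'rps'`, even though this same commit introduces `IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME` for exactly that value; use the constant here as well (`IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME,` plus the matching `use` import for wherever IAuthService lives) so a later rename cannot silently put `rps` back under Laravel's cookie encryption and break AuthService's own decrypt. Listing a cookie here also removes Laravel's encryption and integrity check for it, so `rps` relies entirely on whatever `$this->encrypt`/`$this->decrypt` in AuthService provide (not visible in this commit); that is worth a one-line comment on the array, e.g. `// rps is encrypted by AuthService itself; op_bs must stay plaintext so the check-session iframe can read it`. The `decrypt()` override that the description says now handles `DecryptException` begins on the last line of this hunk and its body is outside the view.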
|
||||
|
|
|
@ -18,7 +18,6 @@ use Illuminate\Support\Facades\Log;
|
|||
use OAuth2\Models\IPrincipal;
|
||||
use OAuth2\Models\Principal;
|
||||
use OAuth2\Services\IPrincipalService;
|
||||
|
||||
/**
|
||||
* Class PrincipalService
|
||||
* @package Services\OAuth2
|
||||
|
@ -80,7 +79,7 @@ final class PrincipalService implements IPrincipalService
|
|||
Session::put(self::UserIdParam, $user_id);
|
||||
Session::put(self::AuthTimeParam, $auth_time);
|
||||
$opbs = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
|
||||
Cookie::queue('opbs', $opbs, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, $opbs, $minutes = config("session.op_browser_state_lifetime"), $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));
|
||||
Session::put(self::OPBrowserState, $opbs);
|
||||
Session::save();
|
||||
|
@ -96,7 +95,7 @@ final class PrincipalService implements IPrincipalService
|
|||
Session::remove(self::AuthTimeParam);
|
||||
Session::remove(self::OPBrowserState);
|
||||
Session::save();
|
||||
Cookie::queue('opbs', null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
}
|
||||
|
||||
}
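Review bot: The new `op_bs` cookie queued in register() is sent with `$secure = false`, so it travels over plain HTTP as well as HTTPS; `$httpOnly = false` is unavoidable because the check-session iframe reads it from document.cookie, but when the OP is served over TLS the Secure flag should be set, e.g. `$secure = (bool) config('session.secure')` (or whichever key this project's session config uses), and the same applies to the expiring cookie in clear(). `mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)` is deprecated since PHP 7.1 and removed in 7.2; `bin2hex(random_bytes(16))` yields the same 32-hex-character value. The cookie lifetime now comes from `session.op_browser_state_lifetime` (default 120 minutes) while `self::OPBrowserState` stays in the server-side session for the session's own lifetime; if the cookie expires first the iframe will presumably report "changed" for a user who is still logged in, so the two lifetimes should be tied together — confirm against the session lifetime. The `Log::debug` line writes the browser-state value itself to the log; it is not a credential, but it is the input from which every RP's session_state is derived, so consider logging only that a new state was issued.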
|
|
@ -26,6 +26,7 @@ use Utils\Services\ICacheService;
|
|||
use jwe\compression_algorithms\CompressionAlgorithms_Registry;
|
||||
use jwe\compression_algorithms\CompressionAlgorithmsNames;
|
||||
use Exception;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
/**
|
||||
* Class AuthService
|
||||
* @package Auth
|
||||
|
@ -122,7 +123,7 @@ final class AuthService implements IAuthService
|
|||
{
|
||||
Auth::logout();
|
||||
$this->principal_service->clear();
|
||||
Cookie::queue('rps', null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -309,23 +310,28 @@ final class AuthService implements IAuthService
|
|||
*/
|
||||
public function registerRPLogin($client_id)
|
||||
{
|
||||
$rps = Cookie::get('rps');
|
||||
$zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
|
||||
|
||||
if(!empty($rps))
|
||||
{
|
||||
$rps = $this->decrypt($rps);
|
||||
$rps = $zlib->uncompress($rps);
|
||||
$rps .= '|';
|
||||
try {
|
||||
$rps = Cookie::get(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME);
|
||||
$zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
|
||||
|
||||
if (!empty($rps)) {
|
||||
$rps = $this->decrypt($rps);
|
||||
$rps = $zlib->uncompress($rps);
|
||||
$rps .= '|';
|
||||
}
|
||||
|
||||
if (!str_contains($rps, $client_id))
|
||||
$rps .= $client_id;
|
||||
|
||||
$rps = $zlib->compress($rps);
|
||||
$rps = $this->encrypt($rps);
|
||||
}
|
||||
|
||||
if(!str_contains($rps, $client_id))
|
||||
$rps .= $client_id;
|
||||
|
||||
$rps = $zlib->compress($rps);
|
||||
$rps = $this->encrypt($rps);
|
||||
|
||||
Cookie::queue('rps', $rps, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
catch(Exception $ex){
|
||||
Log::warning($ex);
|
||||
$rps = "";
|
||||
}
|
||||
Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, $rps, $minutes = config("session.op_browser_state_lifetime"), $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -333,7 +339,7 @@ final class AuthService implements IAuthService
|
|||
*/
|
||||
public function getLoggedRPs()
|
||||
{
|
||||
$rps = Cookie::get('rps');
|
||||
$rps = Cookie::get(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME);
|
||||
$zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
|
||||
|
||||
if(!empty($rps))
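Review bot: In registerRPLogin's new catch block a cookie that fails to decrypt or uncompress resets `$rps` to `""`, and that empty value is what gets queued, so the RP that just logged in is dropped from the logged-RPs list and anything built on that list (RP logout propagation via getLoggedRPs) will miss this client; the fallback should rebuild the list from the current `$client_id` rather than clear it. The membership test `str_contains($rps, $client_id)` is a substring match over the `|`-delimited list, so a client id that happens to be a substring of another is never appended — compare against the exploded list instead. Nothing in this commit reads the `rps` cookie from JavaScript (the iframe reads only `op_bs`), so `$httpOnly = true` looks appropriate for it, and `$secure` should follow the deployment's HTTPS setting. getLoggedRPs, whose body runs past the end of this section, still calls `$this->decrypt` on the same cookie and, as far as the visible lines show, has no equivalent handler.
```php
public function registerRPLogin($client_id)
{
    $zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
    $rps  = [];
    try {
        $raw = Cookie::get(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME);
        if (!empty($raw)) {
            $rps = array_filter(explode('|', $zlib->uncompress($this->decrypt($raw))), 'strlen');
        }
    } catch (Exception $ex) {
        // Corrupt or undecryptable cookie: log it and rebuild the list from this login only.
        Log::warning($ex);
        $rps = [];
    }
    if (!in_array($client_id, $rps, true)) {
        $rps[] = $client_id;
    }
    $value = $this->encrypt($zlib->compress(implode('|', $rps)));
    Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, $value, $minutes = config("session.op_browser_state_lifetime"), $path = '/', $domain = null, $secure = false, $httpOnly = true);
}
```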
|
||||
|
|
|
@ -44,4 +44,5 @@ interface IPrincipalService
|
|||
*/
|
||||
public function clear();
|
||||
|
||||
const OP_BROWSER_STATE_COOKIE_NAME = 'op_bs';
|
||||
}
|
|
@ -125,4 +125,6 @@ interface IAuthService
|
|||
*/
|
||||
public function reloadSession($jti);
|
||||
|
||||
const LOGGED_RELAYING_PARTIES_COOKIE_NAME = 'rps';
|
||||
|
||||
}
|
|
@ -162,5 +162,9 @@ return [
|
|||
*/
|
||||
|
||||
'http_only' => env('SESSION_COOKIE_HTTP_ONLY', true),
|
||||
|
||||
/*
|
||||
* http://openid.net/specs/openid-connect-session-1_0.html#OPiframe
|
||||
* OP Browser state lifetime
|
||||
*/
|
||||
'op_browser_state_lifetime' => env('SESSION_OP_BROWSER_STATE_LIFETIME', 120)
|
||||
];
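Review bot: `env('SESSION_OP_BROWSER_STATE_LIFETIME', 120)` returns a string whenever the variable is set in .env, while the value is passed to `Cookie::queue` as minutes; numeric strings happen to survive the arithmetic Laravel does on it, but an explicit cast keeps the type honest, `'op_browser_state_lifetime' => (int) env('SESSION_OP_BROWSER_STATE_LIFETIME', 120),`. The comment only mentions OP browser state, yet AuthService also uses this value as the lifetime of the logged-RPs cookie, so it should say so, e.g. `* Lifetime in minutes of the op_bs cookie and of the logged-RPs (rps) cookie`. The default of 120 minutes replaces cookies that previously lived about five years; presumably it is meant to be at least as long as the session lifetime configured elsewhere in this file — worth confirming.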
|
||||
|
|
|
@ -67,7 +67,7 @@
|
|||
return "error";
|
||||
}
|
||||
|
||||
var opbs = $.cookie('opbs');
|
||||
var opbs = $.cookie('op_bs');
|
||||
var expectedHash = computeSessionStateHash(clientId, origin, opbs, salt);
|
||||
return clientHash === expectedHash ? "unchanged" : "changed";
|
||||
}
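Review bot: The cookie name `'op_bs'` is now hard-coded on both sides — `IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME` on the server and this `$.cookie('op_bs')` call in the check-session script — and changing one without the other would make every RP's session_state comparison return "changed" without any visible error; if this script is rendered through a server template, emit the name from the constant, otherwise add `// must match IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME` on this line. The enclosing function starts before this hunk. When the cookie is absent (expired after `op_browser_state_lifetime`, or never set), `opbs` is undefined and the hash comparison presumably falls through to "changed" rather than "error"; a short comment stating that this is the intended OIDC Session Management outcome would help the next reader.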
|
||||
|
|