Fixed decryption error on RP cookies

* added a exception handler for decryption error
* updates opbs cookie name to op_bs
* refactoring
* added OP browser state lifetime to configuration

Change-Id: Ib0f713e2670b4bec94dde19a15dafd93c4b536b6

app/Http/Middleware/EncryptCookies.php

@@ -1,5 +1,6 @@
 <?php namespace App\Http\Middleware;
 
+use OAuth2\Services\IPrincipalService;
 use Symfony\Component\HttpFoundation\Request;
 use Illuminate\Cookie\Middleware\EncryptCookies as BaseEncrypter;
 use Illuminate\Contracts\Encryption\DecryptException;
@@ -15,8 +16,7 @@ class EncryptCookies extends BaseEncrypter
      * @var array
      */
     protected $except = [
-        'opbs',
-        'rps',
+        IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME
     ];
 
     protected function decrypt(Request $request)

app/Services/OAuth2/PrincipalService.php

@@ -18,7 +18,6 @@ use Illuminate\Support\Facades\Log;
 use OAuth2\Models\IPrincipal;
 use OAuth2\Models\Principal;
 use OAuth2\Services\IPrincipalService;
-
 /**
  * Class PrincipalService
  * @package Services\OAuth2
@@ -80,7 +79,7 @@ final class PrincipalService implements IPrincipalService
         Session::put(self::UserIdParam, $user_id);
         Session::put(self::AuthTimeParam, $auth_time);
         $opbs = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
-        Cookie::queue('opbs', $opbs, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, $opbs, $minutes = config("session.op_browser_state_lifetime"), $path = '/', $domain = null, $secure = false, $httpOnly = false);
         Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));
         Session::put(self::OPBrowserState, $opbs);
         Session::save();
@@ -96,7 +95,7 @@ final class PrincipalService implements IPrincipalService
         Session::remove(self::AuthTimeParam);
         Session::remove(self::OPBrowserState);
         Session::save();
-        Cookie::queue('opbs', null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
     }
 
 }

app/libs/Auth/AuthService.php

@@ -26,6 +26,7 @@ use Utils\Services\ICacheService;
 use jwe\compression_algorithms\CompressionAlgorithms_Registry;
 use jwe\compression_algorithms\CompressionAlgorithmsNames;
 use Exception;
+use Illuminate\Support\Facades\Log;
 /**
  * Class AuthService
  * @package Auth
@@ -122,7 +123,7 @@ final class AuthService implements IAuthService
     {
         Auth::logout();
         $this->principal_service->clear();
-        Cookie::queue('rps', null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
     }
 
     /**
@@ -309,23 +310,28 @@ final class AuthService implements IAuthService
      */
     public function registerRPLogin($client_id)
     {
-        $rps  = Cookie::get('rps');
-        $zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
 
-        if(!empty($rps))
-        {
-            $rps = $this->decrypt($rps);
-            $rps = $zlib->uncompress($rps);
-            $rps .= '|';
+        try {
+            $rps = Cookie::get(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME);
+            $zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
+
+            if (!empty($rps)) {
+                $rps = $this->decrypt($rps);
+                $rps = $zlib->uncompress($rps);
+                $rps .= '|';
+            }
+
+            if (!str_contains($rps, $client_id))
+                $rps .= $client_id;
+
+            $rps = $zlib->compress($rps);
+            $rps = $this->encrypt($rps);
         }
-
-        if(!str_contains($rps, $client_id))
-            $rps .= $client_id;
-
-        $rps  = $zlib->compress($rps);
-        $rps  = $this->encrypt($rps);
-
-        Cookie::queue('rps', $rps, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        catch(Exception $ex){
+            Log::warning($ex);
+            $rps = "";
+        }
+        Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, $rps, $minutes = config("session.op_browser_state_lifetime"), $path = '/', $domain = null, $secure = false, $httpOnly = false);
     }
 
     /**
@@ -333,7 +339,7 @@ final class AuthService implements IAuthService
      */
     public function getLoggedRPs()
     {
-        $rps  = Cookie::get('rps');
+        $rps  = Cookie::get(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME);
         $zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
 
         if(!empty($rps))

app/libs/OAuth2/Services/IPrincipalService.php

@@ -44,4 +44,5 @@ interface IPrincipalService
      */
     public function clear();
 
+    const OP_BROWSER_STATE_COOKIE_NAME = 'op_bs';
 }

app/libs/Utils/Services/IAuthService.php

@@ -125,4 +125,6 @@ interface IAuthService
      */
     public function reloadSession($jti);
 
+    const LOGGED_RELAYING_PARTIES_COOKIE_NAME = 'rps';
+
 }

config/session.php

@@ -162,5 +162,9 @@ return [
     */
 
     'http_only' => env('SESSION_COOKIE_HTTP_ONLY', true),
-
+    /*
+     * http://openid.net/specs/openid-connect-session-1_0.html#OPiframe
+     * OP Browser state lifetime
+     */
+    'op_browser_state_lifetime' => env('SESSION_OP_BROWSER_STATE_LIFETIME', 120)
 ];

public/assets/js/oauth2/session/check.session.js

@@ -67,7 +67,7 @@
                 return "error";
             }
 
-            var opbs         = $.cookie('opbs');
+            var opbs         = $.cookie('op_bs');
             var expectedHash = computeSessionStateHash(clientId, origin, opbs, salt);
             return clientHash === expectedHash ? "unchanged" : "changed";
         }