Rev 1304 | Rev 1306 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1304 | Rev 1305 | ||
|---|---|---|---|
| Line 66... | Line 66... | ||
| 66 | if (is_null($acs)) return 'null'; |
66 | if (is_null($acs)) return 'null'; |
| 67 | return get_class($acs); |
67 | return get_class($acs); |
| 68 | } |
68 | } |
| 69 | 69 | ||
| 70 | /** |
70 | /** |
| 71 | * @return OIDplusAuthContentStore|null |
71 | * @return OIDplusAuthContentStoreJWT|null |
| 72 | * @throws OIDplusException |
72 | * @throws OIDplusException |
| 73 | */ |
73 | */ |
| 74 | protected function getAuthContentStore()/*: ?OIDplusAuthContentStore*/ { |
74 | protected function getAuthContentStore()/*: ?OIDplusAuthContentStore*/ { |
| 75 | // Logged in via JWT |
75 | // Logged in via JWT |
| 76 | // (The JWT can come from a REST Authentication Bearer, an AJAX Cookie, or an Automated AJAX Call GET/POST token.) |
76 | // (The JWT can come from a login cookie, an REST Authentication Bearer, an AJAX Cookie, or an Automated AJAX Call GET/POST token.) |
| 77 | $tmp = OIDplusAuthContentStoreJWT::getActiveProvider(); |
77 | $tmp = OIDplusAuthContentStoreJWT::getActiveProvider(); |
| 78 | if ($tmp) return $tmp; |
78 | if ($tmp) return $tmp; |
| 79 | 79 | ||
| 80 | // Normal login via web-browser |
- | |
| 81 | // Cookie will only be created once content is stored |
- | |
| 82 | $tmp = OIDplusAuthContentStoreSession::getActiveProvider(); |
- | |
| 83 | if ($tmp) return $tmp; |
- | |
| 84 | - | ||
| 85 | // No active session and no JWT token available. User is not logged in. |
80 | // No active session and no JWT token available. User is not logged in. |
| 86 | return null; |
81 | return null; |
| 87 | } |
82 | } |
| 88 | 83 | ||
| 89 | /** |
84 | /** |
| Line 185... | Line 180... | ||
| 185 | 180 | ||
| 186 | // "High level" function including logging and checking for valid JWT alternations |
181 | // "High level" function including logging and checking for valid JWT alternations |
| 187 | 182 | ||
| 188 | /** |
183 | /** |
| 189 | * @param string $email |
184 | * @param string $email |
| 190 | * @param bool $remember_me |
- | |
| 191 | * @param string $origin |
185 | * @param string $origin |
| 192 | * @return void |
186 | * @return void |
| 193 | * @throws OIDplusException |
187 | * @throws OIDplusException |
| 194 | */ |
188 | */ |
| 195 | public function raLoginEx(string $email, bool $remember_me, string $origin='') { |
189 | public function raLoginEx(string $email, string $origin='') { |
| 196 | $loginfo = ''; |
190 | $loginfo = ''; |
| 197 | $acs = $this->getAuthContentStore(); |
191 | $acs = $this->getAuthContentStore(); |
| 198 | if (!is_null($acs)) { |
192 | if (!is_null($acs)) { |
| 199 | // User is already logged in (a session or JWT exists), so we modify their login status |
193 | // User is already logged in (a session or JWT exists), so we modify their login status |
| 200 | $acs->raLoginEx($email, $loginfo); |
194 | $acs->raLoginEx($email, $loginfo); |
| 201 | $acs->activate(); |
195 | $acs->activate(); |
| 202 | } else { |
196 | } else { |
| 203 | // No user is logged in (no session or JWT exists). We now create a auth content store and activate it (cookies will be set etc.) |
197 | // No user is logged in (no session or JWT exists). We now create a auth content store and activate it (cookies will be set etc.) |
| 204 | if ($remember_me) { |
- | |
| 205 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
198 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
| 206 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
199 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
| 207 | } |
200 | } |
| 208 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 10*365*24*60*60); |
201 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 10*365*24*60*60); |
| 209 | $newAuthStore = new OIDplusAuthContentStoreJWT(); |
202 | $newAuthStore = new OIDplusAuthContentStoreJWT(); |
| 210 | $newAuthStore->setValue('oidplus_generator', OIDplusAuthContentStoreJWT::JWT_GENERATOR_LOGIN); |
203 | $newAuthStore->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, OIDplusAuthContentStoreJWT::JWT_GENERATOR_LOGIN); |
| 211 | $newAuthStore->setValue('exp', time()+$ttl); // JWT "exp" attribute |
204 | $newAuthStore->setValue('exp', time()+$ttl); // JWT "exp" attribute |
| 212 | } else { |
- | |
| 213 | $newAuthStore = new OIDplusAuthContentStoreSession(); |
- | |
| 214 | } |
- | |
| 215 | $newAuthStore->raLoginEx($email, $loginfo); |
205 | $newAuthStore->raLoginEx($email, $loginfo); |
| 216 | $newAuthStore->activate(); |
206 | $newAuthStore->activate(); |
| 217 | } |
207 | } |
| 218 | $logmsg = "RA '$email' logged in"; |
208 | $logmsg = "RA '$email' logged in"; |
| 219 | if ($origin != '') $logmsg .= " via $origin"; |
209 | if ($origin != '') $logmsg .= " via $origin"; |
| Line 315... | Line 305... | ||
| 315 | } |
305 | } |
| 316 | } |
306 | } |
| 317 | 307 | ||
| 318 | /** |
308 | /** |
| 319 | * "High level" function including logging and checking for valid JWT alternations |
309 | * "High level" function including logging and checking for valid JWT alternations |
| 320 | * @param bool $remember_me |
- | |
| 321 | * @param string $origin |
310 | * @param string $origin |
| 322 | * @return void |
311 | * @return void |
| 323 | * @throws OIDplusException |
312 | * @throws OIDplusException |
| 324 | */ |
313 | */ |
| 325 | public function adminLoginEx(bool $remember_me, string $origin='') { |
314 | public function adminLoginEx(string $origin='') { |
| 326 | $loginfo = ''; |
315 | $loginfo = ''; |
| 327 | $acs = $this->getAuthContentStore(); |
316 | $acs = $this->getAuthContentStore(); |
| 328 | if (!is_null($acs)) { |
317 | if (!is_null($acs)) { |
| 329 | // User is already logged in (a session or JWT exists), so we modify their login status |
318 | // User is already logged in (a session or JWT exists), so we modify their login status |
| 330 | $acs->adminLoginEx($loginfo); |
319 | $acs->adminLoginEx($loginfo); |
| 331 | $acs->activate(); |
320 | $acs->activate(); |
| 332 | } else { |
321 | } else { |
| 333 | // No user is logged in (no session or JWT exists). We now create a auth content store and activate it (cookies will be set etc.) |
322 | // No user is logged in (no session or JWT exists). We now create a auth content store and activate it (cookies will be set etc.) |
| 334 | if ($remember_me) { |
- | |
| 335 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_ADMIN', true)) { |
323 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_ADMIN', true)) { |
| 336 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_ADMIN')); |
324 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_ADMIN')); |
| 337 | } |
325 | } |
| 338 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 10*365*24*60*60); |
326 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 10*365*24*60*60); |
| 339 | $newAuthStore = new OIDplusAuthContentStoreJWT(); |
327 | $newAuthStore = new OIDplusAuthContentStoreJWT(); |
| 340 | $newAuthStore->setValue('oidplus_generator', OIDplusAuthContentStoreJWT::JWT_GENERATOR_LOGIN); |
328 | $newAuthStore->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, OIDplusAuthContentStoreJWT::JWT_GENERATOR_LOGIN); |
| 341 | $newAuthStore->setValue('exp', time()+$ttl); // JWT "exp" attribute |
329 | $newAuthStore->setValue('exp', time()+$ttl); // JWT "exp" attribute |
| 342 | } else { |
- | |
| 343 | $newAuthStore = new OIDplusAuthContentStoreSession(); |
- | |
| 344 | } |
- | |
| 345 | $newAuthStore->adminLoginEx($loginfo); |
330 | $newAuthStore->adminLoginEx($loginfo); |
| 346 | $newAuthStore->activate(); |
331 | $newAuthStore->activate(); |
| 347 | } |
332 | } |
| 348 | $logmsg = "Admin logged in"; |
333 | $logmsg = "Admin logged in"; |
| 349 | if ($origin != '') $logmsg .= " via $origin"; |
334 | if ($origin != '') $logmsg .= " via $origin"; |