dj_discourse_sso/Classes/Controller/SsoController.php

<?php
namespace Jahnke\DiscourseSso\Controller;

/***************************************************************
 *  Copyright notice
 *
 *  (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
 *
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
 *  free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  The GNU General Public License can be found at
 *  http://www.gnu.org/copyleft/gpl.html.
 *
 *  This script is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/

use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Controller for the Member object
 *
 * @version $Id$
 * @copyright Copyright belongs to the respective authors
 * @license http://www.gnu.org/licenses/gpl.html GNU General Public License, version 3 or later
 */
class SsoController extends \TYPO3\CMS\Scheduler\Task\AbstractTask
{
    private function hashs_are_equal($data, $sig) {
        if (!$data || !$sig || !is_string($data) || !is_string($sig))
            return false;
        if (strlen($data) != strlen($sig))
            return false;
        if (strcmp($data, $sig) === 0)
            return true;
        return false;
    }

    /**
     */
    public function authenticateAction() {
        $user = NULL;
        if (isset($GLOBALS['TSFE']) && isset($GLOBALS['TSFE']->fe_user) && isset($GLOBALS['TSFE']->fe_user->user)) {
            $user = $GLOBALS['TSFE']->fe_user->user;
        }
        if (isset($user)) {
            $sso = urldecode(GeneralUtility::_GP('sso'));
            $sig = GeneralUtility::_GP('sig');

            $userId = $user['uid'];
            $userEmail = $user['email'];
            $userName = $user['username'];
            $name = $user['name'];

            if (!$this->hashs_are_equal(hash_hmac('sha256', $sso, $this->settings['discourse_sso_shared_key']), $sig)) {
                header("HTTP/1.1 403 Forbidden");
                $this->throwStatus(403, "Bad SSO request");
            } else {
                // valid $sso string available, convert it
                parse_str(base64_decode($sso), $receivedPayload);
                $nonce = $receivedPayload['nonce'];
                $parameters = array(
                    'nonce' => $nonce,
                    'external_id' => $userId,
                    'email' => $userEmail,
                    'username' => $userName,
                    'name' => $name
                );
                $payload = base64_encode(http_build_query($parameters));
                $query = http_build_query(array('sso' => $payload, 'sig' => hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key'])));
                $statusCode = $this->settings['discourse_sso_redirect_statuscode'];
                if (!$statusCode || ($statusCode < 300 || $statusCode > 308)) {
                    // set default:
                    $statusCode = 303;
                }
                $this->redirectToUri($this->settings['discourse_sso_redirect'] . '/session/sso_login?' . $query, 0, 302);
            }
        } else {
            // no user logged in
            // wrong setup! This plugin should be enabled only, if a user login exists
            return "<div><b>ERROR!</b> You should not see this message! This plugin should be made available only, if a Frontend User is logged in! Please change this in the setup of this content element.";
        }
    }
}
?>
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`<?php`
			`namespace Jahnke\DiscourseSso\Controller;`

			`/***************************************************************`
			`* Copyright notice`
			`*`
			`* (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>`
			`*`
			`* All rights reserved`
			`*`
			`* This script is part of the TYPO3 project. The TYPO3 project is`
			`* free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* The GNU General Public License can be found at`
			`* http://www.gnu.org/copyleft/gpl.html.`
			`*`
			`* This script is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* This copyright notice MUST APPEAR in all copies of the script!`
			`***************************************************************/`

			`use TYPO3\CMS\Core\Utility\GeneralUtility;`

			`/**`
			`* Controller for the Member object`
			`*`
			`* @version $Id$`
			`* @copyright Copyright belongs to the respective authors`
			`* @license http://www.gnu.org/licenses/gpl.html GNU General Public License, version 3 or later`
			`*/`
			`class SsoController extends \TYPO3\CMS\Scheduler\Task\AbstractTask`
			`{`
			`private function hashs_are_equal($data, $sig) {`
			`if (!$data \|\| !$sig \|\| !is_string($data) \|\| !is_string($sig))`
			`return false;`
			`if (strlen($data) != strlen($sig))`
			`return false;`
			`if (strcmp($data, $sig) === 0)`
			`return true;`
			`return false;`
			`}`

			`/**`
			`*/`
			`public function authenticateAction() {`
			`$user = NULL;`
			`if (isset($GLOBALS['TSFE']) && isset($GLOBALS['TSFE']->fe_user) && isset($GLOBALS['TSFE']->fe_user->user)) {`
			`$user = $GLOBALS['TSFE']->fe_user->user;`
			`}`
			`if (isset($user)) {`
			`$sso = urldecode(GeneralUtility::_GP('sso'));`
			`$sig = GeneralUtility::_GP('sig');`

			`$userId = $user['uid'];`
			`$userEmail = $user['email'];`
			`$userName = $user['username'];`
			`$name = $user['name'];`

			`if (!$this->hashs_are_equal(hash_hmac('sha256', $sso, $this->settings['discourse_sso_shared_key']), $sig)) {`
			`header("HTTP/1.1 403 Forbidden");`
			`$this->throwStatus(403, "Bad SSO request");`
			`} else {`
			`// valid $sso string available, convert it`
			`parse_str(base64_decode($sso), $receivedPayload);`
			`$nonce = $receivedPayload['nonce'];`
			`$parameters = array(`
			`'nonce' => $nonce,`
			`'external_id' => $userId,`
			`'email' => $userEmail,`
			`'username' => $userName,`
			`'name' => $name`
			`);`
			`$payload = base64_encode(http_build_query($parameters));`
			`$query = http_build_query(array('sso' => $payload, 'sig' => hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key'])));`
			`$statusCode = $this->settings['discourse_sso_redirect_statuscode'];`
			`if (!$statusCode \|\| ($statusCode < 300 \|\| $statusCode > 308)) {`
			`// set default:`
			`$statusCode = 303;`
			`}`
			`$this->redirectToUri($this->settings['discourse_sso_redirect'] . '/session/sso_login?' . $query, 0, 302);`
			`}`
			`} else {`
			`// no user logged in`
			`// wrong setup! This plugin should be enabled only, if a user login exists`
			`return "<div><b>ERROR!</b> You should not see this message! This plugin should be made available only, if a Frontend User is logged in! Please change this in the setup of this content element.";`
			`}`
			`}`
			`}`
			`?>`