<?php
namespace Jahnke\DiscourseSso\Controller;

/***************************************************************
 *  Copyright notice
 *
 *  (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
 *
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
 *  free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  The GNU General Public License can be found at
 *  http://www.gnu.org/copyleft/gpl.html.
 *
 *  This script is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/

use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Controller for the Member object
 *
 * @version $Id$
 * @copyright Copyright belongs to the respective authors
 * @license http://www.gnu.org/licenses/gpl.html GNU General Public License, version 3 or later
 */
class SsoController extends \TYPO3\CMS\Scheduler\Task\AbstractTask
{
    private function hashs_are_equal($data, $sig) {
        if (!$data || !$sig || !is_string($data) || !is_string($sig))
            return false;
        if (strlen($data) != strlen($sig))
            return false;
        if (strcmp($data, $sig) === 0)
            return true;
        return false;
    }

    /**
     */
    public function authenticateAction() {
        $user = NULL;
        if (isset($GLOBALS['TSFE']) && isset($GLOBALS['TSFE']->fe_user) && isset($GLOBALS['TSFE']->fe_user->user)) {
            $user = $GLOBALS['TSFE']->fe_user->user;
        }
        if (isset($user)) {
            $sso = urldecode(GeneralUtility::_GP('sso'));
            $sig = GeneralUtility::_GP('sig');

            $userId = $user['uid'];
            $userEmail = $user['email'];
            $userName = $user['username'];
            $name = $user['name'];

            if (!$this->hashs_are_equal(hash_hmac('sha256', $sso, $this->settings['discourse_sso_shared_key']), $sig)) {
                header("HTTP/1.1 403 Forbidden");
                $this->throwStatus(403, "Bad SSO request");
            } else {
                // valid $sso string available, convert it
                parse_str(base64_decode($sso), $receivedPayload);
                $nonce = $receivedPayload['nonce'];
                $parameters = array(
                    'nonce' => $nonce,
                    'external_id' => $userId,
                    'email' => $userEmail,
                    'username' => $userName,
                    'name' => $name
                );
                $payload = base64_encode(http_build_query($parameters));
                $query = http_build_query(array('sso' => $payload, 'sig' => hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key'])));
                $statusCode = $this->settings['discourse_sso_redirect_statuscode'];
                if (!$statusCode || ($statusCode < 300 || $statusCode > 308)) {
                    // set default:
                    $statusCode = 303;
                }
                $this->redirectToUri($this->settings['discourse_sso_redirect'] . '/session/sso_login?' . $query, 0, 302);
            }
        } else {
            // no user logged in
            // wrong setup! This plugin should be enabled only, if a user login exists
            return "<div><b>ERROR!</b> You should not see this message! This plugin should be made available only, if a Frontend User is logged in! Please change this in the setup of this content element.";
        }
    }
}
?>