Merge pull request #11 from pdsinterop/redirect_uri

Redirect uri
pdsinterop · Sep 25, 2020 · 756bd17 · 756bd17
2 parents c11a6da + 3d9a1dd
commit 756bd17
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 53 deletions.
diff --git a/solid/lib/Controller/PageController.php b/solid/lib/Controller/PageController.php
@@ -77,13 +77,14 @@ public function profile($userId) {
 	 * @CORS
 	 */
 	public function approval($clientId) {
-		$clientRegistration = array( // FIXME: read from the registered clients;
+		$clientRegistration = $this->config->getClientRegistration($clientId);
+		$params = array(
 			"clientId" => $clientId,
-			"clientName" => "Solid.community",
+			"clientName" => $clientRegistration['client_name'],
 			"serverName" => "Nextcloud",
 			"returnUrl" => $_GET['returnUrl'],
 		);
-		$templateResponse = new TemplateResponse('solid', 'sharing', $clientRegistration);
+		$templateResponse = new TemplateResponse('solid', 'sharing', $params);
 		$policy = new ContentSecurityPolicy();
 		$policy->addAllowedStyleDomain("data:");
 		$templateResponse->setContentSecurityPolicy($policy);

diff --git a/solid/lib/Controller/ServerController.php b/solid/lib/Controller/ServerController.php
@@ -99,10 +99,9 @@ private function getKeys() {
 	}
 
 	private function createConfig() {
-		// if (isset($_GET['client_id'])) {
-			$clientId = $_GET['client_id'];
-			$client = $this->getClient($clientId);
-		// }
+		$clientId = $_GET['client_id'];
+		$client = $this->getClient($clientId);
+
 		try {
 			$config = (new \Pdsinterop\Solid\Auth\Factory\ConfigFactory(
 				$client,
@@ -171,16 +170,21 @@ public function authorize() {
 		}
 		$getVars['response_type'] = $this->getResponseType();
 		$getVars['scope'] = "openid";
-		
+
 		if (!isset($getVars['redirect_uri'])) {
-			$getVars['redirect_uri'] = 'https://solid.community/.well-known/solid/login'; // FIXME: a default could be in the registration, but if none is there we should probably just fail with a 400 bad request;
+			try {
+				$getVars['redirect_uri'] = $token->getClaim("redirect_uri");
+			} catch(\Exception $e) {
+				$result = new JSONResponse('Bad request, missing redirect uri');
+				$result->setStatus(400);
+				return $result;
+			}
 		}
 		$request = \Laminas\Diactoros\ServerRequestFactory::fromGlobals($_SERVER, $getVars, $_POST, $_COOKIE, $_FILES);
 		$response = new \Laminas\Diactoros\Response();
 		$server	= new \Pdsinterop\Solid\Auth\Server($this->authServerFactory, $this->authServerConfig, $response);
 
-		$clientId = $this->getClientId();
-
+		$clientId = $getVars['client_id'];
 		$approval = $this->checkApproval($clientId);	
 		if (!$approval) {
 			$result = new JSONResponse('Approval required');
@@ -271,10 +275,18 @@ public function logout() {
 	 * @CORS
 	 */
 	public function register() {
-		$clientId = $this->getClientId();
-
+		$clientData = file_get_contents('php://input');
+		$clientData = json_decode($clientData, true);
+		if (!$clientData['redirect_uris']) {
+			return new JSONReponse("Missing redirect URIs");
+		}
+		$clientData['client_id_issued_at'] = time();
+
+		$origin = $_SERVER['HTTP_ORIGIN'];
+		$clientId = $this->config->saveClientRegistration($origin, $clientData);
+
 		$registration = array(
-			'redirect_uris' => array('https://solid.community/.well-known/solid/login'), // FIXME: grab from registration request
+			'redirect_uris' => $clientData['redirect_uris'],
 			'response_types' => array("id_token token"),
 			'grant_types' => array("implicit"),
 			'application_type' => 'web',
@@ -283,7 +295,7 @@ public function register() {
 			'registration_access_token' => $this->generateRegistrationAccessToken($clientId),
 			'client_id' => $clientId,
 			'registration_client_uri' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->linkToRoute("solid.server.registeredClient", array("clientId" => $clientId))),
-			'client_id_issued_at' => time() // FIXME: should the the time that this client registered, not the current time;
+			'client_id_issued_at' => $clientData['client_id_issued_at']
 		);
 
 		return new JSONResponse($registration);
@@ -296,7 +308,9 @@ public function register() {
 	 * @CORS
 	 */
 	public function registeredClient($clientId) {
-		return new JSONResponse("ok $clientId");
+		$clientRegistration = getClientRegistration($clientId);
+		unset($clientRegistration['client_secret']);
+		return new JSONResponse($clientRegistration);
 	}
 
 
@@ -355,31 +369,15 @@ private function respond($response) {
 		return $result;
 	}
 
-	private function getClientId() {
-			return "CoolApp"; // FIXME: this should be the generated clientId from the registration
-	}
 	private function getClient($clientId) {
-		if (!$clientId) {
-			$clientId = $this->getClientId(); // FIXME: only continue if a clientId is set;
-		}
-
-		if ($clientId) { // FIXME: and check that we know this client and get the client secret/client name for this client;
-			$clientSecret = "super-secret-secret-squirrel"; // FIXME: should be generated on registration instead of hard-coded;
-
-			// FIXME: use the redirect URIs as indicated by the client;
-			$clientRedirectUris = array(
-				$this->urlGenerator->getAbsoluteURL($this->urlGenerator->linkToRoute("solid.server.token")),
-				'https://solid.community/.well-known/solid/login',
-				'http://localhost:3001/redirect',
-				'http://localhost:3002/redirect'
-			);
-			$clientName = "Nextcloud";
+		$clientRegistration = $this->config->getClientRegistration($clientId);
 
+		if ($clientId && sizeof($clientRegistration)) {
 			return new \Pdsinterop\Solid\Auth\Config\Client(
 				$clientId,
-				$clientSecret,
-				$clientRedirectUris,
-				$clientName
+				$clientRegistration['client_secret'],
+				$clientRegistration['redirect_uris'],
+				$clientRegistration['client_name']
 			);
 		} else {
 			return new \Pdsinterop\Solid\Auth\Config\Client('','',array(),'');
@@ -404,7 +402,7 @@ private function generateIdToken($accessToken) {
 		// FIXME: this function should be provided by Solid\Auth\Server
 		$privateKey = $this->getKeys()['privateKey'];
 		$publicKey = $this->getKeys()['publicKey'];
-		$clientId = $this->getClientId();
+		$clientId = $_GET['client_id'];
 		$subject = $this->getProfilePage();
 
 		// Create JWT
@@ -426,7 +424,6 @@ private function generateIdToken($accessToken) {
 			->setExpiration(time() + 14*24*60*60)
 			->set("azp", $clientId)
 			->set("sub", $subject)
-			->set("jti", "f5c26b8d481a98c7") // FIXME: should be a generated token identifier
 			->set("nonce", $this->session->get("nonce"))
 			->set("at_hash", $tokenHash) //FIXME: at_hash should only be added if the response_type is a token
 			->set("c_hash", $tokenHash) // FIXME: c_hash should only be added if the response_type is a code

diff --git a/solid/lib/ServerConfig.php b/solid/lib/ServerConfig.php
@@ -120,6 +120,39 @@ public function removeClientConfig($clientId) {
 			unset($scopes[$clientId]);
 			$this->config->setAppValue('solid', 'clientScopes', $scopes);
 		}
+		public function getAllowedClients($userId) {
+			return json_decode($this->config->getUserValue($userId, 'solid', "allowedClients", "[]"), true);
+		}
+
+		public function addAllowedClient($userId, $clientId) {
+			$allowedClients = $this->getAllowedClients($userId);
+			$allowedClients[] = $clientId;
+			$this->config->setUserValue($userId, "solid", "allowedClients", json_encode($allowedClients));
+		}
+		public function removeAllowedClient($userId, $clientId) {
+			$allowedClients = $this->getAllowedClients($userId);
+			$allowedClients = array_diff($allowedClients, array($clientId));
+			$this->config->setUserValue($userId, "solid", "allowedClients", json_encode($allowedClients));
+		}
+
+		public function saveClientRegistration($origin, $clientData) {
+			$originHash = md5($origin);
+			$existingRegistration = $this->getClientRegistration($originHash);
+			if ($existingRegistration && isset($existingRegistration['client_name'])) {
+				return $originHash;
+			}
+
+			$clientData['client_name'] = $origin;
+			$clientData['client_secret'] = md5(random_bytes(32));
+			$this->config->setAppValue('solid', "client-" . $originHash, json_encode($clientData));
+			return $originHash;
+		}
+
+		public function getClientRegistration($clientId) {
+			$data = $this->config->getAppValue('solid', "client-" . $clientId, "{}");
+			return json_decode($data, true);
+		}
+
 		private function generateKeySet() {
 			$config = array(
 				"digest_alg" => "sha256",
@@ -138,18 +171,4 @@ private function generateKeySet() {
 			);
 			return $result;
 		}
-		public function getAllowedClients($userId) {
-			return json_decode($this->config->getUserValue($userId, 'solid', "allowedClients", "[]"), true);
-		}
-
-		public function addAllowedClient($userId, $clientId) {
-			$allowedClients = $this->getAllowedClients($userId);
-			$allowedClients[] = $clientId;
-			$this->config->setUserValue($userId, "solid", "allowedClients", json_encode($allowedClients));
-		}
-		public function removeAllowedClient($userId, $clientId) {
-			$allowedClients = $this->getAllowedClients($userId);
-			$allowedClients = array_diff($allowedClients, array($clientId));
-			$this->config->setUserValue($userId, "solid", "allowedClients", json_encode($allowedClients));
-		}
 	}