aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/phpbb/auth
diff options
context:
space:
mode:
Diffstat (limited to 'phpBB/phpbb/auth')
-rw-r--r--phpBB/phpbb/auth/auth.php13
-rw-r--r--phpBB/phpbb/auth/provider/db.php1
-rw-r--r--phpBB/phpbb/auth/provider/oauth/oauth.php47
-rw-r--r--phpBB/phpbb/auth/provider/oauth/service/twitter.php102
-rw-r--r--phpBB/phpbb/auth/provider/oauth/token_storage.php254
5 files changed, 393 insertions, 24 deletions
diff --git a/phpBB/phpbb/auth/auth.php b/phpBB/phpbb/auth/auth.php
index b7634e04ce..dbd83f1eb0 100644
--- a/phpBB/phpbb/auth/auth.php
+++ b/phpBB/phpbb/auth/auth.php
@@ -514,7 +514,7 @@ class auth
*/
function acl_clear_prefetch($user_id = false)
{
- global $db, $cache;
+ global $db, $cache, $phpbb_dispatcher;
// Rebuild options cache
$cache->destroy('_role_cache');
@@ -553,6 +553,16 @@ class auth
$where_sql";
$db->sql_query($sql);
+ /**
+ * Event is triggered after user(s) permission settings cache has been cleared
+ *
+ * @event core.acl_clear_prefetch_after
+ * @var mixed user_id User ID(s)
+ * @since 3.1.11-RC1
+ */
+ $vars = array('user_id');
+ extract($phpbb_dispatcher->trigger_event('core.acl_clear_prefetch_after', compact($vars)));
+
return;
}
@@ -930,6 +940,7 @@ class auth
global $db, $user, $phpbb_root_path, $phpEx, $phpbb_container;
global $phpbb_dispatcher;
+ /* @var $provider_collection \phpbb\auth\provider_collection */
$provider_collection = $phpbb_container->get('auth.provider_collection');
$provider = $provider_collection->get_provider();
diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php
index d8c5fb72de..1adf85ee05 100644
--- a/phpBB/phpbb/auth/provider/db.php
+++ b/phpBB/phpbb/auth/provider/db.php
@@ -155,6 +155,7 @@ class db extends \phpbb\auth\provider\base
// Every auth module is able to define what to do by itself...
if ($show_captcha)
{
+ /* @var $captcha_factory \phpbb\captcha\factory */
$captcha_factory = $this->phpbb_container->get('captcha.factory');
$captcha = $captcha_factory->get_instance($this->config['captcha_plugin']);
$captcha->init(CONFIRM_LOGIN);
diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php
index bd2a414033..fdc5f57df0 100644
--- a/phpBB/phpbb/auth/provider/oauth/oauth.php
+++ b/phpBB/phpbb/auth/provider/oauth/oauth.php
@@ -63,6 +63,13 @@ class oauth extends \phpbb\auth\provider\base
protected $auth_provider_oauth_token_storage_table;
/**
+ * OAuth state table
+ *
+ * @var string
+ */
+ protected $auth_provider_oauth_state_table;
+
+ /**
* OAuth account association table
*
* @var string
@@ -127,6 +134,7 @@ class oauth extends \phpbb\auth\provider\base
* @param \phpbb\request\request_interface $request
* @param \phpbb\user $user
* @param string $auth_provider_oauth_token_storage_table
+ * @param string $auth_provider_oauth_state_table
* @param string $auth_provider_oauth_token_account_assoc
* @param \phpbb\di\service_collection $service_providers Contains \phpbb\auth\provider\oauth\service_interface
* @param string $users_table
@@ -135,7 +143,7 @@ class oauth extends \phpbb\auth\provider\base
* @param string $phpbb_root_path
* @param string $php_ext
*/
- public function __construct(\phpbb\db\driver\driver_interface $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request_interface $request, \phpbb\user $user, $auth_provider_oauth_token_storage_table, $auth_provider_oauth_token_account_assoc, \phpbb\di\service_collection $service_providers, $users_table, \Symfony\Component\DependencyInjection\ContainerInterface $phpbb_container, \phpbb\event\dispatcher_interface $dispatcher, $phpbb_root_path, $php_ext)
+ public function __construct(\phpbb\db\driver\driver_interface $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request_interface $request, \phpbb\user $user, $auth_provider_oauth_token_storage_table, $auth_provider_oauth_state_table, $auth_provider_oauth_token_account_assoc, \phpbb\di\service_collection $service_providers, $users_table, \Symfony\Component\DependencyInjection\ContainerInterface $phpbb_container, \phpbb\event\dispatcher_interface $dispatcher, $phpbb_root_path, $php_ext)
{
$this->db = $db;
$this->config = $config;
@@ -143,6 +151,7 @@ class oauth extends \phpbb\auth\provider\base
$this->request = $request;
$this->user = $user;
$this->auth_provider_oauth_token_storage_table = $auth_provider_oauth_token_storage_table;
+ $this->auth_provider_oauth_state_table = $auth_provider_oauth_state_table;
$this->auth_provider_oauth_token_account_assoc = $auth_provider_oauth_token_account_assoc;
$this->service_providers = $service_providers;
$this->users_table = $users_table;
@@ -197,11 +206,12 @@ class oauth extends \phpbb\auth\provider\base
// Get the service credentials for the given service
$service_credentials = $this->service_providers[$service_name]->get_service_credentials();
- $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table);
+ $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
$query = 'mode=login&login=external&oauth_service=' . $service_name_original;
$service = $this->get_service($service_name_original, $storage, $service_credentials, $query, $this->service_providers[$service_name]->get_auth_scope());
- if ($this->request->is_set('code', \phpbb\request\request_interface::GET))
+ if (($service::OAUTH_VERSION === 2 && $this->request->is_set('code', \phpbb\request\request_interface::GET))
+ || ($service::OAUTH_VERSION === 1 && $this->request->is_set('oauth_token', \phpbb\request\request_interface::GET)))
{
$this->service_providers[$service_name]->set_external_service_provider($service);
$unique_id = $this->service_providers[$service_name]->perform_auth_login();
@@ -268,7 +278,15 @@ class oauth extends \phpbb\auth\provider\base
}
else
{
- $url = $service->getAuthorizationUri();
+ if ($service::OAUTH_VERSION === 1)
+ {
+ $token = $service->requestRequestToken();
+ $url = $service->getAuthorizationUri(array('oauth_token' => $token->getRequestToken()));
+ }
+ else
+ {
+ $url = $service->getAuthorizationUri();
+ }
header('Location: ' . $url);
}
}
@@ -483,7 +501,7 @@ class oauth extends \phpbb\auth\provider\base
*/
protected function link_account_login_link(array $link_data, $service_name)
{
- $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table);
+ $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
// Check for an access token, they should have one
if (!$storage->has_access_token_by_session($service_name))
@@ -526,13 +544,14 @@ class oauth extends \phpbb\auth\provider\base
*/
protected function link_account_auth_link(array $link_data, $service_name)
{
- $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table);
+ $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
$query = 'i=ucp_auth_link&mode=auth_link&link=1&oauth_service=' . strtolower($link_data['oauth_service']);
$service_credentials = $this->service_providers[$service_name]->get_service_credentials();
$scopes = $this->service_providers[$service_name]->get_auth_scope();
$service = $this->get_service(strtolower($link_data['oauth_service']), $storage, $service_credentials, $query, $scopes);
- if ($this->request->is_set('code', \phpbb\request\request_interface::GET))
+ if (($service::OAUTH_VERSION === 2 && $this->request->is_set('code', \phpbb\request\request_interface::GET))
+ || ($service::OAUTH_VERSION === 1 && $this->request->is_set('oauth_token', \phpbb\request\request_interface::GET)))
{
$this->service_providers[$service_name]->set_external_service_provider($service);
$unique_id = $this->service_providers[$service_name]->perform_auth_login();
@@ -548,7 +567,15 @@ class oauth extends \phpbb\auth\provider\base
}
else
{
- $url = $service->getAuthorizationUri();
+ if ($service::OAUTH_VERSION === 1)
+ {
+ $token = $service->requestRequestToken();
+ $url = $service->getAuthorizationUri(array('oauth_token' => $token->getRequestToken()));
+ }
+ else
+ {
+ $url = $service->getAuthorizationUri();
+ }
header('Location: ' . $url);
}
}
@@ -583,7 +610,7 @@ class oauth extends \phpbb\auth\provider\base
public function logout($data, $new_session)
{
// Clear all tokens belonging to the user
- $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table);
+ $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
$storage->clearAllTokens();
return;
@@ -666,7 +693,7 @@ class oauth extends \phpbb\auth\provider\base
// Clear all tokens belonging to the user on this servce
$service_name = 'auth.provider.oauth.service.' . strtolower($link_data['oauth_service']);
- $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table);
+ $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
$storage->clearToken($service_name);
}
}
diff --git a/phpBB/phpbb/auth/provider/oauth/service/twitter.php b/phpBB/phpbb/auth/provider/oauth/service/twitter.php
new file mode 100644
index 0000000000..06beac51e2
--- /dev/null
+++ b/phpBB/phpbb/auth/provider/oauth/service/twitter.php
@@ -0,0 +1,102 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\auth\provider\oauth\service;
+
+/**
+* Twitter OAuth service
+*/
+class twitter extends \phpbb\auth\provider\oauth\service\base
+{
+ /**
+ * phpBB config
+ *
+ * @var \phpbb\config\config
+ */
+ protected $config;
+
+ /**
+ * phpBB request
+ *
+ * @var \phpbb\request\request_interface
+ */
+ protected $request;
+
+ /**
+ * Constructor
+ *
+ * @param \phpbb\config\config $config
+ * @param \phpbb\request\request_interface $request
+ */
+ public function __construct(\phpbb\config\config $config, \phpbb\request\request_interface $request)
+ {
+ $this->config = $config;
+ $this->request = $request;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_service_credentials()
+ {
+ return array(
+ 'key' => $this->config['auth_oauth_twitter_key'],
+ 'secret' => $this->config['auth_oauth_twitter_secret'],
+ );
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function perform_auth_login()
+ {
+ if (!($this->service_provider instanceof \OAuth\OAuth1\Service\Twitter))
+ {
+ throw new \phpbb\auth\provider\oauth\service\exception('AUTH_PROVIDER_OAUTH_ERROR_INVALID_SERVICE_TYPE');
+ }
+
+ $storage = $this->service_provider->getStorage();
+ $token = $storage->retrieveAccessToken('Twitter');
+ $tokensecret = $token->getRequestTokenSecret();
+
+ // This was a callback request from twitter, get the token
+ $this->service_provider->requestAccessToken(
+ $this->request->variable('oauth_token', ''),
+ $this->request->variable('oauth_verifier', ''),
+ $tokensecret
+ );
+
+ // Send a request with it
+ $result = json_decode($this->service_provider->request('account/verify_credentials.json'), true);
+
+ // Return the unique identifier returned from twitter
+ return $result['id'];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function perform_token_auth()
+ {
+ if (!($this->service_provider instanceof \OAuth\OAuth1\Service\Twitter))
+ {
+ throw new \phpbb\auth\provider\oauth\service\exception('AUTH_PROVIDER_OAUTH_ERROR_INVALID_SERVICE_TYPE');
+ }
+
+ // Send a request with it
+ $result = json_decode($this->service_provider->request('account/verify_credentials.json'), true);
+
+ // Return the unique identifier returned from twitter
+ return $result['id'];
+ }
+}
diff --git a/phpBB/phpbb/auth/provider/oauth/token_storage.php b/phpBB/phpbb/auth/provider/oauth/token_storage.php
index 9b6afae255..b0c2fd0d62 100644
--- a/phpBB/phpbb/auth/provider/oauth/token_storage.php
+++ b/phpBB/phpbb/auth/provider/oauth/token_storage.php
@@ -17,6 +17,7 @@ use OAuth\OAuth1\Token\StdOAuth1Token;
use OAuth\Common\Token\TokenInterface;
use OAuth\Common\Storage\TokenStorageInterface;
use OAuth\Common\Storage\Exception\TokenNotFoundException;
+use OAuth\Common\Storage\Exception\AuthorizationStateNotFoundException;
/**
* OAuth storage wrapper for phpbb's cache
@@ -42,7 +43,14 @@ class token_storage implements TokenStorageInterface
*
* @var string
*/
- protected $auth_provider_oauth_table;
+ protected $oauth_token_table;
+
+ /**
+ * OAuth state table
+ *
+ * @var string
+ */
+ protected $oauth_state_table;
/**
* @var object|TokenInterface
@@ -50,17 +58,24 @@ class token_storage implements TokenStorageInterface
protected $cachedToken;
/**
+ * @var string
+ */
+ protected $cachedState;
+
+ /**
* Creates token storage for phpBB.
*
* @param \phpbb\db\driver\driver_interface $db
* @param \phpbb\user $user
- * @param string $auth_provider_oauth_table
+ * @param string $oauth_token_table
+ * @param string $oauth_state_table
*/
- public function __construct(\phpbb\db\driver\driver_interface $db, \phpbb\user $user, $auth_provider_oauth_table)
+ public function __construct(\phpbb\db\driver\driver_interface $db, \phpbb\user $user, $oauth_token_table, $oauth_state_table)
{
$this->db = $db;
$this->user = $user;
- $this->auth_provider_oauth_table = $auth_provider_oauth_table;
+ $this->oauth_token_table = $oauth_token_table;
+ $this->oauth_state_table = $oauth_state_table;
}
/**
@@ -98,15 +113,31 @@ class token_storage implements TokenStorageInterface
$this->cachedToken = $token;
$data = array(
- 'user_id' => (int) $this->user->data['user_id'],
- 'provider' => $service,
'oauth_token' => $this->json_encode_token($token),
- 'session_id' => $this->user->data['session_id'],
);
- $sql = 'INSERT INTO ' . $this->auth_provider_oauth_table . '
- ' . $this->db->sql_build_array('INSERT', $data);
+ $sql = 'UPDATE ' . $this->oauth_token_table . '
+ SET ' . $this->db->sql_build_array('UPDATE', $data) . '
+ WHERE user_id = ' . (int) $this->user->data['user_id'] . '
+ ' . ((int) $this->user->data['user_id'] === ANONYMOUS ? "AND session_id = '" . $this->db->sql_escape($this->user->data['session_id']) . "'" : '') . "
+ AND provider = '" . $this->db->sql_escape($service) . "'";
$this->db->sql_query($sql);
+
+ if (!$this->db->sql_affectedrows())
+ {
+ $data = array(
+ 'user_id' => (int) $this->user->data['user_id'],
+ 'provider' => $service,
+ 'oauth_token' => $this->json_encode_token($token),
+ 'session_id' => $this->user->data['session_id'],
+ );
+
+ $sql = 'INSERT INTO ' . $this->oauth_token_table . $this->db->sql_build_array('INSERT', $data);
+
+ $this->db->sql_query($sql);
+ }
+
+ return $this;
}
/**
@@ -143,7 +174,7 @@ class token_storage implements TokenStorageInterface
$this->cachedToken = null;
- $sql = 'DELETE FROM ' . $this->auth_provider_oauth_table . '
+ $sql = 'DELETE FROM ' . $this->oauth_token_table . '
WHERE user_id = ' . (int) $this->user->data['user_id'] . "
AND provider = '" . $this->db->sql_escape($service) . "'";
@@ -153,6 +184,8 @@ class token_storage implements TokenStorageInterface
}
$this->db->sql_query($sql);
+
+ return $this;
}
/**
@@ -162,7 +195,7 @@ class token_storage implements TokenStorageInterface
{
$this->cachedToken = null;
- $sql = 'DELETE FROM ' . $this->auth_provider_oauth_table . '
+ $sql = 'DELETE FROM ' . $this->oauth_token_table . '
WHERE user_id = ' . (int) $this->user->data['user_id'];
if ((int) $this->user->data['user_id'] === ANONYMOUS)
@@ -171,6 +204,124 @@ class token_storage implements TokenStorageInterface
}
$this->db->sql_query($sql);
+
+ return $this;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function storeAuthorizationState($service, $state)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ $this->cachedState = $state;
+
+ $data = array(
+ 'user_id' => (int) $this->user->data['user_id'],
+ 'provider' => $service,
+ 'oauth_state' => $state,
+ 'session_id' => $this->user->data['session_id'],
+ );
+
+ $sql = 'INSERT INTO ' . $this->oauth_state_table . '
+ ' . $this->db->sql_build_array('INSERT', $data);
+ $this->db->sql_query($sql);
+
+ return $this;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hasAuthorizationState($service)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ if ($this->cachedState)
+ {
+ return true;
+ }
+
+ $data = array(
+ 'user_id' => (int) $this->user->data['user_id'],
+ 'provider' => $service,
+ );
+
+ if ((int) $this->user->data['user_id'] === ANONYMOUS)
+ {
+ $data['session_id'] = $this->user->data['session_id'];
+ }
+
+ return (bool) $this->get_state_row($data);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function retrieveAuthorizationState($service)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ if ($this->cachedState)
+ {
+ return $this->cachedState;
+ }
+
+ $data = array(
+ 'user_id' => (int) $this->user->data['user_id'],
+ 'provider' => $service,
+ );
+
+ if ((int) $this->user->data['user_id'] === ANONYMOUS)
+ {
+ $data['session_id'] = $this->user->data['session_id'];
+ }
+
+ return $this->get_state_row($data);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function clearAuthorizationState($service)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ $this->cachedState = null;
+
+ $sql = 'DELETE FROM ' . $this->oauth_state_table . '
+ WHERE user_id = ' . (int) $this->user->data['user_id'] . "
+ AND provider = '" . $this->db->sql_escape($service) . "'";
+
+ if ((int) $this->user->data['user_id'] === ANONYMOUS)
+ {
+ $sql .= " AND session_id = '" . $this->db->sql_escape($this->user->data['session_id']) . "'";
+ }
+
+ $this->db->sql_query($sql);
+
+ return $this;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function clearAllAuthorizationStates()
+ {
+ $this->cachedState = null;
+
+ $sql = 'DELETE FROM ' . $this->oauth_state_table . '
+ WHERE user_id = ' . (int) $this->user->data['user_id'];
+
+ if ((int) $this->user->data['user_id'] === ANONYMOUS)
+ {
+ $sql .= " AND session_id = '" . $this->db->sql_escape($this->user->data['session_id']) . "'";
+ }
+
+ $this->db->sql_query($sql);
+
+ return $this;
}
/**
@@ -185,7 +336,7 @@ class token_storage implements TokenStorageInterface
return;
}
- $sql = 'UPDATE ' . $this->auth_provider_oauth_table . '
+ $sql = 'UPDATE ' . $this->oauth_token_table . '
SET ' . $this->db->sql_build_array('UPDATE', array(
'user_id' => (int) $user_id
)) . '
@@ -218,6 +369,29 @@ class token_storage implements TokenStorageInterface
}
/**
+ * Checks to see if a state exists solely by the session_id of the user
+ *
+ * @param string $service The name of the OAuth service
+ * @return bool true if they have state, false if they don't
+ */
+ public function has_state_by_session($service)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ if ($this->cachedState)
+ {
+ return true;
+ }
+
+ $data = array(
+ 'session_id' => $this->user->data['session_id'],
+ 'provider' => $service,
+ );
+
+ return (bool) $this->get_state_row($data);
+ }
+
+ /**
* A helper function that performs the query for has access token functions
*
* @param array $data
@@ -245,6 +419,23 @@ class token_storage implements TokenStorageInterface
return $this->_retrieve_access_token($data);
}
+ public function retrieve_state_by_session($service)
+ {
+ $service = $this->get_service_name_for_db($service);
+
+ if ($this->cachedState)
+ {
+ return $this->cachedState;
+ }
+
+ $data = array(
+ 'session_id' => $this->user->data['session_id'],
+ 'provider' => $service,
+ );
+
+ return $this->_retrieve_state($data);
+ }
+
/**
* A helper function that performs the query for retrieve access token functions
* Also checks if the token is a valid token
@@ -276,6 +467,26 @@ class token_storage implements TokenStorageInterface
}
/**
+ * A helper function that performs the query for retrieve state functions
+ *
+ * @param array $data
+ * @return mixed
+ * @throws \OAuth\Common\Storage\Exception\AuthorizationStateNotFoundException
+ */
+ protected function _retrieve_state($data)
+ {
+ $row = $this->get_state_row($data);
+
+ if (!$row)
+ {
+ throw new AuthorizationStateNotFoundException();
+ }
+
+ $this->cachedState = $row['oauth_state'];
+ return $this->cachedState;
+ }
+
+ /**
* A helper function that performs the query for retrieving an access token
*
* @param array $data
@@ -283,7 +494,24 @@ class token_storage implements TokenStorageInterface
*/
protected function get_access_token_row($data)
{
- $sql = 'SELECT oauth_token FROM ' . $this->auth_provider_oauth_table . '
+ $sql = 'SELECT oauth_token FROM ' . $this->oauth_token_table . '
+ WHERE ' . $this->db->sql_build_array('SELECT', $data);
+ $result = $this->db->sql_query($sql);
+ $row = $this->db->sql_fetchrow($result);
+ $this->db->sql_freeresult($result);
+
+ return $row;
+ }
+
+ /**
+ * A helper function that performs the query for retrieving a state
+ *
+ * @param array $data
+ * @return mixed
+ */
+ protected function get_state_row($data)
+ {
+ $sql = 'SELECT oauth_state FROM ' . $this->oauth_state_table . '
WHERE ' . $this->db->sql_build_array('SELECT', $data);
$result = $this->db->sql_query($sql);
$row = $this->db->sql_fetchrow($result);
generated by cgit v1.2.1 (git 2.21.0) at 2025-10-31 16:27:10 +0000