Emiliano Balbuena · Emiliano Balbuena · c1c6569a · c1c6569a · c1c6569a · c1c6569a
Hide whitespace changes
Inline Side-by-side

Showing with 65 additions and 76 deletions
--- a/Controllers/api/v2/sso/authorize.php
+++ b/Controllers/api/v2/sso/authorize.php
@@ -54,22 +54,15 @@ class authorize implements Interfaces\Api, Interfaces\ApiIgnorePam
        $sso
            ->setDomain($domain);

-        if (!$sso->isAllowed()) {
-            return Factory::response([
-                'status' => 'error',
-                'message' => 'Domain not allowed',
-            ]);
-        }
-
-        $jwt = $_POST['token'];
-
-        $success = $sso
-            ->authorize($jwt);
+        try {
+            $sso
+                ->authorize($_POST['token']);
+        } catch (Exception $e) {
+            error_log((string) $e);

-        if (!$success) {
            return Factory::response([
                'status' => 'error',
-                'message' => 'Invalid token',
+                'message' => 'Cannot authorize',
            ]);
        }


--- a/Controllers/api/v2/sso/connect.php
+++ b/Controllers/api/v2/sso/connect.php
@@ -52,16 +52,18 @@ class connect implements Interfaces\Api, Interfaces\ApiIgnorePam
        $sso
            ->setDomain($domain);

-        if (!$sso->isAllowed()) {
+        try {
+            return Factory::response([
+                'token' => $sso->generateToken()
+            ]);
+        } catch (Exception $e) {
+            error_log((string) $e);
+
            return Factory::response([
                'status' => 'error',
-                'message' => 'Domain not allowed'
+                'message' => 'Cannot connect',
            ]);
        }
-
-        return Factory::response([
-            'token' => $sso->generateToken()
-        ]);
    }

    /**

--- a/Core/SSO/Manager.php
+++ b/Core/SSO/Manager.php
@@ -16,7 +16,7 @@ use Minds\Core\Sessions\Manager as SessionsManager;
 class Manager
 {
    /** @var int */
-    const JTW_EXPIRE = 300;
+    const JWT_EXPIRE = 300;

    /** @var Config */
    protected $config;
@@ -71,7 +71,7 @@ class Manager
    /**
     * @return bool
     */
-    public function isAllowed(): bool
+    protected function isAllowed(): bool
    {
        if ($this->proDelegate->isAllowed($this->domain)) {
            return true;
@@ -86,6 +86,10 @@ class Manager
     */
    public function generateToken(): ?string
    {
+        if (!$this->isAllowed()) {
+            throw new Exception('Invalid domain');
+        }
+
        $now = time();
        $session = $this->sessions->getSession();

@@ -109,23 +113,27 @@ class Manager
            ->encode([
                'key' => $ssoKey,
                'domain' => $this->domain,
-            ], $now, $now + static::JTW_EXPIRE);
+            ], $now, $now + static::JWT_EXPIRE);

        $this->cache
-            ->set($ssoKey, $sessionToken, static::JTW_EXPIRE * 2);
+            ->set($ssoKey, $sessionToken, static::JWT_EXPIRE * 2);

        return $jwt;
    }

    /**
     * @param string $jwt
-     * @return bool
+     * @return void
     * @throws Exception
     */
-    public function authorize(string $jwt): bool
+    public function authorize(string $jwt): void
    {
        if (!$jwt) {
-            return false;
+            throw new Exception('Invalid JTW');
+        }
+
+        if (!$this->isAllowed()) {
+            throw new Exception('Invalid domain');
        }

        $key = $this->config->get('oauth')['encryption_key'] ?? '';
@@ -134,33 +142,26 @@ class Manager
            throw new Exception('Invalid encryption key');
        }

-        try {
-            $data = $this->jwt
-                ->setKey($key)
-                ->decode($jwt);
-
-            if ($this->domain !== $data['domain']) {
-                throw new Exception('Invalid domain');
-            }
+        $data = $this->jwt
+            ->setKey($key)
+            ->decode($jwt);

-            $ssoKey = $data['key'];
+        if ($this->domain !== $data['domain']) {
+            throw new Exception('Domain mismatch');
+        }

-            $sessionToken = $this->cache
-                ->get($ssoKey);
+        $ssoKey = $data['key'];

-            if ($sessionToken) {
-                $this->sessions
-                    ->withString($sessionToken)
-                    ->save();
+        $sessionToken = $this->cache
+            ->get($ssoKey);

-                $this->cache
-                    ->destroy($ssoKey);
-            }
+        if ($sessionToken) {
+            $this->sessions
+                ->withString($sessionToken)
+                ->save();

-            return true;
-        } catch (Exception $e) {
-            error_log((string) $e);
-            return false;
+            $this->cache
+                ->destroy($ssoKey);
        }
    }
 }
--- a/Spec/Core/SSO/ManagerSpec.php
+++ b/Spec/Core/SSO/ManagerSpec.php
@@ -2,6 +2,7 @@

 namespace Spec\Minds\Core\SSO;

+use Exception;
 use Minds\Common\Jwt;
 use Minds\Core\Config;
 use Minds\Core\Data\cache\abstractCacher;
@@ -61,33 +62,13 @@ class ManagerSpec extends ObjectBehavior
        $this->shouldHaveType(Manager::class);
    }

-    public function it_should_check_if_allowed()
-    {
+    public function it_should_generate_token(
+        Session $session
+    ) {
        $this->proDelegate->isAllowed('phpspec.test')
            ->shouldBeCalled()
            ->willReturn(true);

-        $this
-            ->setDomain('phpspec.test')
-            ->isAllowed()
-            ->shouldReturn(true);
-    }
-
-    public function it_should_check_if_not_allowed()
-    {
-        $this->proDelegate->isAllowed('phpspec.test')
-            ->shouldBeCalled()
-            ->willReturn(false);
-
-        $this
-            ->setDomain('phpspec.test')
-            ->isAllowed()
-            ->shouldReturn(false);
-    }
-
-    public function it_should_generate_token(
-        Session $session
-    ) {
        $this->sessions->getSession()
            ->shouldBeCalled()
            ->willReturn($session);
@@ -134,6 +115,10 @@ class ManagerSpec extends ObjectBehavior

    public function it_should_not_generate_a_token_if_logged_out()
    {
+        $this->proDelegate->isAllowed('phpspec.test')
+            ->shouldBeCalled()
+            ->willReturn(true);
+
        $this->sessions->getSession()
            ->shouldBeCalled()
            ->willReturn(null);
@@ -146,6 +131,10 @@ class ManagerSpec extends ObjectBehavior

    public function it_should_authorize()
    {
+        $this->proDelegate->isAllowed('phpspec.test')
+            ->shouldBeCalled()
+            ->willReturn(true);
+
        $this->jwt->setKey('~key~')
            ->shouldBeCalled()
            ->willReturn($this->jwt);
@@ -175,12 +164,16 @@ class ManagerSpec extends ObjectBehavior

        $this
            ->setDomain('phpspec.test')
-            ->authorize('~jwt~')
-            ->shouldReturn(true);
+            ->shouldNotThrow(Exception::class)
+            ->duringAuthorize('~jwt~');
    }

    public function it_should_not_authorize_if_domain_mismatches()
    {
+        $this->proDelegate->isAllowed('other-phpspec.test')
+            ->shouldBeCalled()
+            ->willReturn(true);
+
        $this->jwt->setKey('~key~')
            ->shouldBeCalled()
            ->willReturn($this->jwt);
@@ -196,8 +189,8 @@ class ManagerSpec extends ObjectBehavior
            ->shouldNotBeCalled();

        $this
-            ->setDomain('phpspec-invalid.test')
-            ->authorize('~jwt~')
-            ->shouldReturn(false);
+            ->setDomain('other-phpspec.test')
+            ->shouldThrow(new Exception('Domain mismatch'))
+            ->duringAuthorize('~jwt~');
    }
 }