NixLabs/lwaf
Template
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial Commit

Browse Source
This commit is contained in:
Owen Rummage
2025-07-29 17:44:43 -05:00
commit 6653bc5e47
13 changed files with 525 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
app/middlewares/auth.php Normal file
View File

@@ -0,0 +1,236 @@
<?php
class Auth
{
private static $oidc_issuer;
private static $client_id;
private static $client_secret;
private static $initialized = false;
private static function init()
{
if (!self::$initialized) {
self::$oidc_issuer = $_ENV["OIDC_ISSUER"] ?? getenv("OIDC_ISSUER");
self::$client_id =
$_ENV["OIDC_CLIENT_ID"] ?? getenv("OIDC_CLIENT_ID");
self::$client_secret =
$_ENV["OIDC_CLIENT_SECRET"] ?? getenv("OIDC_CLIENT_SECRET");
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
self::$initialized = true;
}
}
private static function getRedirectUri()
{
$protocol =
isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on"
? "https"
: "http";
$host = $_SERVER["HTTP_HOST"];
$path = "/auth/login";
return $protocol . "://" . $host . $path;
}
public static function middleware()
{
self::init();
return function () {
if (!isset($_SESSION["access_token"])) {
Flight::redirect("/auth/login");
return;
}
// Validate the token by making a request to userinfo endpoint
$userinfo_endpoint = self::getDiscoveryEndpoint(
"userinfo_endpoint",
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $userinfo_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Authorization: Bearer " . $_SESSION["access_token"],
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// If token validation fails, clear session and redirect to login
if ($http_code !== 200) {
unset($_SESSION["access_token"]);
if (isset($_SESSION["id_token"])) {
unset($_SESSION["id_token"]);
}
if (isset($_SESSION["refresh_token"])) {
unset($_SESSION["refresh_token"]);
}
Flight::redirect("/auth/login");
}
};
}
public static function login($redirect_url)
{
self::init();
if (isset($_GET["code"])) {
// Handle callback
$code = $_GET["code"];
$token_endpoint = self::getDiscoveryEndpoint("token_endpoint");
$post_data = [
"grant_type" => "authorization_code",
"code" => $code,
"redirect_uri" => self::getRedirectUri(),
"client_id" => self::$client_id,
"client_secret" => self::$client_secret,
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $token_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Content-Type: application/x-www-form-urlencoded",
]);
$response = curl_exec($ch);
curl_close($ch);
$token_data = json_decode($response, true);
if (isset($token_data["access_token"])) {
$_SESSION["access_token"] = $token_data["access_token"];
$_SESSION["id_token"] = $token_data["id_token"] ?? null;
$_SESSION["refresh_token"] =
$token_data["refresh_token"] ?? null;
Flight::redirect($redirect_url);
} else {
Flight::halt(500, "Failed to obtain access token");
}
} else {
// Show login page
$auth_endpoint = self::getDiscoveryEndpoint(
"authorization_endpoint",
);
$state = bin2hex(random_bytes(16));
$_SESSION["oauth_state"] = $state;
$params = [
"response_type" => "code",
"client_id" => self::$client_id,
"redirect_uri" => self::getRedirectUri(),
"scope" => "openid profile email",
"state" => $state,
];
$login_url = $auth_endpoint . "?" . http_build_query($params);
echo '<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<style>
body { font-family: Arial, sans-serif; text-align: center; margin-top: 100px; }
.login-btn {
background-color: #007cba;
color: white;
padding: 15px 30px;
text-decoration: none;
border-radius: 5px;
font-size: 16px;
}
.login-btn:hover { background-color: #005a87; }
</style>
</head>
<body>
<h1>Login Required</h1>
<p>Please click the button below to authenticate</p>
<a href="' .
htmlspecialchars($login_url) .
'" class="login-btn">Login with OIDC</a>
</body>
</html>';
}
}
public static function user()
{
self::init();
if (!isset($_SESSION["access_token"])) {
return null;
}
$userinfo_endpoint = self::getDiscoveryEndpoint("userinfo_endpoint");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $userinfo_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Authorization: Bearer " . $_SESSION["access_token"],
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
return json_decode($response, true);
}
return null;
}
public static function logout()
{
self::init();
// Clear session
if (isset($_SESSION["access_token"])) {
unset($_SESSION["access_token"]);
}
if (isset($_SESSION["id_token"])) {
unset($_SESSION["id_token"]);
}
if (isset($_SESSION["refresh_token"])) {
unset($_SESSION["refresh_token"]);
}
Flight::redirect("/");
}
private static function getDiscoveryEndpoint($endpoint)
{
$discovery_url =
rtrim(self::$oidc_issuer, "/") .
"/.well-known/openid-configuration";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $discovery_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
curl_close($ch);
$discovery = json_decode($response, true);
if (!isset($discovery[$endpoint])) {
throw new Exception(
"Endpoint {$endpoint} not found in OIDC discovery: " .
$discovery_url,
);
}
return $discovery[$endpoint];
}
}