Auth token and avatarUrl security improvements (#1514)

* Remove AbstractOAuth2Controller There is no reason to provide an implementation for a specific oAuth2 library in core; it's not generic enough (eg. auth-twitter can't use it). This code could be moved into another package which auth extensions depend on, but it's a negligible amount of relatively simple code that I don't think it's worth the trouble. * Introduce login providers Users can have many login providers (a combination of a provider name and an identifier for that user, eg. their Facebook ID). After retrieving user data from a provider (eg. Facebook), you pass the login provider details into the Auth\ResponseFactory. If an associated user is found, a response that logs them in will be returned. If not, a registration token will be created so the user can proceed to sign up. Once the token is fulfilled, the login provider will be associated with the user.
2025-07-30 13:10:24 +02:00 · 2018-09-22 13:48:27 +09:30
parent fcb97b256f
commit 5dfb9b474c
16 changed files with 462 additions and 358 deletions
--- a/migrations/2018_09_22_004100_change_registration_tokens_columns.php
+++ b/migrations/2018_09_22_004100_change_registration_tokens_columns.php
@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $schema->table('registration_tokens', function (Blueprint $table) {
+            $table->string('provider');
+            $table->string('identifier');
+            $table->text('user_attributes')->nullable();
+
+            $table->text('payload')->nullable()->change();
+        });
+    },
+
+    'down' => function (Builder $schema) {
+        $schema->table('auth_tokens', function (Blueprint $table) {
+            $table->dropColumn('provider', 'identifier', 'user_attributes');
+
+            $table->string('payload', 150)->change();
+        });
+    }
+];
--- a/migrations/2018_09_22_004200_create_login_providers_table.php
+++ b/migrations/2018_09_22_004200_create_login_providers_table.php
@@ -0,0 +1,28 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable(
+    'login_providers',
+    function (Blueprint $table) {
+        $table->increments('id');
+        $table->unsignedInteger('user_id');
+        $table->string('provider', 100);
+        $table->string('identifier', 100);
+        $table->dateTime('created_at')->nullable();
+        $table->dateTime('last_login_at')->nullable();
+
+        $table->unique(['provider', 'identifier']);
+        $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
+    }
+);