Add external authenticator (social login) API

Allows registrations to be completed with a pre-confirmed email address and no password.
2025-08-19 23:01:56 +02:00 · 2015-09-15 11:27:31 +09:30
parent 53f7112248
commit 6beb4fe898
27 changed files with 516 additions and 96 deletions
--- a/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php
+++ b/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php
@@ -15,36 +15,32 @@ use Illuminate\Contracts\Container\Container;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Zend\Stratigility\MiddlewareInterface;
+use Flarum\Forum\Middleware\LoginWithCookie;
+use Flarum\Core\Exceptions\PermissionDeniedException;

-class LoginWithCookieAndCheckAdmin implements MiddlewareInterface
+class LoginWithCookieAndCheckAdmin extends LoginWithCookie
 {
-    /**
-     * @var Container
-     */
-    protected $app;
-
-    /**
-     * @param Container $app
-     */
-    public function __construct(Container $app)
-    {
-        $this->app = $app;
-    }
-
    /**
     * {@inheritdoc}
     */
    public function __invoke(Request $request, Response $response, callable $out = null)
    {
-        if (($token = array_get($request->getCookieParams(), 'flarum_remember')) &&
-            ($accessToken = AccessToken::valid($token)) &&
-            $accessToken->user->isAdmin()
-        ) {
-            $this->app->instance('flarum.actor', $accessToken->user);
-        } else {
-            die('Access Denied');
+        if (! $this->logIn($request)) {
+            throw new PermissionDeniedException;
        }

        return $out ? $out($request, $response) : $response;
    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getToken(Request $request)
+    {
+        $token = parent::getToken($request);
+
+        if ($token && $token->user && $token->user->isAdmin()) {
+            return $token;
+        }
+    }
 }
--- a/src/Api/AccessToken.php
+++ b/src/Api/AccessToken.php
@@ -12,6 +12,7 @@ namespace Flarum\Api;

 use Flarum\Core\Model;
 use DateTime;
+use Exception;

 /**
 * @todo document database columns with @property
@@ -55,14 +56,13 @@ class AccessToken extends Model
    }

    /**
-     * Get the given token only if it is valid.
+     * Check that the token has not expired.
     *
-     * @param string $token
-     * @return static|null
+     * @return bool
     */
-    public static function valid($token)
+    public function isValid()
    {
-        return static::where('id', $token)->where('expires_at', '>', new DateTime)->first();
+        return $this->expires_at > new DateTime;
    }

    /**
--- a/src/Api/Actions/Users/CreateAction.php
+++ b/src/Api/Actions/Users/CreateAction.php
@@ -73,8 +73,12 @@ class CreateAction extends BaseCreateAction
     */
    protected function create(JsonApiRequest $request)
    {
-        return $this->bus->dispatch(
+        $user = $this->bus->dispatch(
            new RegisterUser($request->actor, $request->get('data'))
        );
+
+        $request->actor = $user;
+
+        return $user;
    }
 }
--- a/src/Api/Middleware/LoginWithHeader.php
+++ b/src/Api/Middleware/LoginWithHeader.php
@@ -50,7 +50,7 @@ class LoginWithHeader implements MiddlewareInterface
        if (isset($parts[0]) && starts_with($parts[0], $this->prefix)) {
            $token = substr($parts[0], strlen($this->prefix));

-            if ($accessToken = AccessToken::valid($token)) {
+            if (($accessToken = AccessToken::find($token)) && $accessToken->isValid()) {
                $this->app->instance('flarum.actor', $user = $accessToken->user);

                $user->updateLastSeen()->save();
--- a/src/Core/Users/Commands/ConfirmEmailHandler.php
+++ b/src/Core/Users/Commands/ConfirmEmailHandler.php
@@ -13,7 +13,6 @@ namespace Flarum\Core\Users\Commands;
 use Flarum\Core\Users\UserRepository;
 use Flarum\Events\UserWillBeSaved;
 use Flarum\Core\Support\DispatchesEvents;
-use Flarum\Core\Exceptions\InvalidConfirmationTokenException;
 use Flarum\Core\Users\EmailToken;
 use DateTime;

@@ -36,16 +35,14 @@ class ConfirmEmailHandler

    /**
     * @param ConfirmEmail $command
-     * @return \Flarum\Core\Users\User
+     *
     * @throws InvalidConfirmationTokenException
+     *
+     * @return \Flarum\Core\Users\User
     */
    public function handle(ConfirmEmail $command)
    {
-        $token = EmailToken::find($command->token);
-
-        if (! $token || $token->created_at < new DateTime('-1 day')) {
-            throw new InvalidConfirmationTokenException;
-        }
+        $token = EmailToken::validOrFail($command->token);

        $user = $token->user;
        $user->changeEmail($token->email);
--- a/src/Core/Users/Commands/RegisterUserHandler.php
+++ b/src/Core/Users/Commands/RegisterUserHandler.php
@@ -11,17 +11,25 @@
 namespace Flarum\Core\Users\Commands;

 use Flarum\Core\Users\User;
+use Flarum\Core\Users\EmailToken;
 use Flarum\Events\UserWillBeSaved;
 use Flarum\Core\Support\DispatchesEvents;
 use Flarum\Core\Settings\SettingsRepository;
 use Flarum\Core\Exceptions\PermissionDeniedException;
+use DateTime;

 class RegisterUserHandler
 {
    use DispatchesEvents;

+    /**
+     * @var SettingsRepository
+     */
    protected $settings;

+    /**
+     * @param SettingsRepository $settings
+     */
    public function __construct(SettingsRepository $settings)
    {
        $this->settings = $settings;
@@ -29,27 +37,57 @@ class RegisterUserHandler

    /**
     * @param RegisterUser $command
+     *
+     * @throws PermissionDeniedException if signup is closed and the actor is
+     *     not an administrator.
+     * @throws \Flarum\Core\Exceptions\InvalidConfirmationTokenException if an
+     *     email confirmation token is provided but is invalid.
+     *
     * @return User
-     * @throws PermissionDeniedException
     */
    public function handle(RegisterUser $command)
    {
-        if (! $this->settings->get('allow_sign_up')) {
-            throw new PermissionDeniedException;
-        }
-
        $actor = $command->actor;
        $data = $command->data;

+        if (! $this->settings->get('allow_sign_up') && ! $actor->isAdmin()) {
+            throw new PermissionDeniedException;
+        }
+
+        // If a valid email confirmation token was provided as an attribute,
+        // then we can create a random password for this user and consider their
+        // email address confirmed.
+        if (isset($data['attributes']['token'])) {
+            $token = EmailToken::whereNull('user_id')->validOrFail($data['attributes']['token']);
+
+            $email = $token->email;
+            $password = array_get($data, 'attributes.password', str_random(20));
+        } else {
+            $email = array_get($data, 'attributes.email');
+            $password = array_get($data, 'attributes.password');
+        }
+
+        // Create the user's new account. If their email was set via token, then
+        // we can activate their account from the get-go, and they won't need
+        // to confirm their email address.
        $user = User::register(
            array_get($data, 'attributes.username'),
-            array_get($data, 'attributes.email'),
-            array_get($data, 'attributes.password')
+            $email,
+            $password
        );

+        if (isset($token)) {
+            $user->activate();
+        }
+
        event(new UserWillBeSaved($user, $actor, $data));

        $user->save();
+
+        if (isset($token)) {
+            $token->delete();
+        }
+
        $this->dispatchEventsFor($user);

        return $user;
--- a/src/Core/Users/EmailToken.php
+++ b/src/Core/Users/EmailToken.php
@@ -11,6 +11,8 @@
 namespace Flarum\Core\Users;

 use Flarum\Core\Model;
+use Flarum\Core\Exceptions\InvalidConfirmationTokenException;
+use DateTime;

 /**
 * @todo document database columns with @property
@@ -37,11 +39,12 @@ class EmailToken extends Model
    /**
     * Generate an email token for the specified user.
     *
-     * @param int $userId
     * @param string $email
+     * @param int $userId
+     *
     * @return static
     */
-    public static function generate($userId, $email)
+    public static function generate($email, $userId = null)
    {
        $token = new static;

@@ -62,4 +65,25 @@ class EmailToken extends Model
    {
        return $this->belongsTo('Flarum\Core\Users\User');
    }
+
+    /**
+     * Find the token with the given ID, and assert that it has not expired.
+     *
+     * @param \Illuminate\Database\Eloquent\Builder $query
+     * @param string $id
+     *
+     * @throws InvalidConfirmationTokenException
+     *
+     * @return static
+     */
+    public function scopeValidOrFail($query, $id)
+    {
+        $token = $query->find($id);
+
+        if (! $token || $token->created_at < new DateTime('-1 day')) {
+            throw new InvalidConfirmationTokenException;
+        }
+
+        return $token;
+    }
 }
--- a/src/Core/Users/Listeners/EmailConfirmationMailer.php
+++ b/src/Core/Users/Listeners/EmailConfirmationMailer.php
@@ -57,6 +57,11 @@ class EmailConfirmationMailer
    public function whenUserWasRegistered(UserWasRegistered $event)
    {
        $user = $event->user;
+
+        if ($user->is_activated) {
+            return;
+        }
+
        $data = $this->getEmailData($user, $user->email);

        $this->mailer->send(['text' => 'flarum::emails.activateAccount'], $data, function (Message $message) use ($user) {
@@ -82,11 +87,12 @@ class EmailConfirmationMailer
    /**
     * @param User $user
     * @param string $email
+     *
     * @return EmailToken
     */
    protected function generateToken(User $user, $email)
    {
-        $token = EmailToken::generate($user->id, $email);
+        $token = EmailToken::generate($email, $user->id);
        $token->save();

        return $token;
@@ -97,6 +103,7 @@ class EmailConfirmationMailer
     *
     * @param User $user
     * @param string $email
+     *
     * @return array
     */
    protected function getEmailData(User $user, $email)
--- a/src/Forum/Actions/ClientAction.php
+++ b/src/Forum/Actions/ClientAction.php
@@ -56,7 +56,6 @@ class ClientAction extends BaseClientAction
        'core.discussion_started',
        'core.discussion_title',
        'core.discussions',
-        'core.dismiss',
        'core.edit',
        'core.editing_post',
        'core.email',
--- a/src/Forum/Actions/ExternalAuthenticatorTrait.php
+++ b/src/Forum/Actions/ExternalAuthenticatorTrait.php
@@ -0,0 +1,70 @@
+<?php
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Forum\Actions;
+
+use Flarum\Core\Users\User;
+use Zend\Diactoros\Response\HtmlResponse;
+use Flarum\Api\Commands\GenerateAccessToken;
+use Flarum\Core\Users\EmailToken;
+
+trait ExternalAuthenticatorTrait
+{
+    use WritesRememberCookie;
+
+    /**
+     * @var \Illuminate\Contracts\Bus\Dispatcher
+     */
+    protected $bus;
+
+    /**
+     * Respond with JavaScript to tell the Flarum app that the user has been
+     * authenticated, or with information about their sign up status.
+     *
+     * @param string $email The email of the user's account.
+     * @param string $username A suggested username for the user's account.
+     * @return HtmlResponse
+     */
+    protected function authenticated($email, $username)
+    {
+        $user = User::where('email', $email)->first();
+
+        // If a user with this email address doesn't already exist, then we will
+        // generate a unique confirmation token for this email address and add
+        // it to the response, along with the email address and a suggested
+        // username. Otherwise, we will log in the existing user by generating
+        // an access token.
+        if (! $user) {
+            $token = EmailToken::generate($email);
+            $token->save();
+
+            $payload = compact('email', 'username');
+
+            $payload['token'] = $token->id;
+        } else {
+            $accessToken = $this->bus->dispatch(new GenerateAccessToken($user->id));
+
+            $payload = ['authenticated' => true];
+        }
+
+        $content = sprintf('<script>
+window.opener.app.authenticationComplete(%s);
+window.close();
+</script>', json_encode($payload));
+
+        $response = new HtmlResponse($content);
+
+        if (isset($accessToken)) {
+            $response = $this->withRememberCookie($response, $accessToken->id);
+        }
+
+        return $response;
+    }
+}
--- a/src/Forum/Actions/LoginAction.php
+++ b/src/Forum/Actions/LoginAction.php
@@ -47,7 +47,7 @@ class LoginAction extends Action
    /**
     * @param Request $request
     * @param array $routeParams
-     * @return \Psr\Http\Message\ResponseInterface|EmptyResponse
+     * @return JsonResponse|EmptyResponse
     */
    public function handle(Request $request, array $routeParams = [])
    {
--- a/src/Forum/Actions/RegisterAction.php
+++ b/src/Forum/Actions/RegisterAction.php
@@ -0,0 +1,80 @@
+<?php
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Forum\Actions;
+
+use Flarum\Api\Client;
+use Flarum\Api\AccessToken;
+use Flarum\Events\UserLoggedIn;
+use Flarum\Support\Action;
+use Flarum\Api\Commands\GenerateAccessToken;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Diactoros\Response\EmptyResponse;
+use Zend\Diactoros\Response\JsonResponse;
+use Illuminate\Contracts\Bus\Dispatcher;
+use DateTime;
+
+class RegisterAction extends Action
+{
+    use WritesRememberCookie;
+
+    /**
+     * @var Dispatcher
+     */
+    protected $bus;
+
+    /**
+     * @var Client
+     */
+    protected $apiClient;
+
+    /**
+     * @param Dispatcher $bus
+     * @param Client $apiClient
+     */
+    public function __construct(Dispatcher $bus, Client $apiClient)
+    {
+        $this->bus = $bus;
+        $this->apiClient = $apiClient;
+    }
+
+    /**
+     * @param Request $request
+     * @param array $routeParams
+     *
+     * @return JsonResponse
+     */
+    public function handle(Request $request, array $routeParams = [])
+    {
+        $params = ['data' => ['attributes' => $request->getAttributes()]];
+
+        $apiResponse = $this->apiClient->send(app('flarum.actor'), 'Flarum\Api\Actions\Users\CreateAction', $params);
+
+        $body = $apiResponse->getBody();
+        $statusCode = $apiResponse->getStatusCode();
+
+        $response = new JsonResponse($body, $statusCode);
+
+        if (! empty($body->data->attributes->isActivated)) {
+            $token = $this->bus->dispatch(new GenerateAccessToken($body->data->id));
+
+            // Extend the token's expiry to 2 weeks so that we can set a
+            // remember cookie
+            AccessToken::where('id', $token->id)->update(['expires_at' => new DateTime('+2 weeks')]);
+
+            return $this->withRememberCookie(
+                $response,
+                $token->id
+            );
+        }
+
+        return $response;
+    }
+}
--- a/src/Forum/ForumServiceProvider.php
+++ b/src/Forum/ForumServiceProvider.php
@@ -102,6 +102,12 @@ class ForumServiceProvider extends ServiceProvider
            $this->action('Flarum\Forum\Actions\LoginAction')
        );

+        $routes->post(
+            '/register',
+            'flarum.forum.register',
+            $this->action('Flarum\Forum\Actions\RegisterAction')
+        );
+
        $routes->get(
            '/confirm/{token}',
            'flarum.forum.confirmEmail',
--- a/src/Forum/Middleware/LoginWithCookie.php
+++ b/src/Forum/Middleware/LoginWithCookie.php
@@ -36,14 +36,46 @@ class LoginWithCookie implements MiddlewareInterface
     */
    public function __invoke(Request $request, Response $response, callable $out = null)
    {
-        if (($token = array_get($request->getCookieParams(), 'flarum_remember')) &&
-            ($accessToken = AccessToken::valid($token))
-        ) {
-            $this->app->instance('flarum.actor', $user = $accessToken->user);
-
-            $user->updateLastSeen()->save();
-        }
+        $this->logIn($request);

        return $out ? $out($request, $response) : $response;
    }
+
+    /**
+     * Set the application's actor instance according to the request token.
+     *
+     * @param Request $request
+     * @return bool
+     */
+    protected function logIn(Request $request)
+    {
+        if ($token = $this->getToken($request)) {
+            if (! $token->isValid()) {
+                // TODO: https://github.com/flarum/core/issues/253
+            } elseif ($token->user) {
+                $this->app->instance('flarum.actor', $user = $token->user);
+
+                $user->updateLastSeen()->save();
+
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Get the access token referred to by the request cookie.
+     *
+     * @param Request $request
+     * @return AccessToken|null
+     */
+    protected function getToken(Request $request)
+    {
+        $token = array_get($request->getCookieParams(), 'flarum_remember');
+
+        if ($token) {
+            return AccessToken::find($token);
+        }
+    }
 }