cedricAbonnel/folio
1
0
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

fix #29 : envoyer le lien magique par email (envoyer_mail_smtp)

Browse Source
This commit is contained in:
Cedric Abonnel
2026-05-13 23:41:58 +02:00
commit 8a85c15372
129 changed files with 22818 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/oidc/callback.php
+200
View File
@@ -0,0 +1,200 @@
<?php
declare(strict_types=1);
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
require_once dirname(__DIR__, 2) . '/bootstrap.php';
require_once dirname(__DIR__, 2) . '/config/config.php';
if (!function_exists('env')) {
function env(string $key, ?string $default = null): ?string
{
if (array_key_exists($key, $_ENV) && $_ENV[$key] !== '') {
return (string)$_ENV[$key];
}
$v = getenv($key);
if ($v !== false && $v !== '') {
return (string)$v;
}
return $default;
}
}
$debug = (env('APP_DEBUG', '0') === '1');
$OIDC_ISSUER = rtrim((string)(env('OIDC_ISSUER') ?? ''), '/');
$OIDC_CLIENT_ID = (string)(env('OIDC_CLIENT_ID') ?? '');
$OIDC_CLIENT_SECRET = (string)(env('OIDC_CLIENT_SECRET') ?? '');
$OIDC_REDIRECT_URI = (string)(env('OIDC_REDIRECT_URI') ?: url('oidc/callback'));
if (!$OIDC_ISSUER || !$OIDC_CLIENT_ID || !$OIDC_REDIRECT_URI) {
http_response_code(500);
echo $debug ? 'OIDC config manquante.' : 'Erreur.';
exit;
}
$tokenEndpoint = $OIDC_ISSUER . '/protocol/openid-connect/token';
$userInfoEndpoint = $OIDC_ISSUER . '/protocol/openid-connect/userinfo';
if (!isset($_GET['state'], $_SESSION['oidc_state']) || !hash_equals((string)$_SESSION['oidc_state'], (string)$_GET['state'])) {
http_response_code(400);
echo $debug ? 'State invalide.' : 'Requête invalide.';
exit;
}
unset($_SESSION['oidc_state']);
if (empty($_GET['code'])) {
http_response_code(400);
echo $debug ? 'Code manquant.' : 'Requête invalide.';
exit;
}
$code = (string)$_GET['code'];
$codeVerifier = $_SESSION['oidc_code_verifier'] ?? null;
unset($_SESSION['oidc_code_verifier'], $_SESSION['oidc_nonce']);
if (!$codeVerifier) {
http_response_code(400);
echo $debug ? 'PKCE code_verifier manquant.' : 'Requête invalide.';
exit;
}
// Échange code → tokens
$post = [
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $OIDC_REDIRECT_URI,
'client_id' => $OIDC_CLIENT_ID,
'code_verifier' => $codeVerifier,
];
if ($OIDC_CLIENT_SECRET !== '') {
$post['client_secret'] = $OIDC_CLIENT_SECRET;
}
$ch = curl_init($tokenEndpoint);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post, '', '&', PHP_QUERY_RFC3986),
CURLOPT_TIMEOUT => 15,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
]);
$tokenResponse = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curlErr = curl_error($ch);
curl_close($ch);
if ($tokenResponse === false || $httpCode !== 200) {
http_response_code(500);
echo $debug ? 'Échec échange token : ' . htmlspecialchars($curlErr ?: (string)$tokenResponse) : 'Erreur d\'authentification.';
exit;
}
$tokens = json_decode((string)$tokenResponse, true) ?: [];
$accessToken = $tokens['access_token'] ?? null;
$idToken = $tokens['id_token'] ?? null;
if (!$accessToken) {
http_response_code(500);
echo $debug ? 'Access token manquant.' : 'Erreur d\'authentification.';
exit;
}
// UserInfo
$ch = curl_init($userInfoEndpoint);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $accessToken],
CURLOPT_TIMEOUT => 10,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
]);
$userInfoResponse = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($userInfoResponse === false || $httpCode !== 200) {
http_response_code(500);
echo $debug ? 'Échec UserInfo.' : 'Erreur d\'authentification.';
exit;
}
$claims = json_decode((string)$userInfoResponse, true) ?: [];
$email = $claims['email'] ?? null;
// Fallback : lire l'email depuis le payload du id_token
if (!$email && $idToken && substr_count($idToken, '.') === 2) {
[, $p, ] = explode('.', $idToken, 3);
$payload = json_decode((string)base64_decode(strtr($p, '-_', '+/'), true), true);
if (is_array($payload) && !empty($payload['email'])) {
$email = $payload['email'];
}
}
if (!$email) {
http_response_code(400);
echo $debug ? 'Email non fourni par l\'IdP.' : 'Impossible de récupérer votre email.';
exit;
}
// Nom d'affichage depuis les claims SSO
$ssoName = '';
if (!empty($claims['given_name']) || !empty($claims['family_name'])) {
$ssoName = trim(($claims['given_name'] ?? '') . ' ' . ($claims['family_name'] ?? ''));
} elseif (!empty($claims['name'])) {
$ssoName = trim($claims['name']);
} elseif (!empty($claims['preferred_username'])) {
$ssoName = trim($claims['preferred_username']);
}
// Charge le nom personnalisé depuis la base (prioritaire sur le SSO)
require_once dirname(__DIR__, 2) . '/src/auth.php';
$pdo = dbPdo();
$dbName = '';
if ($pdo) {
try {
$st = $pdo->prepare('SELECT display_name FROM user_profiles WHERE email = :e');
$st->execute([':e' => strtolower(trim($email))]);
$dbName = (string)($st->fetchColumn() ?: '');
} catch (\Throwable) {
}
}
if ($dbName !== '') {
// Nom personnalisé existant → on le conserve, le SSO ne l'écrase pas
$sessionName = $dbName;
} else {
// Première connexion → on persiste le nom SSO
$sessionName = $ssoName;
if ($ssoName !== '' && $pdo) {
try {
$pdo->prepare(
'INSERT INTO user_profiles (email, display_name, updated_at)
VALUES (:e, :n, now())
ON CONFLICT (email) DO NOTHING'
)->execute([':e' => strtolower(trim($email)), ':n' => $ssoName]);
} catch (\Throwable) {
}
}
}
// Ouvre la session authentifiée
session_regenerate_id(true);
$_SESSION['user_email'] = strtolower(trim($email));
$_SESSION['user_display_name'] = $sessionName;
$_SESSION['oidc'] = [
'issuer' => $OIDC_ISSUER,
'sub' => $claims['sub'] ?? null,
'access_token' => $accessToken,
'id_token' => $idToken,
'expires_at' => time() + (int)($tokens['expires_in'] ?? 3600),
];
$target = $_SESSION['oidc_return_to'] ?? '/';
unset($_SESSION['oidc_return_to'], $_SESSION['oidc_flow']);
if (!is_string($target) || $target === '' || $target[0] !== '/') {
$target = '/';
}
header('Location: ' . $target, true, 303);
exit;
public/oidc/me.php
+194
View File
@@ -0,0 +1,194 @@
<?php
// projet : mug.a5l.fr
// fichier : pages/oidc/me.php
// version : 20251005
declare(strict_types=1);
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
require_once dirname(__DIR__, 2) . '/bootstrap.php';
require_once dirname(__DIR__, 2) . '/config/config.php';
function maskToken(?string $t): string
{
if (!$t) {
return '';
}
$len = strlen($t);
if ($len <= 12) {
return str_repeat('•', $len);
}
return substr($t, 0, 6) . str_repeat('•', max(0, $len - 12)) . substr($t, -6);
}
function b64url_decode_str(string $s): string|false
{
$s = strtr($s, '-_', '+/');
$pad = strlen($s) % 4;
if ($pad) {
$s .= str_repeat('=', 4 - $pad);
}
return base64_decode($s, true);
}
function decode_jwt(string $jwt): array
{
if (substr_count($jwt, '.') !== 2) {
return [];
}
[, $payload, ] = explode('.', $jwt, 3);
$json = b64url_decode_str($payload);
if ($json === false) {
return [];
}
$arr = json_decode($json, true);
return is_array($arr) ? $arr : [];
}
$env = static function (string $k, ?string $d = null): ?string {
if (array_key_exists($k, $_ENV) && $_ENV[$k] !== '') {
return (string)$_ENV[$k];
}
$v = getenv($k);
if ($v !== false && $v !== '') {
return (string)$v;
}
return $d;
};
$debugEnabled = ($env('DEBUG_OIDC') === 'true') || (isset($_GET['debug']) && $_GET['debug'] === '1');
$oidc = $_SESSION['oidc'] ?? [];
$claims = $_SESSION['oidc_userinfo'] ?? [];
$issuer = (string)($oidc['issuer'] ?? '');
$sub = (string)($oidc['sub'] ?? '');
$idToken = (string)($oidc['id_token'] ?? '');
$accTok = (string)($oidc['access_token'] ?? '');
$expAt = (int) ($oidc['expires_at'] ?? 0);
$now = time();
$left = $expAt ? max(0, $expAt - $now) : null;
// Fallback 1 : si pas de claims userinfo, essayer de les lire dans l'id_token
if (!$claims && $idToken) {
$claims = decode_jwt($idToken);
}
// Fallback 2 (debug) : tenter un appel live au UserInfo si access_token présent
if ($debugEnabled && $claims === [] && $accTok && $issuer) {
$userinfoEndpoint = rtrim($issuer, '/') . '/protocol/openid-connect/userinfo';
$ch = curl_init($userinfoEndpoint);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $accTok],
CURLOPT_TIMEOUT => 6,
]);
$resp = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($resp !== false && $code === 200) {
$tmp = json_decode((string)$resp, true);
if (is_array($tmp)) {
$claims = $tmp;
}
}
}
// Extraire rôles groupés (Keycloak)
$roles = [];
if (isset($claims['realm_access']['roles']) && is_array($claims['realm_access']['roles'])) {
$roles = array_merge($roles, $claims['realm_access']['roles']);
}
if (isset($claims['resource_access']) && is_array($claims['resource_access'])) {
foreach ($claims['resource_access'] as $clientId => $data) {
if (!empty($data['roles']) && is_array($data['roles'])) {
foreach ($data['roles'] as $r) {
$roles[] = $clientId . ':' . $r;
}
}
}
}
$roles = array_values(array_unique($roles));
?>
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8">
<title>OIDC • Profil</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/assets/bootstrap/bootstrap.min.css" rel="stylesheet">
<style>
.kv { display:grid; grid-template-columns: 220px 1fr; gap:.5rem 1rem; }
.kv dt { font-weight: 600; color: #555; }
pre { background: #f8f9fa; padding: .75rem; border-radius: .5rem; overflow:auto; }
</style>
</head>
<body class="container py-4">
<h1 class="mb-4">Profil A5L</h1>
<?php if (!$oidc): ?>
<div class="alert alert-warning">Aucune session A5L. Connecte-toi via A5L d'abord.</div>
<?php else: ?>
<div class="card mb-4">
<div class="card-header">Session / Jetons</div>
<div class="card-body">
<dl class="kv">
<dt>Issuer</dt><dd><?= htmlspecialchars($issuer) ?></dd>
<dt>Subject (sub)</dt><dd><?= htmlspecialchars($sub) ?></dd>
<dt>ID Token</dt><dd><code><?= htmlspecialchars(maskToken($idToken)) ?></code></dd>
<dt>Access Token</dt><dd><code><?= htmlspecialchars(maskToken($accTok)) ?></code></dd>
<dt>Expire à</dt><dd><?= $expAt ? date('Y-m-d H:i:s', $expAt) : '—' ?></dd>
<dt>Temps restant</dt><dd><?= $left !== null ? ($left . ' s') : '—' ?></dd>
</dl>
<?php if ($debugEnabled): ?>
<details class="mt-3">
<summary>Voir jetons non masqués (danger)</summary>
<div class="mt-2">
<div><strong>ID Token</strong></div>
<pre><?= htmlspecialchars($idToken) ?></pre>
<div><strong>Access Token</strong></div>
<pre><?= htmlspecialchars($accTok) ?></pre>
</div>
</details>
<?php endif; ?>
</div>
</div>
<div class="card mb-4">
<div class="card-header">Claims</div>
<div class="card-body">
<dl class="kv">
<dt>Email</dt><dd><?= htmlspecialchars((string)($claims['email'] ?? '')) ?></dd>
<dt>Preferred username</dt><dd><?= htmlspecialchars((string)($claims['preferred_username'] ?? '')) ?></dd>
<dt>Given name</dt><dd><?= htmlspecialchars((string)($claims['given_name'] ?? '')) ?></dd>
<dt>Family name</dt><dd><?= htmlspecialchars((string)($claims['family_name'] ?? '')) ?></dd>
<dt>Name</dt><dd><?= htmlspecialchars((string)($claims['name'] ?? '')) ?></dd>
<dt>Locale</dt><dd><?= htmlspecialchars((string)($claims['locale'] ?? '')) ?></dd>
<dt>Rôles</dt>
<dd>
<?php if ($roles): ?>
<ul class="mb-0">
<?php foreach ($roles as $r): ?>
<li><?= htmlspecialchars((string)$r) ?></li>
<?php endforeach; ?>
</ul>
<?php else: ?>
<?php endif; ?>
</dd>
</dl>
<?php if ($debugEnabled): ?>
<h6 class="mt-3">Claims (JSON complet)</h6>
<pre><?= htmlspecialchars(json_encode($claims, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)) ?></pre>
<?php endif; ?>
<?php if (!$claims): ?>
<div class="alert alert-info mt-3">
Aucun claim reçu. Vérifie que ton <code>callback</code> remplit bien <code>$_SESSION['oidc_userinfo']</code> ou que l<code>ID Token</code> contient les champs.
</div>
<?php endif; ?>
</div>
</div>
<?php endif; ?>
<a class="btn btn-secondary" href="<?= htmlspecialchars(url('')) ?>">Retour</a>
</body>
</html>
public/oidc/start.php
+72
View File
@@ -0,0 +1,72 @@
<?php
declare(strict_types=1);
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
require_once dirname(__DIR__, 2) . '/bootstrap.php';
require_once dirname(__DIR__, 2) . '/config/config.php';
if (!function_exists('env')) {
function env(string $key, ?string $default = null): ?string
{
if (array_key_exists($key, $_ENV) && $_ENV[$key] !== '') {
return (string)$_ENV[$key];
}
$v = getenv($key);
if ($v !== false && $v !== '') {
return (string)$v;
}
return $default;
}
}
$flow = $_GET['flow'] ?? 'login'; // 'login' ou 'register'
if (!in_array($flow, ['login','register'], true)) {
$flow = 'login';
}
// return_to (URL relative uniquement)
$defaultReturn = '/';
$rawReturn = $_GET['return_to'] ?? ($_SERVER['HTTP_REFERER'] ?? $defaultReturn);
$returnTo = (is_string($rawReturn) && str_starts_with($rawReturn, '/')) ? $rawReturn : $defaultReturn;
// Mémorise flow + cible
$_SESSION['oidc_flow'] = $flow;
$_SESSION['oidc_return_to'] = $returnTo;
// --- OIDC conf ---
$issuer = rtrim((string)env('OIDC_ISSUER', ''), '/');
$clientId = (string)env('OIDC_CLIENT_ID', '');
$redirectUri = (string)(env('OIDC_REDIRECT_URI') ?: url('oidc/callback'));
if (!$issuer || !$clientId || !$redirectUri) {
http_response_code(500);
echo 'OIDC non configuré (OIDC_ISSUER / OIDC_CLIENT_ID / OIDC_REDIRECT_URI).';
exit;
}
// --- Endpoints & PKCE ---
$authEndpoint = $issuer . '/protocol/openid-connect/auth';
$state = bin2hex(random_bytes(16));
$nonce = bin2hex(random_bytes(16));
$codeVerifier = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
$codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
$_SESSION['oidc_state'] = $state;
$_SESSION['oidc_nonce'] = $nonce;
$_SESSION['oidc_code_verifier'] = $codeVerifier;
// --- URL dauth ---
$params = [
'response_type' => 'code',
'client_id' => $clientId,
'redirect_uri' => $redirectUri,
'scope' => 'openid email profile',
'state' => $state,
'nonce' => $nonce,
'code_challenge' => $codeChallenge,
'code_challenge_method' => 'S256',
'ui_locales' => 'fr',
];
header('Location: ' . $authEndpoint . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986), true, 302);
exit;