Initial commit

Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 01:18:44 +02:00 · 2021-06-06 01:18:44 +02:00 · 8ab57bee25
commit 8ab57bee25
10 changed files with 1512 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 .DS_Store
 vendor
--- a/README.md
+++ b/README.md
@ -0,0 +1,2 @@
 # taproot/indieauth
--- a/composer.json
+++ b/composer.json
@ -0,0 +1,24 @@
 {
    "name": "taproot/indieauth",
    "description": "PHP PSR-7-compliant IndieAuth Server and Client implementation.",
    "type": "library",
    "license": "MIT",
    "authors": [
        {
            "name": "Barnaby Walters",
            "email": "barnaby@waterpigs.co.uk"
        }
    ],
    "require": {
        "psr/http-message": "^1.0",
        "psr/log": "^1.1",
        "nyholm/psr7": "^1.4",
        "indieauth/client": "^1.1",
        "psr/http-client": "^1.0",
        "psr/http-server-middleware": "^1.0",
        "dflydev/fig-cookies": "^3.0"
    },
    "require-dev": {
        "guzzlehttp/guzzle": "^7.3"
    }
 }
--- a/composer.lock
+++ b/composer.lock
--- a/src/Taproot/IndieAuth/ClosureRequestHandler.php
+++ b/src/Taproot/IndieAuth/ClosureRequestHandler.php
@ -0,0 +1,22 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 class ClosureRequestHandler implements RequestHandlerInterface {
 	protected callable $callable;
 	protected array $args;
 	public function __construct(callable $callable) {
 		$this->callable = $callable;
 		$this->args = array_slice(func_get_args(), 1);
 	}
 	public function handle(ServerRequestInterface $request): ResponseInterface {
 		return call_user_func_array($this->callable, array_merge([$request], $this->args));
 	}
 }
--- a/src/Taproot/IndieAuth/DoubleSubmitCookieCsrfMiddleware.php
+++ b/src/Taproot/IndieAuth/DoubleSubmitCookieCsrfMiddleware.php
@ -0,0 +1,92 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 use Nyholm\Psr7\Response;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use Dflydev\FigCookies;
 // From https://github.com/indieweb/indieauth-client-php/blob/main/src/IndieAuth/Client.php, thanks aaronpk.
 function generateRandomString($numBytes) {
 	if (function_exists('random_bytes')) {
 		$bytes = random_bytes($numBytes);
 	} elseif (function_exists('openssl_random_pseudo_bytes')){
 		$bytes = openssl_random_pseudo_bytes($numBytes);
 	} else {
 		$bytes = '';
 		for($i=0, $bytes=''; $i < $numBytes; $i++) {
 			$bytes .= chr(mt_rand(0, 255));
 		}
 	}
 	return bin2hex($bytes);
 }
 class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface {
 	const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
 	const TTL = 60 * 20;
 	const ATTRIBUTE = 'csrf';
 	const DEFAULT_ERROR_RESPONSE_STRING = 'Invalid or missing CSRF token!';
 	const CSRF_TOKEN_LENGTH = 128;
 	public string $attribute;
 	public int $ttl;
 	public callable $errorResponse;
 	public int $tokenLength;
 	public function __construct(string $attribute=self::ATTRIBUTE, int $ttl=self::TTL, $errorResponse=self::DEFAULT_ERROR_RESPONSE_STRING, $tokenLength=self::CSRF_TOKEN_LENGTH) {
 		$this->attribute = $attribute;
 		$this->ttl = $ttl;
 		$this->tokenLength = $tokenLength;
 		if (!is_callable($errorResponse)) {
 			if (!$errorResponse instanceof ResponseInterface) {
 				if (!is_string($errorResponse)) {
 					$errorResponse = self::DEFAULT_ERROR_RESPONSE_STRING;
 				}
 				$errorResponse = new Response(400, ['content-type' => 'text/plain'], $errorResponse);
 			}
 			$errorResponse = function (ServerRequestInterface $request) use ($errorResponse) { return $errorResponse; };
 		}
 		$this->errorResponse = $errorResponse;
 	}
 	public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface {
 		if (!in_array(strtoupper($request->getMethod()), self::READ_METHODS)) {
 			// This request is a write method and requires CSRF protection.
 			if (!$this->isValid($request)) {
 				return call_user_func($this->errorResponse, $request);
 			}
 		}
 		// Otherwise, generate a new CSRF token, add it to the request attributes, and as a cookie on the response.
 		$csrfToken = generateRandomString($this->tokenLength);
 		$request = $request->withAttribute($this->attribute, $csrfToken);
 		$response = $handler->handle($request);
 		// Add the new CSRF cookie, restricting its scope to match the current request.
 		$response = FigCookies\FigResponseCookies::set($response, FigCookies\SetCookie::create($this->attribute)
 			->withValue($csrfToken)
 			->withMaxAge($this->ttl)
 			->withSecure($request->getUri()->getScheme() == 'https')
 			->withDomain($request->getUri()->getHost())
 			->withPath($request->getUri()->getPath()));
 		return $response;
 	}
 	protected function isValid(ServerRequestInterface $request) {
 		if (in_array($this->attribute, $request->getParsedBody())) {
 			if (in_array($this->attribute, $request->getCookieParams())) {
 				return hash_equals($request->getParsedBody()[$this->attribute], $request->getCookieParams()[$this->attribute]);
 			}
 		}
 		return false;
 	}
 }
--- a/src/Taproot/IndieAuth/FilesystemJsonStorage.php
+++ b/src/Taproot/IndieAuth/FilesystemJsonStorage.php
@ -0,0 +1,68 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 use DirectoryIterator;
 class FilesystemJsonStorage implements TokenStorageInterface {
 	protected $path;
 	protected $ttl;
 	public function __construct(string $path, $ttl=0, $cleanUpNow=false) {
 		$this->path = rtrim($path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
 		$this->ttl = $ttl;
 		if ($cleanUpNow) {
 			$this->cleanUp();
 		}
 	}
 	public function cleanUp($ttl=null): int {
 		$ttl = $ttl ?? $this->ttl;
 		$deleted = 0;
 		// A TTL of 0 means the token should live until deleted, and negative TTLs are invalid.
 		if ($ttl >= 0) {
 			foreach (new DirectoryIterator($this->path) as $fileInfo) {
 				if ($fileInfo->isFile() && time() - max($fileInfo->getMTime(), $fileInfo->getCTime()) > $ttl) {
 					unlink($fileInfo->getPathname());
 					$deleted++;
 				}
 			}
 		}
 		return $deleted;
 	}
 	public function get(string $key): ?array {
 		$path = $this->getPath($key);
 		if (file_exists($path)) {
 			$result = json_decode(file_get_contents($path), true);
 			if (is_array($result)) {
 				return $result;
 			}
 		}
 		return null;
 	}
 	public function put(string $key, array $data): bool {
 		// Ensure that the containing folder exists.
 		mkdir($this->path, 0777, true);
 		return file_put_contents($this->getPath($key), json_encode($data)) !== false;
 	}
 	public function delete(string $key): bool {
 		if (file_exists($this->getPath($key))) {
 			return unlink($this->getPath($key));
 		}
 		return false;
 	}
 	public function getPath(string $key): string {
 		return $this->path . "$key.json";
 	}
 }
--- a/src/Taproot/IndieAuth/NoOpMiddleware.php
+++ b/src/Taproot/IndieAuth/NoOpMiddleware.php
@ -0,0 +1,14 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 class NoOpMiddleware implements MiddlewareInterface {
 	public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface {
 		return $handler->handle($request);
 	}
 }
--- a/src/Taproot/IndieAuth/Server.php
+++ b/src/Taproot/IndieAuth/Server.php
@ -0,0 +1,206 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 use Exception;
 use Nyholm\Psr7\Response;
 use GuzzleHttp\Psr7\ServerRequest;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use IndieAuth\Client as IndieAuthClient;
 use Psr\Http\Server\MiddlewareInterface;
 /**
 * Development Reference
 *
 * Specification: https://indieauth.spec.indieweb.org/
 * Error responses: https://www.rfc-editor.org/rfc/rfc6749.html#section-5.2
 * indieweb/indieauth-client: https://github.com/indieweb/indieauth-client-php
 * CSRF protection cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
 * Example CSRF protection cookie middleware: https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
 */
 // TODO: maybe move these to a functions file so they’re usable by consumers even when the class isn’t loaded.
 // Alternatively, make them static methods so they can be autoloaded.
 function isIndieAuthAuthorizationCodeRedeemingRequest(ServerRequestInterface $request) {
 	return strtolower($request->getMethod()) == 'post'
 		&& array_key_exists('grant_type', $request->getParsedBody())
 		&& $request->getParsedBody()['grant_type'] == 'authorization_code';
 }
 function isIndieAuthAuthorizationRequest(ServerRequestInterface $request, $permittedMethods=['get']) {
 	return in_array(strtolower($request->getMethod()), array_map('strtolower', $permittedMethods))
 		&& array_key_exists('response_type', $request->getQueryParams())
 		&& $request->getQueryParams()['response_type'] == 'code';
 }
 function isAuthorizationApprovalRequest(ServerRequestInterface $request) {
 	return strtolower($request->getMethod()) == 'post'
 		&& array_key_exists('taproot_indieauth_action', $request->getParsedBody())
 		&& $request->getParsedBody()['taproot_indieauth_action'] == 'approve';
 }
 function buildQueryString(array $parameters) {
 	$qs = [];
 	foreach ($parameters as $k => $v) {
 		$qs[] = urlencode($k) . '=' . urlencode($v);
 	}
 	return join('&', $qs);
 }
 class Server {
 	const CUSTOMIZE_AUTHORIZATION_CODE = 'customise_authorization_code';
 	const SHOW_AUTHORIZATION_PAGE = 'show_authorization_page';
 	const HANDLE_NON_INDIEAUTH_REQUEST = 'handle_non_indieauth_request';
 	const HANDLE_AUTHENTICATION_REQUEST = 'handle_authentication_request';
 	const DEFAULT_CSRF_KEY = 'taproot_indieauth_server_csrf';
 	public $callbacks;
 	public TokenStorageInterface $authorizationCodeStorage;
 	public TokenStorageInterface $accessTokenStorage;
 	public MiddlewareInterface $csrfMiddleware;
 	public LoggerInterface $logger;
 	public string $csrfKey;
 	public function __construct(array $callbacks, $authorizationCodeStorage, $accessTokenStorage, $csrfMiddleware=null, string $csrfKey=self::DEFAULT_CSRF_KEY, LoggerInterface $logger=null) {
 		$callbacks = array_merge([
 			self::CUSTOMIZE_AUTHORIZATION_CODE => function (array $code) { return $code; }, // Default to no-op.
 			self::SHOW_AUTHORIZATION_PAGE => function (ServerRequestInterface $request, array $authenticationResult, string $authenticationRedirect) {  }, // TODO: Put the default implementation here.
 			self::HANDLE_NON_INDIEAUTH_REQUEST => function (ServerRequestInterface $request) { return null; }, // Default to no-op.
 		], $callbacks);
 		if (!(array_key_exists(self::HANDLE_AUTHENTICATION_REQUEST, $callbacks) and is_callable($callbacks[self::HANDLE_AUTHENTICATION_REQUEST]))) {
 			throw new Exception('$callbacks[\'' . self::HANDLE_AUTHENTICATION_REQUEST .'\'] must be present and callable.');
 		}
 		$this->callbacks = $callbacks;
 		if (!$authorizationCodeStorage instanceof TokenStorageInterface) {
 			if (is_string($authorizationCodeStorage)) {
 				$authorizationCodeStorage = new FilesystemJsonStorage($authorizationCodeStorage, 600, true);
 			} else {
 				throw new Exception('$authorizationCodeStorage parameter must be either a string (path) or an instance of Taproot\IndieAuth\TokenStorageInterface.');
 			}
 		}
 		$this->authorizationCodeStorage = $authorizationCodeStorage;
 		if (!$accessTokenStorage instanceof TokenStorageInterface) {
 			if (is_string($accessTokenStorage)) {
 				// Create a default access token storage with a TTL of 7 days.
 				$accessTokenStorage = new FilesystemJsonStorage($accessTokenStorage, 60 * 60 * 24 * 7, true);
 			} else {
 				throw new Exception('$accessTokenStorage parameter must be either a string (path) or an instance of Taproot\IndieAuth\TokenStorageInterface.');
 			}
 		}
 		$this->accessTokenStorage = $accessTokenStorage;
 		$this->csrfKey = $csrfKey;
 		if (!$csrfMiddleware instanceof MiddlewareInterface) {
 			// Default to the statless Double-Submit Cookie CSRF Middleware, with default settings.
 			$csrfMiddleware = new DoubleSubmitCookieCsrfMiddleware($this->csrfKey);
 		}
 		$this->csrfMiddleware = $csrfMiddleware;
 		$this->logger = $logger ?? new NullLogger();
 	}
 	public function handleAuthorizationEndpointRequest(ServerRequestInterface $request): ResponseInterface {
 		// If it’s a profile information request:
 		if (isIndieAuthAuthorizationCodeRedeemingRequest($request)) {
 			// Verify that the authorization code is valid and has not yet been used.
 			$this->authorizationCodeStorage->get($request->getParsedBody()['code']);
 			// Verify that it was issued for the same client_id and redirect_uri
 			// Check that the supplied code_verifier hashes to the stored code_challenge
 			// If everything checked out, return {"me": "https://example.com"} response
 			// (a response containing any additional information must contain a valid scope value, and 
 			// be handled by the token_endpoint).
 			// TODO: according to the spec, it is technically permitted for the authorization endpoint
 			// to additional provide profile information. Leave it up to the library consumer to decide
 			// whether to add it or not.
 		}
 		// Because the special case above isn’t allowed to be CSRF-protected, we have to do some rather silly
 		// gymnastics here to selectively-CSRF-protect requests which do need it.
 		return $this->csrfMiddleware->process($request, new ClosureRequestHandler(function (ServerRequestInterface $request) {
 			// If this is an authorization or approval request (allowing POST requests as well to accommodate 
 			// approval requests and custom auth form submission.
 			if (isIndieAuthAuthorizationRequest($request, ['get', 'post'])) {
 				// Build a URL for the authentication flow to redirect to, if it needs to.
 				// TODO: perhaps filter queryParams to only include the indieauth-relevant params?
 				$authenticationRedirect = $request->getUri() . '?' . buildQueryString($request->getQueryParams());
 				$authenticationResult = call_user_func($this->callbacks[self::HANDLE_AUTHENTICATION_REQUEST], $request, $authenticationRedirect);
 				// If the authentication handler returned a Response, return that as-is.
 				if ($authenticationResult instanceof Response) {
 					return $authenticationResult;
 				} elseif (is_array($authenticationResult)) {
 					// Check the resulting array for errors.
 					// The user is logged in.
 					// If this is a POST request sent from the authorization (i.e. scope-choosing) form:
 					if (isAuthorizationApprovalRequest($request)) {
 						// Assemble the data for the authorization code, store it somewhere persistent.
 						$code = [
 						];
 						// Pass it to the auth code customisation callback, if any.
 						$code = call_user_func($this->callbacks[self::CUSTOMIZE_AUTHORIZATION_CODE], $code, $request);
 						// Store the authorization code.
 						$this->authorizationCodeStorage->put($code['code'], $code);
 						// Return a redirect to the client app.
 					}
 					// Otherwise, the user is authenticated and needs to authorize the client app + choose scopes.
 					// Fetch the client_id URL to find information about the client to present to the user.
 					// If the authority of the redirect_uri does not match the client_id or one of their redirect URLs, return an error.
 					// Present the authorization UI.
 					return call_user_func($this->callbacks[self::SHOW_AUTHORIZATION_PAGE], $request, $authenticationResult, $authenticationRedirect);
 				}
 			}
 			// If the request isn’t an IndieAuth Authorization or Code-redeeming request, it’s either an invalid
 			// request or something to do with a custom auth handler (e.g. sending a one-time code in an email.)
 			$nonIndieAuthRequestResult = call_user_func($this->callbacks[self::HANDLE_NON_INDIEAUTH_REQUEST], $request);
 			if ($nonIndieAuthRequestResult instanceof ResponseInterface) {
 				return $nonIndieAuthRequestResult;
 			} else {
 				return new Response(400, ['content-type' => 'application/json'], json_encode([
 					'error' => 'invalid_request'
 				]));
 			}
 		}));
 	}
 	public function handleTokenEndpointRequest(ServerRequestInterface $request): ResponseInterface {
 		// This is a request to redeem an authorization_code for an access_token.
 		// Verify that the authorization code is valid and has not yet been used.
 		// Verify that it was issued for the same client_id and redirect_uri
 		// Check that the supplied code_verifier hashes to the stored code_challenge
 		// If the auth code was issued with no scope, return an error.
 		// If everything checks out, generate an access token and return it.
 	}
 }
--- a/src/Taproot/IndieAuth/TokenStorageInterface.php
+++ b/src/Taproot/IndieAuth/TokenStorageInterface.php
@ -0,0 +1,15 @@
 <?php declare(strict_types=1);
 namespace Taproot\IndieAuth;
 // TODO: document.
 interface TokenStorageInterface {
 	public function cleanUp($ttl=null): int;
 	public function get(string $key): ?array;
 	public function put(string $key, array $data): bool;
 	public function delete(string $key): bool;
 }