From 70c4d50177364a175492dc2bbd610ac4fa9bfd38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ko=C5=A1t=C3=AD=C5=99=20Miloslav?= Date: Fri, 27 Sep 2024 09:41:03 +0200 Subject: [PATCH 1/7] OAuth: option not to create user during authentication --- resources/views/auth/unauthorized.blade.php | 6 +++++- src/Http/Controllers/OAuthController.php | 23 ++++++++++++++++----- src/OAuth/Provider.php | 18 ++++++++++++++-- 3 files changed, 39 insertions(+), 8 deletions(-) diff --git a/resources/views/auth/unauthorized.blade.php b/resources/views/auth/unauthorized.blade.php index 3502faa78b..d781cefc79 100644 --- a/resources/views/auth/unauthorized.blade.php +++ b/resources/views/auth/unauthorized.blade.php @@ -10,7 +10,11 @@
{{ __('Unauthorized') }}
- {{ __('Log out') }} + @auth + {{ __('Log out') }} + @else + {{ __('Log in') }} + @endauth
diff --git a/src/Http/Controllers/OAuthController.php b/src/Http/Controllers/OAuthController.php index 880a6ea922..cebbb7714f 100644 --- a/src/Http/Controllers/OAuthController.php +++ b/src/Http/Controllers/OAuthController.php @@ -36,14 +36,22 @@ public function handleProviderCallback(Request $request, string $provider) return $this->redirectToProvider($request, $provider); } - $user = $oauth->findOrCreateUser($providerUser); + if (config('statamic.oauth.create_user', true)) { + $user = $oauth->findOrCreateUser($providerUser); + } else { + $user = $oauth->findUser($providerUser); + } - session()->put('oauth-provider', $provider); + if ($user) { + session()->put('oauth-provider', $provider); - Auth::guard($request->session()->get('statamic.oauth.guard')) - ->login($user, config('statamic.oauth.remember_me', true)); + Auth::guard($request->session()->get('statamic.oauth.guard')) + ->login($user, config('statamic.oauth.remember_me', true)); - return redirect()->to($this->successRedirectUrl()); + return redirect()->to($this->successRedirectUrl()); + } else { + return redirect()->to($this->unauthorizedRedirectUrl()); + } } protected function successRedirectUrl() @@ -60,4 +68,9 @@ protected function successRedirectUrl() return Arr::get($query, 'redirect', $default); } + + protected function unauthorizedRedirectUrl() + { + return config('statamic.oauth.unauthorized_redirect', '/cp/auth/unauthorized'); + } } diff --git a/src/OAuth/Provider.php b/src/OAuth/Provider.php index b200052228..571636ff4c 100644 --- a/src/OAuth/Provider.php +++ b/src/OAuth/Provider.php @@ -45,15 +45,29 @@ public function getUserId(string $id): ?string } public function findOrCreateUser($socialite): StatamicUser + { + if ($user = $this->findUser($socialite)) { + return $this->mergeUser($user, $socialite); + } + + return $this->createUser($socialite); + } + + /** + * Find a Statamic user by a Socialite user. + * + * @param SocialiteUser $socialite + */ + public function findUser($socialite): ?StatamicUser { if ( ($user = User::findByOAuthId($this, $socialite->getId())) || ($user = User::findByEmail($socialite->getEmail())) ) { - return $this->mergeUser($user, $socialite); + return $user; } - return $this->createUser($socialite); + return null; } /** From c58a472403e2416c574de81846249e07f4b246fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ko=C5=A1t=C3=AD=C5=99=20Miloslav?= Date: Fri, 27 Sep 2024 10:03:42 +0200 Subject: [PATCH 2/7] OAuth: option merge or not to merge user data during authentication --- src/Http/Controllers/OAuthController.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/Http/Controllers/OAuthController.php b/src/Http/Controllers/OAuthController.php index cebbb7714f..432c58d8ea 100644 --- a/src/Http/Controllers/OAuthController.php +++ b/src/Http/Controllers/OAuthController.php @@ -36,10 +36,12 @@ public function handleProviderCallback(Request $request, string $provider) return $this->redirectToProvider($request, $provider); } - if (config('statamic.oauth.create_user', true)) { - $user = $oauth->findOrCreateUser($providerUser); - } else { - $user = $oauth->findUser($providerUser); + if ($user = $oauth->findUser($providerUser)) { + if (config('statamic.oauth.merge_user_data', true)) { + $user = $oauth->mergeUser($user, $providerUser); + } + } elseif (config('statamic.oauth.create_user', true)) { + $user = $oauth->createUser($providerUser); } if ($user) { From c5d780ae67b86ae6752717656ccf3102b7cda51e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ko=C5=A1t=C3=AD=C5=99=20Miloslav?= Date: Fri, 27 Sep 2024 10:48:58 +0200 Subject: [PATCH 3/7] OAuthTest update --- tests/OAuth/ProviderTest.php | 50 +++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/tests/OAuth/ProviderTest.php b/tests/OAuth/ProviderTest.php index e5d2edecd9..425a8d4e3f 100644 --- a/tests/OAuth/ProviderTest.php +++ b/tests/OAuth/ProviderTest.php @@ -122,7 +122,39 @@ public function it_creates_a_user() } #[Test] - public function it_finds_an_existing_user_by_email() + public function it_finds_an_existing_user_via_find_user_method() + { + $provider = $this->provider(); + + $savedUser = $this->user()->save(); + + $this->assertCount(1, UserFacade::all()); + $this->assertEquals([$savedUser], UserFacade::all()->all()); + + $foundUser = $provider->findUser($this->socialite()); + + $this->assertCount(1, UserFacade::all()); + $this->assertEquals([$savedUser], UserFacade::all()->all()); + $this->assertEquals($savedUser, $foundUser); + } + + #[Test] + public function it_does_not_find_or_create_a_user_via_find_user_method() + { + $this->assertCount(0, UserFacade::all()); + + $provider = $this->provider(); + $foundUser = $provider->findUser($this->socialite()); + + $this->assertNull($foundUser); + + $this->assertCount(0, UserFacade::all()); + $user = UserFacade::all()->get(0); + $this->assertNull($user); + } + + #[Test] + public function it_finds_an_existing_user_via_find_or_create_user_method() { $provider = $this->provider(); @@ -138,6 +170,22 @@ public function it_finds_an_existing_user_by_email() $this->assertEquals($savedUser, $foundUser); } + #[Test] + public function it_creates_a_user_via_find_or_create_user_method() + { + $this->assertCount(0, UserFacade::all()); + + $provider = $this->provider(); + $provider->findOrCreateUser($this->socialite()); + + $this->assertCount(1, UserFacade::all()); + $user = UserFacade::all()->get(0); + $this->assertNotNull($user); + $this->assertEquals('foo@bar.com', $user->email()); + $this->assertEquals('Foo Bar', $user->name()); + $this->assertEquals($user->id(), $provider->getUserId('foo-bar')); + } + #[Test] public function it_gets_the_user_by_id_after_merging_data() { From 8e18e1a0bbbff8092852f268b9b2fe480b9e2108 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 16 Dec 2024 13:31:12 -0500 Subject: [PATCH 4/7] config --- config/oauth.php | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/config/oauth.php b/config/oauth.php index 2b5b931b1a..d7e3fd2488 100644 --- a/config/oauth.php +++ b/config/oauth.php @@ -15,6 +15,44 @@ 'callback' => 'oauth/{provider}/callback', ], + /* + |-------------------------------------------------------------------------- + | Create User + |-------------------------------------------------------------------------- + | + | Whether or not a user account should be created upon authentication + | with an OAuth provider. If disabled, a user account will be need + | to be explicitly created ahead of time. + | + */ + + 'create_user' => true, + + /* + |-------------------------------------------------------------------------- + | Merge User Data + |-------------------------------------------------------------------------- + | + | When authenticating with an OAuth provider, the user data returned + | such as their name will be merged with the existing user account. + | + */ + + 'merge_user_data' => true, + + /* + |-------------------------------------------------------------------------- + | Unauthorized Redirect + |-------------------------------------------------------------------------- + | + | This controls where the user is taken after authenticating with + | an OAuth provider but their account is unauthorized. This may + | happen when the create_user option has been set to false. + | + */ + + 'unauthorized_redirect' => null, + /* |-------------------------------------------------------------------------- | Remember Me From 05264544d986085c6ba959200517f961fa6e6444 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 16 Dec 2024 14:12:03 -0500 Subject: [PATCH 5/7] make findOrCreateUser use the merge_user_data config, adjust tests. --- src/OAuth/Provider.php | 4 +++- tests/OAuth/ProviderTest.php | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/OAuth/Provider.php b/src/OAuth/Provider.php index 571636ff4c..0aeafdf8fe 100644 --- a/src/OAuth/Provider.php +++ b/src/OAuth/Provider.php @@ -47,7 +47,9 @@ public function getUserId(string $id): ?string public function findOrCreateUser($socialite): StatamicUser { if ($user = $this->findUser($socialite)) { - return $this->mergeUser($user, $socialite); + return config('statamic.oauth.merge_user_data', true) + ? $this->mergeUser($user, $socialite) + : $user; } return $this->createUser($socialite); diff --git a/tests/OAuth/ProviderTest.php b/tests/OAuth/ProviderTest.php index 425a8d4e3f..917aba151e 100644 --- a/tests/OAuth/ProviderTest.php +++ b/tests/OAuth/ProviderTest.php @@ -74,6 +74,8 @@ public function it_merges_data() $user = $this->user()->save(); + $this->assertEquals(['name' => 'foo', 'extra' => 'bar'], $user->data()->all()); + $provider->mergeUser($user, $this->socialite()); $this->assertEquals(['name' => 'Foo Bar', 'extra' => 'bar'], $user->data()->all()); @@ -162,12 +164,35 @@ public function it_finds_an_existing_user_via_find_or_create_user_method() $this->assertCount(1, UserFacade::all()); $this->assertEquals([$savedUser], UserFacade::all()->all()); + $this->assertEquals('foo', $savedUser->name); + + $foundUser = $provider->findOrCreateUser($this->socialite()); + + $this->assertCount(1, UserFacade::all()); + $this->assertEquals([$savedUser], UserFacade::all()->all()); + $this->assertEquals($savedUser, $foundUser); + $this->assertEquals('Foo Bar', $savedUser->name); + } + + #[Test] + public function it_finds_an_existing_user_via_find_or_create_user_method_but_doesnt_merge_data() + { + config(['statamic.oauth.merge_user_data' => false]); + + $provider = $this->provider(); + + $savedUser = $this->user()->save(); + + $this->assertCount(1, UserFacade::all()); + $this->assertEquals([$savedUser], UserFacade::all()->all()); + $this->assertEquals('foo', $savedUser->name); $foundUser = $provider->findOrCreateUser($this->socialite()); $this->assertCount(1, UserFacade::all()); $this->assertEquals([$savedUser], UserFacade::all()->all()); $this->assertEquals($savedUser, $foundUser); + $this->assertEquals('foo', $savedUser->name); } #[Test] From af1a4b885bdf98f151156b38e1d9e4571c89e734 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 16 Dec 2024 14:18:59 -0500 Subject: [PATCH 6/7] simplify --- src/Http/Controllers/OAuthController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Http/Controllers/OAuthController.php b/src/Http/Controllers/OAuthController.php index 432c58d8ea..08e91f3919 100644 --- a/src/Http/Controllers/OAuthController.php +++ b/src/Http/Controllers/OAuthController.php @@ -51,9 +51,9 @@ public function handleProviderCallback(Request $request, string $provider) ->login($user, config('statamic.oauth.remember_me', true)); return redirect()->to($this->successRedirectUrl()); - } else { - return redirect()->to($this->unauthorizedRedirectUrl()); } + + return redirect()->to($this->unauthorizedRedirectUrl()); } protected function successRedirectUrl() From ca9e12abe14a0572b545ff43b121ff3c049be9a8 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 16 Dec 2024 14:40:28 -0500 Subject: [PATCH 7/7] Only fall back to the cp unauthorized url if they were going to the cp. --- src/Http/Controllers/OAuthController.php | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/Http/Controllers/OAuthController.php b/src/Http/Controllers/OAuthController.php index 08e91f3919..ac98813dfa 100644 --- a/src/Http/Controllers/OAuthController.php +++ b/src/Http/Controllers/OAuthController.php @@ -73,6 +73,28 @@ protected function successRedirectUrl() protected function unauthorizedRedirectUrl() { - return config('statamic.oauth.unauthorized_redirect', '/cp/auth/unauthorized'); + // If a URL has been explicitly defined, use that. + if ($url = config('statamic.oauth.unauthorized_redirect')) { + return $url; + } + + // We'll check the redirect to see if they were intending on + // accessing the CP. If they were, we'll redirect them to + // the unauthorized page in the CP. Otherwise, to home. + + $default = '/'; + $previous = session('_previous.url'); + + if (! $query = Arr::get(parse_url($previous), 'query')) { + return $default; + } + + parse_str($query, $query); + + if (! $redirect = Arr::get($query, 'redirect')) { + return $default; + } + + return $redirect === '/'.config('statamic.cp.route') ? cp_route('unauthorized') : $default; } }