diff --git a/lib/REST/Microsub/Auth.php b/lib/REST/Microsub/Auth.php index c4e7f07b..087b50e7 100644 --- a/lib/REST/Microsub/Auth.php +++ b/lib/REST/Microsub/Auth.php @@ -6,6 +6,7 @@ declare(strict_types=1); namespace JKingWeb\Arsse\REST\Microsub; +use JKingWeb\Arsse\Arsse; use JKingWeb\Arsse\Misc\URL; use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ResponseInterface; @@ -33,16 +34,22 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler { } } - protected function doDiscovery(string $user, ServerRequestInterface $req): ResponseInterface { + protected function buildIdentifier(ServerRequestInterface $req, bool $baseOnly = false): string { // construct the base user identifier URL; the user is never checked against the database - // as this route is publicly accessible, for reasons of privacy requests for user discovery work regardless of whether the user exists $s = $req->getServerParams(); + $path = $req->getRequestTarget()['path']; $https = (strlen($s['HTTPS'] ?? "") && $s['HTTPS'] !== "off"); $port = (int) $s['SERVER_PORT']; $port = (!$port || ($https && $port == 443) || (!$https && $port == 80)) ? "" : ":$port"; $base = URL::normalize(($https ? "https" : "http")."://".$s['HTTP_HOST'].$port."/"); - $id = $base."u/".rawurlencode($user); + return !$baseOnly ? URL::normalize($base.$path) : $base; + } + + protected function doDiscovery(string $user, ServerRequestInterface $req): ResponseInterface { + // as this route is publicly accessible, for reasons of privacy requests for user discovery work regardless of whether the user exists // prepare authroizer, token, and Microsub endpoint URLs + $base = $this->buildIdentifier($req, true); + $id = $this->buildIdentifier($req); $urlAuth = $id."?proc=login"; $urlToken = $id."?proc=issue"; $urlService = $base."microsub"; @@ -54,4 +61,22 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler { "Link: <$urlService>; rel=\"microsub\"", ]); } + + protected function doLogin(string $user, ServerRequestInterface $req): ResponseInterface { + if (!$req->getAttribute("authenticated", false)) { + // user has not yet logged in, or has failed to log in + return new EmptyResponse(401); + } else { + // user has logged in + // ensure the logged-in user matches the IndieAuth identifier URL + $id = $req->getAttribute("authenticatedUser"); + $query = $req->getQueryParams(); + $url = buildIdentifier($req); + if ($user !== $id || URL::normalize($query['me']) !== $url) { + return new EmptyResponse(403); + } else { + // redirect + } + } + } }