Authentication system moved + Persona comes back!

AuthController is dedicated to auhentication.
Persona is back, greater than ever!

See https://github.com/marienfressinaud/FreshRSS/issues/655

app/Controllers/authController.php

@@ -0,0 +1,182 @@
+<?php
+
+/**
+ * This controller handles action about authentication.
+ */
+class FreshRSS_auth_Controller extends Minz_ActionController {
+	/**
+	 * This action handles the login page.
+	 *
+	 * It forwards to the correct login page (form or Persona) or main page if
+	 * the user is already connected.
+	 */
+	public function loginAction() {
+		if (FreshRSS_Auth::hasAccess()) {
+			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
+		}
+
+		$auth_type = Minz_Configuration::authType();
+		switch ($auth_type) {
+		case 'form':
+			Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin'));
+			break;
+		case 'persona':
+			Minz_Request::forward(array('c' => 'auth', 'a' => 'personaLogin'));
+			break;
+		case 'http_auth':
+		case 'none':
+			// It should not happened!
+			Minz_Error::error(404);
+		default:
+			// TODO load plugin instead
+			Minz_Error::error(404);
+		}
+	}
+
+	/**
+	 * This action handles form login page.
+	 *
+	 * If this action is reached through a POST request, username and password
+	 * are compared to login the current user.
+	 *
+	 * Parameters are:
+	 *   - nonce (default: false)
+	 *   - username (default: '')
+	 *   - challenge (default: '')
+	 *   - keep_logged_in (default: false)
+	 */
+	public function formLoginAction() {
+		invalidateHttpCache();
+
+		$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
+		Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
+
+		if (Minz_Request::isPost()) {
+			$nonce = Minz_Session::param('nonce');
+			$username = Minz_Request::param('username', '');
+			$challenge = Minz_Request::param('challenge', '');
+			try {
+				$conf = new FreshRSS_Configuration($username);
+			} catch(Minz_Exception $e) {
+				// $username is not a valid user, nor the configuration file!
+				Minz_Log::warning('Login failure: ' . $e->getMessage());
+				Minz_Request::bad(_t('invalid_login'),
+				                  array('c' => 'auth', 'a' => 'login'));
+			}
+
+			$ok = FreshRSS_FormAuth::checkCredentials(
+				$username, $conf->passwordHash, $nonce, $challenge
+			);
+			if ($ok) {
+				// Set session parameter to give access to the user.
+				Minz_Session::_param('currentUser', $username);
+				Minz_Session::_param('passwordHash', $conf->passwordHash);
+				FreshRSS_Auth::giveAccess();
+
+				// Set cookie parameter if nedded.
+				if (Minz_Request::param('keep_logged_in')) {
+					FreshRSS_FormAuth::makeCookie($username, $conf->passwordHash);
+				} else {
+					FreshRSS_FormAuth::deleteCookie();
+				}
+
+				// All is good, go back to the index.
+				Minz_Request::good(_t('login'),
+				                   array('c' => 'index', 'a' => 'index'));
+			} else {
+				Minz_Log::warning('Password mismatch for' .
+				                  ' user=' . $username .
+				                  ', nonce=' . $nonce .
+				                  ', c=' . $challenge);
+				Minz_Request::bad(_t('invalid_login'),
+				                  array('c' => 'auth', 'a' => 'login'));
+			}
+		}
+	}
+
+	/**
+	 * This action handles Persona login page.
+	 *
+	 * If this action is reached through a POST request, assertion from Persona
+	 * is verificated and user connected if all is ok.
+	 *
+	 * Parameter is:
+	 *   - assertion (default: false)
+	 *
+	 * @todo: Persona system should be moved to a plugin
+	 */
+	public function personaLoginAction() {
+		$this->view->res = false;
+
+		if (Minz_Request::isPost()) {
+			$this->view->_useLayout(false);
+
+			$assert = Minz_Request::param('assertion');
+			$url = 'https://verifier.login.persona.org/verify';
+			$params = 'assertion=' . $assert . '&audience=' .
+			          urlencode(Minz_Url::display(null, 'php', true));
+			$ch = curl_init();
+			$options = array(
+				CURLOPT_URL => $url,
+				CURLOPT_RETURNTRANSFER => TRUE,
+				CURLOPT_POST => 2,
+				CURLOPT_POSTFIELDS => $params
+			);
+			curl_setopt_array($ch, $options);
+			$result = curl_exec($ch);
+			curl_close($ch);
+
+			$res = json_decode($result, true);
+
+			$login_ok = false;
+			$reason = '';
+			if ($res['status'] === 'okay') {
+				$email = filter_var($res['email'], FILTER_VALIDATE_EMAIL);
+				if ($email != '') {
+					$persona_file = DATA_PATH . '/persona/' . $email . '.txt';
+					if (($current_user = @file_get_contents($persona_file)) !== false) {
+						$current_user = trim($current_user);
+						try {
+							$conf = new FreshRSS_Configuration($current_user);
+							$login_ok = strcasecmp($email, $conf->mail_login) === 0;
+						} catch (Minz_Exception $e) {
+							//Permission denied or conf file does not exist
+							$reason = 'Invalid configuration for user ' .
+							          '[' . $current_user . '] ' . $e->getMessage();
+						}
+					}
+				} else {
+					$reason = 'Invalid email format [' . $res['email'] . ']';
+				}
+			} else {
+				$reason = $res['reason'];
+			}
+
+			if ($login_ok) {
+				Minz_Session::_param('currentUser', $current_user);
+				Minz_Session::_param('mail', $email);
+				FreshRSS_Auth::giveAccess();
+				invalidateHttpCache();
+			} else {
+				Minz_Log::error($reason);
+
+				$res = array();
+				$res['status'] = 'failure';
+				$res['reason'] = _t('invalid_login');
+			}
+
+			header('Content-Type: application/json; charset=UTF-8');
+			$this->view->res = $res;
+		}
+	}
+
+	/**
+	 * This action removes all accesses of the current user.
+	 */
+	public function logoutAction() {
+		invalidateHttpCache();
+		FreshRSS_Auth::removeAccess();
+		Minz_Request::good(_t('disconnected'),
+		                   array('c' => 'index', 'a' => 'index'));
+	}
+}

app/Controllers/indexController.php

@@ -20,7 +20,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
 			} elseif ($output !== 'rss') {
 				// "hard" redirection is not required, just ask dispatcher to
 				// forward to the login form without 302 redirection
-				Minz_Request::forward(array('c' => 'index', 'a' => 'login'));
+				Minz_Request::forward(array('c' => 'auth', 'a' => 'login'));
 				return;
 			}
 		}
@@ -228,92 +228,4 @@ class FreshRSS_index_Controller extends Minz_ActionController {
 		$this->view->logsPaginator->_nbItemsPerPage(50);
 		$this->view->logsPaginator->_currentPage($page);
 	}
-
-	/**
-	 * This action handles the login page.
-	 */
-	public function loginAction() {
-		if (FreshRSS_Auth::hasAccess()) {
-			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
-		}
-
-		invalidateHttpCache();
-
-		$auth_type = Minz_Configuration::authType();
-		switch ($auth_type) {
-		case 'form':
-			Minz_Request::forward(array('c' => 'index', 'a' => 'formLogin'));
-			break;
-		case 'http_auth':
-		case 'none':
-			// It should not happened!
-			Minz_Error::error(404);
-		default:
-			// TODO load plugin instead
-			Minz_Error::error(404);
-		}
-	}
-
-	/**
-	 *
-	 */
-	public function formLoginAction() {
-		if (FreshRSS_Auth::hasAccess()) {
-			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
-		}
-
-		invalidateHttpCache();
-
-		$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
-		Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
-
-		if (Minz_Request::isPost()) {
-			$nonce = Minz_Session::param('nonce');
-			$username = Minz_Request::param('username', '');
-			$challenge = Minz_Request::param('challenge', '');
-			try {
-				$conf = new FreshRSS_Configuration($username);
-			} catch(Minz_Exception $e) {
-				// $username is not a valid user, nor the configuration file!
-				Minz_Log::warning('Login failure: ' . $e->getMessage());
-				Minz_Request::bad(_t('invalid_login'),
-				                  array('c' => 'index', 'a' => 'login'));
-			}
-
-			$ok = FreshRSS_FormAuth::checkCredentials(
-				$username, $conf->passwordHash, $nonce, $challenge
-			);
-			if ($ok) {
-				// Set session parameter to give access to the user.
-				Minz_Session::_param('currentUser', $username);
-				Minz_Session::_param('passwordHash', $conf->passwordHash);
-				FreshRSS_Auth::giveAccess();
-
-				// Set cookie parameter if nedded.
-				if (Minz_Request::param('keep_logged_in', false)) {
-					FreshRSS_FormAuth::makeCookie($username, $conf->passwordHash);
-				} else {
-					FreshRSS_FormAuth::deleteCookie();
-				}
-
-				// All is good, go back to the index.
-				Minz_Request::good(_t('login'),
-				                   array('c' => 'index', 'a' => 'index'));
-			} else {
-				Minz_Log::warning('Password mismatch for' .
-				                  ' user=' . $username .
-				                  ', nonce=' . $nonce .
-				                  ', c=' . $challenge);
-				Minz_Request::bad(_t('invalid_login'),
-				                  array('c' => 'index', 'a' => 'login'));
-			}
-		}
-	}
-
-	public function logoutAction() {
-		invalidateHttpCache();
-		FreshRSS_Auth::removeAccess();
-		Minz_Request::good(_t('disconnected'),
-		                   array('c' => 'index', 'a' => 'index'));
-	}
 }

app/FreshRSS.php

@@ -64,6 +64,14 @@ class FreshRSS extends Minz_FrontController {
 		Minz_View::appendScript(Minz_Url::display('/scripts/jquery.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/jquery.min.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/shortcut.js?' . @filemtime(PUBLIC_PATH . '/scripts/shortcut.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/main.js?' . @filemtime(PUBLIC_PATH . '/scripts/main.js')));
+
+		if (Minz_Configuration::authType() === 'persona') {
+			// TODO move it in a plugin
+			// Needed for login AND logout with Persona.
+			Minz_View::appendScript('https://login.persona.org/include.js');
+			$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/persona.js');
+			Minz_View::appendScript(Minz_Url::display('/scripts/persona.js?' . $file_mtime));
+		}
 	}
 
 	private function loadNotifications() {

app/Models/Auth.php

@@ -20,7 +20,7 @@ class FreshRSS_Auth {
 			Minz_Session::_param('currentUser', $current_user);
 		}
 
-		$access_ok = self::accessControl($current_user);
+		$access_ok = self::accessControl();
 
 		if ($access_ok) {
 			self::giveAccess();
@@ -36,10 +36,9 @@ class FreshRSS_Auth {
 	 * Required session parameters are also set in this method (such as
 	 * currentUser).
 	 *
-	 * @param string $username username of the user to check access.
 	 * @return boolean true if user can be connected, false else.
 	 */
-	public static function accessControl($username) {
+	public static function accessControl() {
 		if (self::$login_ok) {
 			return true;
 		}
@@ -61,6 +60,16 @@ class FreshRSS_Auth {
 				Minz_Session::_param('currentUser', $current_user);
 			}
 			return $login_ok;
+		case 'persona':
+			$email = filter_var(Minz_Session::param('mail'), FILTER_VALIDATE_EMAIL);
+			$persona_file = DATA_PATH . '/persona/' . $email . '.txt';
+			if (($current_user = @file_get_contents($persona_file)) !== false) {
+				$current_user = trim($current_user);
+				Minz_Session::_param('currentUser', $current_user);
+				Minz_Session::_param('mail', $email);
+				return true;
+			}
+			return false;
 		case 'none':
 			return true;
 		default:
@@ -87,6 +96,9 @@ class FreshRSS_Auth {
 		case 'http_auth':
 			self::$login_ok = strcasecmp($current_user, httpAuthUser()) === 0;
 			break;
+		case 'persona':
+			self::$login_ok = strcasecmp(Minz_Session::param('mail'), $conf->mail_login) === 0;
+			break;
 		case 'none':
 			self::$login_ok = true;
 			break;
@@ -131,6 +143,9 @@ class FreshRSS_Auth {
 			Minz_Session::_param('passwordHash');
 			FreshRSS_FormAuth::deleteCookie();
 			break;
+		case 'persona':
+			Minz_Session::_param('mail');
+			break;
 		case 'http_auth':
 		case 'none':
 			// Nothing to do...

app/layout/header.phtml

@@ -2,9 +2,9 @@
 if (Minz_Configuration::canLogIn()) {
 	?><ul class="nav nav-head nav-login"><?php
 		if (FreshRSS_Auth::hasAccess()) {
-			?><li class="item"><?php echo _i('logout'); ?> <a class="signout" href="<?php echo _url('index', 'logout'); ?>"><?php echo _t('logout'); ?></a></li><?php
+			?><li class="item"><?php echo _i('logout'); ?> <a class="signout" href="<?php echo _url('auth', 'logout'); ?>"><?php echo _t('logout'); ?></a></li><?php
 		} else {
-			?><li class="item"><?php echo _i('login'); ?> <a class="signin" href="<?php echo _url('index', 'login'); ?>"><?php echo _t('login'); ?></a></li><?php
+			?><li class="item"><?php echo _i('login'); ?> <a class="signin" href="<?php echo _url('auth', 'login'); ?>"><?php echo _t('login'); ?></a></li><?php
 		}
 	?></ul><?php
 }
@@ -74,21 +74,14 @@ if (Minz_Configuration::canLogIn()) {
 				<?php
 				if (Minz_Configuration::canLogIn()) {
 					?><li class="separator"></li>
-				<li class="item"><a class="signout" href="<?php echo _url('index', 'logout'); ?>"><?php echo _i('logout'), ' ', _t('logout'); ?></a></li><?php
+				<li class="item"><a class="signout" href="<?php echo _url('auth', 'logout'); ?>"><?php echo _i('logout'), ' ', _t('logout'); ?></a></li><?php
 				} ?>
 			</ul>
 		</div>
 	</div>
-	<?php } elseif (Minz_Configuration::canLogIn()) {
-		?><div class="item configure"><?php
-		switch (Minz_Configuration::authType()) {
-		case 'form':
-			echo _i('login'); ?><a class="signin" href="<?php echo _url('index', 'formLogin'); ?>"><?php echo _t('login'); ?></a></li><?php
-			break;
-		case 'persona':
-			echo _i('login'); ?><a class="signin" href="#"><?php echo _t('login'); ?></a></li><?php
-			break;
-		}
-		?></div><?php
-	} ?>
+	<?php } elseif (Minz_Configuration::canLogIn()) { ?>
+	<div class="item configure">
+		<?php echo _i('login'); ?><a class="signin" href="<?php echo _url('auth', 'login'); ?>"><?php echo _t('login'); ?></a>
+	</div>
+	<?php } ?>
 </div>

app/views/index/formLogin.phtml → app/views/auth/formLogin.phtml

@@ -1,9 +1,7 @@
 <div class="prompt">
-	<h1><?php echo _t('login'); ?></h1><?php
+	<h1><?php echo _t('login'); ?></h1>
 
-	switch (Minz_Configuration::authType()) {
-	case 'form':
-	?><form id="crypto-form" method="post" action="<?php echo _url('index', 'formLogin'); ?>">
+	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
 		<div>
 			<label for="username"><?php echo _t('username'); ?></label>
 			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
@@ -24,23 +22,7 @@
 		<div>
 			<button id="loginButton" type="submit" class="btn btn-important"><?php echo _t('login'); ?></button>
 		</div>
-	</form><?php
-		break;
-
-	case 'persona':
-		?><p>
-			<a class="signin btn btn-important" href="#">
-				<?php echo _i('login'); ?>
-				<?php echo _t('login_with_persona'); ?>
-			</a><br /><br />
-
-			<?php echo _i('help'); ?>
-			<small>
-				<a href="<?php echo _url('index', 'resetAuth'); ?>"><?php echo _t('login_persona_problem'); ?></a>
-			</small>
-		</p><?php
-		break;
-	} ?>
+	</form>
 
 	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('about_freshrss'); ?></a></p>
 </div>

app/views/auth/personaLogin.phtml

@@ -0,0 +1,24 @@
+<?php if ($this->res === false) { ?>
+<div class="prompt">
+	<h1><?php echo _t('login'); ?></h1>
+
+	<p>
+		<a class="signin btn btn-important" href="<?php echo _url('auth', 'login'); ?>">
+			<?php echo _i('login'); ?> <?php echo _t('login_with_persona'); ?>
+		</a>
+
+		<br /><br />
+
+		<?php echo _i('help'); ?>
+		<small>
+			<a href="<?php echo _url('auth', 'resetAuth'); ?>"><?php echo _t('login_persona_problem'); ?></a>
+		</small>
+	</p>
+
+	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('about_freshrss'); ?></a></p>
+</div>
+<?php
+} else {
+	echo json_encode($this->res);
+}
+?>

app/views/helpers/javascript_vars.phtml

@@ -8,6 +8,15 @@ $hide_posts = ($this->conf->display_posts ||
                Minz_Request::param('output') === 'reader');
 $s = $this->conf->shortcuts;
 
+$url_login = Minz_Url::display(array(
+	'c' => 'auth',
+	'a' => 'login'
+), 'php');
+$url_logout = Minz_Url::display(array(
+	'c' => 'auth',
+	'a' => 'logout'
+), 'php');
+
 echo 'var context={',
 	'hide_posts:', $hide_posts ? 'false' : 'true', ',',
 	'display_order:"', Minz_Request::param('order', $this->conf->sort_order), '",',
@@ -43,8 +52,8 @@ echo 'shortcuts={',
 
 echo 'url={',
 	'index:"', _url('index', 'index'), '",',
-	'login:"', _url('index', 'login'), '",',
-	'logout:"', _url('index', 'logout'), '",',
+	'login:"', $url_login, '",',
+	'logout:"', $url_logout, '",',
 	'help:"', FRESHRSS_WIKI, '"',
 "},\n";
 

p/scripts/main.js

@@ -1034,67 +1034,7 @@ function init_crypto_form() {
 }
 //</crypto form (Web login)>
 
-//<persona>
-function init_persona() {
-	if (!(navigator.id)) {
-		if (window.console) {
-			console.log('FreshRSS waiting for Persona…');
-		}
-		window.setTimeout(init_persona, 100);
-		return;
-	}
-	$('a.signin').click(function() {
-		navigator.id.request();
-		return false;
-	});
-
-	$('a.signout').click(function() {
-		navigator.id.logout();
-		return false;
-	});
 
-	navigator.id.watch({
-		loggedInUser: context['current_user_mail'],
-
-		onlogin: function(assertion) {
-			// A user has logged in! Here you need to:
-			// 1. Send the assertion to your backend for verification and to create a session.
-			// 2. Update your UI.
-			$.ajax ({
-				type: 'POST',
-				url: url['login'],
-				data: {assertion: assertion},
-				success: function(res, status, xhr) {
-					/*if (res.status === 'failure') {
-						alert (res_obj.reason);
-					} else*/ if (res.status === 'okay') {
-						location.href = url['index'];
-					}
-				},
-				error: function(res, status, xhr) {
-					alert("Login failure: " + res);
-				}
-			});
-		},
-		onlogout: function() {
-			// A user has logged out! Here you need to:
-			// Tear down the user's session by redirecting the user or making a call to your backend.
-			// Also, make sure loggedInUser will get set to null on the next page load.
-			// (That's a literal JavaScript null. Not false, 0, or undefined. null.)
-			$.ajax ({
-				type: 'POST',
-				url: url['logout'],
-				success: function(res, status, xhr) {
-					location.href = url['index'];
-				},
-				error: function(res, status, xhr) {
-					//alert("logout failure" + res);
-				}
-			});
-		}
-	});
-}
-//</persona>
 
 function init_confirm_action() {
 	$('body').on('click', '.confirm', function () {
@@ -1274,11 +1214,6 @@ function init_all() {
 		return;
 	}
 	init_notifications();
-	switch (context['auth_type']) {
-		case 'persona':
-			init_persona();
-			break;
-	}
 	init_confirm_action();
 	$stream = $('#stream');
 	if ($stream.length > 0) {

p/scripts/persona.js

@@ -0,0 +1,76 @@
+"use strict";
+
+function init_persona() {
+	if (!(navigator.id && window.$)) {
+		if (window.console) {
+			console.log('FreshRSS (Persona) waiting for JS…');
+		}
+		window.setTimeout(init_persona, 100);
+		return;
+	}
+
+	$('a.signin').click(function() {
+		navigator.id.request();
+		return false;
+	});
+
+	$('a.signout').click(function() {
+		navigator.id.logout();
+		return false;
+	});
+
+	navigator.id.watch({
+		loggedInUser: context['current_user_mail'],
+
+		onlogin: function(assertion) {
+			// A user has logged in! Here you need to:
+			// 1. Send the assertion to your backend for verification and to create a session.
+			// 2. Update your UI.
+			$.ajax ({
+				type: 'POST',
+				url: url['login'],
+				data: {assertion: assertion},
+				success: function(res, status, xhr) {
+					if (res.status === 'failure') {
+						openNotification(res.reason, 'bad');
+					} else if (res.status === 'okay') {
+						location.href = url['index'];
+					}
+				},
+				error: function(res, status, xhr) {
+					// alert(res);
+				}
+			});
+		},
+		onlogout: function() {
+			// A user has logged out! Here you need to:
+			// Tear down the user's session by redirecting the user or making a call to your backend.
+			// Also, make sure loggedInUser will get set to null on the next page load.
+			// (That's a literal JavaScript null. Not false, 0, or undefined. null.)
+			$.ajax ({
+				type: 'POST',
+				url: url['logout'],
+				success: function(res, status, xhr) {
+					location.href = url['index'];
+				},
+				error: function(res, status, xhr) {
+					// alert(res);
+				}
+			});
+		}
+	});
+}
+
+if (document.readyState && document.readyState !== 'loading') {
+	if (window.console) {
+		console.log('FreshRSS (Persona) immediate init…');
+	}
+	init_persona();
+} else if (document.addEventListener) {
+	document.addEventListener('DOMContentLoaded', function () {
+		if (window.console) {
+			console.log('FreshRSS (Persona) waiting for DOMContentLoaded…');
+		}
+		init_persona();
+	}, false);
+}