Controller for cross-domain iframes added
This commit is contained in:
		| @@ -72,7 +72,7 @@ $pageLayout['full_alt'] = <<<'FULL_ALT' | |||||||
| </html> | </html> | ||||||
| FULL_ALT; | FULL_ALT; | ||||||
|  |  | ||||||
| $pageLayout['bare'] = <<<'BARE' | $pageLayout['frames'] = <<<'FRAMES' | ||||||
| <!DOCTYPE html> | <!DOCTYPE html> | ||||||
| <html lang="nl"> | <html lang="nl"> | ||||||
|   <head> |   <head> | ||||||
| @@ -81,12 +81,13 @@ $pageLayout['bare'] = <<<'BARE' | |||||||
| 	<meta name="application-name" content="lucidAuth" /> | 	<meta name="application-name" content="lucidAuth" /> | ||||||
|     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script> |     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script> | ||||||
|     <script src="misc/script.iframe.js"></script> |     <script src="misc/script.iframe.js"></script> | ||||||
|  |     <script>%1$s</script> | ||||||
|   </head> |   </head> | ||||||
|   <body> |   <body> | ||||||
|   	%1$s |   	%2$s | ||||||
|   </body> |   </body> | ||||||
| </html> | </html> | ||||||
| BARE; | FRAMES; | ||||||
|  |  | ||||||
| $contentLayout['login'] = <<<'LOGIN' | $contentLayout['login'] = <<<'LOGIN' | ||||||
| 		  <script src="misc/script.index.js"></script> | 		  <script src="misc/script.index.js"></script> | ||||||
|   | |||||||
| @@ -14,10 +14,9 @@ | |||||||
| 					"Result"			=>	"Failure", | 					"Result"			=>	"Failure", | ||||||
| 					"Reason"			=>	"Failed storing authentication token in database and/or cookie" | 					"Reason"			=>	"Failed storing authentication token in database and/or cookie" | ||||||
| 				]); | 				]); | ||||||
| #				echo '{"Result":"Fail","Reason":"Failed storing authentication token in database and/or cookie"}' . PHP_EOL; |  | ||||||
| 				exit; | 				exit; | ||||||
| 			} | 			} | ||||||
|              |  | ||||||
| 			// Convert base64 encoded string back from JSON; | 			// Convert base64 encoded string back from JSON; | ||||||
| 			//   forcing it into an associative array (instead of javascript's default StdClass object) | 			//   forcing it into an associative array (instead of javascript's default StdClass object) | ||||||
| 			try { | 			try { | ||||||
| @@ -30,7 +29,6 @@ | |||||||
| 					"Result"			=>	"Failure", | 					"Result"			=>	"Failure", | ||||||
| 					"Reason"			=>	"Original request-URI lost in transition" | 					"Reason"			=>	"Original request-URI lost in transition" | ||||||
| 				]); | 				]); | ||||||
| #				echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL; |  | ||||||
| 				exit; | 				exit; | ||||||
| 			} | 			} | ||||||
| 			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php'; | 			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php'; | ||||||
| @@ -40,7 +38,9 @@ | |||||||
| 			echo json_encode([ | 			echo json_encode([ | ||||||
| 				"Result"			=>	"Success", | 				"Result"			=>	"Success", | ||||||
| 				"Location"			=>	$originalUri, | 				"Location"			=>	$originalUri, | ||||||
| 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'] | 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'], | ||||||
|  |                 "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])), | ||||||
|  |                 "SecureToken"       =>  $result['token'] | ||||||
| 			]); | 			]); | ||||||
| 		} else { | 		} else { | ||||||
| 			switch ($result['reason']) { | 			switch ($result['reason']) { | ||||||
| @@ -63,8 +63,8 @@ | |||||||
| 	} else { | 	} else { | ||||||
| 		include_once('../include/lucidAuth.template.php'); | 		include_once('../include/lucidAuth.template.php'); | ||||||
|  |  | ||||||
| 		echo sprintf($pageLayout['full'],  | 		echo sprintf($pageLayout['full'], | ||||||
| 			sprintf($contentLayout['login'],  | 			sprintf($contentLayout['login'], | ||||||
| 				$_GET['ref'] | 				$_GET['ref'] | ||||||
| 			) | 			) | ||||||
| 		); | 		); | ||||||
|   | |||||||
| @@ -4,38 +4,54 @@ | |||||||
| 	include_once('../include/lucidAuth.functions.php'); | 	include_once('../include/lucidAuth.functions.php'); | ||||||
|  |  | ||||||
|     // Start with checking $_REQUEST['ref'] |     // Start with checking $_REQUEST['ref'] | ||||||
| 	// What do we need? |  | ||||||
| 	//   token again? |  | ||||||
|  |  | ||||||
| 	// approach 1: |  | ||||||
| 	//   origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already) |  | ||||||
| 	//   this might be slower because it means one additional roundtrip between client and server |  | ||||||
|  |  | ||||||
| 	// approach 2: |  | ||||||
| 	//   let the client setup multiple iframes for all domains other than origin domains |  | ||||||
| 	//   this requires passing an array of domains to the client in asynchronous reply; which feels insecure |  | ||||||
|  |  | ||||||
| 	if (!empty($_REQUEST['ref'])) { | 	if (!empty($_REQUEST['ref'])) { | ||||||
| 		try { | 		try { | ||||||
| 			$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY); | 			$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY); | ||||||
| 		} | 		} | ||||||
| 		catch (Exception $e) { | 		catch (Exception $e) { | ||||||
| 			// Silently fail, unless explicitly specified otherwise | 			// Silently fail, unless explicitly specified otherwise | ||||||
|  |             header("HTTP/1.1 400 Bad Request"); | ||||||
| 			if ($settings->Debug['Verbose']) throw new Exception($e); | 			if ($settings->Debug['Verbose']) throw new Exception($e); | ||||||
|             exit; |             exit; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|         switch ($queryString['action']) { |         switch ($queryString['action']) { | ||||||
|             case 'login': |             case 'login': | ||||||
|  |                 if (validateToken($queryString['token'])['status'] === "Success") { | ||||||
|  |                     // This request appears valid; try storing a cookie | ||||||
|  |                     $httpHost = $_SERVER['HTTP_HOST']; | ||||||
|  |                     $httpOrigin = $_SERVER['HTTP_ORIGIN']; | ||||||
|  |                     // Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain) | ||||||
|  |                     //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks | ||||||
|  |                     $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) { | ||||||
|  |                         return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); | ||||||
|  |                     }))[0]; | ||||||
|  |                     $originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) { | ||||||
|  |                         return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value))); | ||||||
|  |                     }))[0]; | ||||||
|  |                     if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) { | ||||||
|  |                         header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); | ||||||
|  |                         header("HTTP/1.1 202 Accepted"); | ||||||
|  |                         exit; | ||||||
|  |                     } | ||||||
|  |                     else { | ||||||
|  |                         header("HTTP/1.1 400 Bad Request"); | ||||||
|  |                         exit; | ||||||
|  |                     } | ||||||
|  |                 } | ||||||
|  |                 else { | ||||||
|  |                     header("HTTP/1.1 401 Unauthorized"); | ||||||
|  |                     exit; | ||||||
|  |                 } | ||||||
|                 break; |                 break; | ||||||
|             default: |             default: | ||||||
|  |                 header("HTTP/1.1 400 Bad Request"); | ||||||
|  |                 exit; | ||||||
|                 break; |                 break; | ||||||
|         } |         } | ||||||
| 	} | 	} | ||||||
|  |     else { | ||||||
| 	include_once('../include/lucidAuth.template.php'); |         header("HTTP/1.1 400 Bad Request"); | ||||||
|  |         exit; | ||||||
| 	echo sprintf($pageLayout['bare'], |     } | ||||||
| 		'// iFrames go here' |  | ||||||
| 	); |  | ||||||
| ?> | ?> | ||||||
| @@ -14,7 +14,7 @@ | |||||||
| 	$proxyHeaders = array_filter($proxyHeaders, function ($key) { | 	$proxyHeaders = array_filter($proxyHeaders, function ($key) { | ||||||
| 		return substr($key, 0, 10) === 'XForwarded'; | 		return substr($key, 0, 10) === 'XForwarded'; | ||||||
| 	}, ARRAY_FILTER_USE_KEY); | 	}, ARRAY_FILTER_USE_KEY); | ||||||
| 	 |  | ||||||
| 	// For debugging purposes - enable it in ../lucidAuth.config.php | 	// For debugging purposes - enable it in ../lucidAuth.config.php | ||||||
| 	if ($settings->Debug['LogToFile']) { | 	if ($settings->Debug['LogToFile']) { | ||||||
| 		file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND); | 		file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND); | ||||||
| @@ -22,7 +22,7 @@ | |||||||
|  |  | ||||||
| 	if (sizeof($proxyHeaders) === 0) { | 	if (sizeof($proxyHeaders) === 0) { | ||||||
| 		// Non-proxied request; this is senseless, go fetch! | 		// Non-proxied request; this is senseless, go fetch! | ||||||
| 		header("HTTP/1.1 403 Forbidden"); | 		header("HTTP/1.1 400 Bad Request"); | ||||||
| 		exit; | 		exit; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|   | |||||||
| @@ -31,11 +31,34 @@ $(document).ready(function(){ | |||||||
| 						'color':		'#FFF' | 						'color':		'#FFF' | ||||||
| 					}); | 					}); | ||||||
| 					if (data.CrossDomainLogin) { | 					if (data.CrossDomainLogin) { | ||||||
| 						// Create iframes for other domains |  | ||||||
| console.log('CrossDomainLogin initiated'); | console.log('CrossDomainLogin initiated'); | ||||||
|  | // do ajax in parallel, show progress, | ||||||
|  | // redirect once all finished loading or timeout after $X ms | ||||||
|  | // origin domain should be exempted from timeout | ||||||
|  | //   (because origin domain can/will be different from current domain --due to traefik design). | ||||||
|  |  | ||||||
|  |                         var cookieDomains = JSON.parse(data.CookieDomains); | ||||||
|  |                         var XHR = []; | ||||||
|  |                         cookieDomains.forEach(function(domain) { | ||||||
|  |                             XHR.push($.get({ | ||||||
|  |                                 url: "https://auth." + domain + "/lucidAuth.setXDomainCookie.php", | ||||||
|  |                                 crossDomain: true, | ||||||
|  |                                 data: { | ||||||
|  |                                     ref: btoa(JSON.stringify({ | ||||||
|  |                                         action: 'login', | ||||||
|  |                                         token: data.SecureToken | ||||||
|  |                                     })) | ||||||
|  |                                 } | ||||||
|  |                             })); | ||||||
|  |                         }); | ||||||
|  |                         $.when.apply($, XHR).then(function(){ | ||||||
|  |                             $.each(arguments, function(_index, arg) { | ||||||
|  |                                 console.log(JSON.stringify(arg)); | ||||||
|  |                             }); | ||||||
|  |                         }); | ||||||
| 					} | 					} | ||||||
| console.log("Navigating to :" + data.Location); |                     // Finished (either succesfully or through timeout) cross-domain logins | ||||||
| 					window.location.replace(data.Location); | 					//window.location.replace(data.Location); | ||||||
| 				}, 2250); | 				}, 2250); | ||||||
| 			} else { | 			} else { | ||||||
| 				$('#btnlogin').css({ | 				$('#btnlogin').css({ | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user