Controller for cross-domain iframes added
This commit is contained in:
		| @@ -72,7 +72,7 @@ $pageLayout['full_alt'] = <<<'FULL_ALT' | ||||
| </html> | ||||
| FULL_ALT; | ||||
|  | ||||
| $pageLayout['bare'] = <<<'BARE' | ||||
| $pageLayout['frames'] = <<<'FRAMES' | ||||
| <!DOCTYPE html> | ||||
| <html lang="nl"> | ||||
|   <head> | ||||
| @@ -81,12 +81,13 @@ $pageLayout['bare'] = <<<'BARE' | ||||
| 	<meta name="application-name" content="lucidAuth" /> | ||||
|     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script> | ||||
|     <script src="misc/script.iframe.js"></script> | ||||
|     <script>%1$s</script> | ||||
|   </head> | ||||
|   <body> | ||||
|   	%1$s | ||||
|   	%2$s | ||||
|   </body> | ||||
| </html> | ||||
| BARE; | ||||
| FRAMES; | ||||
|  | ||||
| $contentLayout['login'] = <<<'LOGIN' | ||||
| 		  <script src="misc/script.index.js"></script> | ||||
|   | ||||
| @@ -14,7 +14,6 @@ | ||||
| 					"Result"			=>	"Failure", | ||||
| 					"Reason"			=>	"Failed storing authentication token in database and/or cookie" | ||||
| 				]); | ||||
| #				echo '{"Result":"Fail","Reason":"Failed storing authentication token in database and/or cookie"}' . PHP_EOL; | ||||
| 				exit; | ||||
| 			} | ||||
|  | ||||
| @@ -30,7 +29,6 @@ | ||||
| 					"Result"			=>	"Failure", | ||||
| 					"Reason"			=>	"Original request-URI lost in transition" | ||||
| 				]); | ||||
| #				echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL; | ||||
| 				exit; | ||||
| 			} | ||||
| 			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php'; | ||||
| @@ -40,7 +38,9 @@ | ||||
| 			echo json_encode([ | ||||
| 				"Result"			=>	"Success", | ||||
| 				"Location"			=>	$originalUri, | ||||
| 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'] | ||||
| 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'], | ||||
|                 "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])), | ||||
|                 "SecureToken"       =>  $result['token'] | ||||
| 			]); | ||||
| 		} else { | ||||
| 			switch ($result['reason']) { | ||||
|   | ||||
| @@ -4,38 +4,54 @@ | ||||
| 	include_once('../include/lucidAuth.functions.php'); | ||||
|  | ||||
|     // Start with checking $_REQUEST['ref'] | ||||
| 	// What do we need? | ||||
| 	//   token again? | ||||
|  | ||||
| 	// approach 1: | ||||
| 	//   origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already) | ||||
| 	//   this might be slower because it means one additional roundtrip between client and server | ||||
|  | ||||
| 	// approach 2: | ||||
| 	//   let the client setup multiple iframes for all domains other than origin domains | ||||
| 	//   this requires passing an array of domains to the client in asynchronous reply; which feels insecure | ||||
|  | ||||
| 	if (!empty($_REQUEST['ref'])) { | ||||
| 		try { | ||||
| 			$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY); | ||||
| 		} | ||||
| 		catch (Exception $e) { | ||||
| 			// Silently fail, unless explicitly specified otherwise | ||||
|             header("HTTP/1.1 400 Bad Request"); | ||||
| 			if ($settings->Debug['Verbose']) throw new Exception($e); | ||||
|             exit; | ||||
| 		} | ||||
|  | ||||
|         switch ($queryString['action']) { | ||||
|             case 'login': | ||||
|                 if (validateToken($queryString['token'])['status'] === "Success") { | ||||
|                     // This request appears valid; try storing a cookie | ||||
|                     $httpHost = $_SERVER['HTTP_HOST']; | ||||
|                     $httpOrigin = $_SERVER['HTTP_ORIGIN']; | ||||
|                     // Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain) | ||||
|                     //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks | ||||
|                     $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) { | ||||
|                         return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); | ||||
|                     }))[0]; | ||||
|                     $originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) { | ||||
|                         return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value))); | ||||
|                     }))[0]; | ||||
|                     if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) { | ||||
|                         header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); | ||||
|                         header("HTTP/1.1 202 Accepted"); | ||||
|                         exit; | ||||
|                     } | ||||
|                     else { | ||||
|                         header("HTTP/1.1 400 Bad Request"); | ||||
|                         exit; | ||||
|                     } | ||||
|                 } | ||||
|                 else { | ||||
|                     header("HTTP/1.1 401 Unauthorized"); | ||||
|                     exit; | ||||
|                 } | ||||
|                 break; | ||||
|             default: | ||||
|                 header("HTTP/1.1 400 Bad Request"); | ||||
|                 exit; | ||||
|                 break; | ||||
|         } | ||||
| 	} | ||||
|  | ||||
| 	include_once('../include/lucidAuth.template.php'); | ||||
|  | ||||
| 	echo sprintf($pageLayout['bare'], | ||||
| 		'// iFrames go here' | ||||
| 	); | ||||
|     else { | ||||
|         header("HTTP/1.1 400 Bad Request"); | ||||
|         exit; | ||||
|     } | ||||
| ?> | ||||
| @@ -22,7 +22,7 @@ | ||||
|  | ||||
| 	if (sizeof($proxyHeaders) === 0) { | ||||
| 		// Non-proxied request; this is senseless, go fetch! | ||||
| 		header("HTTP/1.1 403 Forbidden"); | ||||
| 		header("HTTP/1.1 400 Bad Request"); | ||||
| 		exit; | ||||
| 	} | ||||
|  | ||||
|   | ||||
| @@ -31,11 +31,34 @@ $(document).ready(function(){ | ||||
| 						'color':		'#FFF' | ||||
| 					}); | ||||
| 					if (data.CrossDomainLogin) { | ||||
| 						// Create iframes for other domains | ||||
| console.log('CrossDomainLogin initiated'); | ||||
| // do ajax in parallel, show progress, | ||||
| // redirect once all finished loading or timeout after $X ms | ||||
| // origin domain should be exempted from timeout | ||||
| //   (because origin domain can/will be different from current domain --due to traefik design). | ||||
|  | ||||
|                         var cookieDomains = JSON.parse(data.CookieDomains); | ||||
|                         var XHR = []; | ||||
|                         cookieDomains.forEach(function(domain) { | ||||
|                             XHR.push($.get({ | ||||
|                                 url: "https://auth." + domain + "/lucidAuth.setXDomainCookie.php", | ||||
|                                 crossDomain: true, | ||||
|                                 data: { | ||||
|                                     ref: btoa(JSON.stringify({ | ||||
|                                         action: 'login', | ||||
|                                         token: data.SecureToken | ||||
|                                     })) | ||||
|                                 } | ||||
| console.log("Navigating to :" + data.Location); | ||||
| 					window.location.replace(data.Location); | ||||
|                             })); | ||||
|                         }); | ||||
|                         $.when.apply($, XHR).then(function(){ | ||||
|                             $.each(arguments, function(_index, arg) { | ||||
|                                 console.log(JSON.stringify(arg)); | ||||
|                             }); | ||||
|                         }); | ||||
| 					} | ||||
|                     // Finished (either succesfully or through timeout) cross-domain logins | ||||
| 					//window.location.replace(data.Location); | ||||
| 				}, 2250); | ||||
| 			} else { | ||||
| 				$('#btnlogin').css({ | ||||
|   | ||||
		Reference in New Issue
	
	Block a user