mirror of
https://github.com/espocrm/espocrm.git
synced 2026-06-28 15:06:06 +00:00
334 lines
9.6 KiB
PHP
334 lines
9.6 KiB
PHP
<?php
|
|
/************************************************************************
|
|
* This file is part of EspoCRM.
|
|
*
|
|
* EspoCRM - Open Source CRM application.
|
|
* Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
|
|
* Website: https://www.espocrm.com
|
|
*
|
|
* EspoCRM is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* EspoCRM is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with EspoCRM. If not, see http://www.gnu.org/licenses/.
|
|
*
|
|
* The interactive user interfaces in modified source and object code versions
|
|
* of this program must display Appropriate Legal Notices, as required under
|
|
* Section 5 of the GNU General Public License version 3.
|
|
*
|
|
* In accordance with Section 7(b) of the GNU General Public License version 3,
|
|
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
|
|
************************************************************************/
|
|
|
|
namespace Espo\Core\Api;
|
|
|
|
use Espo\Core\Exceptions\BadRequest;
|
|
use Espo\Core\Exceptions\HasBody;
|
|
use Espo\Core\Exceptions\ServiceUnavailable;
|
|
use Espo\Core\Exceptions\Forbidden;
|
|
use Espo\Core\Authentication\ConfigDataProvider;
|
|
use Espo\Core\Authentication\Authentication;
|
|
use Espo\Core\Authentication\AuthenticationData;
|
|
use Espo\Core\Authentication\Result;
|
|
use Espo\Core\Utils\Log;
|
|
use Espo\Core\Utils\Json;
|
|
|
|
use Exception;
|
|
|
|
/**
|
|
* Determines which auth method to use. Fetches a username and password from headers and server parameters.
|
|
* Then tries to log in.
|
|
*/
|
|
class Auth
|
|
{
|
|
private const HEADER_ESPO_AUTHORIZATION = 'Espo-Authorization';
|
|
|
|
public function __construct(
|
|
private Log $log,
|
|
private Authentication $authentication,
|
|
private ConfigDataProvider $configDataProvider,
|
|
private bool $authRequired = true,
|
|
private bool $isEntryPoint = false
|
|
) {}
|
|
|
|
/**
|
|
* @throws BadRequest
|
|
* @throws Exception
|
|
*/
|
|
public function process(Request $request, Response $response): AuthResult
|
|
{
|
|
$username = null;
|
|
$password = null;
|
|
|
|
$authenticationMethod = $this->obtainAuthenticationMethodFromRequest($request);
|
|
|
|
if (!$authenticationMethod) {
|
|
list($username, $password) = $this->obtainUsernamePasswordFromRequest($request);
|
|
}
|
|
|
|
$authenticationData = AuthenticationData::create()
|
|
->withUsername($username)
|
|
->withPassword($password)
|
|
->withMethod($authenticationMethod);
|
|
|
|
$hasAuthData = $username || $authenticationMethod;
|
|
|
|
if (!$hasAuthData) {
|
|
$password = $this->obtainTokenFromCookies($request);
|
|
|
|
if ($password) {
|
|
$authenticationData = AuthenticationData::create()
|
|
->withPassword($password)
|
|
->withByTokenOnly(true);
|
|
|
|
$hasAuthData = true;
|
|
}
|
|
}
|
|
|
|
if (!$this->authRequired && !$this->isEntryPoint && $hasAuthData) {
|
|
$authResult = $this->processAuthNotRequired(
|
|
$authenticationData,
|
|
$request,
|
|
$response
|
|
);
|
|
|
|
if ($authResult) {
|
|
return $authResult;
|
|
}
|
|
}
|
|
|
|
if (!$this->authRequired) {
|
|
return AuthResult::createResolvedUseNoAuth();
|
|
}
|
|
|
|
if ($hasAuthData) {
|
|
return $this->processWithAuthData($authenticationData, $request, $response);
|
|
}
|
|
|
|
$showDialog =
|
|
($this->isEntryPoint || !$this->isXMLHttpRequest($request)) &&
|
|
!$request->getHeader('Referer');
|
|
|
|
$this->handleUnauthorized($response, $showDialog);
|
|
|
|
return AuthResult::createNotResolved();
|
|
}
|
|
|
|
/**
|
|
* @throws Exception
|
|
*/
|
|
private function processAuthNotRequired(
|
|
AuthenticationData $data,
|
|
Request $request,
|
|
Response $response
|
|
): ?AuthResult {
|
|
|
|
try {
|
|
$result = $this->authentication->login($data, $request, $response);
|
|
}
|
|
catch (Exception $e) {
|
|
$this->handleException($response, $e);
|
|
|
|
return AuthResult::createNotResolved();
|
|
}
|
|
|
|
if (!$result->isFail()) {
|
|
return AuthResult::createResolved();
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* @throws Exception
|
|
*/
|
|
private function processWithAuthData(
|
|
AuthenticationData $data,
|
|
Request $request,
|
|
Response $response
|
|
): AuthResult {
|
|
|
|
try {
|
|
$result = $this->authentication->login($data, $request, $response);
|
|
}
|
|
catch (Exception $e) {
|
|
$this->handleException($response, $e);
|
|
|
|
return AuthResult::createNotResolved();
|
|
}
|
|
|
|
if ($result->isSuccess()) {
|
|
return AuthResult::createResolved();
|
|
}
|
|
|
|
if ($result->isFail()) {
|
|
$showDialog =
|
|
$this->isEntryPoint &&
|
|
!$request->getHeader('Referer');
|
|
|
|
$this->handleUnauthorized($response, $showDialog);
|
|
}
|
|
|
|
if ($result->isSecondStepRequired()) {
|
|
$this->handleSecondStepRequired($response, $result);
|
|
}
|
|
|
|
return AuthResult::createNotResolved();
|
|
}
|
|
|
|
/**
|
|
* @return array{string,string}
|
|
* @throws BadRequest
|
|
*/
|
|
private function decodeAuthorizationString(string $string): array
|
|
{
|
|
/** @var string $stringDecoded */
|
|
$stringDecoded = base64_decode($string);
|
|
|
|
if (!str_contains($stringDecoded, ':')) {
|
|
throw new BadRequest("Auth: Bad authorization string provided.");
|
|
}
|
|
|
|
/** @var array{string,string} */
|
|
return explode(':', $stringDecoded, 2);
|
|
}
|
|
|
|
protected function handleSecondStepRequired(Response $response, Result $result): void
|
|
{
|
|
$response->setStatus(401);
|
|
$response->setHeader('X-Status-Reason', 'second-step-required');
|
|
|
|
$bodyData = [
|
|
'status' => $result->getStatus(),
|
|
'message' => $result->getMessage(),
|
|
'view' => $result->getView(),
|
|
'token' => $result->getToken(),
|
|
'data' => $result->getData(),
|
|
];
|
|
|
|
$response->writeBody(Json::encode($bodyData));
|
|
}
|
|
|
|
/**
|
|
* @throws Exception
|
|
*/
|
|
protected function handleException(Response $response, Exception $e): void
|
|
{
|
|
if (
|
|
$e instanceof BadRequest ||
|
|
$e instanceof ServiceUnavailable ||
|
|
$e instanceof Forbidden
|
|
) {
|
|
$reason = $e->getMessage();
|
|
|
|
if ($reason) {
|
|
$response->setHeader('X-Status-Reason', $e->getMessage());
|
|
}
|
|
|
|
$response->setStatus($e->getCode());
|
|
|
|
if ($e->getBody()) {
|
|
$response->writeBody($e->getBody());
|
|
}
|
|
|
|
$this->log->notice("Auth: " . $e->getMessage());
|
|
|
|
return;
|
|
}
|
|
|
|
throw $e;
|
|
}
|
|
|
|
private function handleUnauthorized(Response $response, bool $showDialog): void
|
|
{
|
|
if ($showDialog) {
|
|
$response->setHeader('WWW-Authenticate', 'Basic realm=""');
|
|
}
|
|
|
|
$response->setStatus(401);
|
|
}
|
|
|
|
private function isXMLHttpRequest(Request $request): bool
|
|
{
|
|
if (strtolower($request->getHeader('X-Requested-With') ?? '') == 'xmlhttprequest') {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
private function obtainAuthenticationMethodFromRequest(Request $request): ?string
|
|
{
|
|
if ($request->hasHeader(self::HEADER_ESPO_AUTHORIZATION)) {
|
|
return null;
|
|
}
|
|
|
|
$paramsList = array_values(array_filter(
|
|
$this->configDataProvider->getLoginMetadataParamsList(),
|
|
function ($params) use ($request): bool {
|
|
$header = $params->getCredentialsHeader();
|
|
|
|
if (!$header || !$params->isApi()) {
|
|
return false;
|
|
}
|
|
|
|
return $request->hasHeader($header);
|
|
}
|
|
));
|
|
|
|
if (count($paramsList)) {
|
|
return $paramsList[0]->getMethod();
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* @return array{?string,?string}
|
|
* @throws BadRequest
|
|
*/
|
|
private function obtainUsernamePasswordFromRequest(Request $request): array
|
|
{
|
|
if ($request->hasHeader(self::HEADER_ESPO_AUTHORIZATION)) {
|
|
list($username, $password) = $this->decodeAuthorizationString(
|
|
$request->getHeader(self::HEADER_ESPO_AUTHORIZATION) ?? ''
|
|
);
|
|
|
|
return [$username, $password];
|
|
}
|
|
|
|
if (
|
|
$request->getServerParam('PHP_AUTH_USER') &&
|
|
$request->getServerParam('PHP_AUTH_PW')
|
|
) {
|
|
$username = $request->getServerParam('PHP_AUTH_USER');
|
|
$password = $request->getServerParam('PHP_AUTH_PW');
|
|
|
|
return [$username, $password];
|
|
}
|
|
|
|
$cgiAuthString = $request->getHeader('Http-Espo-Cgi-Auth') ??
|
|
$request->getHeader('Redirect-Http-Espo-Cgi-Auth');
|
|
|
|
if ($cgiAuthString) {
|
|
list($username, $password) = $this->decodeAuthorizationString(substr($cgiAuthString, 6));
|
|
|
|
return [$username, $password];
|
|
}
|
|
|
|
return [null, null];
|
|
}
|
|
|
|
private function obtainTokenFromCookies(Request $request): ?string
|
|
{
|
|
return $request->getCookieParam('auth-token');
|
|
}
|
|
}
|