5124: Cleaned up

Author: rimi-itk

CHANGELOG.md

@@ -8,6 +8,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+- [PR-375](https://github.com/itk-dev/os2loop/pull/375)
+  Added Cura login module
+
 ## [1.2.5]
 
 - [374](https://github.com/itk-dev/os2loop/pull/374)

README.md

@@ -140,8 +140,8 @@ for further details.
 ## Coding standards
 
 ```sh
-docker compose exec phpfpm composer coding-standards-apply
-docker compose exec phpfpm composer coding-standards-check
+docker compose exec phpfpm vendor/bin/phpcs
+docker compose exec phpfpm vendor/bin/phpcbf
 ```
 
 ```sh

web/profiles/custom/os2loop/modules/os2loop_cura_login/README.md

@@ -3,6 +3,30 @@
 Use `https://os2loop.example.com/os2loop-cura-login/start` as `linkURL` (or is it `formPostUrl`?) in the Cura link
 configuration.
 
+## How does it work?
+
+Cura will make a `POST` `multipart/form-data` request to `/os2loop-cura-login/start` with a `payload` parameter containing
+a JWT like
+
+``` json
+{
+  "header" : {
+    "alg" : "HS256"
+  },
+  "payload" : {
+    "brugerId" : "az…",
+    "organisationsNavn" : "Digitalisering",
+    "brugerensNavn" : "…",
+    "sorid" : "aarhus",
+    "exp" : 1756978913
+  },
+  "signature" : "…"
+}
+```
+
+However, it can also make a `GET` request to `/os2loop-cura-login/start/{payload}` or
+`/os2loop-cura-login/start/payload={payload}`.
+
 ## Example
 
 ``` shell
@@ -23,3 +47,11 @@ drush --uri='http://nginx:8080' os2loop-cura-login:get-login-url test@example.co
 # settings.local.php
 $config['os2loop_cura_login.settings']['log_level'] = \Drupal\Core\Logger\RfcLogLevel::DEBUG;
 ```
+
+Run
+
+``` shell
+drush config:get os2loop_cura_login.settings --include-overridden
+```
+
+to show the current module config.

web/profiles/custom/os2loop/modules/os2loop_cura_login/os2loop_cura_login.info.yml

@@ -1,7 +1,7 @@
-name: 'OS2Loop Cura login'
+name: "OS2Loop Cura login"
 type: module
-description: 'OS2Loop Cura login'
-package: 'OS2Loop'
+description: "OS2Loop Cura login"
+package: "OS2Loop"
 core_version_requirement: ^10 || ^11
 dependencies:
   - drupal:user

web/profiles/custom/os2loop/modules/os2loop_cura_login/os2loop_cura_login.links.menu.yml

@@ -1,6 +1,6 @@
 os2loop_cura_login.settings:
-  title: 'OS2Loop Cura login settings'
+  title: "OS2Loop Cura login settings"
   route_name: os2loop_cura_login.settings
-  description: 'Configure OS2Loop Cura login settings'
+  description: "Configure OS2Loop Cura login settings"
   parent: os2loop.group.admin
   weight: 100

web/profiles/custom/os2loop/modules/os2loop_cura_login/os2loop_cura_login.routing.yml

@@ -1,25 +1,34 @@
 os2loop_cura_login.start:
-  path: '/os2loop-cura-login/start'
+  path: "/os2loop-cura-login/start"
   defaults:
-    _title: 'Start Cura login'
+    _title: "Start Cura login with POST or GET"
     _controller: '\Drupal\os2loop_cura_login\Controller\Os2loopCuraLoginController::start'
   methods: [GET, POST]
   requirements:
-    _role: 'anonymous'
+    _role: "anonymous"
+
+os2loop_cura_login.start_get_jwt:
+  path: "/os2loop-cura-login/start/{jwt}"
+  defaults:
+    _title: "Start Cura login with JWT in request path"
+    _controller: '\Drupal\os2loop_cura_login\Controller\Os2loopCuraLoginController::start'
+  methods: [GET]
+  requirements:
+    _role: "anonymous"
 
 os2loop_cura_login.authenticate:
-  path: '/os2loop-login-hack/authenticate'
+  path: "/os2loop-login-hack/authenticate"
   defaults:
-    _title: 'Authenticate with Cura login'
+    _title: "Authenticate with Cura login"
     _controller: '\Drupal\os2loop_cura_login\Controller\Os2loopCuraLoginController::authenticate'
   methods: [GET]
   requirements:
-    _role: 'anonymous'
+    _role: "anonymous"
 
 os2loop_cura_login.settings:
-  path: '/admin/config/os2loop/os2loop_cura_login/settings'
+  path: "/admin/config/os2loop/os2loop_cura_login/settings"
   defaults:
     _form: '\Drupal\os2loop_cura_login\Form\SettingsForm'
-    _title: 'OS2Loop Cura login settings'
+    _title: "OS2Loop Cura login settings"
   requirements:
-    _permission: 'administer site settings'
+    _permission: "administer site settings"

web/profiles/custom/os2loop/modules/os2loop_cura_login/os2loop_cura_login.services.yml

@@ -1,4 +1,4 @@
 services:
   logger.channel.os2loop_cura_login:
     parent: logger.channel_base
-    arguments: ['os2loop_cura_login']
+    arguments: ["os2loop_cura_login"]

web/profiles/custom/os2loop/modules/os2loop_cura_login/src/Controller/Os2loopCuraLoginController.php

@@ -57,23 +57,29 @@ public function __construct(
   /**
    * Start user authentication.
    */
-  public function start(Request $request): Response {
+  public function start(Request $request, ?string $jwt): Response {
     try {
-            $content = NULL;
+      $content = NULL;
       try {
         $content = (string) $request->getContent();
-      } catch (\Exception) {}
+      }
+      catch (\Exception) {
+      }
       $this->debug('@debug', [
         '@debug' => json_encode([
           'method' => $request->getMethod(),
+          'headers' => $request->headers->all(),
           'query' => $request->query->all(),
           'content' => $content,
         ]),
       ]);
 
-      $jwt = Request::METHOD_POST === $request->getMethod()
-        ? $request->getContent()
-        : $request->query->getString($this->config->get('token_param_name') ?? 'token');
+      if (empty($jwt)) {
+        $name = $this->config->get('payload_name') ?? 'payload';
+        $jwt = Request::METHOD_POST === $request->getMethod()
+          ? $request->request->getString($name)
+          : $request->query->getString($name);
+      }
 
       $this->debug('@debug', [
         '@debug' => json_encode([
@@ -85,15 +91,25 @@ public function start(Request $request): Response {
         throw new BadRequestHttpException('Missing or empty JWT');
       }
 
-      $payload = (array) JWT::decode($jwt, new Key($this->config->get('signing_secret'), $this->config->get('signing_algorithm')));
+      $secret = $this->config->get('signing_secret');
+      // @todo Get rid of the double base64 encoding.
+      $secret = base64_decode($secret);
+
+      $originalLeeway = JWT::$leeway;
+      $leeway = (int) $this->config->get('jwt_leeway');
+      if ($leeway > 0) {
+        JWT::$leeway = $leeway;
+      }
+      $payload = (array) JWT::decode($jwt, new Key($secret, $this->config->get('signing_algorithm')));
+      JWT::$leeway = $originalLeeway;
 
       $this->debug('@debug', [
         '@debug' => json_encode([
           'payload' => $payload,
         ]),
       ]);
 
-      $username = $payload['username'] ?? NULL;
+      $username = $payload['username'] ?? $payload['brugerId'] ?? NULL;
       if (empty($username)) {
         throw new BadRequestHttpException('Missing username');
       }
@@ -221,9 +237,11 @@ private function getUserinfo(User $user): array {
     ];
   }
 
-  public function log($level, \Stringable|string $message, array $context = []): void
-  {
-    // Lifted from LoggerChannel
+  /**
+   * {@inheritdoc}
+   */
+  public function log($level, \Stringable|string $message, array $context = []): void {
+    // Lifted from LoggerChannel.
     $levels = [
       LogLevel::EMERGENCY => RfcLogLevel::EMERGENCY,
       LogLevel::ALERT => RfcLogLevel::ALERT,
@@ -235,7 +253,7 @@ public function log($level, \Stringable|string $message, array $context = []): v
       LogLevel::DEBUG => RfcLogLevel::DEBUG,
     ];
     $rfcLogLevel = $levels[$level] ?? RfcLogLevel::ERROR;
-    if ((int)$this->config->get('log_level') >= $rfcLogLevel) {
+    if ((int) $this->config->get('log_level') >= $rfcLogLevel) {
       $this->logger->log($level, $message, $context);
     }
   }

web/profiles/custom/os2loop/modules/os2loop_cura_login/src/Drush/Commands/Os2loopCuraLoginCommands.php

@@ -2,24 +2,19 @@
 
 namespace Drupal\os2loop_cura_login\Drush\Commands;
 
-use Consolidation\OutputFormatters\StructuredData\RowsOfFields;
 use Drupal\Component\Datetime\TimeInterface;
 use Drupal\Core\DependencyInjection\AutowireTrait;
 use Drupal\Core\Url;
-use Drupal\Core\Utility\Token;
 use Drush\Attributes as CLI;
 use Drush\Commands\DrushCommands;
 use Firebase\JWT\JWT;
-use Http\Client\HttpClient;
 use Psr\Http\Client\ClientInterface;
-use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
  * A Drush commandfile.
  */
-final class Os2loopCuraLoginCommands extends DrushCommands
-{
+final class Os2loopCuraLoginCommands extends DrushCommands {
   use AutowireTrait;
 
   /**
@@ -42,10 +37,10 @@ public function __construct(
   public function commandName(
     $username,
     $options = [
-      'get' => null,
-      'secret' => null,
+      'get' => NULL,
+      'secret' => NULL,
       'algorithm' => 'HS256',
-    ]
+    ],
   ) {
     // https://github.com/firebase/php-jwt?tab=readme-ov-file#example
     $payload = [
@@ -62,11 +57,12 @@ public function commandName(
     if ($name = $options['get']) {
       $method = Request::METHOD_GET;
       $routeParameters[$name] = $jwt;
-    } else {
+    }
+    else {
       $method = Request::METHOD_POST;
       $requestOptions['body'] = $jwt;
     }
-    $url = Url::fromRoute('os2loop_cura_login.start', $routeParameters)->setAbsolute()->toString(true)->getGeneratedUrl();
+    $url = Url::fromRoute('os2loop_cura_login.start', $routeParameters)->setAbsolute()->toString(TRUE)->getGeneratedUrl();
     $this->io()->writeln($method === Request::METHOD_POST
       ? sprintf('POST\'ing to %s', $url)
       : sprintf('GET\'ing %s', $url),
@@ -78,7 +74,7 @@ public function commandName(
       $url,
       $request->getStatusCode(),
       $request->getBody()->getContents(),
-    ], true);
+    ], TRUE);
     die(__FILE__ . ':' . __LINE__ . ':' . __METHOD__);
   }
 

web/profiles/custom/os2loop/modules/os2loop_cura_login/src/Form/SettingsForm.php

@@ -66,11 +66,17 @@ public function buildForm(array $form, FormStateInterface $form_state): array {
       '#description' => $this->t('Check this to generate a new random secret'),
     ];
 
-    $form['token_param_name'] = [
+    $form['payload_name'] = [
       '#type' => 'textfield',
-      '#title' => $this->t('Token param name'),
-      '#default_value' => $config->get('token_param_name'),
-      '#description' => $this->t('Query string param name used for JWT token on GET request'),
+      '#title' => $this->t('Payload name'),
+      '#default_value' => $config->get('payload_name') ?? 'payload',
+      '#description' => $this->t('Name of parameter used for payload'),
+    ];
+
+    $form['jwt_leeway'] = [
+      '#type' => 'textfield',
+      '#title' => $this->t('JWT leeway'),
+      '#default_value' => $config->get('jwt_leeway') ?? 0,
     ];
 
     $form['log_level'] = [
@@ -80,42 +86,31 @@ public function buildForm(array $form, FormStateInterface $form_state): array {
       '#default_value' => $config->get('log_level') ?? RfcLogLevel::ERROR,
     ];
 
-    $authenticationStartUrl = Url::fromRoute('os2loop_cura_login.start')->setAbsolute()->toString(true)->getGeneratedUrl();
+    $authenticationStartUrl = Url::fromRoute('os2loop_cura_login.start')->setAbsolute()->toString(TRUE)->getGeneratedUrl();
     $form['info'] = [
       '#theme' => 'item_list',
       '#items' => [
-        '#markup' => $this->t('Use <a href=":url">:url</a> as <code>linkURL</code>.', [':url' => $authenticationStartUrl]),
+        '#markup' => $this->t('Use <a href=":url">:url</a> as <code>linkURL</code> for <code>postToGetLinkURL ≡ true</code>.', [':url' => $authenticationStartUrl]),
       ],
     ];
 
-    if ($name = $config->get('token_param_name')) {
-      $authenticationStartUrl = Url::fromRoute('os2loop_cura_login.start', [$name => '…'])->setAbsolute()->toString(true)->getGeneratedUrl();
-      $authenticationStartUrl = str_replace(urlencode('…'), '…', $authenticationStartUrl);
+    $authenticationStartUrl = Url::fromRoute('os2loop_cura_login.start', [])->setAbsolute()->toString(TRUE)->getGeneratedUrl();
+    $authenticationStartUrl = rtrim($authenticationStartUrl, '/') . '/';
+    $form['info']['#items'][] = [
+      '#markup' => $this->t('Use <a href=":url">:url</a> as <code>linkURL</code> for <core><code>postToGetLinkURL ≡ false</code>.', [':url' => $authenticationStartUrl]),
+    ];
+
+    if ($name = $config->get('payload_name')) {
+      $authenticationStartUrl = Url::fromRoute('os2loop_cura_login.start', [$name => '…'])->setAbsolute()->toString(TRUE)->getGeneratedUrl();
+      $authenticationStartUrl = str_replace(urlencode('…'), '', $authenticationStartUrl);
       $form['info']['#items'][] = [
-        '#markup' => $this->t('Use <a href=":url">:url</a> as <code>linkURL</code> for <core>GET</core>.', [':url' => $authenticationStartUrl]),
+        '#markup' => $this->t('Use <a href=":url">:url</a> as <code>linkURL</code> for <core><code>postToGetLinkURL ≡ false</code>.', [':url' => $authenticationStartUrl]),
       ];
     }
 
     return parent::buildForm($form, $form_state);
   }
 
-  /**
-   * {@inheritdoc}
-   */
-  public function validateForm(array &$form, FormStateInterface $form_state): void {
-    // @todo Validate the form here.
-    // Example:
-    // @code
-    //   if ($form_state->getValue('example') === 'wrong') {
-    //     $form_state->setErrorByName(
-    //       'message',
-    //       $this->t('The value is not correct.'),
-    //     );
-    //   }
-    // @endcode
-    parent::validateForm($form, $form_state);
-  }
-
   /**
    * {@inheritdoc}
    */
@@ -127,7 +122,8 @@ public function submitForm(array &$form, FormStateInterface $form_state): void {
     $this->config('os2loop_cura_login.settings')
       ->set('signing_algorithm', $form_state->getValue('signing_algorithm'))
       ->set('signing_secret', $secret)
-      ->set('token_param_name', $form_state->getValue('token_param_name'))
+      ->set('payload_name', $form_state->getValue('payload_name'))
+      ->set('jwt_leeway', $form_state->getValue('jwt_leeway'))
       ->set('log_level', $form_state->getValue('log_level'))
       ->save();
     parent::submitForm($form, $form_state);