fix: corrected review notes

Author: thorsten

phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php

@@ -67,13 +67,35 @@ public function create(string $login, #[SensitiveParameter] string $password, st
             return false;
         }
 
+        try {
+            $saved = $user->setUserData([
+                'display_name' => $this->getDisplayName(),
+                'email' => $this->getEmail(),
+                'keycloak_sub' => $this->getSubject(),
+            ]);
+        } catch (\Exception $exception) {
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf(
+                    'Keycloak user data persistence failed for "%s": %s',
+                    $this->redactIdentifier($login),
+                    $exception->getMessage(),
+                ));
+            return false;
+        }
+
+        if (!$saved) {
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf(
+                    'Keycloak user data persistence returned false for "%s"',
+                    $this->redactIdentifier($login),
+                ));
+            return false;
+        }
+
         $user->setStatus('active');
         $user->setAuthSource(AuthenticationSourceType::AUTH_KEYCLOAK->value);
-        $user->setUserData([
-            'display_name' => $this->getDisplayName(),
-            'email' => $this->getEmail(),
-            'keycloak_sub' => $this->getSubject(),
-        ]);
 
         if ($this->shouldAssignGroups()) {
             $this->assignUserToGroups($user->getUserId());
@@ -280,7 +302,10 @@ private function toBool(mixed $value): bool
 
     private function shouldSynchronizeGroupsOnLogin(): bool
     {
-        return $this->toBool($this->configuration->get(item: 'keycloak.groupSyncOnLogin'));
+        return (
+            $this->toBool($this->configuration->get(item: 'keycloak.groupSyncOnLogin'))
+            && $this->configuration->get(item: 'security.permLevel') === 'medium'
+        );
     }
 
     private function redactIdentifier(string $identifier): string

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcIdTokenValidator.php

@@ -151,12 +151,17 @@ private function validateClaims(
         if (!array_key_exists('exp', $claims) || !is_numeric($claims['exp'])) {
             throw new RuntimeException('OIDC id_token is missing the expiration claim');
         }
-        if ((int) $claims['exp'] < $now) {
+        if ($now >= (int) $claims['exp']) {
             throw new RuntimeException('OIDC id_token has expired');
         }
 
-        if (array_key_exists('nbf', $claims) && is_numeric($claims['nbf']) && (int) $claims['nbf'] > $now) {
-            throw new RuntimeException('OIDC id_token is not valid yet');
+        if (array_key_exists('nbf', $claims)) {
+            if (!is_numeric($claims['nbf'])) {
+                throw new RuntimeException('OIDC id_token has a non-numeric nbf claim');
+            }
+            if ($now < (int) $claims['nbf']) {
+                throw new RuntimeException('OIDC id_token is not valid yet');
+            }
         }
 
         if (!array_key_exists('iat', $claims) || !is_numeric($claims['iat'])) {

phpmyfaq/src/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationController.php

@@ -191,6 +191,10 @@ public function callback(Request $request): Response
             }
 
             $login = $this->resolveLocalLogin($claims);
+            if ($login === '') {
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
             $auth = new AuthKeycloak($this->configuration, $providerConfig, $claims, $login, $this->userFactory);
 
             if (!$auth->isValidLogin($login)) {
@@ -289,7 +293,13 @@ private function resolveLocalLogin(array $claims): string
             return $email;
         }
 
-        return $subject;
+        $this->configuration
+            ->getLogger()
+            ->warning(
+                'Keycloak login rejected: claims are missing both preferred_username and email; refusing to auto-provision the sub.',
+            );
+
+        return '';
     }
 
     private function maskLogin(string $login): string
@@ -299,7 +309,9 @@ private function maskLogin(string $login): string
             return '<empty>';
         }
 
-        return 'sha256:' . substr(hash('sha256', $login), 0, 12);
+        $secret = (string) $this->configuration->get('security.salt');
+
+        return 'hmac:' . substr(hash_hmac('sha256', $login, $secret), 0, 12);
     }
 
     /** @param array<string, mixed> $claims */

phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php

@@ -169,8 +169,10 @@ protected function createIndex(string $table, string $indexName, string|array $c
 
         if ($this->isSqlServer()) {
             return sprintf(
-                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s') " . 'CREATE INDEX %s ON %s (%s)',
+                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s' AND object_id = OBJECT_ID('%s')) "
+                . 'CREATE INDEX %s ON %s (%s)',
                 $indexName,
+                $tableName,
                 $indexName,
                 $tableName,
                 $columnList,
@@ -208,9 +210,10 @@ protected function createUniqueIndex(string $table, string $indexName, string|ar
                 $col,
             ), $columns));
             return sprintf(
-                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s') "
+                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s' AND object_id = OBJECT_ID('%s')) "
                 . 'CREATE UNIQUE INDEX %s ON %s (%s) WHERE %s',
                 $indexName,
+                $tableName,
                 $indexName,
                 $tableName,
                 $columnList,

phpmyfaq/src/phpMyFAQ/User/UserData.php

@@ -279,6 +279,11 @@ public function load(int $userId): bool
      */
     public function save(): bool
     {
+        $keycloakSubRaw = $this->data['keycloak_sub'] ?? null;
+        $keycloakSubValue = is_string($keycloakSubRaw) && trim($keycloakSubRaw) !== ''
+            ? "'" . $this->configuration->getDb()->escape($keycloakSubRaw) . "'"
+            : 'NULL';
+
         $update = sprintf(
             "
             UPDATE
@@ -287,7 +292,7 @@ public function save(): bool
                 last_modified = '%s',
                 display_name = '%s',
                 email = '%s',
-                keycloak_sub = '%s',
+                keycloak_sub = %s,
                 is_visible = %d,
                 twofactor_enabled = %d,
                 secret = '%s'
@@ -297,7 +302,7 @@ public function save(): bool
             date(format: 'YmdHis', timestamp: Request::createFromGlobals()->server->get('REQUEST_TIME')),
             $this->configuration->getDb()->escape((string) ($this->data['display_name'] ?? '')),
             $this->configuration->getDb()->escape((string) ($this->data['email'] ?? '')),
-            $this->configuration->getDb()->escape((string) ($this->data['keycloak_sub'] ?? '')),
+            $keycloakSubValue,
             $this->data['is_visible'] ?? 0,
             $this->data['twofactor_enabled'] ?? 0,
             $this->data['secret'] ?? '',

tests/phpMyFAQ/Auth/AuthKeycloakTest.php

@@ -47,6 +47,7 @@ public function testCheckCredentialsSynchronizesGroupsForExistingUserWhenEnabled
                 'keycloak.groupSyncOnLogin' => 'true',
                 'keycloak.groupMapping' => '{"manage-users":"Administrators","faq-editors":"faq-editors"}',
                 'keycloak.clientId' => 'phpmyfaq',
+                'security.permLevel' => 'medium',
                 default => null,
             });
         $configuration->method('getLogger')->willReturn($this->createMock(Logger::class));
@@ -125,7 +126,8 @@ public function testCheckCredentialsAutoProvisionsUserWhenEnabled(): void
                 'display_name' => 'John Doe',
                 'email' => 'john@example.com',
                 'keycloak_sub' => 'subject-123',
-            ]);
+            ])
+            ->willReturn(true);
 
         $auth = new AuthKeycloak(
             $configuration,
@@ -169,7 +171,8 @@ public function testCreateAssignsMappedGroupsFromKeycloakRoles(): void
                 'display_name' => 'John Doe',
                 'email' => 'john@example.com',
                 'keycloak_sub' => 'subject-123',
-            ]);
+            ])
+            ->willReturn(true);
         $user->expects($this->once())->method('getUserId')->willReturn(42);
 
         $permission = $this->createMock(MediumPermission::class);
@@ -230,7 +233,7 @@ public function testCreateSynchronizesMappedGroupsWhenEnabled(): void
         $user->expects($this->once())->method('createUser')->with('john', '', '')->willReturn(true);
         $user->expects($this->once())->method('setStatus')->with('active');
         $user->expects($this->once())->method('setAuthSource')->with(AuthenticationSourceType::AUTH_KEYCLOAK->value);
-        $user->expects($this->once())->method('setUserData');
+        $user->expects($this->once())->method('setUserData')->willReturn(true);
         $user->expects($this->once())->method('getUserId')->willReturn(42);
 
         $permission = $this->createMock(MediumPermission::class);

tests/phpMyFAQ/Functional/ControllerWebTestCase.php

@@ -118,7 +118,7 @@ private function normalizeConfigurationValue(mixed $value): string
         }
 
         if (is_array($value)) {
-            return (string) json_encode($value);
+            return json_encode($value, JSON_THROW_ON_ERROR);
         }
 
         return (string) $value;