| author | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2026-02-10 13:30:29 +0100 |
|---|---|---|
| committer | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2026-02-10 13:30:29 +0100 |
| commit | 85aeda74a7a5761c30bb16cdf84199689b934b7f (patch) | |
| tree | 7b1defcc4b5be2a2f4c137b3e20070dd5b86aa2b | |
| parent | e08d2d6e3f0c646d93ae39203962dfc7da512294 (diff) | |
store auth plugin name and additional values in session, implement for oidc and enable post logout redirect uri, fixes #5680
Closes #5680
Merge request studip/studip!4310
| -rw-r--r-- | app/controllers/login.php | 5 | ||||
| -rw-r--r-- | app/controllers/logout.php | 13 | ||||
| -rw-r--r-- | config/config_defaults.inc.php | 45 | ||||
| -rw-r--r-- | lib/authentication/Manager.php | 29 | ||||
| -rw-r--r-- | lib/classes/auth_plugins/StudipAuthAbstract.php | 34 | ||||
| -rw-r--r-- | lib/classes/auth_plugins/StudipAuthOIDC.php | 17 |
6 files changed, 109 insertions, 34 deletions
diff --git a/app/controllers/login.php b/app/controllers/login.php
index 9da3a19..af8f3bd 100644
--- a/app/controllers/login.php
+++ b/app/controllers/login.php
@@ -81,7 +81,10 @@ class LoginController extends AuthenticatedController
 $this->redirect('login/activate_email', ['uid' => $uid]);
 return;
 } else {
- auth()->setAuthenticatedUser($check_auth['user']);
+ auth()->setAuthenticatedUser(
+ $check_auth['user'],
+ ['auth_plugin' => 'standard']
+ );
 Metrics::increment('core.login.succeeded');
 sess()->regenerateId(\Studip\Authentication\Manager::DEFAULT_KEPT_SESSION_VARIABLES);
 $this->redirect('start/index');
diff --git a/app/controllers/logout.php b/app/controllers/logout.php
index 3c641de..cf0409d 100644
--- a/app/controllers/logout.php
+++ b/app/controllers/logout.php
@@ -29,8 +29,9 @@ class LogoutController extends AuthenticatedController
 return;
 }
- if ($GLOBALS['user']->id !== 'nobody') {
- $my_messaging_settings = $GLOBALS['user']->cfg->MESSAGING_SETTINGS;
+ $user = User::findCurrent();
+ if ($user) {
+ $my_messaging_settings = $user->getConfiguration()->getValue('MESSAGING_SETTINGS');
 //Wenn Option dafuer gewaehlt, alle ungelsesenen Nachrichten als gelesen speichern
 if (!empty($my_messaging_settings['logout_markreaded'])) {
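Review bot: The plugin name passed as `['auth_plugin' => 'standard']` is a bare string literal that logout.php (same commit) reads back through `auth()->getSessionVariable('auth_plugin')` and hands to `StudipAuthAbstract::getInstance()`, so a typo at either site would silently fall through to the `$user->auth_plugin` fallback instead of failing. A named constant next to `DEFAULT_KEPT_SESSION_VARIABLES`, e.g. `public const STANDARD_AUTH_PLUGIN = 'standard';` on Manager, used here as `['auth_plugin' => \Studip\Authentication\Manager::STANDARD_AUTH_PLUGIN]`, keeps the two sites in step. The `sess()->regenerateId(...)` call on the following line presumably carries the `auth` entry across the id change, otherwise the value written here would not survive to logout; worth confirming. The enclosing method continues outside the hunk.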
@@ -38,15 +39,17 @@ class LogoutController extends AuthenticatedController
 }
 $_language = $_SESSION['_language'];
- $contrast = UserConfig::get($GLOBALS['user']->id)->USER_HIGH_CONTRAST;
+ $contrast = $user->getConfiguration()->getValue('USER_HIGH_CONTRAST');
 // Get auth plugin of user before logging out since the $auth object will
 // be modified by the logout
- $auth_plugin = StudipAuthAbstract::getInstance($GLOBALS['user']->auth_plugin);
+ $used_auth_plugin = auth()->getSessionVariable('auth_plugin') ?? $user->auth_plugin;
+ $auth_plugin = StudipAuthAbstract::getInstance($used_auth_plugin);
 sess()->destroy();
+
 //Session changed zuruecksetzen
- $timeout=(time()-(15 * 60));
+ $timeout = strtotime('-15 minutes');
 $GLOBALS['user']->set_last_action($timeout);
 // Perform logout from auth plugin (if possible)
diff --git a/config/config_defaults.inc.php b/config/config_defaults.inc.php
index 1d90050..a550c5b 100644
--- a/config/config_defaults.inc.php
+++ b/config/config_defaults.inc.php
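Review bot: `$user` is dereferenced unconditionally in `$contrast = $user->getConfiguration()->getValue('USER_HIGH_CONTRAST');` and in the `?? $user->auth_plugin` fallback, although the previous hunk guards the same variable with `if ($user)`, i.e. `User::findCurrent()` is expected to return null. If the `}` that opens this hunk closes that guard, a logout request without a resolvable user now fails with a fatal error before `sess()->destroy()` runs, which is a worse outcome for a logout than the old `UserConfig::get($GLOBALS['user']->id)` path. `$user?->getConfiguration()?->getValue('USER_HIGH_CONTRAST')` and `?? $user?->auth_plugin` keep that path alive; resolving the plugin from the session before `destroy()` is otherwise the right order. The action's body continues outside the hunk.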
@@ -259,29 +259,32 @@ $STUDIP_AUTH_CONFIG_CAS = array("host" => "cas.studip.de",
 //example of OpenID Connect
 $STUDIP_AUTH_CONFIG_GOOGLE = [
- 'provider_url' => 'https://accounts.google.com',
- 'client_id' => '',
- 'client_secret' => '',
- 'plugin_class' => 'StudipAuthOIDC',
- 'plugin_name' => 'google',
- 'domain' => 'google',
- 'plugin_fullname' => 'Google',
- 'login_description' => 'Login with Google',
- 'ssl_options' => ['certPath' => null, 'verifyPeer' => true, 'verifyHost' => true],
- 'user_data_mapping' => [
- 'auth_user_md5.username' => ['callback' => 'dummy', 'map_args' => ''],
- 'auth_user_md5.password' => ['callback' => 'dummy', 'map_args' => ''],
- 'auth_user_md5.Email' => ['callback' => 'getUserData', 'map_args' => 'email'],
- 'auth_user_md5.Nachname' => ['callback' => 'getUserData', 'map_args' => 'family_name'],
- 'auth_user_md5.Vorname' => ['callback' => 'getUserData', 'map_args' => 'given_name']
- ],
+ 'provider_url' => 'https://accounts.google.com',
+ 'client_id' => '',
+ 'client_secret' => '',
+ 'plugin_class' => 'StudipAuthOIDC',
+ 'plugin_name' => 'google',
+ 'domain' => 'google',
+ 'plugin_fullname' => 'Google',
+ 'login_description' => 'Login with Google',
+ 'ssl_options' => ['certPath' => null, 'verifyPeer' => true, 'verifyHost' => true],
+ 'user_data_mapping' => [
+ 'auth_user_md5.username' => ['callback' => 'dummy', 'map_args' => ''],
+ 'auth_user_md5.password' => ['callback' => 'dummy', 'map_args' => ''],
+ 'auth_user_md5.Email' => ['callback' => 'getUserData', 'map_args' => 'email'],
+ 'auth_user_md5.Nachname' => ['callback' => 'getUserData', 'map_args' => 'family_name'],
+ 'auth_user_md5.Vorname' => ['callback' => 'getUserData', 'map_args' => 'given_name']
+ ],
- // Enable the next line to allow setting your own scopes
- // 'scopes' => [],
+ // Enable the next line to allow setting your own scopes
+ // 'scopes' => [],
- // Enable the next line to set a custom redirect uri
- // 'redirect_uri' => '',
- ];
+ // Enable the next line to set a custom redirect uri
+ // 'redirect_uri' => '',
+
+ // Enable the next line to set a custom post logout redirect uri
+ // 'logout_redirect_uri' => '',
+];
 $STUDIP_AUTH_CONFIG_LTI = [
 'consumer_keys' => [
diff --git a/lib/authentication/Manager.php b/lib/authentication/Manager.php
index 4267de4..3514afe 100644
--- a/lib/authentication/Manager.php
+++ b/lib/authentication/Manager.php
@@ -52,7 +52,6 @@ class Manager
 $this->nobody = $allow_nobody;
 }
-
 public function start(): bool
 {
 $this->auth =& $_SESSION['auth'];
@@ -81,7 +80,7 @@ class Manager
 }
 Metrics::increment('core.sso_login.succeeded');
- $this->setAuthenticatedUser($user);
+ $this->setAuthenticatedUser($user, $authplugin->getKeptVariables());
 sess()->regenerateId(self::DEFAULT_KEPT_SESSION_VARIABLES);
 } else {
 PageLayout::postMessage(
@@ -122,7 +121,7 @@ class Manager
 //check if the user got kicked meanwhile, or if user is locked out
 $user = null;
- if (!empty($this->auth['uid']) && $this->auth['uid'] != 'nobody') {
+ if (!empty($this->auth['uid']) && $this->auth['uid'] !== 'nobody') {
 if (isset($GLOBALS['user']) && $GLOBALS['user']->id === $this->auth['uid']) {
 $user = User::findCurrent();
 } else {
@@ -141,10 +140,21 @@ class Manager
 return $this->auth['uid'] ?? false;
 }
- public function setAuthenticatedUser(User $user): void
+ /**
+ * Sets the authenticated user and initializes global user and permission
+ * objects.
+ *
+ * @param User $user The user object representing the authenticated user.
+ * @param array $additional Additional key-value data to store in the authentication context.
+ */
+ public function setAuthenticatedUser(User $user, array $additional = []): void
 {
 $this->auth['uid'] = $user->id;
+ foreach ($additional as $key => $value) {
+ $this->auth[$key] = $value;
+ }
+
 $GLOBALS['user'] = new Seminar_User($user);
 $GLOBALS['perm'] = new Seminar_Perm();
 }
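Review bot: In `setAuthenticatedUser`, the `foreach` over `$additional` runs after `$this->auth['uid'] = $user->id;`, so any caller passing a `'uid'` key silently replaces the authenticated identity stored in the session. Both callers in this commit pass server-controlled arrays (`['auth_plugin' => 'standard']` and `$authplugin->getKeptVariables()`), but the method is public and the new docblock says nothing about reserved keys. Writing the uid last, `foreach ($additional as $key => $value) { $this->auth[$key] = $value; } $this->auth['uid'] = $user->id;`, or rejecting `isset($additional['uid'])` with an `InvalidArgumentException`, makes the invariant explicit instead of depending on call-site discipline. The `@param array $additional` line would also benefit from `array<string, mixed>` and a sentence stating that the values live in `$_SESSION['auth']` until the session is destroyed, since plugins may put token material there.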
@@ -179,4 +189,15 @@ class Manager
 ->setBodyText($mailbody ?? '')
 ->send();
 }
+
+ /**
+ * Retrieves a session variable from the authentication context by its name.
+ *
+ * @param string $name The name of the session variable to retrieve
+ * @return mixed The value of the session variable, or null if it does not exist.
+ */
+ public function getSessionVariable(string $name): mixed
+ {
+ return $this->auth[$name] ?? null;
+ }
 }
diff --git a/lib/classes/auth_plugins/StudipAuthAbstract.php b/lib/classes/auth_plugins/StudipAuthAbstract.php
index c4f9c73..4859ae6 100644
--- a/lib/classes/auth_plugins/StudipAuthAbstract.php
+++ b/lib/classes/auth_plugins/StudipAuthAbstract.php
@@ -108,6 +108,8 @@ class StudipAuthAbstract
 private $config_data = [];
+ private array $kept_variables = [];
+
 /**
 * static method to instantiate and retrieve a reference to an object (singleton)
 *
@@ -327,12 +329,22 @@ class StudipAuthAbstract
 //get configuration array set in local inc
 if (empty($config)) {
 $this->plugin_name = strtolower(substr(get_class($this), 10));
- $config = $GLOBALS['STUDIP_AUTH_CONFIG_' . strtoupper($this->plugin_name)];
+ $config = $GLOBALS['STUDIP_AUTH_CONFIG_' . strtoupper($this->plugin_name)] ?? [];
 }
 //assign each key in the config array as a member of the plugin object
 foreach ($config as $key => $value) {
 $this->$key = $value;
 }
+
+ // Store variables in this instance
+ // This is needed for the logout where we cannot obtain these variables
+ // from the session since it is destroyed before the auth's logout is
+ // called
+ $this->kept_variables = array_diff_key(
+ $_SESSION['auth'] ?? [],
+ $this->getKeptVariables()
+
+ );
 }
 /**
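Review bot: `array_diff_key($_SESSION['auth'] ?? [], $this->getKeptVariables())` retains every session entry whose key is *not* among the plugin's kept variables, which is the opposite of what the comment above it describes, and it also sweeps `uid` and any other `auth` entry into the plugin singleton. It only appears to work for OIDC because `getKeptVariables()` adds `id_token` solely while `getClient()->getIdToken()` is non-empty, which at logout time it presumably is not; as soon as the client does hold a token during construction, `id_token` is the one key that gets filtered out. The key set should be static rather than derived from live client state, e.g. a `getKeptVariableNames(): array` returning `['auth_plugin', 'id_token']` in OIDC, with `$this->kept_variables = array_intersect_key($_SESSION['auth'] ?? [], array_flip($this->getKeptVariableNames()));` here; the stray empty line before `);` should go as well. `getKeptVariables()` is also a virtual call from the constructor, so an override runs before any subclass constructor completes; if a subclass defines one, that deserves a comment.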
@@ -592,4 +604,24 @@ class StudipAuthAbstract
 {
 unset($this->config_data[$offset]);
 }
+
+ /**
+ * This method returns an associative array containing specific
+ * variables relevant to the current instance.
+ */
+ public function getKeptVariables(): array
+ {
+ return [
+ 'auth_plugin' => $this->plugin_name,
+ ];
+ }
+
+ /**
+ * Returns a variable that was previously kept. Returns null if no content
+ * could be found.
+ */
+ public function getKeptVariable(string $key): mixed
+ {
+ return $this->kept_variables[$key] ?? null;
+ }
 }
diff --git a/lib/classes/auth_plugins/StudipAuthOIDC.php b/lib/classes/auth_plugins/StudipAuthOIDC.php
index 153bd43..e2b9723 100644
--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -36,6 +36,8 @@ class StudipAuthOIDC extends StudipAuthSSO
 public ?string $redirect_uri = null;
+ public ?string $logout_redirect_uri = null;
+
 /**
 * @var string[]
 */
@@ -132,8 +134,19 @@ class StudipAuthOIDC extends StudipAuthSSO
 public function logout(): void
 {
 $this->getClient()->signOut(
- $this->getClient()->getIdToken(),
- null
+ $this->getKeptVariable('id_token') ?? '',
+ $this->logout_redirect_uri
 );
 }
+
+ public function getKeptVariables(): array
+ {
+ $variables = parent::getKeptVariables();
+
+ if ($this->getClient()->getIdToken()) {
+ $variables['id_token'] = $this->getClient()->getIdToken();
+ }
+
+ return $variables;
+ }
 }
|
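Review bot: The docblock on `getKeptVariables()` does not say what the array is for or when it is consulted, which is the one thing a plugin author overriding it needs to know: the values are written into `$_SESSION['auth']` by `Manager::setAuthenticatedUser()` at login and read back into `$kept_variables` when the plugin is instantiated, so that `logout()` can still use them after `sess()->destroy()`. Suggest replacing the two sentences with one that states that lifecycle, adds `@return array<string, mixed>`, and warns that anything returned here is persisted in the server-side session for the whole login, so only data needed at logout (such as an ID token used as a logout hint) belongs in it. On `getKeptVariable()`, `Returns null if no content could be found` should mention that a stored null is indistinguishable from an absent key, and `@param string $key` / `@return mixed` are missing.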
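Review bot: `$this->getKeptVariable('id_token') ?? ''` hands an empty string to `signOut()` whenever no token was kept, for instance a session established before this change was deployed; whether the client then sends an empty `id_token_hint=` or omits the parameter depends on how `signOut()` treats `''` versus the `null` that the old first argument could already carry, so either pass the value through unchanged or skip the provider sign-out when the token is missing. In `getKeptVariables()`, `$this->getClient()->getIdToken()` is evaluated twice; `if ($idToken = $this->getClient()->getIdToken()) { $variables['id_token'] = $idToken; }` reads better and avoids a second client call. The new `logout_redirect_uri` is forwarded to the provider as the post-logout target, which providers only honour when it is registered for the client; a sentence saying so in the `config_defaults.inc.php` comment would save operators a debugging round.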
