Varied fixes and additions

Plugin.php

@@ -7,12 +7,12 @@
 use Backend\Models\UserRole;
 use Config;
 use Event;
-use Lang;
 use Laravel\Socialite\Facades\Socialite;
 use Laravel\Socialite\SocialiteServiceProvider;
+use Request;
+use Session;
 use System\Classes\PluginBase;
 use System\Classes\SettingsManager;
-use Url;
 use View;
 
 /**
@@ -52,6 +52,11 @@ public function registerPermissions(): array
                 'tab' => 'winter.sso::lang.plugin.name',
                 'roles' => [UserRole::CODE_DEVELOPER],
             ],
+            'winter.sso.view_providers' => [
+                'label' => 'winter.sso::lang.permissions.view_providers',
+                'tab' => 'winter.sso::lang.plugin.name',
+                'roles' => [UserRole::CODE_DEVELOPER],
+            ],
         ];
     }
 
@@ -69,6 +74,14 @@ public function registerSettings(): array
                 'permissions' => ['winter.sso.view_logs'],
                 'category'    => SettingsManager::CATEGORY_LOGS,
             ],
+            'providers' => [
+                'label'       => 'winter.sso::lang.models.provider.label_plural',
+                'description' => 'winter.sso::lang.models.provider.menu_description',
+                'icon'        => 'icon-openid',
+                'url'         => Backend::url('winter/sso/providers'),
+                'permissions' => ['winter.sso.view_providers'],
+                'category'    => SettingsManager::CATEGORY_SYSTEM,
+            ],
         ];
     }
 
@@ -86,15 +99,23 @@ public function register(): void
      */
     protected function forceEmailLogin(): void
     {
-        User::$loginAttribute = 'email';
+        // only do this for the sso callback route, still allow username login for regular signin
+        if (str_starts_with(Request::url(), Backend::url('winter/sso/handle/callback/'))) {
+            User::$loginAttribute = 'email';
+        }
         User::extend(function ($model) {
-            $model->addDynamicMethod('getSsoId', function (string $provider) use ($model) {
-                return $model->metadata['winter.sso'][$provider]['id'] ?? null;
+            $model->addDynamicMethod('getSsoValue', function (string $provider, mixed $key) use ($model) {
+                return $model->metadata['winter.sso'][$provider][$key] ?? null;
             });
-            $model->addDynamicMethod('setSsoId', function (string $provider, string $id) use ($model) {
+            $model->addDynamicMethod('setSsoValues', function (string $provider, array $values, bool $save = false) use ($model) {
                 $metadata = $model->metadata ?? [];
-                $metadata['winter.sso'][$provider]['id'] = $id;
+                foreach ($values as $key => $value) {
+                    $metadata['winter.sso'][$provider][$key] = $value;
+                }
                 $model->metadata = $metadata;
+                if ($save) {
+                    $model->save();
+                }
             });
         });
     }
@@ -142,22 +163,12 @@ protected function extendAuthController(): void
     {
         // Extend the signin view to add the SSO buttons for the enabled providers
         Event::listen('backend.auth.extendSigninView', function ($controller) {
-            $buttonsHtml = '';
-
-            foreach (Config::get('winter.sso::enabled_providers', []) as $provider) {
-                $providerName = Lang::get("winter.sso::lang.providers.$provider");
-                $buttonsHtml .= View::make("winter.sso::buttons.provider", [
-                    'logoUrl' => Url::asset('/plugins/winter/sso/assets/images/providers/' . $provider . '.svg'),
-                    'logoAlt' => Lang::get('winter.sso::lang.provider_btn.alt_text', ['provider' => $providerName]),
-                    'url' => Backend::url('winter/sso/handle/redirect/' . $provider),
-                    'label' => Lang::get('winter.sso::lang.provider_btn.label', ['provider' => $providerName]),
-                ]);
-            }
-
             $controller->addCss('/plugins/winter/sso/assets/dist/css/sso.css', 'Winter.SSO');
 
-            if (!empty($buttonsHtml)) {
-                echo $buttonsHtml;
+            if ($view = View::make("winter.sso::providers", ['providers' => Config::get('winter.sso::enabled_providers', [])])) {
+                // save signin_url to redirect
+                Session::put('signin_url', Request::url());
+                echo $view;
             }
         });
     }

assets/images/providers/linkedin-openid.svg

@@ -0,0 +1 @@
+linkedin.svg

config/config.php

@@ -34,6 +34,7 @@
         // 'gitlab',
         // 'google',
         // 'linkedin',
+        // 'linkedin-openid',
         // 'twitter',
         // 'twitter-oauth-2',
     ],
@@ -112,6 +113,12 @@
             'guzzle' => [],
         ],
 
+        'linkedin-openid' => [
+            'client_id' => env('LINKEDIN_OPENID_CLIENT_ID'),
+            'client_secret' => env('LINKEDIN_OPENID_CLIENT_SECRET'),
+            'guzzle' => [],
+        ],
+
         'linkedin' => [
             'client_id' => env('LINKEDIN_CLIENT_ID'),
             'client_secret' => env('LINKEDIN_CLIENT_SECRET'),

controllers/Handle.php

@@ -3,15 +3,19 @@
 namespace Winter\SSO\Controllers;
 
 use Backend;
+use BackendAuth;
 use Backend\Classes\Controller;
 use Backend\Models\AccessLog;
-use BackendAuth;
 use Config;
+use Event;
 use Exception;
 use Flash;
 use Illuminate\Http\RedirectResponse;
+use Laravel\Socialite\Two\InvalidStateException;
+use Laravel\Socialite\Two\User as SocialiteUser;
 use Redirect;
 use Request;
+use Session;
 use Socialite;
 use System\Classes\UpdateManager;
 use Winter\SSO\Models\Log;
@@ -49,23 +53,47 @@ public function __construct()
         $this->enabledProviders = Config::get('winter.sso::enabled_providers', []);
     }
 
+    /**
+     * Returns the $authManager property.
+     */
+    public function getAuthManager() : AuthManager
+    {
+        return $this->authManager;
+    }
+
     /**
      * Processes a callback from the SSO provider
-     * @throws HttpException if the provider is not enabled
-     * @throws HttpException if the user cannot be found
+     * Redirect back to signin form on errors with Flash message.
      */
     public function callback(string $provider): RedirectResponse
     {
         if (!in_array($provider, $this->enabledProviders)) {
-            abort(404);
+            Flash::error(trans('winter.sso::lang.messages.inactive_provider'));
+            return $this->redirectToSignInPage();
+        }
+
+        if (!Request::input('code')) {
+            $error = sprintf("%s: %s", Request::input('error'), Request::input('error_description'));
+            Flash::error($error);
+            return $this->redirectToSignInPage();
         }
 
         // @TODO: Login or register the user / provide an event for plugins to handle
         // user registration themselves. Would like plugin to be able to handle frontend
         // or backend or even both. If event is used follow naming conventions from in progress
         // issues
-
-        $ssoUser = Socialite::driver($provider)->user();
+        try {
+            $ssoUser = Socialite::driver($provider)->user();
+            if ($signInResult = Event::fire('winter.sso.signin', [$this, $provider, $ssoUser])) {
+                // @TODO: handle event results
+            }
+        } catch (InvalidStateException $e) {
+            Flash::error(trans('winter.sso::lang.messages.invalid_state'));
+            return $this->redirectToSignInPage();
+        } catch (\Exception $e) {
+            Flash::error($e->getMessage());
+            return $this->redirectToSignInPage();
+        }
 
         try {
             // @TODO: Protection against service saying that [email protected] is authenticated
@@ -81,25 +109,39 @@ public function callback(string $provider): RedirectResponse
         }
 
         if (!$user) {
-            // $password = Str::random(400);
-            // $user = $this->authManager->register([
-            //     'email' => $ssoUser->getEmail(),
-            //     'password' => $password,
-            //     'password_confirmation' => $password,
-            //     'name' => $ssoUser->getName(),
-            // ]);
-            // $user->setSsoConfig('allow_password_auth', false);
-            // @TODO: Event here for registering user if desired, default fallback abort behaviour
-            abort(403, 'User not found');
+            Event::listen('winter.sso.register', function ($controller, $provider, $ssoUser) {
+                return;
+                $password = Str::random(400);
+                $user = $controller->getAuthManager()->register([
+                    'email' => $ssoUser->getEmail(),
+                    'password' => $password,
+                    'password_confirmation' => $password,
+                    'name' => $ssoUser->getName(),
+                ]);
+                $user->setSsoValues($provider, ['allow_password_auth' => false]);
+                return $user;
+            });
+            if (Config::get('winter.sso::allow_registration')) {
+                $user = Event::fire('winter.sso.register', [$this, $provider, $ssoUser]);
+            }
+            if (!$user) {
+                Flash::error(trans('winter.sso::lang.messages.user_not_found', ['user' => $ssoUser->getEmail()]));
+                return $this->redirectToSignInPage();
+            }
         }
 
-        if (
-            $ssoUser->getId()
-            && $user->getSsoId($provider) !== $ssoUser->getId()
-        ) {
+        $updates = [];
+        if ($ssoUser->getId() && $user->getSsoValue($provider, 'id') !== $ssoUser->getId()) {
             // @TODO: Check if request / user is allowed to associate this account to this provider's ID
-            $user->setSsoId($provider, $ssoUser->getId());
-            $user->save();
+            $updates['id'] = $ssoUser->getId();
+        }
+
+        if ($ssoUser->token && $user->getSsoValue($provider, 'token') !== $ssoUser->token) {
+            $updates['token'] = $ssoUser->token;
+        }
+
+        if ($updates) {
+            $user->setSsoValues($provider, $updates, save:true);
         }
 
         // Check if the user is allowed to keep a persistent session
@@ -146,21 +188,34 @@ public function callback(string $provider): RedirectResponse
 
     /**
      * Redirects the user to the authentication page of the given provider.
+     * Redirect back to signin form on errors with Flash message.
      */
     public function redirect(string $provider): RedirectResponse
     {
         if (!in_array($provider, $this->enabledProviders)) {
-            abort(404);
+            Flash::error(trans('winter.sso::lang.messages.inactive_provider'));
+            return $this->redirectToSignInPage();
+        }
+
+        $config = Config::get('services.' . $provider, []);
+        if (!isset($config['client_id'])) {
+            Flash::error(trans('winter.sso::lang.messages.misconfigured_provider'));
+            return $this->redirectToSignInPage();
         }
 
         if ($this->authManager->getUser()) {
             // @TODO:
             // - Handle case of user explicitly attaching a SSO provider to their account
-            // - Localization
-            Flash::error("You are already logged in. Please log out first.");
-            return Redirect::back();
+            Flash::error(trans('winter.sso::lang.messages.already_logged_in'));
+            return Backend::redirect('backend');
         }
 
-        return Socialite::driver($provider)->redirect();
+        return Socialite::driver($provider)->scopes($config['scopes'] ?? [])->redirect();
+    }
+
+    public function redirectToSignInPage()
+    {
+        $signin_url = Session::pull('signin_url', Backend::url('backend/auth/signin'));
+        return Redirect::to($signin_url);
     }
 }

controllers/Providers.php

@@ -0,0 +1,27 @@
+<?php namespace Winter\SSO\Controllers;
+
+use BackendMenu;
+use Backend\Classes\Controller;
+
+/**
+ * Providers Backend Controller
+ */
+class Providers extends Controller
+{
+    /**
+     * @var array Behaviors that are implemented by this controller.
+     */
+    public $implement = [
+        \Backend\Behaviors\FormController::class,
+        \Backend\Behaviors\ListController::class,
+    ];
+
+    public $bodyClass = 'compact-container';
+
+    public function __construct()
+    {
+        parent::__construct();
+
+        BackendMenu::setContext('Winter.SSO', 'sso', 'providers');
+    }
+}

controllers/providers/_list_toolbar.php

@@ -0,0 +1,21 @@
+<div data-control="toolbar">
+    <a
+        href="<?= Backend::url('winter/sso/providers/create') ?>"
+        class="btn btn-primary wn-icon-plus">
+        <?= e(trans('backend::lang.form.create_title', ['name' => trans('winter.sso::lang.models.provider.label')])); ?>
+    </a>
+
+    <button
+        class="btn btn-danger wn-icon-trash-o"
+        disabled="disabled"
+        onclick="$(this).data('request-data', { checked: $('.control-list').listWidget('getChecked') })"
+        data-request="onDelete"
+        data-request-confirm="<?= e(trans('backend::lang.list.delete_selected_confirm')); ?>"
+        data-trigger-action="enable"
+        data-trigger=".control-list input[type=checkbox]"
+        data-trigger-condition="checked"
+        data-request-success="$(this).prop('disabled', 'disabled')"
+        data-stripe-load-indicator>
+        <?= e(trans('backend::lang.list.delete_selected')); ?>
+    </button>
+</div>

controllers/providers/config_form.yaml

@@ -0,0 +1,31 @@
+# ===================================
+#  Form Behavior Config
+# ===================================
+
+# Record name
+name: 'winter.sso::lang.models.provider.label'
+
+# Model Form Field configuration
+form: $/winter/sso/models/provider/fields.yaml
+
+# Model Class name
+modelClass: Winter\SSO\Models\Provider
+
+# Default redirect location
+defaultRedirect: winter/sso/providers
+
+# Create page
+create:
+    title: backend::lang.form.create_title
+    redirect: winter/sso/providers/update/:id
+    redirectClose: winter/sso/providers
+
+# Update page
+update:
+    title: backend::lang.form.update_title
+    redirect: winter/sso/providers
+    redirectClose: winter/sso/providers
+
+# Preview page
+preview:
+    title: backend::lang.form.preview_title