
Add some comment for CAS server

This commit is contained in:
Josué Tille 2020-03-31 11:27:02 +02:00
parent 91aafe7d42
commit 5709265a5a
No known key found for this signature in database
GPG key ID: 716A6C99B04194EF


@ -1,15 +1,31 @@
<?php <?php
$base_url = "/_matrix/cas_server.php"; /*
This is simple implementation of a CAS server to provide a SSO with synapse and Riot
The authentication mecanisme is documented here: https://matrix.org/docs/spec/client_server/latest#sso-client-login
Note that it's not a full implementation of a CAS server, but just the minimum to work with synapse and Riot.
Mainly this CAS server will:
1. Authenticate the user from the authentication header from ssowat
2. Save the user authentication data in a php session
3. Redirect the user to the homeserver (synapse)
4. Answer to the homeserver if the user with a specific ticket number is authenticated and give his username.
*/
// Get the URL of the request
$base_url = "/_matrix/cas_server.php";
$url = explode('?', $_SERVER['REQUEST_URI'], 2)[0]; $url = explode('?', $_SERVER['REQUEST_URI'], 2)[0];
switch ($url) { switch ($url) {
// Request from the homeserver (synapse)
case $base_url . "/proxyValidate": case $base_url . "/proxyValidate":
// Get the session created by the client request
session_id($_GET['ticket']); session_id($_GET['ticket']);
session_start(); session_start();
// Check if this user was cleanly authenticated
if ($_SESSION['user_authenticated']) { if ($_SESSION['user_authenticated']) {
// Give the authentication information to the server
?> ?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess> <cas:authenticationSuccess>
@ -29,11 +45,17 @@ switch ($url) {
} }
break; break;
// First request from the client
case $base_url . "/login": case $base_url . "/login":
// Generate a random number ticket which will be used by the client to authenticate to the server
$ticket = bin2hex(random_bytes(50)); $ticket = bin2hex(random_bytes(50));
// Use the Ticket number as the session ID.
// This give the possiblity in the next request from the server to to find this session and the information related to.
session_id($ticket); session_id($ticket);
session_start(); session_start();
// If the user is authenticated by ssowat save the username and set it as cleanly authenticated
if (array_key_exists('REMOTE_USER', $_SERVER) && strlen($_SERVER['REMOTE_USER']) > 0) { if (array_key_exists('REMOTE_USER', $_SERVER) && strlen($_SERVER['REMOTE_USER']) > 0) {
$_SESSION['user_authenticated'] = true; $_SESSION['user_authenticated'] = true;
$_SESSION['user'] = $_SERVER['REMOTE_USER']; $_SESSION['user'] = $_SERVER['REMOTE_USER'];
@ -47,7 +69,6 @@ switch ($url) {
break; break;
case $base_url: case $base_url:
header('Status: 302 Moved Temporarily', false, 302); header('Status: 302 Moved Temporarily', false, 302);
header('Location: ' . $_GET['redirectUrl']); header('Location: ' . $_GET['redirectUrl']);
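Review bot: The new comment in the proxyValidate case, "Check if this user was cleanly authenticated", describes `if ($_SESSION['user_authenticated'])` as the rejection point, but that line reads the key unguarded: when the ticket in `$_GET['ticket']` does not match an existing session, session_start() appears to open a fresh empty one, so the read raises an undefined-index notice instead of a clean "not authenticated" result. I would make the guard explicit, `if (isset($_SESSION['user_authenticated']) && $_SESSION['user_authenticated'] === true) {`, and extend the comment to say that an unknown ticket yields an empty session and must be treated as unauthenticated; the same assumption belongs on the "Get the session created by the client request" comment above `session_id($_GET['ticket'])`. The new header comment also has a few typos worth fixing while it is being added: "This is a simple implementation", "mechanism", and in the login case "possibility" and a doubled "to to". The switch these hunks sit in opens at the top of the first hunk and closes outside the section.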