Fixes issue where certain errors would not show to the user
due to extra navigation jumps which lost the error message
in the process.
This simplifies and aligns exceptions with more directly
handled exception usage at the controller level.
Fixes #3264
--- /dev/null
+<?php
+
+namespace BookStack\Auth\Access\Oidc;
+
+use Exception;
+
+class OidcException extends Exception {}
namespace BookStack\Auth\Access\Oidc;
namespace BookStack\Auth\Access\Oidc;
-class OidcIssuerDiscoveryException extends \Exception
-{
-}
+use Exception;
+
+class OidcIssuerDiscoveryException extends Exception {}
namespace BookStack\Auth\Access\Oidc;
namespace BookStack\Auth\Access\Oidc;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\RegistrationService;
use BookStack\Auth\User;
use BookStack\Exceptions\JsonDebugException;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\RegistrationService;
use BookStack\Auth\User;
use BookStack\Exceptions\JsonDebugException;
-use BookStack\Exceptions\OpenIdConnectException;
use BookStack\Exceptions\StoppedAuthenticationException;
use BookStack\Exceptions\UserRegistrationException;
use BookStack\Exceptions\StoppedAuthenticationException;
use BookStack\Exceptions\UserRegistrationException;
-use function config;
-use Exception;
use Illuminate\Support\Facades\Cache;
use League\OAuth2\Client\OptionProvider\HttpBasicAuthOptionProvider;
use Illuminate\Support\Facades\Cache;
use League\OAuth2\Client\OptionProvider\HttpBasicAuthOptionProvider;
-use Psr\Http\Client\ClientExceptionInterface;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use Psr\Http\Client\ClientInterface as HttpClient;
use Psr\Http\Client\ClientInterface as HttpClient;
+use function auth;
+use function config;
use function trans;
use function url;
use function trans;
use function url;
- protected $registrationService;
- protected $loginService;
- protected $httpClient;
+ protected RegistrationService $registrationService;
+ protected LoginService $loginService;
+ protected HttpClient $httpClient;
/**
* OpenIdService constructor.
/**
* OpenIdService constructor.
* Initiate an authorization flow.
*
* @return array{url: string, state: string}
* Initiate an authorization flow.
*
* @return array{url: string, state: string}
+ * @throws OidcException
*/
public function login(): array
{
*/
public function login(): array
{
/**
* Process the Authorization response from the authorization server and
/**
* Process the Authorization response from the authorization server and
- * return the matching, or new if registration active, user matched to
- * the authorization server.
- * Returns null if not authenticated.
+ * return the matching, or new if registration active, user matched to the
+ * authorization server. Throws if the user cannot be auth if not authenticated.
- * @throws Exception
- * @throws ClientExceptionInterface
+ * @throws JsonDebugException
+ * @throws OidcException
+ * @throws StoppedAuthenticationException
+ * @throws IdentityProviderException
- public function processAuthorizeResponse(?string $authorizationCode): ?User
+ public function processAuthorizeResponse(?string $authorizationCode): User
{
$settings = $this->getProviderSettings();
$provider = $this->getProvider($settings);
{
$settings = $this->getProviderSettings();
$provider = $this->getProvider($settings);
return $this->processAccessTokenCallback($accessToken, $settings);
}
return $this->processAccessTokenCallback($accessToken, $settings);
}
- * @throws OidcIssuerDiscoveryException
- * @throws ClientExceptionInterface
+ * @throws OidcException
*/
protected function getProviderSettings(): OidcProviderSettings
{
*/
protected function getProviderSettings(): OidcProviderSettings
{
// Run discovery
if ($config['discover'] ?? false) {
// Run discovery
if ($config['discover'] ?? false) {
- $settings->discoverFromIssuer($this->httpClient, Cache::store(null), 15);
+ try {
+ $settings->discoverFromIssuer($this->httpClient, Cache::store(null), 15);
+ } catch (OidcIssuerDiscoveryException $exception) {
+ throw new OidcException('OIDC Discovery Error: ' . $exception->getMessage());
+ }
* Processes a received access token for a user. Login the user when
* they exist, optionally registering them automatically.
*
* Processes a received access token for a user. Login the user when
* they exist, optionally registering them automatically.
*
- * @throws OpenIdConnectException
+ * @throws OidcException
* @throws JsonDebugException
* @throws JsonDebugException
- * @throws UserRegistrationException
* @throws StoppedAuthenticationException
*/
protected function processAccessTokenCallback(OidcAccessToken $accessToken, OidcProviderSettings $settings): User
* @throws StoppedAuthenticationException
*/
protected function processAccessTokenCallback(OidcAccessToken $accessToken, OidcProviderSettings $settings): User
try {
$idToken->validate($settings->clientId);
} catch (OidcInvalidTokenException $exception) {
try {
$idToken->validate($settings->clientId);
} catch (OidcInvalidTokenException $exception) {
- throw new OpenIdConnectException("ID token validate failed with error: {$exception->getMessage()}");
+ throw new OidcException("ID token validate failed with error: {$exception->getMessage()}");
}
$userDetails = $this->getUserDetails($idToken);
$isLoggedIn = auth()->check();
if (empty($userDetails['email'])) {
}
$userDetails = $this->getUserDetails($idToken);
$isLoggedIn = auth()->check();
if (empty($userDetails['email'])) {
- throw new OpenIdConnectException(trans('errors.oidc_no_email_address'));
+ throw new OidcException(trans('errors.oidc_no_email_address'));
- throw new OpenIdConnectException(trans('errors.oidc_already_logged_in'), '/login');
+ throw new OidcException(trans('errors.oidc_already_logged_in'));
- $user = $this->registrationService->findOrRegister(
- $userDetails['name'],
- $userDetails['email'],
- $userDetails['external_id']
- );
-
- if ($user === null) {
- throw new OpenIdConnectException(trans('errors.oidc_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
+ try {
+ $user = $this->registrationService->findOrRegister(
+ $userDetails['name'],
+ $userDetails['email'],
+ $userDetails['external_id']
+ );
+ } catch (UserRegistrationException $exception) {
+ throw new OidcException($exception->getMessage());
}
$this->loginService->login($user, 'oidc');
}
$this->loginService->login($user, 'oidc');
namespace BookStack\Exceptions;
use Exception;
namespace BookStack\Exceptions;
use Exception;
+use Illuminate\Http\JsonResponse;
class JsonDebugException extends Exception
{
class JsonDebugException extends Exception
{
/**
* JsonDebugException constructor.
*/
/**
* JsonDebugException constructor.
*/
- public function __construct($data)
+ public function __construct(array $data)
}
/**
* Covert this exception into a response.
*/
}
/**
* Covert this exception into a response.
*/
- public function render()
+ public function render(): JsonResponse
{
return response()->json($this->data);
}
{
return response()->json($this->data);
}
public $redirectLocation;
protected $status;
public $redirectLocation;
protected $status;
- /**
- * NotifyException constructor.
- */
public function __construct(string $message, string $redirectLocation = '/', int $status = 500)
{
$this->message = $message;
public function __construct(string $message, string $redirectLocation = '/', int $status = 500)
{
$this->message = $message;
+++ /dev/null
-<?php
-
-namespace BookStack\Exceptions;
-
-class OpenIdConnectException extends NotifyException
-{
-}
namespace BookStack\Http\Controllers\Auth;
use BookStack\Auth\Access\Oidc\OidcService;
namespace BookStack\Http\Controllers\Auth;
use BookStack\Auth\Access\Oidc\OidcService;
+use BookStack\Auth\Access\Oidc\OidcException;
use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request;
class OidcController extends Controller
{
use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request;
class OidcController extends Controller
{
- protected $oidcService;
+ protected OidcService $oidcService;
/**
* OpenIdController constructor.
/**
* OpenIdController constructor.
*/
public function login()
{
*/
public function login()
{
- $loginDetails = $this->oidcService->login();
+ try {
+ $loginDetails = $this->oidcService->login();
+ } catch (OidcException $exception) {
+ $this->showErrorNotification($exception->getMessage());
+ return redirect('/login');
+ }
+
session()->flash('oidc_state', $loginDetails['state']);
return redirect($loginDetails['url']);
session()->flash('oidc_state', $loginDetails['state']);
return redirect($loginDetails['url']);
return redirect('/login');
}
return redirect('/login');
}
- $this->oidcService->processAuthorizeResponse($request->query('code'));
+ try {
+ $this->oidcService->processAuthorizeResponse($request->query('code'));
+ } catch (OidcException $oidcException) {
+ $this->showErrorNotification($oidcException->getMessage());
+ return redirect('/login');
+ }
return redirect()->intended();
}
return redirect()->intended();
}
use BookStack\Auth\User;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
use BookStack\Auth\User;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
-use Illuminate\Filesystem\Cache;
use Tests\Helpers\OidcJwtHelper;
use Tests\TestCase;
use Tests\TestResponse;
class OidcTest extends TestCase
{
use Tests\Helpers\OidcJwtHelper;
use Tests\TestCase;
use Tests\TestResponse;
class OidcTest extends TestCase
{
- protected $keyFilePath;
+ protected string $keyFilePath;
protected $keyFile;
protected function setUp(): void
protected $keyFile;
protected function setUp(): void
$this->assertFalse(auth()->check());
$this->assertFalse(auth()->check());
+ $resp = $this->runLogin([
'email' => $editor->email,
'sub' => 'benny505',
]);
'email' => $editor->email,
'sub' => 'benny505',
]);
+ $resp = $this->followRedirects($resp);
- $this->assertSessionError('A user with the email ' . $editor->email . ' already exists but with different credentials.');
+ $resp->assertSeeText('A user with the email ' . $editor->email . ' already exists but with different credentials.');
$this->assertFalse(auth()->check());
}
public function test_auth_login_with_invalid_token_fails()
{
$this->assertFalse(auth()->check());
}
public function test_auth_login_with_invalid_token_fails()
{
+ $resp = $this->runLogin([
+ $resp = $this->followRedirects($resp);
- $this->assertSessionError('ID token validate failed with error: Missing token subject value');
+ $resp->assertSeeText('ID token validate failed with error: Missing token subject value');
$this->assertFalse(auth()->check());
}
$this->assertFalse(auth()->check());
}
new Response(404, [], 'Not found'),
]);
new Response(404, [], 'Not found'),
]);
+ $resp = $this->followRedirects($this->runLogin());
$this->assertFalse(auth()->check());
$this->assertFalse(auth()->check());
- $this->assertSessionError('Login using SingleSignOn-Testing failed, system did not provide successful authorization');
+ $resp->assertSeeText('Login using SingleSignOn-Testing failed, system did not provide successful authorization');
}
public function test_autodiscovery_calls_are_cached()
}
public function test_autodiscovery_calls_are_cached()
projects / bookstack / commitdiff