dc/d62/microsoft__oauthcallback_8php_source.html

<?php

/* Copyright (C) 2022       Laurent Destailleur  <eldy@users.sourceforge.net>

 * Copyright (C) 2015-2024  Frédéric France      <frederic.france@free.fr>

 * Copyright (C) 2024   MDW             <mdeweerd@users.noreply.github.com>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program. If not, see <https://www.gnu.org/licenses/>.

 */


// Load Dolibarr environment

require '../../../main.inc.php';

require_once DOL_DOCUMENT_ROOT.'/includes/OAuth/bootstrap.php';

use OAuth\Common\Storage\DoliStorage;

use OAuth\Common\Consumer\Credentials;


// Define $urlwithroot

$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));

$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file

//$urlwithroot=DOL_MAIN_URL_ROOT;         // This is to use same domain name than current


$action = GETPOST('action', 'aZ09');

$backtourl = GETPOST('backtourl', 'alpha');

$keyforprovider = GETPOST('keyforprovider', 'aZ09');

if (empty($keyforprovider) && !empty($_SESSION["oauthkeyforproviderbeforeoauthjump"]) && (GETPOST('code') || $action == 'delete')) {

  $keyforprovider = $_SESSION["oauthkeyforproviderbeforeoauthjump"];

}

$genericstring = 'MICROSOFT';


$uriFactory = new \OAuth\Common\Http\Uri\UriFactory();

//$currentUri = $uriFactory->createFromSuperGlobalArray($_SERVER);

//$currentUri->setQuery('');

$currentUri = $uriFactory->createFromAbsolute($urlwithroot.'/core/modules/oauth/microsoft_oauthcallback.php');


$serviceFactory = new \OAuth\ServiceFactory();

$httpClient = new \OAuth\Common\Http\Client\CurlClient();

// TODO Set options for proxy and timeout

// $params=array('CURLXXX'=>value, ...)

//$httpClient->setCurlParameters($params);

$serviceFactory->setHttpClient($httpClient);


// Setup the credentials for the requests

$keyforparamid = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_ID';

$keyforparamsecret = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_SECRET';

$keyforparamtenant = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_TENANT';


// Dolibarr storage

$storage = new DoliStorage($db, $conf, $keyforprovider, getDolGlobalString($keyforparamtenant));


$credentials = new Credentials(

  getDolGlobalString($keyforparamid),

  getDolGlobalString($keyforparamsecret),

  $currentUri->getAbsoluteUri()

);


$state = GETPOST('state');


$requestedpermissionsarray = array();

if ($state) {

  $requestedpermissionsarray = explode(',', $state); // Example: 'user'. 'state' parameter is standard to retrieve some parameters back

}

if ($action != 'delete' && empty($requestedpermissionsarray)) {

  print 'Error, parameter state is not defined';

  exit;

}

//var_dump($requestedpermissionsarray);exit;


// Instantiate the Api service using the credentials, http client and storage mechanism for the token

// ucfirst(strtolower($genericstring)) must be the name of a class into OAuth/OAuth2/Services/Xxxx

// $requestedpermissionsarray contains list of scopes.

// Conversion into URL is done by Reflection on constant with name SCOPE_scope_in_uppercase

try {

  $nameofservice = ucfirst(strtolower($genericstring));

  $apiService = $serviceFactory->createService($nameofservice, $credentials, $storage, $requestedpermissionsarray);

  '@phan-var-force  OAuth\OAuth2\Service\AbstractService|OAuth\OAuth1\Service\AbstractService $apiService'; // createService is only ServiceInterface

} catch (Exception $e) {

  print $e->getMessage();

  exit;

}

/*

var_dump($genericstring.($keyforprovider ? '-'.$keyforprovider : ''));

var_dump($credentials);

var_dump($storage);

var_dump($requestedpermissionsarray);

*/


if (empty($apiService)) {

  print 'Error, failed to create serviceFactory';

  exit;

}


// access type needed to have oauth provider refreshing token

//$apiService->setAccessType('offline');


$langs->load("oauth");


if (!getDolGlobalString($keyforparamid)) {

  accessforbidden('Setup of service is not complete. Customer ID is missing');

}

if (!getDolGlobalString($keyforparamsecret)) {

  accessforbidden('Setup of service is not complete. Secret key is missing');

}

if (!getDolGlobalString($keyforparamtenant)) {

  accessforbidden('Setup of service is not complete. Tenant/Annuary ID key is missing');

}


/*

 * Actions

 */


if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {

  $storage->userid = GETPOSTINT('userid');

  $storage->clearToken($genericstring);


  setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');


  if (empty($backtourl)) {

    $backtourl = DOL_URL_ROOT.'/';

  }


  header('Location: '.$backtourl);

  exit();

}


//dol_syslog("GET=".join(',', $_GET));


if (GETPOST('code') || GETPOST('error')) {     // We are coming from oauth provider page

  // We should have

  //$_GET=array('code' => string 'aaaaaaaaaaaaaa' (length=20), 'state' => string 'user,public_repo' (length=16))


  dol_syslog(basename(__FILE__)." We are coming from the oauth provider page code=".dol_trunc(GETPOST('code'), 5)." error=".GETPOST('error'));


  // This was a callback request from service, get the token

  try {

    //var_dump($state);

    //var_dump($apiService);      // OAuth\OAuth2\Service\Microsoft


    if (GETPOST('error')) {

      setEventMessages(GETPOST('error').' '.GETPOST('error_description'), null, 'errors');

    } else {

      //print GETPOST('code');exit;


      //$token = $apiService->requestAccessToken(GETPOST('code'), $state);

      $token = $apiService->requestAccessToken(GETPOST('code'));

      // Microsoft is a service that does not need state to be stored as second parameter of requestAccessToken


      //print $token->getAccessToken().'<br><br>';

      //print $token->getExtraParams()['id_token'].'<br><br>';

      //print $token->getRefreshToken().'<br>';exit;


      setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs'); // Stored into object managed by class DoliStorage so into table oauth_token

    }


    $backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];

    unset($_SESSION["backtourlsavedbeforeoauthjump"]);


    header('Location: '.$backtourl);

    exit();

  } catch (Exception $e) {

    print $e->getMessage();

  }

} else {

  // If we enter this page without 'code' parameter, we arrive here. This is the case when we want to get the redirect

  // to the OAuth provider login page.

  $_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;

  $_SESSION["oauthkeyforproviderbeforeoauthjump"] = $keyforprovider;

  $_SESSION['oauthstateanticsrf'] = $state;


  //if (!preg_match('/^forlogin/', $state)) {

  //  $apiService->setApprouvalPrompt('auto');

  //}


  // This may create record into oauth_state before the header redirect.

  // Creation of record with state in this tables depend on the Provider used (see its constructor).

  if ($state) {

    $url = $apiService->getAuthorizationUri(array('state' => $state));

  } else {

    $url = $apiService->getAuthorizationUri(); // Parameter state will be randomly generated

  }


  // Show url to get authorization

  //var_dump((string) $url);exit;

  dol_syslog("Redirect to url=".$url);


  // we go on oauth provider authorization page

  header('Location: '.$url);

  exit();

}


/*

 * View

 */


// No view at all, just actions


$db->close();

Exception

setEventMessages
setEventMessages($mesg, $mesgs, $style='mesgs', $messagekey='', $noduplicate=0, $attop=0)
Set event messages in dol_events session object.
Definition functions.lib.php:9981

GETPOSTINT
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
Definition functions.lib.php:1120

GETPOST
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
Definition functions.lib.php:792

dol_trunc
dol_trunc($string, $size=40, $trunc='right', $stringencoding='UTF-8', $nodot=0, $display=0)
Truncate a string to a particular length adding '…' if string larger than length.
Definition functions.lib.php:4854

getDolGlobalString
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
Definition functions.lib.php:217

dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition functions.lib.php:2253

$conf
global $conf
The following vars must be defined: $type2label $form $conf, $lang, The following vars may also be de...
Definition member.php:79

$uriFactory
$uriFactory
Create a new instance of the URI class with the current URI, stripping the query string.
Definition microsoft_oauthcallback.php:58

accessforbidden
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
Definition security.lib.php:1233