Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide login hook, phpcs linting #34

Merged
merged 1 commit into from
Aug 8, 2023
Merged

Provide login hook, phpcs linting #34

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 16 additions & 5 deletions src/Control/SAMLController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@
namespace SilverStripe\SAML\Control;

use Exception;

use function gmmktime;

use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Constants;
use OneLogin\Saml2\Utils;
Expand All @@ -23,6 +25,7 @@
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

use function uniqid;

/**
Expand Down Expand Up @@ -158,7 +161,8 @@ public function acs()
// Write a rudimentary member with basic fields on every login, so that we at least have something
// if there is no further sync (e.g. via LDAP)
$member = Member::get()->filter('GUID', $guid)->limit(1)->first();
if (!($member && $member->exists())
if (
!($member && $member->exists())
&& Config::inst()->get(SAMLConfiguration::class, 'allow_insecure_email_linking')
&& isset($fieldToClaimMap['Email'])
) {
Expand Down Expand Up @@ -200,6 +204,9 @@ public function acs()
// Both SAML and LDAP identify Members by the same GUID field.
$member->write();

// Hook for modifying login behaviour
$this->extend('updateLogin');

/** @var IdentityStore $identityStore */
$identityStore = Injector::inst()->get(IdentityStore::class);
$identityStore->logIn($member, false, $this->getRequest());
Expand Down Expand Up @@ -241,14 +248,18 @@ public function metadata()
protected function getRedirect()
{
// Absolute redirection URLs may cause spoofing
if ($this->getRequest()->getSession()->get('BackURL')
&& Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))) {
if (
$this->getRequest()->getSession()->get('BackURL')
&& Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))
) {
return $this->redirect($this->getRequest()->getSession()->get('BackURL'));
}

// Spoofing attack, redirect to homepage instead of spoofing url
if ($this->getRequest()->getSession()->get('BackURL')
&& !Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))) {
if (
$this->getRequest()->getSession()->get('BackURL')
&& !Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))
) {
return $this->redirect(Director::absoluteBaseURL());
}

Expand Down