LDAP/Shibboleth Adjustment - Minor improvements.

HAWK-Digital-Environments · May 3, 2024 · 6ae6684 · 6ae6684
2 parents b60f0e3 + ee384c8
commit 6ae6684
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -84,6 +84,7 @@ To get started you need to add a configuration file to the project first. Copy t
 | LDAP_BASE_DN     | string  | "cn=...,ou=...,dc=..."                 | Distinguised name that is used to initially bind to your LDAP server.                                                                              |
 | LDAP_SEARCH_DN   | string  | "ou=...,dc=..."                        | Distinguished name that is used for authenticating users.                                                                                          |
 | LDAP_PORT  | string  | "..."                        | The LDAP port.                                                                                          |
+| LDAP_FILTER  | string  | "..."  | LDAP Filter. Choose the filter based on your LDAP configuration. See .env.example for more details.|
 | SHIBBOLET_LOGIN_PATH    | string  | "..."                                  | Path to shibboleth login page.                                                                                               |
 | SHIBBOLET_LOGIN_PAGE    | string  | "..."                                  | Shibboleth login page.                                                                                               |
 | OIDC_IDP          | string  | "https://...."                         | URL of the Identity provider supporting OpenID Connect.                                                                                            |

diff --git a/index.php b/index.php
@@ -30,11 +30,6 @@
         include_once OIDC_LOGIN_PAGE_PATH;
         exit();
 
-    case('/oidc_logout'):
-        include_once OIDC_LOGOUT_PAGE_PATH;
-        exit();
-
-
     case('/impressum'):
         $imprintLocation = isset($env) ? $env["IMPRINT_LOCATION"] : getenv("IMPRINT_LOCATION");
         header("Location: $imprintLocation");

diff --git a/private/.env.example b/private/.env.example
@@ -15,6 +15,7 @@ LDAP_FILTER="(|(sAMAccountName=username)(mail=username))"
 #Shibbolet
 SHIBBOLETH_LOGIN_PATH="Shibboleth.sso/Login?target="
 SHIBBOLETH_LOGIN_PAGE="login.php"
+SHIBBOLETH_LOGOUT_URL=""
 
 # Open Ai config
 OPENAI_API_URL="https://api.openai.com/v1/chat/completions"

diff --git a/private/app/php/auth.php b/private/app/php/auth.php
@@ -4,13 +4,13 @@
         if (!isset($_POST['csrf_token']) || !hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) {
             die('Invalid CSRF token');
         }
-
+        //REGENERATE CSRF TOKEN FOR MORE SECURITY
+        generate_csrf_token();
+
         if (array_key_exists('REMOTE_USER', $_SERVER) && !empty($_SERVER['REMOTE_USER'])) {
             // If user is already authenticated via shibboleth.
             $_SESSION['username'] = $_SERVER['REMOTE_USER'];
 
-            //REGENERATE CSRF TOKEN FOR MORE SECURITY
-            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
             //REGENERATE SESSION ID
             session_regenerate_id();
 
@@ -28,7 +28,6 @@
                 $scheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : 'http';
                 $shibLogin = 'Location: /' . $loginPath . $scheme. '://' . $_SERVER['HTTP_HOST'] . '/' . $loginPage;
                 header($shibLogin);
-                // header('Location: /Shibboleth.sso/Login?target='.$_SERVER['REQUEST_SCHEME'].'://'.$_SERVER['HTTP_HOST'].'/login.php');
                 exit;
             }
             else{

diff --git a/private/app/php/stream-api.php b/private/app/php/stream-api.php
@@ -1,5 +1,9 @@
 <?php
-define('BOOTSTRAP_PATH',  '../../bootstrap.php');
+
+if (!defined('BOOTSTRAP_PATH')) {
+	define('BOOTSTRAP_PATH',  '../../bootstrap.php');
+}
+
 require_once BOOTSTRAP_PATH;
 
 session_start();
@@ -45,7 +49,9 @@
 ]);
 curl_setopt($ch, CURLOPT_WRITEFUNCTION, function($ch, $data) {
 	echo $data;
-	ob_flush();
+	if (ob_get_level() > 0) {
+		ob_flush();
+	}
 	flush();
 	return strlen($data);
 });

diff --git a/private/pages/login.php b/private/pages/login.php
@@ -102,6 +102,7 @@
 							$login_available = true;
 							echo
 								'<form class="column" method = "post" >
+									<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">
 									<button type="submit" name="submit">' . $translation['Login'] . '</button >
 								</form>';
 						}

diff --git a/private/pages/logout.php b/private/pages/logout.php
@@ -1,5 +1,6 @@
 <?php
     session_start();
+
     // Unset all session variables
     $_SESSION = array();
     // If it's desired, regenerate session ID (good practice for login but optional on logout)
@@ -12,12 +13,23 @@
 
     // Finally, destroy the session.
     session_destroy();
-    // Redirect to the login page
-    if ((isset($env) ? $env["Authentication"] : getenv("Authentication")) == "OIDC") {
-        // Open ID Connect
-        header('Location: oidc_logout');
-    } else {
-        header('Location: login');
+
+
+    if (file_exists(ENV_FILE_PATH)){
+        $env = parse_ini_file(ENV_FILE_PATH);
+        if($env['Authentication'] === 'Shibboleth'){
+            $redirect_uri = $env['SHIBBOLETH_LOGOUT_URL'];
+        }
+        elseif($env['Authentication'] === 'OIDC'){
+            $redirect_uri = $env['OIDC_LOGOUT_URI'];
+        }
+        else{
+            // Redirect to the login page
+            $redirect_uri ='/login';
+        }
     }
-    exit;
+    header("Location: $redirect_uri");
+    exit();
+
+
 ?>
diff --git a/private/pages/oidc_logout.php b/private/pages/oidc_logout.php