From ff9020aa199cff7aa798f370a3a1fcf38c22c726 Mon Sep 17 00:00:00 2001
From: garaone
Date: Thu, 25 Apr 2024 16:58:59 +0200
Subject: [PATCH 1/5] fix ... dont ob_flush empty buffer to avoid php notifies in output
---
 private/app/php/stream-api.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/private/app/php/stream-api.php b/private/app/php/stream-api.php
index e2b7460..ea5c21d 100644
--- a/private/app/php/stream-api.php
+++ b/private/app/php/stream-api.php
@@ -45,7 +45,9 @@
 ]);
 curl_setopt($ch, CURLOPT_WRITEFUNCTION, function($ch, $data) {
 echo $data;
- ob_flush();
+ if (ob_get_level() > 0) {
+ ob_flush();
+ }
 flush();
 return strlen($data);
 });
From 48df7fa76b82b6fd5ecb495da0fbf916dcb99145 Mon Sep 17 00:00:00 2001
From: garaone
Date: Fri, 26 Apr 2024 15:11:23 +0200
Subject: [PATCH 2/5] fix ... reinitialization of BOOTSTRAP_PATH im stream-api.php
---
 private/app/php/stream-api.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/private/app/php/stream-api.php b/private/app/php/stream-api.php
index ea5c21d..f417d3f 100644
--- a/private/app/php/stream-api.php
+++ b/private/app/php/stream-api.php
@@ -1,5 +1,9 @@
Date: Fri, 3 May 2024 12:58:29 +0200
Subject: [PATCH 3/5] Shibboleth open id patch (#61)
* Correction - ODIC Var in .env.example
* Correction CSRF / Logout
* Typo Correction
---
 index.php | 5 -----
 private/.env.example | 3 ++-
 private/app/php/auth.php | 7 +++----
 private/pages/login.php | 1 +
 private/pages/logout.php | 26 +++++++++++++++++++-------
 private/pages/oidc_logout.php | 13 -------------
 6 files changed, 25 insertions(+), 30 deletions(-)
 delete mode 100644 private/pages/oidc_logout.php
diff --git a/index.php b/index.php
index 9caa225..78de8be 100644
--- a/index.php
+++ b/index.php
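Review bot: The guarded `ob_flush()` in the write callback only moves the chunk one buffer level down, so when buffers are nested (PHP's `output_buffering` ini setting plus an `ob_start()` from an included bootstrap) the echoed data still sits in the outer buffer and the client sees nothing until the script ends. Draining every level once before `curl_exec()` — `while (ob_get_level() > 0) { ob_end_flush(); }` — and keeping only `flush()` inside the callback makes the stream reliable and makes the `ob_get_level()` check unnecessary. Because the callback echoes upstream bytes verbatim, the response headers set earlier in the script (outside this hunk) should pin a non-HTML `Content-Type` and add `X-Content-Type-Options: nosniff` so a browser never renders the proxied payload as markup. The `curl_setopt()` sequence this closure belongs to begins before the hunk.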
@@ -30,11 +30,6 @@ include_once OIDC_LOGIN_PAGE_PATH;
 exit();
- case('/oidc_logout'):
- include_once OIDC_LOGOUT_PAGE_PATH;
- exit();
-
-
 case('/impressum'):
 $imprintLocation = isset($env) ? $env["IMPRINT_LOCATION"] : getenv("IMPRINT_LOCATION");
 header("Location: $imprintLocation");
diff --git a/private/.env.example b/private/.env.example
index 9725a57..c3003ec 100644
--- a/private/.env.example
+++ b/private/.env.example
@@ -10,6 +10,7 @@ LDAP_PORT=""
 #Shibbolet
 SHIBBOLETH_LOGIN_PATH="Shibboleth.sso/Login?target="
 SHIBBOLETH_LOGIN_PAGE="login.php"
+SHIBBOLETH_LOGOUT_URL=""
 # Open Ai config
 OPENAI_API_URL="https://api.openai.com/v1/chat/completions"
@@ -31,7 +32,7 @@ OIDC_CLIENT_ID="xxx"
 ; Client secret
 OIDC_CLIENT_SECRET="xxx"
 ; oidc logout uri
-OIDC_LOGOUT=""
+OIDC_LOGOUT_URI=""
 ; Path to composer autoload file (without /vendor/autoload.php)
 ; normally set to "."
diff --git a/private/app/php/auth.php b/private/app/php/auth.php
index 9ad6dee..f7b9a15 100644
--- a/private/app/php/auth.php
+++ b/private/app/php/auth.php
@@ -4,13 +4,13 @@ if (!isset($_POST['csrf_token']) || !hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) {
 die('Invalid CSRF token');
 }
-
+ //REGENERATE CSRF TOKEN FOR MORE SECURITY
+ generate_csrf_token();
+
 if (array_key_exists('REMOTE_USER', $_SERVER) && !empty($_SERVER['REMOTE_USER'])) {
 // If user is already authenticated via shibboleth.
 $_SESSION['username'] = $_SERVER['REMOTE_USER'];
- //REGENERATE CSRF TOKEN FOR MORE SECURITY
- $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 //REGENERATE SESSION ID
 session_regenerate_id();
@@ -28,7 +28,6 @@ $scheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : 'http';
 $shibLogin = 'Location: /' . $loginPath . $scheme. '://' . $_SERVER['HTTP_HOST'] . '/' . $loginPage;
 header($shibLogin);
- // header('Location: /Shibboleth.sso/Login?target='.$_SERVER['REQUEST_SCHEME'].'://'.$_SERVER['HTTP_HOST'].'/login.php');
 exit;
 } else{
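Review bot: The CSRF check on the first line of the auth.php hunk hands the user-supplied value to `hash_equals()` as the first argument and never confirms that `$_SESSION['csrf_token']` exists or that `$_POST['csrf_token']` is a string, so a request with no session token passes `null` (deprecated in PHP 8.1, a `TypeError` under `strict_types`) and `csrf_token[]=x` passes an array (always a `TypeError`), producing a 500 instead of reaching `die('Invalid CSRF token')`. Rewriting it as `if (!isset($_POST['csrf_token'], $_SESSION['csrf_token']) || !is_string($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {` puts the known token first, as the function's contract expects, and fails closed on malformed input. The relocated `generate_csrf_token();` now runs on every validated POST, which is fine provided the login form re-rendered after a failed attempt reads the fresh token from the session; the helper's definition and the form are outside this hunk, so that is worth confirming. While here, `session_regenerate_id()` on the hunk's last line should pass `true` so the old session id is invalidated rather than left usable.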
diff --git a/private/pages/login.php b/private/pages/login.php
index 8a65ffd..02ee56d 100644
--- a/private/pages/login.php
+++ b/private/pages/login.php
@@ -102,6 +102,7 @@ $login_available = true; echo '
+
'; }
diff --git a/private/pages/logout.php b/private/pages/logout.php
index 5acda99..3b9c1cc 100644
--- a/private/pages/logout.php
+++ b/private/pages/logout.php
@@ -1,5 +1,6 @@
diff --git a/private/pages/oidc_logout.php b/private/pages/oidc_logout.php
deleted file mode 100644
index 9e7c768..0000000
--- a/private/pages/oidc_logout.php
+++ /dev/null
@@ -1,13 +0,0 @@
-
\ No newline at end of file
From 5c800f878eace31757634d83896c3b08e8075c61 Mon Sep 17 00:00:00 2001
From: Ariansdf <38947447+Ariansdf@users.noreply.github.com>
Date: Fri, 3 May 2024 13:29:11 +0200
Subject: [PATCH 4/5] Readme Update
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 9918382..c7394ad 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,7 @@ To get started you need to add a configuration file to the project first. Copy t
 | LDAP_BASE_DN | string | "cn=...,ou=...,dc=..." | Distinguised name that is used to initially bind to your LDAP server. |
 | LDAP_SEARCH_DN | string | "ou=...,dc=..." | Distinguished name that is used for authenticating users. |
 | LDAP_PORT | string | "..." | The LDAP port. |
+| LDAP_FILTER | string | `"(|(sAMAccountName=username)(mail=username))"` or `"(|(uid=username)(mail=username))"`| LDAP Filter. Choose the filter based on your LDAP configuration. the value "username" is used as a placeholder and will be replaced with the actual username in authentication function.|
 | SHIBBOLET_LOGIN_PATH | string | "..." | Path to shibboleth login page. |
 | SHIBBOLET_LOGIN_PAGE | string | "..." | Shibboleth login page. |
 | OIDC_IDP | string | "https://...." | URL of the Identity provider supporting OpenID Connect. |
From ee384c8cdff45b24319d9bd297e7914ba294bace Mon Sep 17 00:00:00 2001
From: Ariansdf <38947447+Ariansdf@users.noreply.github.com>
Date: Fri, 3 May 2024 13:33:56 +0200
Subject: [PATCH 5/5] Readme Typo Correction
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c7394ad..719748c 100644
--- a/README.md
+++ b/README.md
@@ -84,7 +84,7 @@ To get started you need to add a configuration file to the project first. Copy t
 | LDAP_BASE_DN | string | "cn=...,ou=...,dc=..." | Distinguised name that is used to initially bind to your LDAP server. |
 | LDAP_SEARCH_DN | string | "ou=...,dc=..." | Distinguished name that is used for authenticating users. |
 | LDAP_PORT | string | "..." | The LDAP port. |
-| LDAP_FILTER | string | `"(|(sAMAccountName=username)(mail=username))"` or `"(|(uid=username)(mail=username))"`| LDAP Filter. Choose the filter based on your LDAP configuration. the value "username" is used as a placeholder and will be replaced with the actual username in authentication function.|
+| LDAP_FILTER | string | "..." | LDAP Filter. Choose the filter based on your LDAP configuration. See .env.example for more details.|
 | SHIBBOLET_LOGIN_PATH | string | "..." | Path to shibboleth login page. |
 | SHIBBOLET_LOGIN_PAGE | string | "..." | Shibboleth login page. |
 | OIDC_IDP | string | "https://...." | URL of the Identity provider supporting OpenID Connect. |