Update provider uri and cipher to allow user session to be maintained on provider

Author: Greg Bowler

src/Authenticator.php

@@ -3,7 +3,7 @@
 
 use Authwave\ProviderUri\AbstractProviderUri;
 use Authwave\ProviderUri\AdminUri;
-use Authwave\ProviderUri\AuthUri;
+use Authwave\ProviderUri\LoginUri;
 use Authwave\ProviderUri\ProfileUri;
 use Gt\Http\Uri;
 use Gt\Session\SessionContainer;
@@ -76,15 +76,18 @@ public function login(Token $token = null):void {
 		$this->sessionData = new SessionData($token);
 		$this->session->set(self::SESSION_KEY, $this->sessionData);
 
-		$this->redirectHandler->redirect($this->getAuthUri($token));
+		$this->redirectHandler->redirect($this->getLoginUri($token));
 	}
 
-	public function logout(string $redirectToPath = "/"):void {
-		$this->session->remove(self::SESSION_KEY);
+	public function logout(Token $token = null):void {
+		if(is_null($token)) {
+			$token = new Token($this->clientKey);
+		}
+
+		$this->sessionData = new SessionData($token);
+		$this->session->set(self::SESSION_KEY, $this->sessionData);
 
-		$uri = (new Uri())
-			->withPath($redirectToPath);
-		$this->redirectHandler->redirect($uri);
+		$this->redirectHandler->redirect($this->getLogoutUri($token));
 	}
 
 	public function getUuid():string {
@@ -102,8 +105,16 @@ public function getField(string $name):?string {
 		return $userData->getField($name);
 	}
 
-	public function getAuthUri(Token $token):AbstractProviderUri {
-		return new AuthUri(
+	public function getLoginUri(Token $token):AbstractProviderUri {
+		return new LoginUri(
+			$token,
+			$this->currentUriPath,
+			$this->authwaveHost
+		);
+	}
+
+	private function getLogoutUri(Token $token):AbstractProviderUri {
+		return new LogoutUri(
 			$token,
 			$this->currentUriPath,
 			$this->authwaveHost
@@ -114,8 +125,17 @@ public function getAdminUri():UriInterface {
 		return new AdminUri($this->authwaveHost);
 	}
 
-	public function getProfileUri():UriInterface {
-		return new ProfileUri($this->authwaveHost);
+	public function getProfileUri(Token $token = null):UriInterface {
+		if(is_null($token)) {
+			$token = new Token($this->clientKey);
+		}
+
+		return new ProfileUri(
+			$token,
+			$this->getUuid(),
+			$this->currentUriPath,
+			$this->authwaveHost
+		);
 	}
 
 	private function completeAuth():void {
@@ -132,6 +152,8 @@ private function completeAuth():void {
 			new SessionData($token, $userData)
 		);
 
+		setcookie("authwave-trackshift", "test", 0, "/", "localhost");
+
 		$this->redirectHandler->redirect(
 			(new Uri($this->currentUriPath))
 			->withoutQueryValue(self::RESPONSE_QUERY_PARAMETER)

src/ProviderUri/AbstractProviderUri.php

@@ -2,10 +2,14 @@
 namespace Authwave\ProviderUri;
 
 use Authwave\InsecureProtocolException;
+use Authwave\Token;
 use Gt\Http\Uri;
 
 abstract class AbstractProviderUri extends Uri {
 	const DEFAULT_BASE_REMOTE_URI = "login.authwave.com";
+	const QUERY_STRING_CIPHER = "c";
+	const QUERY_STRING_INIT_VECTOR = "i";
+	const QUERY_STRING_CURRENT_PATH = "p";
 
 	protected function normaliseBaseUri(string $baseUri):Uri {
 		$scheme = parse_url($baseUri, PHP_URL_SCHEME)
@@ -27,4 +31,16 @@ protected function normaliseBaseUri(string $baseUri):Uri {
 
 		return $uri;
 	}
+
+	protected function buildQuery(
+		Token $token,
+		string $currentPath,
+		string $data = null
+	):string {
+		return http_build_query([
+			self::QUERY_STRING_CIPHER => (string)$token->generateRequestCipher($data),
+			self::QUERY_STRING_INIT_VECTOR => (string)$token->getIv(),
+			self::QUERY_STRING_CURRENT_PATH => bin2hex($currentPath),
+		]);
+	}
 }

src/ProviderUri/AuthUri.php renamed to src/ProviderUri/LoginUri.php

@@ -4,11 +4,13 @@
 use Authwave\Token;
 use Gt\Http\Uri;
 
-class AuthUri extends AbstractProviderUri {
-	const QUERY_STRING_CIPHER = "cipher";
-	const QUERY_STRING_INIT_VECTOR = "iv";
-	const QUERY_STRING_CURRENT_PATH = "path";
-
+/**
+ * The AuthUri class represents the Uri used to redirect the user agent to the
+ * Authwave provider in order to initiate authentication. A Token is used to
+ * pass the secret IV to the provider, encrypted with the API key. The secret
+ * IV is only ever stored in the client's session, and is unique to the session.
+ */
+class LoginUri extends AbstractProviderUri {
 	/**
 	 * @param Token $token This must be the same instance of the Token when
 	 * creating Authenticator for the first time as it is when checking the
@@ -25,11 +27,6 @@ public function __construct(
 	) {
 		$baseRemoteUri = $this->normaliseBaseUri($baseRemoteUri);
 		parent::__construct($baseRemoteUri);
-
-		$this->query = http_build_query([
-			self::QUERY_STRING_CIPHER => (string)$token->generateRequestCipher(),
-			self::QUERY_STRING_INIT_VECTOR => (string)$token->getIv(),
-			self::QUERY_STRING_CURRENT_PATH => $currentPath,
-		]);
+		$this->query = $this->buildQuery($token, $currentPath);
 	}
 }

src/ProviderUri/ProfileUri.php

@@ -1,12 +1,18 @@
 <?php
 namespace Authwave\ProviderUri;
 
+use Authwave\Token;
+
 class ProfileUri extends AbstractProviderUri {
 	public function __construct(
+		Token $token,
+		string $uuid,
+		string $currentPath,
 		string $baseRemoteUri
 	) {
 		$baseRemoteUri = $this->normaliseBaseUri($baseRemoteUri);
 		parent::__construct($baseRemoteUri);
 		$this->path = "/profile";
+		$this->query = $this->buildQuery($token, $uuid);
 	}
 }

src/Token.php

@@ -24,13 +24,22 @@ public function getIv():InitVector {
 		return $this->iv;
 	}
 
-// The request cipher is sent to the remote provider in the querystring. It
-// consists of the secret IV, encrypted with the client key. The remote provider
-// will decrypt the secret and use it as the key when encrypting the response
-// cipher, which will be sent back to the client application in the querystring.
-	public function generateRequestCipher():string {
+/**
+ * The request cipher is sent to the remote provider in the querystring. It
+ * consists of the token's secret IV, encrypted with the client key, along with
+ * an optional message. The secret IV is required for two-way encryption. The
+ * remote provider will decrypt the secret and use it as the key if encrypting a
+ * response cipher, which will be sent back to the client application in the
+ * querystring.
+ */
+	public function generateRequestCipher(string $message = null):string {
+		$data = $this->secretIv;
+		if($message) {
+			$data .= "|" . $message;
+		}
+
 		$rawCipher = openssl_encrypt(
-			$this->secretIv,
+			$data,
 			self::ENCRYPTION_METHOD,
 			$this->key,
 			0,

test/phpunit/AuthenticatorTest.php

@@ -5,7 +5,7 @@
 use Authwave\InitVector;
 use Authwave\NotLoggedInException;
 use Authwave\ProviderUri\AdminUri;
-use Authwave\ProviderUri\AuthUri;
+use Authwave\ProviderUri\LoginUri;
 use Authwave\ProviderUri\LogoutUri;
 use Authwave\RedirectHandler;
 use Authwave\SessionData;
@@ -74,7 +74,7 @@ public function testLogoutClearsSession() {
 		$sut = new Authenticator(
 			"test-key",
 			"/",
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -89,13 +89,13 @@ public function testLoginRedirects() {
 		$redirectHandler->expects(self::once())
 			->method("redirect")
 			->with(self::callback(fn(UriInterface $uri) =>
-				$uri->getHost() === AuthUri::DEFAULT_BASE_REMOTE_URI
+				$uri->getHost() === LoginUri::DEFAULT_BASE_REMOTE_URI
 			));
 
 		$sut = new Authenticator(
 			"test-key",
 			"/",
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -144,9 +144,9 @@ public function testLoginRedirectsWithCorrectQueryString() {
 			->willReturn($iv);
 
 		$expectedQueryParts = [
-			AuthUri::QUERY_STRING_CIPHER => $cipher,
-			AuthUri::QUERY_STRING_INIT_VECTOR => $ivString,
-			AuthUri::QUERY_STRING_CURRENT_PATH => $currentPath,
+			LoginUri::QUERY_STRING_CIPHER => $cipher,
+			LoginUri::QUERY_STRING_INIT_VECTOR => $ivString,
+			LoginUri::QUERY_STRING_CURRENT_PATH => $currentPath,
 		];
 		$expectedQuery = http_build_query($expectedQueryParts);
 
@@ -160,7 +160,7 @@ public function testLoginRedirectsWithCorrectQueryString() {
 		$sut = new Authenticator(
 			$key,
 			$currentPath,
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -180,7 +180,7 @@ public function testLoginDoesNothingWhenAlreadyLoggedIn() {
 		$sut = new Authenticator(
 			"test-key",
 			"/",
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -290,7 +290,7 @@ public function testCompleteAuth() {
 		new Authenticator(
 			"test-key",
 			$currentUri,
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -317,7 +317,7 @@ public function testCompleteAuthNotAffectedByQueryString() {
 		new Authenticator(
 			"test-key",
 			"/example-path?filter=something",
-			AuthUri::DEFAULT_BASE_REMOTE_URI,
+			LoginUri::DEFAULT_BASE_REMOTE_URI,
 			null,
 			$redirectHandler
 		);
@@ -328,7 +328,7 @@ public function testGetAdminUri() {
 		$auth = new Authenticator(
 			"test-key",
 			"/example-path",
-			AuthUri::DEFAULT_BASE_REMOTE_URI
+			LoginUri::DEFAULT_BASE_REMOTE_URI
 		);
 		$sut = $auth->getAdminUri();
 		self::assertEquals(

test/phpunit/ProviderUri/AbstractProviderUriTest.php

@@ -3,7 +3,7 @@
 
 use Authwave\InitVector;
 use Authwave\InsecureProtocolException;
-use Authwave\ProviderUri\AuthUri;
+use Authwave\ProviderUri\LoginUri;
 use Authwave\Token;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\UriInterface;
@@ -15,7 +15,7 @@ public function testAuthUriHttps() {
 			->willReturn("https://example.com");
 		$token = self::createMock(Token::class);
 
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			"",
 			$baseUri
@@ -35,7 +35,7 @@ public function testAuthUriWithNonStandardPort() {
 			->willReturn("http://localhost:8081");
 		$token = self::createMock(Token::class);
 
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			"",
 			$baseUri
@@ -54,7 +54,7 @@ public function testAuthUriWithNonStandardPort() {
 // But it should still default to HTTPS on localhost.
 	public function testGetAuthUriHostnameLocalhostHttpsByDefault() {
 		$token = self::createMock(Token::class);
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			"/",
 			"localhost"
@@ -69,7 +69,7 @@ public function testGetAuthUriHostnameLocalhostHttpsByDefault() {
 // We should be able to set the scheme to HTTP for localhost hostname only.
 	public function testGetAuthUriHostnameLocalhostHttpAllowed() {
 		$token = self::createMock(Token::class);
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			"/",
 			"http://localhost"
@@ -84,7 +84,7 @@ public function testGetAuthUriHostnameLocalhostHttpAllowed() {
 	public function testGetAuthUriHostnameNotLocalhostHttpNotAllowed() {
 		$token = self::createMock(Token::class);
 		self::expectException(InsecureProtocolException::class);
-		new AuthUri(
+		new LoginUri(
 			$token,
 			"/",
 			"http://localhost.com"
@@ -98,7 +98,7 @@ public function testAuthUriHttpsInferred() {
 // Note on the line above, no scheme is passed in - we must assume https.
 		$token = self::createMock(Token::class);
 
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			"/",
 			$baseUri);

test/phpunit/ProviderUri/AuthUriTest.php renamed to test/phpunit/ProviderUri/LoginUriTest.php

@@ -2,12 +2,12 @@
 namespace Authwave\Test\ProviderUri;
 
 use Authwave\InitVector;
-use Authwave\ProviderUri\AuthUri;
+use Authwave\ProviderUri\LoginUri;
 use Authwave\Token;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\UriInterface;
 
-class AuthUriTest extends TestCase {
+class LoginUriTest extends TestCase {
 	public function testQueryString() {
 		$mockCipherValue = str_repeat("f", 16);
 		$mockIvValue = str_repeat("0", 16);
@@ -23,7 +23,7 @@ public function testQueryString() {
 			->willReturn($iv);
 
 		$returnPath = "/examplePage";
-		$sut = new AuthUri(
+		$sut = new LoginUri(
 			$token,
 			$returnPath,
 			$baseUri
@@ -32,17 +32,17 @@ public function testQueryString() {
 
 		self::assertEquals(
 			$mockCipherValue,
-			$queryParts[AuthUri::QUERY_STRING_CIPHER],
+			$queryParts[LoginUri::QUERY_STRING_CIPHER],
 		);
 
 		self::assertEquals(
 			$mockIvValue,
-			$queryParts[AuthUri::QUERY_STRING_INIT_VECTOR]
+			$queryParts[LoginUri::QUERY_STRING_INIT_VECTOR]
 		);
 
 		self::assertEquals(
 			$returnPath,
-			$queryParts[AuthUri::QUERY_STRING_CURRENT_PATH]
+			$queryParts[LoginUri::QUERY_STRING_CURRENT_PATH]
 		);
 	}
 }