pixelfed/app/Http/Controllers/RemoteOidcController.php

<?php

namespace App\Http\Controllers;

use App\Models\UserOidcMapping;
use Purify;
use App\Services\EmailService;
use App\Services\UserOidcService;
use App\User;
use Illuminate\Auth\Events\Registered;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use App\Rules\EmailNotBanned;
use App\Rules\PixelfedUsername;

class RemoteOidcController extends Controller
{
    protected $fractal;

    public function start(UserOidcService $provider, Request $request)
    {
        abort_unless((bool) config('remote-auth.oidc.enabled'), 404);
        if ($request->user()) {
            return redirect('/');
        }

        $url = $provider->getAuthorizationUrl([
            'scope' => $provider->getDefaultScopes(),
        ]);

        $request->session()->put('oauth2state', $provider->getState());

        return redirect($url);
    }

    public function handleCallback(UserOidcService $provider, Request $request)
    {
        abort_unless((bool) config('remote-auth.oidc.enabled'), 404);

        if ($request->user()) {
            return redirect('/');
        }

        abort_unless($request->input("state"), 400);
        abort_unless($request->input("code"), 400);

        abort_unless(hash_equals($request->session()->pull('oauth2state'), $request->input("state")), 400, "invalid state");

        $accessToken = $provider->getAccessToken('authorization_code', [
            'code' => $request->get('code')
        ]);

        $userInfo = $provider->getResourceOwner($accessToken);
        $userInfoId = $userInfo->getId();
        $userInfoData = $userInfo->toArray();

        $mappedUser = UserOidcMapping::where('oidc_id', $userInfoId)->first();
        if ($mappedUser) {
            $this->guarder()->login($mappedUser->user);
            return redirect('/');
        }

        abort_if(EmailService::isBanned($userInfoData["email"]), 400, 'Banned email.');

        $user = $this->createUser([
            'username' => $userInfoData[config('remote-auth.oidc.field_username')],
            'name' => $userInfoData["name"] ?? $userInfoData["display_name"] ?? $userInfoData[config('remote-auth.oidc.field_username')] ?? null,
            'email' => $userInfoData["email"],
        ]);

        UserOidcMapping::create([
            'user_id' => $user->id,
            'oidc_id' => $userInfoId,
        ]);

        return redirect('/');
    }

    protected function createUser($data)
    {
        $this->validate(new Request($data), [
            'email' => [
                'required',
                'string',
                'email:strict,filter_unicode,dns,spoof',
                'max:255',
                'unique:users',
                new EmailNotBanned(),
            ],
            'username' => [
                'required',
                'min:2',
                'max:30',
                'unique:users,username',
                new PixelfedUsername(),
            ],
            'name' => 'nullable|max:30',
        ]);

        event(new Registered($user = User::create([
            'name' => Purify::clean($data['name']),
            'username' => $data['username'],
            'email' => $data['email'],
            'password' => Hash::make(Str::password()),
            'email_verified_at' => now(),
            'app_register_ip' => request()->ip(),
            'register_source' => 'oidc',
        ])));

        $this->guarder()->login($user);

        return $user;
    }

    protected function guarder()
    {
        return Auth::guard();
    }
}
Staging (#5978) * Added current title as value for input so that the current value remains stored by default * Added parameter 'show_legal_notice_link' => (bool) config_cache('instance.has_legal_notice'), * Added conditional display of a link to legal notice if the page is active * Added key 'legalNotice' * feat translate story * translate auth - register - login * add remove follow * Update ApiV1Controller.php Co-Authored-By: Mathieu <385764+Casmo@users.noreply.github.com> * New translations web.php (Chinese Simplified) [ci skip] * Added current title as value for input so that the current value remains stored by default * Added parameter 'show_legal_notice_link' => (bool) config_cache('instance.has_legal_notice'), * Added conditional display of a link to legal notice if the page is active * Added key 'legalNotice' * add missing key * add missing keys * New translations web.php (Portuguese, Brazilian) [ci skip] * New translations web.php (Turkish) [ci skip] * New translations web.php (Italian) [ci skip] * translate custom filter * New translations web.php (Italian) [ci skip] * use configured alt text length limit when uploading multiple photos * in notifications sidebar, show popover on shared posts too, not just liked posts * use case insensitive search when tagging accounts * New translations web.php (Portuguese, Brazilian) [ci skip] * Generic OIDC Support * Everything should be configurable by env variables * Basic request tests * Fixes for items highlighted by review.ai * Consider using `hash_equals()` instead of `==` when comparing the state values to prevent timing attacks: `abort_unless(hash_equals($request->input('state'), $request->session()->pull('oauth2state')), 400, 'invalid state');` * For better data integrity, consider adding a foreign key constraint to the user_id column: `$table- >foreign('user_id')->references('id')->on('users')->onDelete('cascade');` * Does the OIDC provider guarantee that the username field exists in the userInfo data? Consider adding a null check or fallback: `$userInfoData[config('remote-auth.oidc.field_username')] ?? null` * field isnt accessTokenResourceOwnerId but responseResourceOwnerId * New translations web.php (Dutch) [ci skip] * Fix components * Update LandingService and Config util to properly support the legal_notice setting * Update footer to use legalNotice i18n * Update i18n * Update sidebar with gap padding for footer links * Update compiled assets * Update i18n json * Update OIDC config with comments, and disable tests as we dont have db tests configured * Update remove_from_followers api endpoint * Update i18n * Update compiled assets * Update changelog * New supported formats, Preserve ICC Color Profiles, libvips support Update image pipeline to handle avif, heic and webp and preserve ICC color profiles and added libvips support. * Fix tests * Update CHANGELOG.md --------- Co-authored-by: Samy Elshamy <elshamy@coderbutze.de> Co-authored-by: Felipe Mateus <eu@felipemateus.com> Co-authored-by: Mathieu <385764+Casmo@users.noreply.github.com> Co-authored-by: Mackenzie Morgan <macoafi@gmail.com> Co-authored-by: Gavin Mogan <git@gavinmogan.com> 2025-05-13 08:25:23 +00:00			`<?php`

			`namespace App\Http\Controllers;`

			`use App\Models\UserOidcMapping;`
			`use Purify;`
			`use App\Services\EmailService;`
			`use App\Services\UserOidcService;`
			`use App\User;`
			`use Illuminate\Auth\Events\Registered;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Support\Facades\Auth;`
			`use Illuminate\Support\Facades\Hash;`
			`use Illuminate\Support\Str;`
			`use App\Rules\EmailNotBanned;`
			`use App\Rules\PixelfedUsername;`

			`class RemoteOidcController extends Controller`
			`{`
			`protected $fractal;`

			`public function start(UserOidcService $provider, Request $request)`
			`{`
			`abort_unless((bool) config('remote-auth.oidc.enabled'), 404);`
			`if ($request->user()) {`
			`return redirect('/');`
			`}`

			`$url = $provider->getAuthorizationUrl([`
			`'scope' => $provider->getDefaultScopes(),`
			`]);`

			`$request->session()->put('oauth2state', $provider->getState());`

			`return redirect($url);`
			`}`

			`public function handleCallback(UserOidcService $provider, Request $request)`
			`{`
			`abort_unless((bool) config('remote-auth.oidc.enabled'), 404);`

			`if ($request->user()) {`
			`return redirect('/');`
			`}`

			`abort_unless($request->input("state"), 400);`
			`abort_unless($request->input("code"), 400);`

			`abort_unless(hash_equals($request->session()->pull('oauth2state'), $request->input("state")), 400, "invalid state");`

			`$accessToken = $provider->getAccessToken('authorization_code', [`
			`'code' => $request->get('code')`
			`]);`

			`$userInfo = $provider->getResourceOwner($accessToken);`
			`$userInfoId = $userInfo->getId();`
			`$userInfoData = $userInfo->toArray();`

			`$mappedUser = UserOidcMapping::where('oidc_id', $userInfoId)->first();`
			`if ($mappedUser) {`
			`$this->guarder()->login($mappedUser->user);`
			`return redirect('/');`
			`}`

			`abort_if(EmailService::isBanned($userInfoData["email"]), 400, 'Banned email.');`

			`$user = $this->createUser([`
			`'username' => $userInfoData[config('remote-auth.oidc.field_username')],`
			`'name' => $userInfoData["name"] ?? $userInfoData["display_name"] ?? $userInfoData[config('remote-auth.oidc.field_username')] ?? null,`
			`'email' => $userInfoData["email"],`
			`]);`

			`UserOidcMapping::create([`
			`'user_id' => $user->id,`
			`'oidc_id' => $userInfoId,`
			`]);`

			`return redirect('/');`
			`}`

			`protected function createUser($data)`
			`{`
			`$this->validate(new Request($data), [`
			`'email' => [`
			`'required',`
			`'string',`
			`'email:strict,filter_unicode,dns,spoof',`
			`'max:255',`
			`'unique:users',`
			`new EmailNotBanned(),`
			`],`
			`'username' => [`
			`'required',`
			`'min:2',`
			`'max:30',`
			`'unique:users,username',`
			`new PixelfedUsername(),`
			`],`
			`'name' => 'nullable\|max:30',`
			`]);`

			`event(new Registered($user = User::create([`
			`'name' => Purify::clean($data['name']),`
			`'username' => $data['username'],`
			`'email' => $data['email'],`
			`'password' => Hash::make(Str::password()),`
			`'email_verified_at' => now(),`
			`'app_register_ip' => request()->ip(),`
			`'register_source' => 'oidc',`
			`])));`

			`$this->guarder()->login($user);`

			`return $user;`
			`}`

			`protected function guarder()`
			`{`
			`return Auth::guard();`
			`}`
			`}`