Implement completeAuth functionality

Author: Greg Bowler

composer.json

@@ -5,6 +5,7 @@
 	"require": {
 		"php": ">=7.4",
 		"ext-openssl": "*",
+		"ext-json": "*",
 		"phpgt/http": "1.*",
 		"phpgt/session": ">=1.1"
 	},

src/AuthUri.php

@@ -28,7 +28,7 @@ public function __construct(
 		parent::__construct($baseUri);
 
 		$this->query = http_build_query([
-			self::QUERY_STRING_CIPHER => (string)$token->generateCipher(),
+			self::QUERY_STRING_CIPHER => (string)$token->generateRequestCipher(),
 			self::QUERY_STRING_INIT_VECTOR => (string)$token->getIv(),
 			self::QUERY_STRING_CURRENT_PATH => $currentPath,
 		]);

src/Authenticator.php

@@ -1,13 +1,14 @@
 <?php
 namespace Authwave;
 
+use Gt\Http\Uri;
 use Gt\Session\SessionContainer;
 
 class Authenticator {
 	const SESSION_KEY = "AUTHWAVE_SESSION";
+	const RESPONSE_QUERY_PARAMETER = "AUTHWAVE_RESPONSE_DATA";
 
 	private string $clientKey;
-	private string $clientSecret;
 	private string $currentUriPath;
 	private string $authwaveHost;
 	private SessionContainer $session;
@@ -16,7 +17,6 @@ class Authenticator {
 
 	public function __construct(
 		string $clientKey,
-		string $clientSecret,
 		string $currentUriPath,
 		string $authwaveHost = "login.authwave.com",
 		SessionContainer $session = null,
@@ -27,20 +27,19 @@ public function __construct(
 		}
 
 		if(!$session->contains(self::SESSION_KEY)) {
+// TODO: If there is no Token or UserData in the SessionData, do we even
+// need to store it to the current session at all?
 			$session->set(self::SESSION_KEY, new SessionData());
 		}
 
 		$this->clientKey = $clientKey;
-		$this->clientSecret = $clientSecret;
 		$this->currentUriPath = $currentUriPath;
 		$this->authwaveHost = $authwaveHost;
 		$this->session = $session;
 		$this->sessionData = $session->get(self::SESSION_KEY);
 		$this->redirectHandler = $redirectHandler ?? new RedirectHandler();
 
-		if($this->authInProgress()) {
-			$this->completeAuth();
-		}
+		$this->completeAuth();
 	}
 
 	public function isLoggedIn():bool {
@@ -62,9 +61,12 @@ public function login(Token $token = null):void {
 		}
 
 		if(is_null($token)) {
-			$token = new Token($this->clientKey, $this->clientSecret);
+			$token = new Token($this->clientKey);
 		}
 
+		$this->sessionData = new SessionData($token);
+		$this->session->set(self::SESSION_KEY, $this->sessionData);
+
 		$loginUri = new AuthUri(
 			$token,
 			$this->currentUriPath,
@@ -88,11 +90,41 @@ public function getEmail():string {
 		return $userData->getEmail();
 	}
 
-	private function authInProgress():bool {
-		return false;
+	private function completeAuth():void {
+		$responseCipher = $this->getResponseCipher();
+
+		if(!$responseCipher) {
+			return;
+		}
+
+		$token = $this->sessionData->getToken();
+		$userData = $token->decryptResponseCipher($responseCipher);
+		$this->session->set(
+			self::SESSION_KEY,
+			new SessionData($token, $userData)
+		);
+
+		$this->redirectHandler->redirect(
+			(new Uri($this->currentUriPath))
+			->withoutQueryValue(self::RESPONSE_QUERY_PARAMETER)
+		);
 	}
 
-	private function completeAuth():void {
+	private function getResponseCipher():?string {
+		$queryString = parse_url(
+			$this->currentUriPath,
+			PHP_URL_QUERY
+		);
+		if(!$queryString) {
+			return null;
+		}
+
+		$queryParts = [];
+		parse_str($queryString, $queryParts);
+		if(empty($queryParts[self::RESPONSE_QUERY_PARAMETER])) {
+			return null;
+		}
 
+		return $queryParts[self::RESPONSE_QUERY_PARAMETER];
 	}
 }

src/InitVector.php

@@ -4,10 +4,14 @@
 class InitVector {
 	private string $bytes;
 
-	public function __construct(int $length = 8) {
+	public function __construct(int $length = 16) {
 		$this->bytes = random_bytes($length);
 	}
 
+	public function getBytes():string {
+		return $this->bytes;
+	}
+
 	public function __toString():string {
 		return bin2hex($this->bytes);
 	}

src/InvalidUserDataSerializationException.php

@@ -0,0 +1,4 @@
+<?php
+namespace Authwave;
+
+class InvalidUserDataSerializationException extends AuthwaveException {}

src/ResponseCipherDecryptionException.php

@@ -0,0 +1,4 @@
+<?php
+namespace Authwave;
+
+class ResponseCipherDecryptionException extends AuthwaveException {}

src/SessionData.php

@@ -2,29 +2,30 @@
 namespace Authwave;
 
 class SessionData {
-	private InitVector $iv;
+	private ?Token $token;
+	private ?UserData $userData;
 
-	public function getIv():InitVector {
-		if(!isset($this->iv)) {
-			throw new InitVectorNotSetException();
-		}
-
-		return $this->iv;
+	public function __construct(
+		Token $token = null,
+		UserData $userData = null
+	) {
+		$this->token = $token;
+		$this->userData = $userData;
 	}
 
-	public function setIv(InitVector $iv):void {
-		$this->iv = $iv;
-	}
+	public function getToken():Token {
+		if(!isset($this->token)) {
+			throw new NotLoggedInException();
+		}
 
-	public function removeIv():void {
-		unset($this->iv);
+		return $this->token;
 	}
 
 	public function getUserData():UserData {
 		if(!isset($this->userData)) {
 			throw new NotLoggedInException();
 		}
 
-		return $this->getUserData();
+		return $this->userData;
 	}
 }

src/Token.php

@@ -1,35 +1,74 @@
 <?php
 namespace Authwave;
 
+use Authwave\Test\MalformedReponseDataException;
+use JsonException;
+
 class Token {
 	const ENCRYPTION_METHOD = "aes128";
 
 	private string $key;
-	private string $secret;
+	private string $secretIv;
 	private InitVector $iv;
 
 	public function __construct(
 		string $key,
-		string $secret,
+		InitVector $secretIv = null,
 		InitVector $iv = null
 	) {
 		$this->key = $key;
-		$this->secret = $secret;
+		$this->secretIv = $secretIv ?? new InitVector();
 		$this->iv = $iv ?? new InitVector();
 	}
 
-	public function generateCipher():string {
+// The request cipher is sent to the remote provider in the querystring. It
+// consists of the secret IV, encrypted with the client key. The remote provider
+// will decrypt the secret and use it as the key when encrypting the response
+// cipher, which will be sent back to the client application in the querystring.
+	public function generateRequestCipher():string {
 		$rawCipher = openssl_encrypt(
-			$this->secret,
+			$this->secretIv,
 			self::ENCRYPTION_METHOD,
 			$this->key,
 			0,
-			$this->iv
+			$this->iv->getBytes()
 		);
 
 		return base64_encode($rawCipher);
 	}
 
+// The response cipher is send from the remote provider back to the client
+// application after a successful authentication and includes a serialised
+// UserData object, encrypted using the secret IV, which was created when
+// encrypting the original request cipher.
+	public function decryptResponseCipher(string $cipher):UserData {
+		$decrypted = openssl_decrypt(
+			base64_decode($cipher),
+			self::ENCRYPTION_METHOD,
+			$this->secretIv->getBytes(),
+			0,
+			$this->iv->getBytes()
+		);
+
+		if(!$decrypted) {
+			throw new ResponseCipherDecryptionException();
+		}
+
+		try {
+			$obj = json_decode(
+				$decrypted,
+				false,
+				2,
+				JSON_THROW_ON_ERROR
+			);
+		}
+		catch(JsonException $exception) {
+			throw new InvalidUserDataSerializationException();
+		}
+
+		return new UserData($obj->uuid, $obj->email);
+	}
+
 	public function getIv():InitVector {
 		return $this->iv;
 	}

src/UserData.php

@@ -5,6 +5,11 @@ class UserData {
 	private string $uuid;
 	private string $email;
 
+	public function __construct(string $uuid, string $email) {
+		$this->uuid = $uuid;
+		$this->email = $email;
+	}
+
 	public function getUuid():string {
 		return $this->uuid;
 	}

test/phpunit/AuthUriTest.php

@@ -73,7 +73,7 @@ public function testQueryString() {
 
 		$baseUri = self::createMock(UriInterface::class);
 		$token = self::createMock(Token::class);
-		$token->method("generateCipher")
+		$token->method("generateRequestCipher")
 			->willReturn($mockCipherValue);
 		$token->method("getIv")
 			->willReturn($iv);