ee/psso: prepare backchannel browser

ee/psso/PSSO/EnterpriseSSO.swift

@@ -4,17 +4,12 @@ import Bridge
 extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthorizationRequestHandler
 {
 
-    static let ssoExtURLPath = "/endpoint/agent/apple_ssoext/"
-    static let queryChallenge = "challenge"
-    static let queryResponse = "response"
+    static let ssoExtURLPath = "/endpoints/agent/browser-backchannel/"
+    static let queryChallenge = "xak-agent-challenge"
+    static let queryResponse = "xak-agent-response"
 
     private func shouldSkip(request: ASAuthorizationProviderExtensionAuthorizationRequest) -> Bool {
-        //        if !(request.loginManager?.isDeviceRegistered ?? false)
-        //            || !(request.loginManager?.isUserRegistered ?? false)
-        //        {
-        //            self.logger.info("SSOE: Skipping due to unregistered user or device")
-        //            return true
-        //        }
+        // We specifically don't check for PSSO registration status as this functionality doesn't require PSSO
         let callerBundle = request.callerBundleIdentifier
         if let exclusions = request.extensionData["ExcludedApps"] as? [String],
             exclusions.contains(callerBundle)
@@ -26,21 +21,7 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             self.logger.info("SSOE: No login manager, skipping")
             return true
         }
-        //        guard let base = URL(string: config.BaseURL) else {
-        //            self.logger.info("SSOE: Unable to parse base URL")
-        //            return true
-        //        }
-        //        if request.url.scheme != base.scheme
-        //            || request.url
-        //                .host()
-        //                != base
-        //                .host()
-        //            || !request.url.path().starts(with: base.path())
-        //        {
-        //            self.logger.info("SSOE: Skipping due to mismatching base URL")
-        //            return true
-        //        }
-        if request.url.valueOf(AuthenticationViewController.queryResponse) == nil {
+        if request.url.valueOf(AuthenticationViewController.queryResponse) != nil {
             self.logger.info("SSOE: Skipping due to existing response")
             return true
         }
@@ -66,6 +47,12 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             request.doNotHandle()
             return
         }
+#if os(macOS)
+        return getSignedResponseMac(challenge: challenge, request: request)
+#endif
+    }
+
+    public func getSignedResponseMac(challenge: String, request: ASAuthorizationProviderExtensionAuthorizationRequest) {
         Task {
             do {
                 let header = try await SysdBridge.shared.platformSignedEndpointHeader(
@@ -92,25 +79,4 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             }
         }
     }
-
-    private func injectSession(
-        with request: ASAuthorizationProviderExtensionAuthorizationRequest
-    ) -> Bool {
-        let sessionKey = request.loginManager?.ssoTokens?["session_key"]
-        if let sk = sessionKey as? String {
-            self.logger.debug("SSOE: Injecting session \(sk)")
-            let url = request.url.appending(queryItems: [URLQueryItem(name: "ak-ssoe", value: "1")])
-            let headers: [String: String] = [
-                "Location": url.absoluteString,
-                "Set-Cookie": "authentik_session=\(sk); Path=/; Secure; HttpOnly",
-            ]
-            if let response = HTTPURLResponse.init(
-                url: request.url, statusCode: 302, httpVersion: nil, headerFields: headers)
-            {
-                request.complete(httpResponse: response, httpBody: nil)
-                return true
-            }
-        }
-        return false
-    }
 }