add functions to handle more of the indieauth client flow

aaronpk · aaronpk · commit 7eadaa8ca3f4 · 2018-02-07T11:21:32.000-08:00
diff --git a/README.md b/README.md
@@ -5,8 +5,110 @@ This is a simple library to help with IndieAuth. There are two ways you may want
 
 [![Build Status](https://travis-ci.org/indieweb/indieauth-client-php.png?branch=master)](http://travis-ci.org/indieweb/indieauth-client-php)
 
-Usage for Clients
------------------
+
+Quick Start
+-----------
+
+If you want to get started quickly, and if you're okay with letting the library store things in the PHP session itself, then you can follow the examples below. If you need more control or want to step into the details of the IndieAuth flow, see the [Detailed Usage for Clients](#detailed) below.
+
+### Create a Login Form
+
+You'll first need to create a login form to prompt the user to enter their website address. This might look something like the HTML below.
+
+```html
+<form action="/login.php" method="post">
+  <input type="url" name="url">
+  <input type="submit" value="Log In">
+</form>
+```
+
+### Begin the Login Flow
+
+In the `login.php` file, you'll need to initialize the session, and tell this library to discover the user's endpoints. If everything succeeds, the library will return a URL that you can use to redirect the user to begin the flow.
+
+The example below will have some really basic error handling, which you'll probably want to replace with something nicer looking.
+
+Example `login.php` file:
+
+```php
+<?php
+
+if(!isset($_POST['url'])) {
+  die('Missing URL');
+}
+
+// Start a session for the library to be able to save state between requests.
+session_start();
+
+// You'll need to set up two pieces of information before you can use the client,
+// the client ID and and the redirect URL.
+
+// The client ID should be the home page of your app.
+IndieAuth\Client::$clientID = 'https://example.com/';
+
+// The redirect URL is where the user will be returned to after they approve the request.
+IndieAuth\Client::$redirectURL = 'https://example.com/redirect.php';
+
+// Pass the user's URL and your requested scope to the client.
+// If you are writing a Micropub client, you should include at least the "create" scope.
+// If you are just trying to log the user in, you can omit the second parameter.
+
+list($authorizationURL, $error) = IndieAuth\Client::begin($_POST['url'], 'create');
+// or list($authorizationURL, $error) = IndieAuth\Client::begin($_POST['url']);
+
+// Check whether the library was able to discover the necessary endpoints
+if($error) {
+  echo "<p>Error: ".$error['error']."</p>";
+  echo "<p>".$error['error_description']."</p>";
+} else {
+  // Redirect the user to their authorization endpoint
+  header('Location: '.$authorizationURL);
+}
+
+```
+
+### Handling the Callback
+
+In your callback file, you just need to pass all the query string parameters to the library and it will take care of things! It will use the authorization or token endpoint it found in the initial step, and will check the authorization code or exchange it for an access token as appropriate.
+
+The result will be the response from the authorization endpoint, which will contain the user's final `me` URL as well as the access token if you requested one or more scopes.
+
+If there were any problems, the error information will be returned to you as well.
+
+The library takes care of canonicalizing the user's URL, as well as checking that the final URL is on the same domain as the entered URL.
+
+Example `redirect.php` file:
+
+```php
+<?php
+session_start();
+IndieAuth\Client::$clientID = 'https://example.com/';
+IndieAuth\Client::$redirectURL = 'https://example.com/redirect.php';
+
+list($user, $error) = IndieAuth\Client::complete($_GET);
+
+if($error) {
+  echo "<p>Error: ".$error['error']."</p>";
+  echo "<p>".$error['error_description']."</p>";
+} else {
+  // Login succeeded!
+  // If you requested a scope, then there will be an access token in the response.
+  // Otherwise there will just be the user's URL.
+  echo "URL: ".$user['me']."<br>";
+  if(isset($user['access_token'])) {
+    echo "Access Token: ".$user['access_token']."<br>";
+    echo "Scope: ".$user['scope']."<br>";
+  }
+
+  // You'll probably want to save the user's URL in the session
+  $_SESSION['user'] = $user['me'];
+}
+
+```
+
+
+Detailed Usage for Clients {#detailed}
+--------------------------
 
 The first thing an IndieAuth client needs to do is to prompt the user to enter their web address. This is the basis of IndieAuth, requiring each person to have their own website. A typical IndieAuth sign-in form may look something like the following.
 
diff --git a/src/IndieAuth/Client.php b/src/IndieAuth/Client.php
@@ -12,6 +12,127 @@ class Client {
 
   public static $http;
 
+  public static $clientID;
+  public static $redirectURL;
+
+  // Handles everything you need to start the authorization process.
+  // Discovers the user's auth endpoints, generates and stores a state in the session.
+  // Returns an authorization URL or an error array.
+  public static function begin($url, $scope=false) {
+    if(!isset(self::$clientID) || !isset(self::$redirectURL)) {
+      return [false, [
+        'error' => 'not_configured',
+        'error_description' => 'Before you can begin, you need to configure the clientID and redirectURL of the IndieAuth client'
+      ]];
+    }
+
+    $url = self::normalizeMeURL($url);
+
+    $authorizationEndpoint = self::discoverAuthorizationEndpoint($url);
+
+    if(!$authorizationEndpoint) {
+      return [false, [
+        'error' => 'missing_authorization_endpoint',
+        'error_description' => 'Could not find your authorization endpoint'
+      ]];
+    }
+
+    if($scope) {
+      $tokenEndpoint = self::discoverTokenEndpoint($url);
+
+      if(!$tokenEndpoint) {
+        return [false, [
+          'error' => 'missing_token_endpoint',
+          'error_description' => 'Could not find your token endpoint'
+        ]];
+      }
+    }
+
+    $state = self::generateStateParameter();
+
+    $_SESSION['indieauth_url'] = $url;
+    $_SESSION['indieauth_state'] = $state;
+    $_SESSION['indieauth_authorization_endpoint'] = $authorizationEndpoint;
+    if($scope)
+      $_SESSION['indieauth_token_endpoint'] = $tokenEndpoint;
+
+    $authorizationURL = self::buildAuthorizationURL($authorizationEndpoint, $url, self::$redirectURL, self::$clientID, $state, $scope);
+
+    return [$authorizationURL, false];
+  }
+
+  public static function complete($params) {
+    $requiredSessionKeys = ['indieauth_url', 'indieauth_state', 'indieauth_authorization_endpoint'];
+    foreach($requiredSessionKeys as $key) {
+      if(!isset($_SESSION[$key])) {
+        return [false, [
+          'error' => 'invalid_session',
+          'error_description' => 'The session was missing data. Ensure that you are initializing the session before using this library'
+        ]];
+      }
+    }
+
+    if(isset($params['error'])) {
+      return [false, [
+        'error' => $params['error'],
+        'error_description' => (isset($params['error_description']) ? $params['error_description'] : '')
+      ]];
+    }
+
+    if(!isset($params['code'])) {
+      return [false, [
+        'error' => 'invalid_response',
+        'error_description' => 'The response from the authorization server did not return an authorization code or error information'
+      ]];
+    }
+
+    if(!isset($params['state'])) {
+      return [false, [
+        'error' => 'missing_state',
+        'error_description' => 'The authorization server did not return the state parameter'
+      ]];
+    }
+
+    if($params['state'] != $_SESSION['indieauth_state']) {
+      return [false, [
+        'error' => 'invalid_state',
+        'error_description' => 'The authorization server returned an invalid state parameter'
+      ]];
+    }
+
+    if(isset($_SESSION['indieauth_token_endpoint'])) {
+      $verify = self::getAccessToken($_SESSION['indieauth_token_endpoint'], $params['code'], $_SESSION['indieauth_url'], self::$redirectURL, self::$clientID);
+    } else {
+      $verify = self::verifyIndieAuthCode($_SESSION['indieauth_authorization_endpoint'], $params['code'], null, self::$redirectURL, self::$clientID);
+    }
+
+    $expectedURL = $_SESSION['indieauth_url'];
+    unset($_SESSION['indieauth_url']);
+    unset($_SESSION['indieauth_state']);
+    unset($_SESSION['indieauth_authorization_endpoint']);
+    unset($_SESSION['indieauth_token_endpoint']);
+
+    if(!isset($verify['me'])) {
+      return [false, [
+        'error' => 'indieauth_error',
+        'error_description' => 'The authorization code was not able to be verified'
+      ]];
+    }
+
+    // Check that the returned URL is on the same domain as the original URL
+    if(parse_url($verify['me'], PHP_URL_HOST) != parse_url($expectedURL, PHP_URL_HOST)) {
+      return [false, [
+        'error' => 'invalid user',
+        'error_description' => 'The domain for the user returned did not match the domain of the user initially signing in'
+      ]];
+    }
+
+    $verify['me'] = self::normalizeMeURL($verify['me']);
+
+    return [$verify, false];
+  }
+
+
   public static function setUpHTTP() {
     // Unfortunately I've seen a bunch of websites return different content when the user agent is set to something like curl or other server-side libraries, so we have to pretend to be a browser to successfully get the real HTML
     if(!isset(self::$http)) {
@@ -102,6 +223,41 @@ private static function _extractEndpointFromHTML($html, $url, $name) {
     return false;
   }
 
+  public static function resolveMeURL($url, $max=4) {
+    // Follow redirects and return the identity URL at the end of the chain.
+    // Permanent redirects affect the identity URL, temporary redirects do not.
+    // A maximum of N redirects will be followed.
+    self::setUpHTTP();
+
+    $oldmax = self::$http->_max_redirects;
+    self::$http->_max_redirects = 0;
+
+    $i = 0;
+    while($i < $max) {
+      $result = self::$http->head($url);
+      if($result['code'] == 200) {
+        break;
+      } elseif($result['code'] == 301) {
+        // Follow the permanent redirect
+        if(isset($result['headers']['Location']) && is_string($result['headers']['Location'])) {
+          $url = $result['headers']['Location'];
+        } else {
+          $url = false; // something wrong with the Location header
+        }
+      } elseif($result['code'] == 302) {
+        // Temporary redirect, so abort with the current URL
+        break;
+      } else {
+        $url = false;
+        break;
+      }
+      $i++;
+    }
+
+    self::$http->_max_redirects = $oldmax;
+    return $url;
+  }
+
   public static function discoverAuthorizationEndpoint($url) {
     return self::_discoverEndpoint($url, 'authorization_endpoint');
   }
@@ -209,7 +365,7 @@ public static function build_url($parsed_url) {
   public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI, $clientID, $debug=false) {
     self::setUpHTTP();
 
-    $response = self::$http->post($url, http_build_query(array(
+    $response = self::$http->post($tokenEndpoint, http_build_query(array(
       'grant_type' => 'authorization_code',
       'me' => $me,
       'code' => $code,
@@ -237,11 +393,11 @@ public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI,
     }
   }
 
-  // Used by a token endpoint to verify the auth code
+  // Note: the $me parameter is deprecated and you can just pass null instead
   public static function verifyIndieAuthCode($authorizationEndpoint, $code, $me, $redirectURI, $clientID, $debug=false) {
     self::setUpHTTP();
 
-    $response = self::$http->post($url, http_build_query(array(
+    $response = self::$http->post($authorizationEndpoint, http_build_query(array(
       'code' => $code,
       'redirect_uri' => $redirectURI,
       'client_id' => $clientID
