From 7fc5d9058ee44006818b321bcaf995d3d8cf39c7 Mon Sep 17 00:00:00 2001 From: Jos Groot Lipman Date: Sun, 26 Mar 2017 15:46:37 +0000 Subject: [PATCH] FSN#39750 Authenticatie 'Apps', savepoint svn path=/Website/trunk/; revision=33262 --- APPL/API/shorturl.asp | 4 +-- APPL/API2/model_aut_client_perslid.inc | 45 ++++++++++++++++++++++---- APPL/AUT/getapptoken.asp | 38 +++++++++++++--------- APPL/AUT/loginTry.asp | 17 ++++++++++ APPL/PRS/prs_perslid_qr_confirm.asp | 1 + APPL/Shared/locale.inc | 5 ++- 6 files changed, 85 insertions(+), 25 deletions(-) diff --git a/APPL/API/shorturl.asp b/APPL/API/shorturl.asp index 26a85e4809..8396bdbcf7 100644 --- a/APPL/API/shorturl.asp +++ b/APPL/API/shorturl.asp @@ -47,9 +47,9 @@ __Log("== Entering shorturl.asp =="); } var keyparam = getQParamInt("k", -1); -/* // TODO: beschermen met hmac + var locked_user_key = getQParamInt("locked_user_key", -1); +/* // TODO: beschermen met hmac // Daarom nog niet geactiveerd - var locked_user_key = getQParamInt("locked_user_key", -1); if (locked_user_key > 0) { Session("locked_user_key") = locked_user_key; diff --git a/APPL/API2/model_aut_client_perslid.inc b/APPL/API2/model_aut_client_perslid.inc index 269815421f..be750a357d 100644 --- a/APPL/API2/model_aut_client_perslid.inc +++ b/APPL/API2/model_aut_client_perslid.inc @@ -3,7 +3,7 @@ $Id$ File: model_aut_client_perslid.inc - Description: Persoonlijke instellingen per SP + Description: Persoonlijke instellingen per Client/app Notes: */ @@ -31,6 +31,11 @@ function model_aut_client_perslid() "hidden_fld": true, "required": true }, + "device": { + "dbs": "aut_client_perslid_device_id", + "label": L("aut_client_perslid_device"), + "typ": "varchar" + }, "scope": { "dbs": "aut_client_perslid_scope", "label": L("aut_client_perslid_scope"), 
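Review bot: In the shorturl.asp hunk, `var locked_user_key = getQParamInt("locked_user_key", -1);` is moved out of the comment block and becomes live code, but its only consumer (the `Session("locked_user_key")` assignment) stays commented, so the result is a dead read of an unauthenticated query parameter that the TODO above it says still needs HMAC protection. Either keep the declaration inside the comment until the HMAC check exists, or mark it so nobody wires it up prematurely, e.g. `// not yet validated: must not be used until the hmac check from the TODO is in place`.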
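Review bot: The new field is registered under the key `"device"` (column aut_client_perslid_device_id), but getapptoken.asp in this same commit posts the value as `"device_id": device_id`, and the commented-out filter there also uses `"device_id"`; unless the REST layer accepts column names as field names, the device id is silently dropped on insert and that filter would never match. Make the two agree, e.g. `"device": device_id` in getapptoken.asp or `"device_id"` as the field name here, and if rows are meant to be looked up per device, give the field `"filter": "exact"` like the token fields in the next hunk.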
@@ -39,17 +44,35 @@ function model_aut_client_perslid() "pushtoken": { "dbs": "aut_client_perslid_pushtoken", "label": L("aut_client_perslid_pushtoken"), - "typ": "varchar" + "typ": "varchar", + "filter": "exact" }, "refreshtoken": { "dbs": "aut_client_perslid_refreshtkn", "label": L("aut_client_perslid_refreshtoken"), - "typ": "varchar" + "typ": "varchar", + "filter": "exact" + }, + "refreshdate": { + "dbs": "aut_client_perslid_refreshdate", + "label": L("aut_client_perslid_refreshdate"), + "typ": "datetime" }, "accesstoken": { "dbs": "aut_client_perslid_accesstoken", "label": L("aut_client_perslid_accesstoken"), - "typ": "varchar" + "typ": "varchar", + "filter": "exact" + }, + "accessdate": { + "dbs": "aut_client_perslid_accessdate", + "label": L("aut_client_perslid_accessdate"), + "typ": "datetime" + }, + "login": { + "dbs": "aut_client_perslid_login", + "label": L("aut_client_perslid_login"), + "typ": "datetime" }, "person": { "dbs": "prs_perslid_key", @@ -64,12 +87,20 @@ function model_aut_client_perslid() }; this.list = { - "columns": ["person", "scope"] + "columns": ["person", "scope", "device"] }; - this.REST_GET = generic_REST_GET(this); + this.REST_GET = function (params, jsondata) + { + if (user_key > 0 && "filter" in params && params.filter.id == user_key) + this.autfunction = false; + else if ("filter" in params && "accesstoken" in params.filter) + this.autfunction = false; + + return generic_REST_GET(this)(params, jsondata); + } this.REST_POST = generic_REST_POST(this); - //this.REST_PUT = generic_REST_PUT(this); + this.REST_PUT = generic_REST_PUT(this); this.REST_DELETE = generic_REST_DELETE(this); } %> \ No newline at end of file diff --git a/APPL/AUT/getapptoken.asp b/APPL/AUT/getapptoken.asp index 94d26db14e..ecfb59a0e1 100644 --- a/APPL/AUT/getapptoken.asp +++ b/APPL/AUT/getapptoken.asp @@ -11,6 +11,7 @@ noodzakelijkerwijs compatible mee. */ +var JSON_Result = true; %> 
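Review bot: The REST_GET override sets `this.autfunction = false` on the model instance and never restores it, so every later call on the same instance runs with authorization disabled as well — including the `REST_PUT` this commit enables two lines below, which loginTry.asp relies on right after its `api2.GET` on the same `model_client_perslid`. If that coupling is intended it should be explicit: restore the previous value after the delegated call, or at least add `// NOTE: leaves autfunction disabled for subsequent calls on this instance` above the assignment. The first branch compares `params.filter.id` (the perslid row key) with `user_key` (a person key); if the intent is "the caller's own rows", `params.filter.person == user_key` looks like the right test, though the key semantics cannot be confirmed from this hunk. The second branch makes any GET filtered on `accesstoken` an unauthenticated lookup, which is what turns the token into a bearer credential; that only holds if the `"filter": "exact"` declared on the token fields is honoured and never degrades to a partial match.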
@@ -18,6 +19,7 @@ <% var client_id = getQParam("client_id"); + var device_id = getQParam("device_id", ""); // optional device identification var model_client = new model_aut_client(); var client_data = api2.GET(model_client, { filter: { "code": client_id } }); // sp moet er dan zijn voor Service Provider if (!client_data && client_id == "NWNX") // Voor NWNX ondersteunen we auto-create 
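Review bot: `device_id` is read from the query string with no length or character restriction and is later written to a varchar column, and the `""` default means a client that omits it still gets a token row with no device identity. Since the comment in the cp_data block says a new row is created on every call because another device may be being registered, rows with an empty device_id are indistinguishable from each other; either reject the empty value the way the missing-client case already errors out, or document that it is deliberately optional, e.g. `// optional: empty means the token is not bound to a device`.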
@@ -43,28 +45,34 @@ INTERNAL_ERROR_MISSING_SP; var model_client_perslid = new model_aut_client_perslid(); - var cp_data = api2.GET(model_client_perslid, { filter: { "autclient": client_data.id, "person": user_key } }); - if (!cp_data) + //altijd nieuwe cp_data maken. Het kan zijn dat je een ander device aan het registreren bent + //var cp_data = api2.GET(model_client_perslid, { filter: { "autclient": client_data.id, "person": user_key, "device_id": device_id } }); + //if (!cp_data) { - var cp_data = { "autclient": client_data.id, - "scope": "*", - "refreshtoken": customerId + "_" + shared.random(32), // unused yet - "accesstoken": customerId + "_" + shared.random(32), // Does not expire yet? - "person": user_key, - "pushtoken": customerId + "_" + shared.random(32) + var cp_data = { "autclient" : client_data.id, + "scope" : "*", + "device_id" : device_id, + "refreshtoken": '1$' + customerId + "_" + shared.random(32), // unused yet + "refreshdate" : new Date(), + "accesstoken" : '1$' + customerId + "_" + shared.random(32), // Does not expire yet? + "accessdate" : new Date(), + "person" : user_key, + "pushtoken" : customerId + "_" + shared.random(32) } var result = model_client_perslid.REST_POST({}, cp_data); cp_data = api2.GET(model_client_perslid, result.key ); } var result = { - weburl: HTTP.urlzelf() + "?mobile=1", - push_token: cp_data.pushtoken, - access_token: cp_data.accesstoken // JWT met SP 'NWNX'? Of JWT met IDP 'FACILITOR'? - // Wel bij elke klant aan te maken dan? Of automatisch? - // bearer is stateless/ single request dus geen redirect - // maar via url &jwt= zou wel kunnen? - // refresh_url: HTTP.urlzelf() + "/appl/aut/getapptoken.asp?client_id={0}&auth={1}".format(sp, spp_data.refreshtoken) + "fcltversion": FCLTVersion, + "instance_url": HTTP.urlzelf() + "?mobile=1", + "push_token": cp_data.pushtoken, + "access_token": cp_data.accesstoken, // JWT met SP 'NWNX'? Of JWT met IDP 'FACILITOR'? + // Wel bij elke klant aan te maken dan? Of automatisch? 
+ // bearer is stateless/ single request dus geen redirect + // maar via url &jwt= zou wel kunnen? + "issued_at": Math.floor(cp_data.accessdate.getTime() / 1000) + // "refresh_url": HTTP.urlzelf() + "/appl/aut/getapptoken.asp?client_id={0}&auth={1}".format(sp, spp_data.refreshtoken) } Response.Write(JSON.stringify(result)); Response.End; diff --git a/APPL/AUT/loginTry.asp b/APPL/AUT/loginTry.asp index dbc5688a45..38b467dfa8 100644 --- a/APPL/AUT/loginTry.asp +++ b/APPL/AUT/loginTry.asp @@ -26,6 +26,7 @@ if (Response.Expires > 0) + <% __Log("== Entering loginTry.asp =="); @@ -77,6 +78,22 @@ if (user_key < 0) } } +if (user_key < 0) +{ + var auth = String(Request.ServerVariables("HTTP_X_FACILITOR_ACCESS_TOKEN")); + if (auth.match(/^1\$/)) // Mode 1$xxxxxxx + { + __Log("Found HTTP_X_FACILITOR_ACCESS_TOKEN"); + var model_client_perslid = new model_aut_client_perslid(); + var cp_data = api2.GET(model_client_perslid, { filter: { "accesstoken": auth } }); + if (cp_data) + { + doLogin(cp_data.person.id); + model_client_perslid.REST_PUT({}, { login: new Date() }, cp_data.id); + } + } +} + if (user_key < 0) { // Deeplink met &userauth=27399&userhmac=1387370160%3AECQXKFpi8RU5WTK2pfJ0zRnc7QY diff --git a/APPL/PRS/prs_perslid_qr_confirm.asp b/APPL/PRS/prs_perslid_qr_confirm.asp index 76ca8c4e58..9e4b323680 100644 --- a/APPL/PRS/prs_perslid_qr_confirm.asp +++ b/APPL/PRS/prs_perslid_qr_confirm.asp @@ -35,6 +35,7 @@ doLogin(user_key); var getToken = getQParamInt("gettoken", 0) == 1; if (getToken) { + Response.Clear(); // DOCTYPE weghalen Server.Transfer("../aut/getapptoken.asp"); // Die doet dat verder } else diff --git a/APPL/Shared/locale.inc b/APPL/Shared/locale.inc index 9b5066c3c0..9c6501eead 100644 --- a/APPL/Shared/locale.inc +++ b/APPL/Shared/locale.inc 
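Review bot: `accessdate` and `refreshdate` are now stored but nothing in this commit reads them, so the `// Does not expire yet?` comment still holds: the access token issued here is valid indefinitely, and because the block now always inserts a new row ("altijd nieuwe cp_data maken") every call to getapptoken.asp adds another live token for the person without revoking earlier ones. Record the intended policy next to the dates, e.g. `// TODO: enforce a max age on accessdate at login and retire earlier tokens for the same person/device on re-issue`, and when a device id is supplied, update or delete the existing row for that device before the POST rather than appending. The `'1$'` prefix on the access and refresh tokens is a format-version marker that loginTry.asp keys on; a one-line comment saying so would help the next reader.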
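Review bot: The header token is accepted purely on an exact `accesstoken` match; `cp_data.accessdate`, which getapptoken.asp now stores, is never consulted, so a leaked token remains usable until the row is removed by hand. Guard the login with an age check, e.g. `var tokenAgeMs = new Date() - new Date(cp_data.accessdate);` and `if (cp_data && tokenAgeMs <= MAX_ACCESS_TOKEN_AGE_MS)` (constant to be defined by the project). The `REST_PUT({}, { login: new Date() }, cp_data.id)` only succeeds because the preceding `api2.GET` left `autfunction` false on this instance; note that with `// authorization already relaxed by the accesstoken GET above`. A non-matching token currently leaves no trace — an `else __Log("HTTP_X_FACILITOR_ACCESS_TOKEN matched no client_perslid row");` branch would make token guessing visible in the logs, and the existing log line correctly omits the token value, which should stay that way.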
@@ -266,7 +266,10 @@ lcl = { if (!lclcode) // moet een FAC_LOCALE.FAC_LOCALE_KOLOMNAAM waarde zijn lclcode = alias; // Als de user-taal de db-taal (nu nog hard NL) is gewoon pkolomnaam opleveren - if (S("multi_language_option") == 0 || S("language_toggles").length <= 1 || user.lang() == S("db_lang")) + if (S("multi_language_option") == 0 || + S("language_toggles").length <= 1 || + typeof user == "undefined" || // nog niet ingelogd + user.lang() == S("db_lang")) llocaleclause = pkolomnaam+" "+(pwithalias ? alias+" " : ""); else llocaleclause = " lcl.x('"+lclcode+"', "+pkey+", "+pkolomnaam+", " + (noautolcl?0:1) + ")"+(pwithalias ? alias+" " : "");