@ollaid/native-sso 2.1.2 → 2.1.3
- package/README.md +36 -23
- package/package.json +1 -1
package/README.md
@@ -359,13 +359,14 @@ class NativeConfigController extends Controller
|
|
|
359
359
|
$payload = json_encode(['secret_key' => $secretKey, 'ts' => time()]);
|
|
360
360
|
$key = hash('sha256', $secretKey, true);
|
|
361
361
|
$iv = random_bytes(16);
|
|
362
|
-
$encrypted = openssl_encrypt($payload, 'AES-256-CBC', $key,
|
|
363
|
-
$encryptedCredentials = base64_encode($iv . '::' . $encrypted);
|
|
362
|
+
$encrypted = openssl_encrypt($payload, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
|
|
363
|
+
$encryptedCredentials = base64_encode($iv . '::' . base64_encode($encrypted));
|
|
364
364
|
|
|
365
365
|
return response()->json([
|
|
366
366
|
'success' => true,
|
|
367
367
|
'app_key' => $appKey,
|
|
368
368
|
'encrypted_credentials' => $encryptedCredentials,
|
|
369
|
+
'iam_api_url' => config("services.{$prefix}.api_url", 'https://identityam.ollaid.com/api'),
|
|
369
370
|
'credentials_ttl' => 300,
|
|
370
371
|
'debug' => $debug,
|
|
371
372
|
]);
|
|
@@ -944,17 +945,19 @@ class NativeAuthController extends Controller
|
|
|
944
945
|
$aesKey = hash('sha256', $secretKey, true);
|
|
945
946
|
$iv = random_bytes(16);
|
|
946
947
|
$payload = json_encode([
|
|
947
|
-
'app_key' => $appKey,
|
|
948
948
|
'secret_key' => $secretKey,
|
|
949
949
|
'ts' => time(),
|
|
950
950
|
]);
|
|
951
951
|
|
|
952
|
-
$encrypted = openssl_encrypt($payload, 'aes-256-cbc', $aesKey,
|
|
952
|
+
$encrypted = openssl_encrypt($payload, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
|
|
953
|
+
$encryptedCredentials = base64_encode($iv . '::' . base64_encode($encrypted));
|
|
953
954
|
|
|
954
955
|
return response()->json([
|
|
955
956
|
'success' => true,
|
|
956
957
|
'app_key' => $appKey, // En clair (non sensible, sert d'identifiant pour l'IAM)
|
|
957
|
-
'encrypted_credentials' =>
|
|
958
|
+
'encrypted_credentials' => $encryptedCredentials,
|
|
959
|
+
'iam_api_url' => config('services.iam.api_url', 'https://identityam.ollaid.com/api'),
|
|
960
|
+
'credentials_ttl' => 300,
|
|
958
961
|
'debug' => (bool) config('services.iam.debug'), // Contrôlé par IAM_DEBUG dans .env
|
|
959
962
|
]);
|
|
960
963
|
}
|
|
@@ -983,18 +986,17 @@ class NativeAuthController extends Controller
|
|
|
983
986
|
], 400);
|
|
984
987
|
}
|
|
985
988
|
|
|
986
|
-
// ⚠️ IMPORTANT : Remplacer les espaces par '+' (encodage URL)
|
|
987
|
-
$callbackToken = str_replace(' ', '+', $callbackToken);
|
|
988
|
-
|
|
989
989
|
try {
|
|
990
|
-
$response = Http::timeout(30)
|
|
991
|
-
|
|
992
|
-
|
|
993
|
-
'
|
|
994
|
-
'
|
|
995
|
-
'
|
|
996
|
-
]
|
|
997
|
-
|
|
990
|
+
$response = Http::timeout(30)
|
|
991
|
+
->withHeaders([
|
|
992
|
+
'Content-Type' => 'application/json',
|
|
993
|
+
'Accept' => 'application/json',
|
|
994
|
+
'X-IAM-App-Key' => config('services.iam.app_key'),
|
|
995
|
+
'X-IAM-Secret-Key' => config('services.iam.secret_key'),
|
|
996
|
+
])
|
|
997
|
+
->post(config('services.iam.api_url') . '/iam/auth/decrypt', [
|
|
998
|
+
'token' => $callbackToken,
|
|
999
|
+
]);
|
|
998
1000
|
|
|
999
1001
|
if (!$response->successful() || !$response->json('success')) {
|
|
1000
1002
|
$error = $response->json();
|
|
@@ -1052,8 +1054,15 @@ class NativeAuthController extends Controller
|
|
|
1052
1054
|
$expiresAt = now()->addDays(30);
|
|
1053
1055
|
$token = $user->createToken('native-sso', ['*'], $expiresAt);
|
|
1054
1056
|
|
|
1055
|
-
// Récupérer app_access_token_ref depuis la réponse IAM
|
|
1056
|
-
$appAccessTokenRef = $
|
|
1057
|
+
// Récupérer app_access_token_ref depuis la racine de la réponse IAM
|
|
1058
|
+
$appAccessTokenRef = $data['app_access_token_ref'] ?? null;
|
|
1059
|
+
|
|
1060
|
+
// Stocker la ref dans le token Sanctum pour le webhook de révocation
|
|
1061
|
+
if ($appAccessTokenRef) {
|
|
1062
|
+
$token->accessToken->forceFill([
|
|
1063
|
+
'app_access_token_ref' => $appAccessTokenRef,
|
|
1064
|
+
])->save();
|
|
1065
|
+
}
|
|
1057
1066
|
|
|
1058
1067
|
return response()->json([
|
|
1059
1068
|
'success' => true,
|
|
@@ -1115,8 +1124,9 @@ class NativeAuthController extends Controller
|
|
|
1115
1124
|
$user = $request->user();
|
|
1116
1125
|
|
|
1117
1126
|
return response()->json([
|
|
1118
|
-
'status'
|
|
1119
|
-
'
|
|
1127
|
+
'status' => 'connected',
|
|
1128
|
+
'message' => 'Utilisateur connecté',
|
|
1129
|
+
'user' => [
|
|
1120
1130
|
'name' => $user->name,
|
|
1121
1131
|
'email' => $user->email,
|
|
1122
1132
|
'ccphone' => $user->ccphone,
|
|
@@ -1145,14 +1155,17 @@ class NativeAuthController extends Controller
|
|
|
1145
1155
|
|
|
1146
1156
|
if ($user) {
|
|
1147
1157
|
$sanctumTokenPlain = $request->bearerToken();
|
|
1148
|
-
$user->currentAccessToken()
|
|
1158
|
+
$currentToken = $user->currentAccessToken();
|
|
1159
|
+
$appAccessTokenRef = $currentToken?->app_access_token_ref ?? null;
|
|
1160
|
+
|
|
1161
|
+
// Supprimer le token APRÈS avoir lu la ref
|
|
1162
|
+
$currentToken?->delete();
|
|
1149
1163
|
|
|
1150
1164
|
// Notifier l'IAM (fire-and-forget, timeout 5s)
|
|
1151
|
-
if ($sanctumTokenPlain) {
|
|
1165
|
+
if ($sanctumTokenPlain || $appAccessTokenRef) {
|
|
1152
1166
|
$iamPrefix = $request->attributes->get('iam_prefix', 'iam');
|
|
1153
1167
|
$iamApiUrl = config("services.{$iamPrefix}.api_url", 'https://identityam.ollaid.com/api');
|
|
1154
1168
|
try {
|
|
1155
|
-
$appAccessTokenRef = $user->currentAccessToken()->app_access_token_ref ?? null;
|
|
1156
1169
|
Http::timeout(5)->post("{$iamApiUrl}/iam/disconnect", array_filter([
|
|
1157
1170
|
'sanctum_token' => $sanctumTokenPlain,
|
|
1158
1171
|
'app_access_token_ref' => $appAccessTokenRef,
|