Rework Authentication into separate services

NEWS.md

@@ -41,6 +41,9 @@
 - Source filters are stricter, they need to start and end with a `/`. ([#1423](https://github.com/fossar/selfoss/pull/1423))
 - OPML importer has been merged into the React client. ([#1442](https://github.com/fossar/selfoss/pull/1442))
 - Web requests will send `Accept-Encoding` header. ([#1482](https://github.com/fossar/selfoss/pull/1482))
+- Authentication system has been rewritten to allow more methods in the future. ([#1491](https://github.com/fossar/selfoss/pull/1491))
+- Authentication will now also log user out when the credentials in the config change. ([#1491](https://github.com/fossar/selfoss/pull/1491))
+- Requests from loopback IP address now give full access to all operations, not just update. Additionally, IPv6 loopback address is recognized and proxies are ignored. ([#1491](https://github.com/fossar/selfoss/pull/1491))
 
 ## 2.19 – 2022-10-12
 **This version requires PHP ~~5.6~~ 7.2 (see known regressions section) or newer. It is also the last version to support PHP 7.**

src/common.php

@@ -65,10 +65,15 @@ function boot_error(string $message) {
     ->register(Bramus\Router\Router::class)
     ->setShared(true)
 ;
+
 $container
-    ->register(helpers\Authentication::class)
+    ->register(
+        helpers\Authentication\AuthenticationService::class,
+        [new Slince\Di\Reference(helpers\Authentication\AuthenticationFactory::class), 'create']
+    )
     ->setShared(true)
 ;
+
 $container
     ->register(helpers\Session::class)
     ->setShared(true)

src/controllers/About.php

@@ -5,19 +5,20 @@
 namespace controllers;
 
 use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\Configuration;
 use helpers\View;
 
 /**
  * Controller for instance information API
  */
 class About {
-    private Authentication $authentication;
+    private bool $authenticationEnabled;
     private Configuration $configuration;
     private View $view;
 
-    public function __construct(Authentication $authentication, Configuration $configuration, View $view) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, Configuration $configuration, View $view) {
+        $this->authenticationEnabled = !$authenticationService instanceof Authentication\Services\Trust;
         $this->configuration = $configuration;
         $this->view = $view;
     }
@@ -54,7 +55,7 @@ public function about(): void {
                 'htmlTitle' => trim($this->configuration->htmlTitle), // string
                 'allowPublicUpdate' => $this->configuration->allowPublicUpdateAccess, // bool
                 'publicMode' => $this->configuration->public, // bool
-                'authEnabled' => $this->authentication->enabled() === true, // bool
+                'authEnabled' => $this->authenticationEnabled, // bool
                 'readingSpeed' => $this->configuration->readingSpeedWpm > 0 ? $this->configuration->readingSpeedWpm : null, // ?int
                 'language' => $this->configuration->language === '0' ? null : $this->configuration->language, // ?string
                 'userCss' => file_exists(BASEDIR . '/user.css') ? filemtime(BASEDIR . '/user.css') : null, // ?int

src/controllers/Authentication.php

@@ -4,18 +4,18 @@
 
 namespace controllers;
 
-use helpers;
+use helpers\Authentication\AuthenticationService;
 use helpers\View;
 
 /**
  * Controller for user related tasks
  */
 class Authentication {
-    private helpers\Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private View $view;
 
-    public function __construct(helpers\Authentication $authentication, View $view) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, View $view) {
+        $this->authenticationService = $authenticationService;
         $this->view = $view;
     }
 
@@ -26,17 +26,11 @@ public function __construct(helpers\Authentication $authentication, View $view)
     public function login(): void {
         $error = null;
 
-        if (isset($_REQUEST['username'])) {
-            $username = $_REQUEST['username'];
-        } else {
-            $username = '';
+        if (!isset($_REQUEST['username'])) {
             $error = 'no username given';
         }
 
-        if (isset($_REQUEST['password'])) {
-            $password = $_REQUEST['password'];
-        } else {
-            $password = '';
+        if (!isset($_REQUEST['password'])) {
             $error = 'no password given';
         }
 
@@ -47,7 +41,8 @@ public function login(): void {
             ]);
         }
 
-        if ($this->authentication->login($username, $password)) {
+        // The function automatically checks the request for credentials.
+        if ($this->authenticationService->isPrivileged()) {
             $this->view->jsonSuccess([
                 'success' => true,
             ]);
@@ -64,7 +59,7 @@ public function login(): void {
      * json
      */
     public function logout(): void {
-        $this->authentication->logout();
+        $this->authenticationService->destroy();
         $this->view->jsonSuccess([
             'success' => true,
         ]);

src/controllers/Helpers/HashPassword.php

@@ -4,18 +4,18 @@
 
 namespace controllers\Helpers;
 
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\View;
 
 /**
  * Controller for user related tasks
  */
 final class HashPassword {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private View $view;
 
-    public function __construct(Authentication $authentication, View $view) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, View $view) {
+        $this->authenticationService = $authenticationService;
         $this->view = $view;
     }
 
@@ -24,7 +24,7 @@ public function __construct(Authentication $authentication, View $view) {
      * json
      */
     public function hash(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         if (!isset($_POST['password'])) {
             $this->view->jsonError([

src/controllers/Index.php

@@ -6,7 +6,7 @@
 
 use Bramus\Router\Router;
 use daos\ItemOptions;
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\StringKeyedArray;
 use helpers\View;
 use helpers\ViewHelper;
@@ -19,7 +19,7 @@
  * @author     Tobias Zeising <[email protected]>
  */
 class Index {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private \daos\Items $itemsDao;
     private Router $router;
     private \daos\Sources $sourcesDao;
@@ -28,8 +28,8 @@ class Index {
     private View $view;
     private ViewHelper $viewHelper;
 
-    public function __construct(Authentication $authentication, \daos\Items $itemsDao, Router $router, \daos\Sources $sourcesDao, Tags $tagsController, \daos\Tags $tagsDao, View $view, ViewHelper $viewHelper) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, \daos\Items $itemsDao, Router $router, \daos\Sources $sourcesDao, Tags $tagsController, \daos\Tags $tagsDao, View $view, ViewHelper $viewHelper) {
+        $this->authenticationService = $authenticationService;
         $this->itemsDao = $itemsDao;
         $this->router = $router;
         $this->sourcesDao = $sourcesDao;
@@ -60,7 +60,7 @@ public function home(): void {
             return;
         }
 
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authenticationService->ensureCanRead();
 
         // load tags
         $tags = $this->tagsDao->getWithUnread();

src/controllers/Items.php

@@ -6,7 +6,7 @@
 
 use daos\ItemOptions;
 use DateTimeInterface;
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\Misc;
 use helpers\Request;
 use helpers\View;
@@ -20,18 +20,18 @@
  * @author     Tobias Zeising <[email protected]>
  */
 class Items {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private \daos\Items $itemsDao;
     private Request $request;
     private View $view;
 
     public function __construct(
-        Authentication $authentication,
+        AuthenticationService $authenticationService,
         \daos\Items $itemsDao,
         Request $request,
         View $view
     ) {
-        $this->authentication = $authentication;
+        $this->authenticationService = $authenticationService;
         $this->itemsDao = $itemsDao;
         $this->request = $request;
         $this->view = $view;
@@ -44,7 +44,7 @@ public function __construct(
      * @param ?string $itemId ID of item to mark as read
      */
     public function mark(?string $itemId = null): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         $ids = null;
         if ($itemId !== null) {
@@ -84,7 +84,7 @@ public function mark(?string $itemId = null): void {
      * @param string $itemId id of an item to mark as unread
      */
     public function unmark(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -106,7 +106,7 @@ public function unmark(string $itemId): void {
      * @param string $itemId id of an item to starr
      */
     public function starr(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -127,7 +127,7 @@ public function starr(string $itemId): void {
      * @param string $itemId id of an item to unstarr
      */
     public function unstarr(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -146,7 +146,7 @@ public function unstarr(string $itemId): void {
      * json
      */
     public function listItems(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authenticationService->ensureCanRead();
 
         // parse params
         $options = ItemOptions::fromUser($_GET);

src/controllers/Items/Stats.php

@@ -4,21 +4,21 @@
 
 namespace controllers\Items;
 
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\View;
 
 /**
  * Controller for viewing item statistics
  */
 class Stats {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private \daos\Items $itemsDao;
     private \daos\Sources $sourcesDao;
     private \daos\Tags $tagsDao;
     private View $view;
 
-    public function __construct(Authentication $authentication, \daos\Items $itemsDao, \daos\Sources $sourcesDao, \daos\Tags $tagsDao, View $view) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, \daos\Items $itemsDao, \daos\Sources $sourcesDao, \daos\Tags $tagsDao, View $view) {
+        $this->authenticationService = $authenticationService;
         $this->itemsDao = $itemsDao;
         $this->sourcesDao = $sourcesDao;
         $this->tagsDao = $tagsDao;
@@ -30,7 +30,7 @@ public function __construct(Authentication $authentication, \daos\Items $itemsDa
      * json
      */
     public function stats(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authenticationService->ensureCanRead();
 
         $stats = $this->itemsDao->stats();
 

src/controllers/Items/Sync.php

@@ -4,7 +4,7 @@
 
 namespace controllers\Items;
 
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\Configuration;
 use function helpers\json_response;
 use helpers\View;
@@ -14,7 +14,7 @@
  * Controller for synchronizing item statuses
  */
 class Sync {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private Configuration $configuration;
     private \daos\Items $itemsDao;
     private \daos\Sources $sourcesDao;
@@ -23,8 +23,8 @@ class Sync {
     private View $view;
     private ViewHelper $viewHelper;
 
-    public function __construct(Authentication $authentication, Configuration $configuration, \daos\Items $itemsDao, \daos\Sources $sourcesDao, \controllers\Tags $tagsController, \daos\Tags $tagsDao, View $view, ViewHelper $viewHelper) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, Configuration $configuration, \daos\Items $itemsDao, \daos\Sources $sourcesDao, \controllers\Tags $tagsController, \daos\Tags $tagsDao, View $view, ViewHelper $viewHelper) {
+        $this->authenticationService = $authenticationService;
         $this->configuration = $configuration;
         $this->itemsDao = $itemsDao;
         $this->sourcesDao = $sourcesDao;
@@ -39,7 +39,7 @@ public function __construct(Authentication $authentication, Configuration $confi
      * json
      */
     public function sync(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authenticationService->ensureCanRead();
 
         if (isset($_GET['since'])) {
             $params = $_GET;
@@ -113,7 +113,7 @@ public function sync(): void {
      * Items statuses bulk update.
      */
     public function updateStatuses(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         if (isset($_POST['updatedStatuses'])
             && is_array($_POST['updatedStatuses'])) {

src/controllers/Opml/Export.php

@@ -4,7 +4,7 @@
 
 namespace controllers\Opml;
 
-use helpers\Authentication;
+use helpers\Authentication\AuthenticationService;
 use helpers\Configuration;
 use helpers\SpoutLoader;
 use helpers\StringKeyedArray;
@@ -19,16 +19,16 @@
  * @author     Sean Rand <[email protected]>
  */
 class Export {
-    private Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private Configuration $configuration;
     private Logger $logger;
     private SpoutLoader $spoutLoader;
     private \XMLWriter $writer;
     private \daos\Sources $sourcesDao;
     private \daos\Tags $tagsDao;
 
-    public function __construct(Authentication $authentication, Configuration $configuration, Logger $logger, \daos\Sources $sourcesDao, SpoutLoader $spoutLoader, \daos\Tags $tagsDao, \XMLWriter $writer) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, Configuration $configuration, Logger $logger, \daos\Sources $sourcesDao, SpoutLoader $spoutLoader, \daos\Tags $tagsDao, \XMLWriter $writer) {
+        $this->authenticationService = $authenticationService;
         $this->configuration = $configuration;
         $this->logger = $logger;
         $this->sourcesDao = $sourcesDao;
@@ -79,7 +79,7 @@ private function writeSource(array $source): void {
      * @note Uses the selfoss namespace to store selfoss-specific information
      */
     public function export(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authenticationService->ensureIsPrivileged();
 
         $this->logger->debug('start OPML export');
         $this->writer->openMemory();