From d8c484d3878638def6cd624dac5511011edeb2bd Mon Sep 17 00:00:00 2001
From: "J. King" <jking@jkingweb.ca>
Date: Tue, 10 Sep 2019 00:02:11 -0400
Subject: [PATCH] Partial implementation of IndieAuth authorization

---
 lib/REST/Microsub/Auth.php | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/lib/REST/Microsub/Auth.php b/lib/REST/Microsub/Auth.php
index c4e7f07..087b50e 100644
--- a/lib/REST/Microsub/Auth.php
+++ b/lib/REST/Microsub/Auth.php
@@ -6,6 +6,7 @@
 declare(strict_types=1);
 namespace JKingWeb\Arsse\REST\Microsub;
 
+use JKingWeb\Arsse\Arsse;
 use JKingWeb\Arsse\Misc\URL;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
@@ -33,16 +34,22 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
         }
     }
 
-    protected function doDiscovery(string $user, ServerRequestInterface $req): ResponseInterface {
+    protected function buildIdentifier(ServerRequestInterface $req, bool $baseOnly = false): string {
         // construct the base user identifier URL; the user is never checked against the database
-        // as this route is publicly accessible, for reasons of privacy requests for user discovery work regardless of whether the user exists
         $s = $req->getServerParams();
+        $path = $req->getRequestTarget()['path'];
         $https = (strlen($s['HTTPS'] ?? "") && $s['HTTPS'] !== "off");
         $port = (int) $s['SERVER_PORT'];
         $port = (!$port || ($https && $port == 443) || (!$https && $port == 80)) ? "" : ":$port";
         $base = URL::normalize(($https ? "https" : "http")."://".$s['HTTP_HOST'].$port."/");
-        $id = $base."u/".rawurlencode($user);
+        return !$baseOnly ? URL::normalize($base.$path) : $base;
+    }
+
+    protected function doDiscovery(string $user, ServerRequestInterface $req): ResponseInterface {
+        // as this route is publicly accessible, for reasons of privacy requests for user discovery work regardless of whether the user exists
         // prepare authroizer, token, and Microsub endpoint URLs
+        $base = $this->buildIdentifier($req, true);
+        $id = $this->buildIdentifier($req);
         $urlAuth = $id."?proc=login";
         $urlToken = $id."?proc=issue";
         $urlService = $base."microsub";
@@ -54,4 +61,22 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
             "Link: <$urlService>; rel=\"microsub\"",
         ]);
     }
+
+    protected function doLogin(string $user, ServerRequestInterface $req): ResponseInterface {
+        if (!$req->getAttribute("authenticated", false)) {
+            // user has not yet logged in, or has failed to log in
+            return new EmptyResponse(401);
+        } else {
+            // user has logged in
+            // ensure the logged-in user matches the IndieAuth identifier URL
+            $id = $req->getAttribute("authenticatedUser");
+            $query = $req->getQueryParams();
+            $url = buildIdentifier($req);
+            if ($user !== $id || URL::normalize($query['me']) !== $url) {
+                return new EmptyResponse(403);
+            } else {
+                // redirect
+            }
+        }
+    }
 }