Oliver/loreal-global-kickoff
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
loreal-global-kickoff/auth.php
Vadym Samoilenko 9036bafc0d Log every user login to Activity Logs 
Track all logins (not just first) via ApplicationLogger user_login action.
Add User Login filter option to logs-viewer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 20:54:07 +00:00

90 lines
2.9 KiB
PHP
Raw Blame History

<?php
/**
* OAuth Callback Handler
* Handles Azure AD MSAL authentication flow
*
* POST /auth.php?action=login — receives idToken, validates, sets cookie
* GET /auth.php?action=logout — clears cookie, redirects to index
* GET /auth.php — redirects to index (MSAL redirect_uri target)
*/
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/JWTValidator.php';
require_once __DIR__ . '/UserRoleManager.php';
require_once __DIR__ . '/ApplicationLogger.php';
$config = require __DIR__ . '/config.php';
$action = $_GET['action'] ?? '';
// POST login — validate idToken, set auth cookie
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $action === 'login') {
header('Content-Type: application/json');
$body = json_decode(file_get_contents('php://input'), true);
$token = $body['token'] ?? '';
if (empty($token)) {
http_response_code(400);
echo json_encode(['success' => false, 'message' => 'Token is required']);
exit;
}
$validator = new JWTValidator(
$config['sso']['tenant_id'],
$config['sso']['client_id']
);
$result = $validator->validate($token);
if (!$result['valid']) {
http_response_code(401);
echo json_encode(['success' => false, 'message' => $result['error'] ?? 'Invalid token']);
exit;
}
// Register user role on first login (auto-promotes admin_emails)
$email = strtolower($result['claims']['preferred_username'] ?? $result['claims']['upn'] ?? '');
$name = $result['claims']['name'] ?? $email;
$roleManager = new UserRoleManager();
$role = $email ? $roleManager->getRole($email) : 'user';
// Log every login to Activity Logs
$logger = new ApplicationLogger();
$logger->log('user_login', ['email' => $email, 'name' => $name], [
'role' => $role,
'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown'
]);
// Store the raw idToken in a secure HttpOnly cookie (24h)
$cookieOptions = [
'expires' => time() + (24 * 60 * 60),
'path' => '/',
'domain' => '',
'secure' => isset($_SERVER['HTTPS']),
'httponly' => true,
'samesite' => 'Lax'
];
setcookie('auth_token', $token, $cookieOptions);
echo json_encode(['success' => true]);
exit;
}
// GET logout — clear cookie, redirect
if ($_SERVER['REQUEST_METHOD'] === 'GET' && $action === 'logout') {
setcookie('auth_token', '', time() - 3600, '/');
unset($_COOKIE['auth_token']);
// Build Azure AD logout URL
$tenantId = $config['sso']['tenant_id'];
$postLogoutRedirect = urlencode('https://ai-sandbox.oliver.solutions/loreal-global-kickoff');
$logoutUrl = "https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri={$postLogoutRedirect}";
header('Location: ' . $logoutUrl);
exit;
}
// GET default — redirect to index (handles MSAL redirect_uri)
header('Location: index.php');
exit;
Reference in a new issue View git blame Copy permalink