Merge branch 'master' into v2.0.0-dev

.github/workflows/php.yml

@@ -18,7 +18,7 @@ jobs:
 
         services:
             mariadb:
-                image: mariadb:latest
+                image: mariadb:10
                 ports:
                     - 3306:3306
                 env:

CHANGELOG.md

@@ -2,7 +2,19 @@
 
 ## dev
 
+- Enh: Keycloak auth client (e.luhr)
+- Fix: Social Network Auth (eluhr)
+
+## 1.6.2 Jan 4th, 2024
+
+- Fix: Two Factor Authentication - Filter - Blocks even when two factor authentication is enabled
+- Fix: update Dutch (nl) translations (squio)
 - Enh: possibility to limit the depth of the recursion when getting user ids from roles (mp1509)
+- Fix: UserSearch avoid fields name conflict if joined with other tables (liviuk2)
+- Fix: PasswordExpireService return false when user model attribute "password_changed_at" is already set at null.
+- Enh #524: Two Factor - Authenticator App - offer a "Can't scan?" fallback
+- Fix #530: Welcome email: reported Password is now HTML-encoded
+- Ehn: updated french translation by @arollmann
 
 ## 1.6.1 March 4th, 2023
 

docs/guides/social-network-authentication.md

@@ -46,6 +46,7 @@ The following is the list of clients supported by the module:
 - **Facebook** - `Da\User\AuthClient\Facebook`
 - **Github** - `Da\User\AuthClient\Github`
 - **Google** - `Da\User\AuthClient\Google`
+- **Keycloak** - `Da\User\AuthClient\Keycloak`
 - **LinkedIn** - `Da\User\AuthClient\LinkedIn`
 - **Twitter** - `Da\User\AuthClient\Twitter`
 - **VKontakte** - `Da\User\AuthClient\VKontakte`

docs/install/configuration-options.md

@@ -143,6 +143,15 @@ List of urls that does not require explicit data processing consent to be access
 Setting this attribute allows the registration process. If you set it to `false`, the module won't allow users to
 register by throwing a `NotFoundHttpException` if the `RegistrationController::actionRegister()` is accessed.
 
+#### enableSocialNetworkRegistration (type: `boolean`, default: `true`)
+
+Setting this attribute allows the registration process via social networks. If you set it to `false`, the module won't allow users to
+register.
+
+#### sendWelcomeMailAfterSocialNetworkRegistration (type: `boolean`, default: `true`)
+
+Setting this attribute controls wether a confirmation mail should be send or not.
+
 #### enableEmailConfirmation (type: `boolean`, default: `true`)
 
 If `true`, the module will send an email with a confirmation link that user needs to click through to complete its

src/User/AuthClient/Facebook.php

@@ -12,10 +12,14 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use yii\authclient\clients\Facebook as BaseFacebook;
 
 class Facebook extends BaseFacebook implements AuthClientInterface
 {
+
+    use AuthClientUserIdTrait;
+
     /**
      * {@inheritdoc}
      */

src/User/AuthClient/GitHub.php

@@ -12,10 +12,12 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use yii\authclient\clients\GitHub as BaseGitHub;
 
 class GitHub extends BaseGitHub implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
     /**
      * {@inheritdoc}
      */

src/User/AuthClient/Google.php

@@ -12,10 +12,12 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use yii\authclient\clients\Google as BaseGoogle;
 
 class Google extends BaseGoogle implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
     /**
      * {@inheritdoc}
      */

src/User/AuthClient/Keycloak.php

@@ -0,0 +1,55 @@
+<?php
+
+namespace Da\User\AuthClient;
+
+use Da\User\Contracts\AuthClientInterface;
+use yii\authclient\OpenIdConnect;
+
+/**
+ * Example application configuration:
+ *
+ * ```php
+ * 'components' => [
+ *     'authClientCollection' => [
+ *         'class' => 'yii\authclient\Collection',
+ *         'clients' => [
+ *             'keycloak' => [
+ *                 'class' => 'yii\authclient\clients\Keycloak',
+ *                 'clientId' => 'keycloak_client_id',
+ *                 'clientSecret' => 'keycloak_client_secret',
+ *                 'issuerUrl' => 'http://keycloak/realms/your-realm',
+ *             ],
+ *         ],
+ *     ]
+ *     // ...
+ * ]
+ * ```
+*/
+class Keycloak extends OpenIdConnect implements AuthClientInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getEmail()
+    {
+        // claim from email scope
+        return $this->getUserAttributes()['email'] ?? null;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserName()
+    {
+        // claim from profile scope
+        return $this->getUserAttributes()['preferred_username'] ?? $this->getEmail();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserId()
+    {
+        return $this->getUserAttributes()['sub'] ?? null;
+    }
+}

src/User/AuthClient/LinkedIn.php

@@ -12,10 +12,13 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use yii\authclient\clients\LinkedIn as BaseLinkedIn;
 
 class LinkedIn extends BaseLinkedIn implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
+
     /**
      * {@inheritdoc}
      */

src/User/AuthClient/Twitter.php

@@ -12,10 +12,13 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use yii\authclient\clients\Twitter as BaseTwitter;
 
 class Twitter extends BaseTwitter implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
+
     /**
      * @return string
      */

src/User/AuthClient/VKontakte.php

@@ -12,11 +12,14 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use Yii;
 use yii\authclient\clients\VKontakte as BaseVKontakte;
 
 class VKontakte extends BaseVKontakte implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
+
     /**
      * {@inheritdoc}
      */

src/User/AuthClient/Yandex.php

@@ -12,11 +12,14 @@
 namespace Da\User\AuthClient;
 
 use Da\User\Contracts\AuthClientInterface;
+use Da\User\Traits\AuthClientUserIdTrait;
 use Yii;
 use yii\authclient\clients\Yandex as BaseYandex;
 
 class Yandex extends BaseYandex implements AuthClientInterface
 {
+    use AuthClientUserIdTrait;
+
     /**
      * {@inheritdoc}
      */

src/User/Contracts/AuthClientInterface.php

@@ -14,8 +14,9 @@
 use yii\authclient\ClientInterface;
 
 /**
- * @property-read string $email
- * @property-read string $username
+ * @property-read string|null $email
+ * @property-read string|null $userName
+ * @property-read mixed|null $userId
  */
 interface AuthClientInterface extends ClientInterface
 {
@@ -28,4 +29,9 @@ public function getEmail();
      * @return string|null username
      */
     public function getUserName();
+
+    /**
+     * @return mixed|null user id
+     */
+    public function getUserId();
 }

src/User/Controller/RegistrationController.php

@@ -17,6 +17,7 @@
 use Da\User\Factory\MailFactory;
 use Da\User\Form\RegistrationForm;
 use Da\User\Form\ResendForm;
+use Da\User\Helper\SecurityHelper;
 use Da\User\Model\SocialNetworkAccount;
 use Da\User\Model\User;
 use Da\User\Query\SocialNetworkAccountQuery;
@@ -152,6 +153,10 @@ public function actionRegister()
      */
     public function actionConnect($code)
     {
+        if (!$this->module->enableSocialNetworkRegistration) {
+            throw new NotFoundHttpException();
+        }
+
         /** @var SocialNetworkAccount $account */
         $account = $this->socialNetworkAccountQuery->whereCode($code)->one();
         if ($account === null || $account->getIsConnected()) {
@@ -171,7 +176,11 @@ public function actionConnect($code)
         if ($user->load(Yii::$app->request->post()) && $user->validate()) {
             $this->trigger(SocialNetworkConnectEvent::EVENT_BEFORE_CONNECT, $event);
 
-            $mailService = MailFactory::makeWelcomeMailerService($user);
+            if ($this->module->sendWelcomeMailAfterSocialNetworkRegistration) {
+                $mailService = MailFactory::makeWelcomeMailerService($user);
+            } else {
+                $mailService = null;
+            }
             if ($this->make(UserCreateService::class, [$user, $mailService])->run()) {
                 $account->connect($user);
                 $this->trigger(SocialNetworkConnectEvent::EVENT_AFTER_CONNECT, $event);

src/User/Controller/SettingsController.php

@@ -473,7 +473,7 @@ public function actionTwoFactor($id)
         switch ($choice) {
             case 'google-authenticator':
                 $uri = $this->make(TwoFactorQrCodeUriGeneratorService::class, [$user])->run();
-                return $this->renderAjax('two-factor', ['id' => $id, 'uri' => $uri]);
+                return $this->renderAjax('two-factor', ['id' => $id, 'uri' => $uri, 'user' => $user]);
             case 'email':
                 $emailCode = $this->make(TwoFactorEmailCodeGeneratorService::class, [$user])->run();
                 return $this->renderAjax('two-factor-email', ['id' => $id, 'code' => $emailCode]);

src/User/Filter/TwoFactorAuthenticationEnforceFilter.php

@@ -38,8 +38,10 @@ public function beforeAction($action)
         }
 
         $permissions = $module->twoFactorAuthenticationForcedPermissions;
-        $itemsByUser = array_keys($this->getAuthManager()->getItemsByUser(Yii::$app->user->identity->id));
-        if (!empty(array_intersect($permissions, $itemsByUser))) {
+
+        $user = Yii::$app->user->identity;
+        $itemsByUser = array_keys($this->getAuthManager()->getItemsByUser($user->id));
+        if (!empty(array_intersect($permissions, $itemsByUser)) && !$user->auth_tf_enabled) {
             Yii::$app->session->setFlash('warning', Yii::t('usuario', 'Your role requires 2FA, you won\'t be able to use the application until you enable it'));
             return Yii::$app->response->redirect(['/user/settings/account'])->send();
         }

src/User/Module.php

@@ -117,6 +117,14 @@ class Module extends BaseModule
      * @var bool whether to allow registration process or not
      */
     public $enableRegistration = true;
+    /**
+     * @var bool whether to allow registration process for social network or not
+     */
+    public $enableSocialNetworkRegistration = true;
+    /**
+     * @var bool whether to send a welcome mail after the registration process for social network
+     */
+    public $sendWelcomeMailAfterSocialNetworkRegistration = true;
     /**
      * @var bool whether to force email confirmation to
      */

src/User/Query/SocialNetworkAccountQuery.php

@@ -26,7 +26,7 @@ public function whereClient(AuthClientInterface $client)
         return $this->andWhere(
             [
                 'provider' => $client->getId(),
-                'client_id' => (string)$client->getUserAttributes()['id'],
+                'client_id' => (string)$client->getUserId(),
             ]
         );
     }

src/User/Search/UserSearch.php

@@ -11,14 +11,18 @@
 
 namespace Da\User\Search;
 
+use Da\User\Model\User;
 use Da\User\Query\UserQuery;
+use Da\User\Traits\ContainerAwareTrait;
 use Yii;
 use yii\base\InvalidParamException;
 use yii\base\Model;
 use yii\data\ActiveDataProvider;
 
 class UserSearch extends Model
 {
+    use ContainerAwareTrait;
+
     /**
      * @var string
      */
@@ -106,21 +110,23 @@ public function search($params)
             return $dataProvider;
         }
 
+        $userClass = $this->getClassMap()->get(User::class);
+
         if ($this->created_at !== null) {
             $date = strtotime($this->created_at);
-            $query->andFilterWhere(['between', 'created_at', $date, $date + 3600 * 24]);
+            $query->andFilterWhere(['between', $userClass::tableName().'.created_at', $date, $date + 3600 * 24]);
         }
 
         if ($this->last_login_at !== null) {
             $date = strtotime($this->last_login_at);
-            $query->andFilterWhere(['between', 'last_login_at', $date, $date + 3600 * 24]);
+            $query->andFilterWhere(['between', $userClass::tableName().'.last_login_at', $date, $date + 3600 * 24]);
         }
 
         $query
-            ->andFilterWhere(['like', 'username', $this->username])
-            ->andFilterWhere(['like', 'email', $this->email])
-            ->andFilterWhere(['registration_ip' => $this->registration_ip])
-            ->andFilterWhere(['last_login_ip' => $this->last_login_ip]);
+            ->andFilterWhere(['like', $userClass::tableName().'.username', $this->username])
+            ->andFilterWhere(['like', $userClass::tableName().'.email', $this->email])
+            ->andFilterWhere([$userClass::tableName().'.registration_ip' => $this->registration_ip])
+            ->andFilterWhere([$userClass::tableName().'.last_login_ip' => $this->last_login_ip]);
 
         return $dataProvider;
     }

src/User/Service/MailService.php

@@ -83,11 +83,16 @@ public function getType()
      */
     public function run()
     {
-        return $this->mailer
+        $result = $this->mailer
             ->compose(['html' => $this->view, 'text' => "text/{$this->view}"], $this->params)
             ->setFrom($this->from)
             ->setTo($this->to)
             ->setSubject($this->subject)
             ->send();
+
+        if (!$result) {
+            Yii::error("Email sending failed to '{$this->to}'.", 'mailer');
+        }
+        return $result;
     }
 }

src/User/Service/PasswordExpireService.php

@@ -25,8 +25,9 @@ public function __construct(User $model)
 
     public function run()
     {
-        return $this->model->updateAttributes([
+        $this->model->updateAttributes([
             'password_changed_at' => null,
         ]);
+        return true;
     }
 }

src/User/Service/SocialNetworkAccountConnectService.php

@@ -83,7 +83,7 @@ protected function getSocialNetworkAccount()
                 [],
                 [
                     'provider' => $this->client->getId(),
-                    'client_id' => $data['id'],
+                    'client_id' => $this->client->getUserId(),
                     'data' => json_encode($data),
                 ]
             );