<?php
/*
Plugin Name: Google Authentication
Plugin URI: https://github.com/8thwall/google-auth-yourls
Description: This plugin enables authentication against Google
Version: 1.0
Author: Tony Tomarchio (atomarch)
Author URI: http://www.8thwall.com, http://www.tomarchio.cc
*/
// Refuse to run unless YOURLS itself loaded this file: a direct HTTP request to
// plugin.php never has YOURLS_ABSPATH defined, so it stops here.
defined('YOURLS_ABSPATH') || die();
/* Assumes that you have already downloaded and installed the
* Google APIs Client Library for PHP and it's in the same directory.
* See https://github.com/google/google-api-php-client for install instructions.
* Include your composer dependencies:
*/
require_once __DIR__ . '/vendor/autoload.php';
/* The function yourls_is_valid_user() in includes/functions-auth.php checks for a valid user via the login
 * form or stored cookie. The 'shunt_is_valid_user' filter allows plugins such as this one to short-circuit
 * the entire function.
 */
/* This says: when filter 'shunt_is_valid_user' is triggered, execute function 'atomarch_google_auth'
 * and send back its return value. Filters should always have a return value.
 *
 * Security note: because this callback can replace the built-in login check, every path through
 * atomarch_google_auth() is an access-control decision. A path that returns nothing leaves the
 * outcome to whatever yourls_is_valid_user() does next (not shown in this file -- TODO confirm).
 */
yourls_add_filter('shunt_is_valid_user', 'atomarch_google_auth');
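/**
 * Filter callback for 'shunt_is_valid_user': gate YOURLS behind a Google OAuth 2.0 login.
 *
 * Flow:
 *  - A session that already holds an access token is accepted (returns true).
 *  - A request without ?code= is redirected to Google's consent screen.
 *  - A request with ?code= (the OAuth callback) must carry the `state` value issued
 *    for this session; the code is then exchanged for a token, the account's domain
 *    is checked, and the browser is sent to the admin URL.
 *
 * NOTE(review): the "redirect to Google" branch returns null, as the original did.
 * What YOURLS does with a null filter result is decided in yourls_is_valid_user(),
 * which is not part of this file -- confirm whether its built-in login stays
 * reachable in that case and whether that is intended.
 *
 * @return true|null true when the session is already authenticated; null once the
 *                   redirect to Google has been queued. All other paths end the request.
 */
function atomarch_google_auth() {
    // The filter may fire more than once per request; only start a session if none is active.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    $client = new Google_Client();
    $client->addScope('profile');
    $client->addScope('email');
    // NOTE(review): 'offline' asks Google for a refresh token, yet nothing in this file
    // uses one; consider whether a long-lived credential needs to be requested at all.
    $client->setAccessType('offline');
    // See https://developers.google.com/api-client-library/php/auth/web-app to create
    // an OAuth 2.0 client ID, and download the resulting JSON file.
    // This assumes that client_secrets.json resides in the same directory as plugin.php.
    // That file contains the OAuth client secret: if the plugin directory is served by
    // the web server, make sure direct requests for it are denied.
    $client->setAuthConfig(dirname(__FILE__) . '/client_secrets.json');
    $client->setRedirectUri(yourls_admin_url());

    if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
        // User has already authenticated against Google with an approved domain.
        // NOTE(review): any truthy session value is accepted here; the stored token is
        // neither re-validated nor checked for expiry on later requests.
        return true;
    }

    if (!isset($_GET['code'])) {
        // Bind this login attempt to the current session so that a callback URL
        // prepared in another browser cannot be replayed here (OAuth `state`).
        // random_bytes() requires PHP 7 or later.
        $state = bin2hex(random_bytes(16));
        $_SESSION['oauth_state'] = $state;
        $client->setState($state);

        // Redirect the user to Google's OAuth 2.0 server to enter their credentials.
        $auth_url = $client->createAuthUrl();
        header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
        return null;
    }

    // --- OAuth callback: everything in $_GET is untrusted from here on. ---

    // The state value is single-use: read it, then drop it before any comparison.
    $expected_state = isset($_SESSION['oauth_state']) ? $_SESSION['oauth_state'] : '';
    unset($_SESSION['oauth_state']);
    $given_state = (isset($_GET['state']) && is_string($_GET['state'])) ? $_GET['state'] : '';
    if (!is_string($expected_state) || $expected_state === '' || !hash_equals($expected_state, $given_state)) {
        yourls_e("invalid state");
        die();
    }

    // Reject non-string values such as ?code[]=... before handing them to the client library.
    if (!is_string($_GET['code'])) {
        yourls_e("invalid token");
        die();
    }

    // Exchange the authorization code for an access token.
    $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
    if (!is_array($token) || !array_key_exists('access_token', $token)) {
        yourls_e("invalid token");
        die();
    }

    // Issue a fresh session id at the moment of login so that an id known before
    // authentication does not carry over into the authenticated session.
    session_regenerate_id(true);

    // atomarch_check_domain() reads the token from the session, so it is stored first.
    // The finally block guarantees it is removed again unless the check explicitly
    // passed -- including when the user-info lookup throws -- so a failed check can
    // never leave an authenticated session behind.
    $_SESSION['access_token'] = $token;
    $domain_ok = false;
    try {
        $domain_ok = (atomarch_check_domain($client) === true);
    } finally {
        if (!$domain_ok) {
            unset($_SESSION['access_token']);
        }
    }

    if (!$domain_ok) {
        $client->revokeToken();
        yourls_e("User from Unauthorized Domain.");
        die();
    }

    // Login complete: send the browser back to the admin page and stop, so nothing
    // else runs for the callback request (which still has ?code= in its URL).
    $redirect_uri = yourls_admin_url();
    header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
    die();
}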
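/**
 * Decide whether the signed-in Google account belongs to an approved e-mail domain.
 *
 * @param Google_Client $google_client Client used to query the account's user info.
 * @return bool true when "*" is configured or the account's e-mail domain is listed;
 *              false otherwise, including when the session holds no access token or
 *              no usable e-mail address is returned.
 */
function atomarch_check_domain($google_client) {
    // List of domains that have permission to log in. Use "*" to allow any Google account.
    // SECURITY: the shipped default "*" lets every Google account pass this check.
    // Replace it with your own domain list before exposing the installation.
    //$APPROVED_DOMAINS = array("domain1.com", "domain2.com");
    $APPROVED_DOMAINS = array("*");

    if (in_array("*", $APPROVED_DOMAINS, true)) {
        return true;
    }

    // Fail closed: without a token in the session there is no account to vouch for.
    // (Previously this path fell off the end and returned null, which a
    // `=== false` comparison in the caller does not treat as a rejection.)
    if (!isset($_SESSION['access_token']) || !$_SESSION['access_token']) {
        return false;
    }

    $google_oauthV2 = new Google_Service_Oauth2($google_client);
    $user_info = $google_oauthV2->userinfo->get();

    // NOTE(review): only the e-mail address is inspected; consider also requiring
    // that Google reports the address as verified before trusting its domain.
    $email = $user_info['email'];
    $at_and_domain = is_string($email) ? strrchr($email, "@") : false;
    if ($at_and_domain === false) {
        // No e-mail address, or one without "@": nothing to match against the list.
        return false;
    }

    // Domain names are case-insensitive, so compare in lower case, strictly.
    $user_domain = strtolower(substr($at_and_domain, 1));
    return in_array($user_domain, array_map('strtolower', $APPROVED_DOMAINS), true);
}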