Rework Authentication into separate services

NEWS.md

@@ -40,6 +40,9 @@
 - Source filters are stricter, they need to start and end with a `/`. ([#1423](https://github.com/fossar/selfoss/pull/1423))
 - OPML importer has been merged into the React client. ([#1442](https://github.com/fossar/selfoss/pull/1442))
 - Web requests will send `Accept-Encoding` header. ([#1482](https://github.com/fossar/selfoss/pull/1482))
+- Authentication system has been rewritten to allow more methods in the future. ([#1491](https://github.com/fossar/selfoss/pull/1491))
+- Authentication will now also log user out when the credentials in the config change. ([#1491](https://github.com/fossar/selfoss/pull/1491))
+- Requests from loopback IP address now give full access to all operations, not just update. Additionally, IPv6 loopback address is recognized and proxies are ignored. ([#1491](https://github.com/fossar/selfoss/pull/1491))
 
 #### For developers
 - Back-end source code is now checked using [PHPStan](https://phpstan.org/). ([#1409](https://github.com/fossar/selfoss/pull/1409))

src/common.php

@@ -69,6 +69,15 @@ function boot_error(string $message) {
     ->register(helpers\Authentication::class)
     ->setShared(true)
 ;
+
+$container
+    ->register(
+        helpers\Authentication\AuthenticationService::class,
+        [new Slince\Di\Reference(helpers\Authentication\AuthenticationFactory::class), 'create']
+    )
+    ->setShared(true)
+;
+
 $container
     ->register(helpers\Session::class)
     ->setShared(true)

src/controllers/About.php

@@ -54,7 +54,7 @@ public function about(): void {
                 'htmlTitle' => trim($this->configuration->htmlTitle), // string
                 'allowPublicUpdate' => $this->configuration->allowPublicUpdateAccess, // bool
                 'publicMode' => $this->configuration->public, // bool
-                'authEnabled' => $this->authentication->enabled() === true, // bool
+                'authEnabled' => $this->authentication->enabled(), // bool
                 'readingSpeed' => $this->configuration->readingSpeedWpm > 0 ? $this->configuration->readingSpeedWpm : null, // ?int
                 'language' => $this->configuration->language === '0' ? null : $this->configuration->language, // ?string
                 'userCss' => file_exists(BASEDIR . '/user.css') ? filemtime(BASEDIR . '/user.css') : null, // ?int

src/controllers/Authentication.php

@@ -4,18 +4,18 @@
 
 namespace controllers;
 
-use helpers;
+use helpers\Authentication\AuthenticationService;
 use helpers\View;
 
 /**
  * Controller for user related tasks
  */
 class Authentication {
-    private helpers\Authentication $authentication;
+    private AuthenticationService $authenticationService;
     private View $view;
 
-    public function __construct(helpers\Authentication $authentication, View $view) {
-        $this->authentication = $authentication;
+    public function __construct(AuthenticationService $authenticationService, View $view) {
+        $this->authenticationService = $authenticationService;
         $this->view = $view;
     }
 
@@ -26,17 +26,11 @@ public function __construct(helpers\Authentication $authentication, View $view)
     public function login(): void {
         $error = null;
 
-        if (isset($_REQUEST['username'])) {
-            $username = $_REQUEST['username'];
-        } else {
-            $username = '';
+        if (!isset($_REQUEST['username'])) {
             $error = 'no username given';
         }
 
-        if (isset($_REQUEST['password'])) {
-            $password = $_REQUEST['password'];
-        } else {
-            $password = '';
+        if (!isset($_REQUEST['password'])) {
             $error = 'no password given';
         }
 
@@ -47,7 +41,8 @@ public function login(): void {
             ]);
         }
 
-        if ($this->authentication->login($username, $password)) {
+        // The function automatically checks the request for credentials.
+        if ($this->authenticationService->isPrivileged()) {
             $this->view->jsonSuccess([
                 'success' => true,
             ]);
@@ -64,7 +59,7 @@ public function login(): void {
      * json
      */
     public function logout(): void {
-        $this->authentication->logout();
+        $this->authenticationService->destroy();
         $this->view->jsonSuccess([
             'success' => true,
         ]);

src/controllers/Helpers/HashPassword.php

@@ -24,7 +24,7 @@ public function __construct(Authentication $authentication, View $view) {
      * json
      */
     public function hash(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         if (!isset($_POST['password'])) {
             $this->view->jsonError([

src/controllers/Index.php

@@ -60,7 +60,7 @@ public function home(): void {
             return;
         }
 
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         // load tags
         $tags = $this->tagsDao->getWithUnread();

src/controllers/Items.php

@@ -44,7 +44,7 @@ public function __construct(
      * @param ?string $itemId ID of item to mark as read
      */
     public function mark(?string $itemId = null): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $ids = null;
         if ($itemId !== null) {
@@ -84,7 +84,7 @@ public function mark(?string $itemId = null): void {
      * @param string $itemId id of an item to mark as unread
      */
     public function unmark(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -106,7 +106,7 @@ public function unmark(string $itemId): void {
      * @param string $itemId id of an item to starr
      */
     public function starr(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -127,7 +127,7 @@ public function starr(string $itemId): void {
      * @param string $itemId id of an item to unstarr
      */
     public function unstarr(string $itemId): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         try {
             $itemId = Misc::forceId($itemId);
@@ -146,7 +146,7 @@ public function unstarr(string $itemId): void {
      * json
      */
     public function listItems(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         // parse params
         $options = new ItemOptions($_GET);

src/controllers/Items/Stats.php

@@ -30,7 +30,7 @@ public function __construct(Authentication $authentication, \daos\Items $itemsDa
      * json
      */
     public function stats(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         $stats = $this->itemsDao->stats();
 

src/controllers/Items/Sync.php

@@ -39,7 +39,7 @@ public function __construct(Authentication $authentication, Configuration $confi
      * json
      */
     public function sync(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         if (isset($_GET['since'])) {
             $params = $_GET;
@@ -113,7 +113,7 @@ public function sync(): void {
      * Items statuses bulk update.
      */
     public function updateStatuses(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         if (isset($_POST['updatedStatuses'])) {
             $updatedStatuses = $_POST['updatedStatuses'];

src/controllers/Opml/Export.php

@@ -79,7 +79,7 @@ private function writeSource(array $source): void {
      * @note Uses the selfoss namespace to store selfoss-specific information
      */
     public function export(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $this->logger->debug('start OPML export');
         $this->writer->openMemory();

src/controllers/Opml/Import.php

@@ -42,7 +42,7 @@ public function __construct(Authentication $authentication, Logger $logger, \dao
      * @note Borrows from controllers/Sources.php:write
      */
     public function add(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         http_response_code(400);
 

src/controllers/Rss.php

@@ -38,13 +38,13 @@ public function __construct(Authentication $authentication, Configuration $confi
      * rss feed
      */
     public function rss(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         $this->feedWriter->setTitle($this->configuration->rssTitle);
         $this->feedWriter->setChannelElement('description', '');
-        $this->feedWriter->setSelfLink($this->view->base . 'feed');
+        $this->feedWriter->setSelfLink($this->view->getBaseUrl() . 'feed');
 
-        $this->feedWriter->setLink($this->view->base);
+        $this->feedWriter->setLink($this->view->getBaseUrl());
 
         // get sources
         $lastSourceId = 0;

src/controllers/Sources.php

@@ -37,7 +37,7 @@ public function __construct(Authentication $authentication, \daos\Sources $sourc
      * json
      */
     public function show(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         // get available spouts
         $spouts = $this->spoutLoader->all();
@@ -61,7 +61,7 @@ public function show(): void {
      * json
      */
     public function add(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $spouts = $this->spoutLoader->all();
 
@@ -75,7 +75,7 @@ public function add(): void {
      * json
      */
     public function params(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         if (!isset($_GET['spout'])) {
             $this->view->error('no spout type given');
@@ -102,7 +102,7 @@ public function params(): void {
      * @param string $id ID of source to remove
      */
     public function remove(string $id): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         try {
             $id = Misc::forceId($id);
@@ -126,7 +126,7 @@ public function remove(string $id): void {
      * json
      */
     public function listSources(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         // load sources
         $sources = $this->sourcesDao->getWithIcon();
@@ -145,7 +145,7 @@ public function listSources(): void {
      * json
      */
     public function spouts(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $spouts = $this->spoutLoader->all();
         $this->view->jsonSuccess($spouts);
@@ -156,7 +156,7 @@ public function spouts(): void {
      * json
      */
     public function stats(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         // load sources
         $sources = $this->sourcesDao->getWithUnread();

src/controllers/Sources/Write.php

@@ -51,7 +51,7 @@ public function __construct(
      * @param ?string $id ID of source to update, or null to create a new one
      */
     public function write(?string $id = null): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $data = $this->request->getData();
 

src/controllers/Tags.php

@@ -70,7 +70,7 @@ public function tagsAddColors(array $itemTags, ?array $tags = null): StringKeyed
      * set tag color
      */
     public function color(): void {
-        $this->authentication->needsLoggedIn();
+        $this->authentication->ensureIsPrivileged();
 
         $data = $this->request->getData();
 
@@ -101,7 +101,7 @@ public function color(): void {
      * html
      */
     public function listTags(): void {
-        $this->authentication->needsLoggedInOrPublicMode();
+        $this->authentication->ensureCanRead();
 
         $tags = $this->tagsDao->getWithUnread();