FuelPHPã§opauthを使ã£ã¦è‰²ã‚“ãªãƒã‚°ã‚¤ãƒ³ã«å¯¾å¿œã—ã¦ã¿ãŸ
FuelPHPã§opauthを使ã£ã¦è‰²ã‚“ãªãƒã‚°ã‚¤ãƒ³ã«å¯¾å¿œã—ã¦ã¿ã¾ã—ãŸã€‚
ãƒã‚°ã‚¤ãƒ³ã®ãƒ‘ターンã¯
1.通常ã®usernameã¨passwordã®ãƒã‚°ã‚¤ãƒ³
2.Twitterã®oauthãƒã‚°ã‚¤ãƒ³
3.Facebookã®oauthãƒã‚°ã‚¤ãƒ³
ã§ã™ã€‚
Twitterã¨Facebookã®ãƒã‚°ã‚¤ãƒ³ã«ã¤ã„ã¦ã¯fuel-opauthを使ã£ã¦ã„ã¾ã™ãŒã€こちらの参考ブログ記事ã«ã‚‚記載ã•ã‚Œã¦ã„る通りnamespaceã®è¨å®šã«ä¸å…·åˆãŒã‚ã‚‹ãŸã‚githubã§forkã—ãŸã‚‚ã®ã‚’submodule化ã—ã¦ã„ã¾ã™ã€‚
本家 https://github.com/andreoav/fuel-opauth本家
修正版 https://github.com/letsspeak/fuel-opauth
今回作æˆã—ãŸã‚Šå¤‰æ›´ã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ã¯ä¸€é€šã‚Šgistã«ã‚‚アップãƒãƒ¼ãƒ‰ã—ã¦ã„ã¾ã™ã€‚
ä¸å…·åˆã¯ã„ã¤ã‚‚通り触りãªãŒã‚‰ä¿®æ£ã—ã¦ã„ã“ã†ã‹ã¨æ€ã£ã¦ã„ã¾ã™ãŒã€å•é¡Œç‚¹ãªã©ã‚ã‚Šã¾ã—ãŸã‚‰ãŠæ°—軽ã«ã”連絡ãã ã•ã„。
gist
https://gist.github.com/letsspeak/5229245
fuel-opauthã®submodule化
git submodule add https://github.com/letsspeak/fuel-opauth.git fuel/app/packages/opauth/
TIPS
githubã‹ã‚‰https://ã§submodule化ã—ãŸå ´åˆã€å†…容ã®å¤‰æ›´ãŒç™ºç”Ÿã—ãŸã¨ãã®push時ã«ä¸‹è¨˜ä¿®æ£ãŒå¿…è¦ãªã®ã§æ³¨æ„。
fuel/packages/opauth/.git/config
- url = https://github.com/letsspeak/fuel-opauth + url = ssh://[email protected]/letsspeak/fuel-opauth.git
opauth.phpã®è¨å®š
ソルトã¨Twitter/Facebookã®é–‹ç™ºè€…用ã®ã‚ーを登録ã™ã‚‹ã€‚
fuel/app/config/opauth.php
<?php namespace Opauth; return array( 'path' => '/auth/login/', 'callback_url' => '/auth/callback/', 'security_salt' => 'ランダムãªæ–‡å—列を生æˆã—ã¦ç™»éŒ²ã™ã‚‹', 'Strategy' => array( 'Facebook' => array( 'app_id' => 'Facebookã§å–å¾—ã—ãŸã‚¢ãƒ—リID / APIã‚ー', 'app_secret' => 'Facebookã§å–å¾—ã—ãŸã‚¢ãƒ—リã®ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚ー' ), 'Twitter' => array( 'key' => 'Consumer key', 'secret' => 'Consumer secret' ), ), );
User/TwitterUser/FacebookUserを作æˆ
oil g model user name:string password:string nickname:string email:string last_login:int oil g model twitteruser uid:string token:string secret:string user_id:int oil g model facebookuser uid:string token:string expires:int user_id:int
マイグレーションã®å¤‰æ›´ç‚¹
ストレージエンジンã¯å…¨ã¦InnoDBã«å¤‰æ›´ã€‚
Userã§ä¸€å…ƒç®¡ç†ã™ã‚‹ã“ã¨ã‚’想定ã—ã¦User->last_login以外ã¯ã™ã¹ã¦'null'=>trueã«è¨å®šã€‚
モデルクラスåã‚’Model_TwitterUserã«å¤‰æ›´ã—ãŸã„ã®ã§ãƒ†ãƒ¼ãƒ–ルåã‚’twitter_usersã«å¤‰æ›´ã€‚
モデルクラスåã‚’Model_FacebookUserã«å¤‰æ›´ã—ãŸã„ã®ã§ãƒ†ãƒ¼ãƒ–ルåã‚’facebook_usersã«å¤‰æ›´ã€‚
モデルã®å¤‰æ›´ç‚¹
モデルクラスåã‚’ãã‚Œãžã‚ŒModel_TwitterUserã€Model_FacebookUserã«å¤‰æ›´ã€‚
Model_Userã€Model_TwitterUserã€Model_FacebookUserã®ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³è¿½åŠ 。
authコントãƒãƒ¼ãƒ©ãƒ¼ã‚’作æˆ
通常ãƒã‚°ã‚¤ãƒ³æ™‚ã¯å¼•æ•°ç„¡ã—㧠/auth/login/ã«POSTã™ã‚‹ã€‚
Twitterãƒã‚°ã‚¤ãƒ³æ™‚ã¯/auth/login/twitter/ã‚’å©ã。
Facebookãƒã‚°ã‚¤ãƒ³æ™‚ã¯/auth/login/facebook/ã‚’å©ã。
fuel/app/classes/controller/auth.php
<?php class Controller_Auth extends Controller { private $_config = null; private $_salt_length = null; private $_iteration_count = null; public function before() { if(!isset($this->_config)) { $this->_config = Config::load('opauth', 'opauth'); } $this->_salt_length = 32; $this->_iteration_count = 10; } // auth/login/* public function action_login($_provider = null, $method = null) { // 引数無ã—時ã¯é€šå¸¸ãƒã‚°ã‚¤ãƒ³ if (is_null($_provider)) return $this->normal_login(); // http://domainname/auth/login/twitter/oauth_callback?denied=signature if ($method === 'oauth_callback') { if (Input::get('denied')){ return $this->login_failed(); } } if(array_key_exists(Inflector::humanize($_provider), Arr::get($this->_config, 'Strategy'))) { $_oauth = new Opauth($this->_config, true); } else { return $this->login_failed(); } } // 通常ãƒã‚°ã‚¤ãƒ³ public function normal_login() { $username = Input::post('username'); $password = Input::post('password'); // ユーザーåã¨ãƒ‘スワード空欄時ã¯ãƒã‚°ã‚¤ãƒ³ãƒ•ã‚©ãƒ¼ãƒ を表示ã™ã‚‹ if (is_null($username) and is_null($password)) { return Response::forge(View::forge('auth/form')); } // èªè¨¼ $query = Model_User::query()->where('name', $username); if ($query->count() === 0){ // èªè¨¼ã‚¨ãƒ©ãƒ¼ $this->login_failed(); } // パスワードã®ãƒãƒƒã‚·ãƒ¥åŒ– $user = $query->get_one(); $salt = substr($user->password, 0, $this->_salt_length); $enc_password = $salt.$password; for ($i = 0; $i < $this->_iteration_count; $i++) { $enc_password = sha1($enc_password); } if ($user->password === $salt.$enc_password){ // èªè¨¼æˆåŠŸ return $this->login_succeeded($user->id); }else{ // èªè¨¼ã‚¨ãƒ©ãƒ¼ $this->login_failed(); } } public function action_signup() { $username = Input::post('username'); $password = Input::post('password'); // ユーザーåã¨ãƒ‘スワード空欄時ã¯ã‚µã‚¤ãƒ³ã‚¢ãƒƒãƒ—フォームを表示ã™ã‚‹ if (is_null($username) and is_null($password)) { return Response::forge(View::forge('auth/signup')); } // ã‚µã‚¤ãƒ³ã‚¢ãƒƒãƒ—å‡¦ç† // パスワードã®ãƒãƒƒã‚·ãƒ¥åŒ– $salt = substr(md5(uniqid(rand(), true)), 0, $this->_salt_length); $enc_password = $salt.$password; for ($i = 0; $i < $this->_iteration_count; $i++) { $enc_password = sha1($enc_password); } // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³ $val = Model_User::validate('create'); $input = array( 'name' => $username, 'password' => $salt.$enc_password, 'last_login' => \Date::time()->get_timestamp(), ); if ($val->run($input)) { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³æˆåŠŸæ™‚ $user = Model_User::forge($input); if ($user and $user->save()) { // サインアップæˆåŠŸæ™‚ return $this->login_succeeded($user->id); } else { // サインアップ失敗時 return $this->login_failed(); } } else { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³å¤±æ•—時 $data['errors'] = $val->error(); return Response::forge(View::forge('auth/signup', $data)); } } public function action_test1() { return Response::forge(View::forge('auth/test')); } public function action_test2() { return Response::forge(View::forge('auth/test')); } public function action_test3() { return Response::forge(View::forge('auth/test')); } // Twitter / Facebook ãƒã‚°ã‚¤ãƒ³æˆåŠŸ/失敗時ã«å‘¼ã°ã‚Œã‚‹ public function action_callback() { $_opauth = new Opauth($this->_config, false); switch($_opauth->env['callback_transport']) { case 'session': session_start(); $response = $_SESSION['opauth']; unset($_SESSION['opauth']); break; } if (array_key_exists('error', $response)) { return $this->login_failed(); // echo '<strong style="color: red;">Authentication error: </strong> Opauth returns error auth response.'."<br>\n"; } else { if (empty($response['auth']) || empty($response['timestamp']) || empty($response['signature']) || empty($response['auth']['provider']) || empty($response['auth']['uid'])) { return $this->login_failed(); // echo '<strong style="color: red;">Invalid auth response: </strong>Missing key auth response components.'."<br>\n"; } elseif (!$_opauth->validate(sha1(print_r($response['auth'], true)), $response['timestamp'], $response['signature'], $reason)) { return $this->login_failed(); // echo '<strong style="color: red;">Invalid auth response: </strong>'.$reason.".<br>\n"; } else { // Twitter / Facebook ãƒã‚°ã‚¤ãƒ³æˆåŠŸ return $this->opauth_login($response); } } } public function opauth_login($response = null) { $provider = $response['auth']['provider']; if ($provider === 'Twitter') return $this->twitter_login($response); if ($provider === 'Facebook') return $this->facebook_login($response); } public function twitter_login($response = null) { $uid = (string) $response['auth']['uid']; $query = Model_TwitterUser::query()->where('uid', $uid); if ($query->count() == 0) { // TwitterUser未登録ã®å ´åˆã¯ã‚µã‚¤ãƒ³ã‚¢ãƒƒãƒ— return $this->twitter_signup($response); } // TwitterUser登録済ã¿ã®å ´åˆã¯ãƒã‚°ã‚¤ãƒ³ $twitter_user = $query->get_one(); return $this->login_succeeded($twitter_user->user_id); } public function facebook_login($response = null) { $uid = $response['auth']['uid']; $query = Model_FacebookUser::query()->where('uid', $uid); if ($query->count() == 0) { // FacebookUser未登録ã®å ´åˆã¯ã‚µã‚¤ãƒ³ã‚¢ãƒƒãƒ— return $this->facebook_signup($response); } // FacebookUser登録済ã¿ã®å ´åˆã¯ãƒã‚°ã‚¤ãƒ³ $facebook_user = $query->get_one(); return $this->login_succeeded($facebook_user->user_id); } public function twitter_signup($response = null) { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³ $val = Model_TwitterUser::validate('create'); $input = array( 'uid' => (string) $response['auth']['uid'], 'token' => $response['auth']['credentials']['token'], 'secret' => $response['auth']['credentials']['secret'], ); if ($val->run($input)) { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³æˆåŠŸæ™‚ $user = Model_User::forge(array( 'nickname' => $response['auth']['info']['nickname'], 'last_login' => \Date::time()->get_timestamp(), )); $twitter_user = Model_TwitterUser::forge($input); if ($user and $twitter_user) { // ユーザー生æˆæˆåŠŸ try { \DB::start_transaction(); if ($user->save() === false) { // Userä¿å˜å¤±æ•— throw new \Exception('user save failed.'); } $twitter_user->user_id = $user->id; if ($twitter_user->save() === false) { // TwitterUserä¿å˜å¤±æ•— throw new \Exception('twitter_user save failed.'); } // Userã¨TwitterUserã®ä¿å˜æˆåŠŸ \DB::commit_transaction(); return $this->login_succeeded($user->id); } catch (\Exception $e) { \DB::rollback_transaction(); return $this->login_failed(); } } else { // ユーザー生æˆå¤±æ•— return $this->login_failed(); } } else { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³å¤±æ•—時 return $this->login_failed(); } } public function facebook_signup($response = null) { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³ $val = Model_FacebookUser::validate('create'); $expires = strtotime($response['auth']['credentials']['expires']); $input = array( 'uid' => (string) $response['auth']['uid'], 'token' => $response['auth']['credentials']['token'], 'expires' => $expires, ); if ($val->run($input)) { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³æˆåŠŸæ™‚ $user = Model_User::forge(array( 'nickname' => $response['auth']['info']['name'], 'last_login' => \Date::time()->get_timestamp(), )); $facebook_user = Model_FacebookUser::forge($input); if ($user and $facebook_user) { // ユーザー生æˆæˆåŠŸ try { \DB::start_transaction(); if ($user->save() === false) { // Userä¿å˜å¤±æ•— throw new \Exception('user save failed.'); } $facebook_user->user_id = $user->id; if ($facebook_user->save() === false) { // FacebookUserä¿å˜å¤±æ•— throw new \Exception('facebook_user save failed.'); } // Userã¨FacebookUserã®ä¿å˜æˆåŠŸ \DB::commit_transaction(); return $this->login_succeeded($user->id); } catch (\Exception $e) { \DB::rollback_transaction(); return $this->login_failed(); } } else { // ユーザー生æˆå¤±æ•— return $this->login_failed(); } } else { // ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³å¤±æ•—時 return $this->login_failed(); } } public function login_succeeded($user_id) { Session::set('user_id', $user_id); Response::redirect('auth/test1'); } public function login_failed() { return Response::redirect('auth/test1'); } public function action_logout() { Session::delete('user_id'); Response::redirect('auth/test1'); } }
懸念点ãªã©
・ã¨ã‚Šã‚ãˆãšä½œã£ãŸã ã‘ãªã®ã§å…¨ç„¶è„†å¼±ãªæ°—ãŒã™ã‚‹ã€‚
・XSRF対ç–ã‚’ã—ã¦ã„ãªã„。
・ãœã‚“ã¶login_failed()ã«é£›ã°ã—ã¦ã„ã‚‹ã‘ã©ã„ã„ã®ï¼Ÿ
・特定ã®ãƒšãƒ¼ã‚¸ã§ãƒã‚°ã‚¤ãƒ³ã‚’経由ã—ã¦ç‰¹å®šã®ãƒšãƒ¼ã‚¸ã«å¾©å¸°ã™ã‚‹ã‚ˆã†ãªã“ã¨ã¯è€ƒæ…®ã•ã‚Œã¦ã„ãªã„。
・パスワードã¯ã„ã¡ãŠã†ãƒãƒƒã‚·ãƒ¥åŒ–ã—ã¦ã¿ãŸã€‚
・Usersã§ã®ä¸€æ‹¬ç®¡ç†ã«æ„味ãŒã‚ã‚‹ã®ã‹...
