OAuth system

posey
Registered User
Posts: 30
Joined: Fri Dec 18, 2015 9:41 pm

OAuth system

Post by posey » Wed Apr 17, 2019 12:11 pm

Currently there are a few issues with the OAuth system and limited possibilities for extending it. This has various reasons, but most of them look quite 'easily' fixable, at least, from the surface. Perhaps I'll retract this statement once I dive into adjusting the code.

Uncaught exceptions
In the UCP you can link an OAuth provider with your phpBB account. After a successful link, the page refreshes and the link is now toggled for the link button. However, the URL in the address bar of the browser is also updated. Obviously this is needed to confirm the successful link. However, now when you refresh the page you get prompted with an uncaught exception from the OAuth provider.

This leads to the problem in general: uncaught exceptions. There are quite a few occurrences in the OAuth providers where exceptions are not caught. While almost all of those exceptions should really never occur, it is still possible. They should be caught and a proper error message should be displayed. Or at least something along the lines of the error messages for AJAX requests:
"Something went wrong when processing your OAuth request. Original error message: $e->getMessage()".

strtolower
A little background information:
Currently OAuth services in phpBB are registered through yaml as auth.provider.oauth.service.google:.
The last part, the part behind auth.provider.oauth.service., is considered the "service name", for example google or github.
Then that service name is turned into an OAuth service:

$service = $this->get_service(strtolower($link_data['oauth_service']), ...);

$service_factory = new \OAuth\ServiceFactory();
$service = $service_factory->createService($service_name, ...);

And the relevant code for the ServiceFactory:

private function getFullyQualifiedServiceName($serviceName, $type)
{
	$serviceName = ucfirst($serviceName);

	if (isset($this->serviceClassMap[$type][$serviceName])) {
		return $this->serviceClassMap[$type][$serviceName];
	}

	return '\\OAuth\\' . $type . '\\Service\\' . $serviceName;
}

Now we can combine this all together. The service name (e.g. google or github) is pulled through a strtolower, sent to the ServiceFactory and there put through a ucfirst. This means we will always end up with Google or Github. Unfortunately, the OAuth library uses PascalCase, meaning that files and services are registered as GitHub or SoundCloud, etc. And while on most localhosts this is not an issue as Windows and Apple have a case insensitive filesystem, webservers often do not. Linux is case sensitive. This means that the class OAuth\OAuth2\Services\Github is not found, while OAuth\OAuth2\Services\GitHub is.
This is currently not an issue for the core as all services provided by phpBB only have the first letter capitalised: Bitly, Facebook, Google, Twitter. However, this makes extending it rather limited.

I think an easy solution would be that OAuth services in phpBB have a function that will return the 'Service name', e.g. Google or GitHub, and that is used throughout, instead of using the last part of the service declaration and putting it through a strtolower.

Registering new services
Now this is purely an enhancement, but the ServiceFactory allows you to add custom classes, which are checked before creating the above mentioned class. We can provide an option where registering additional classes is possible as well, to prevent extension authors having to use weird autoload files.

Miscellaneous
Server settings: Have not looked into this one yet, but listing it for completeness: PHPBB3-16008
Code style: The entire oauth.php could do with some clean up.
Better known as mrgoldy.
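
The name mangling described in the post above, as an added example that is not part of the original post and is not phpBB's or the OAuth library's code: it replays strtolower followed by ucfirst against a case-sensitive class lookup and compares it with a provider-declared name. `LIBRARY_CLASSES`, `resolve_class()`, `class_is_loadable()`, `name_from_service_id()` and the `$declared_names` list are hypothetical stand-ins built for this illustration.

```php
<?php
// Added illustration; every name below is hypothetical, not phpBB's API.

// Constructed stand-in for the library's PascalCase service classes.
const LIBRARY_CLASSES = [
    '\\OAuth\\OAuth2\\Service\\Google',
    '\\OAuth\\OAuth2\\Service\\GitHub',
    '\\OAuth\\OAuth2\\Service\\SoundCloud',
];

// Mirrors the lookup quoted in the post: ucfirst(), then class map, then default.
function resolve_class(string $service_name, string $type, array $class_map = []): string
{
    $service_name = ucfirst($service_name);

    return $class_map[$type][$service_name]
        ?? '\\OAuth\\' . $type . '\\Service\\' . $service_name;
}

// Exact-case match, which is how a file-based autoloader behaves on Linux.
function class_is_loadable(string $fqcn): bool
{
    return in_array($fqcn, LIBRARY_CLASSES, true);
}

// Current behaviour: take the tail of the YAML service id and lowercase it.
function name_from_service_id(string $service_id): string
{
    return strtolower(substr($service_id, strlen('auth.provider.oauth.service.')));
}

// Proposed behaviour: each provider declares the exact library service name.
$declared_names = [
    'auth.provider.oauth.service.google'     => 'Google',
    'auth.provider.oauth.service.github'     => 'GitHub',
    'auth.provider.oauth.service.soundcloud' => 'SoundCloud',
];

foreach ($declared_names as $service_id => $declared) {
    $current  = resolve_class(name_from_service_id($service_id), 'OAuth2');
    $proposed = resolve_class($declared, 'OAuth2');

    printf(
        "%s\n  current : %s [%s]\n  proposed: %s [%s]\n",
        $service_id,
        $current, class_is_loadable($current) ? 'found' : 'NOT FOUND',
        $proposed, class_is_loadable($proposed) ? 'found' : 'NOT FOUND'
    );
}
```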

3Di
Registered User
Posts: 759
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: OAuth system

Post by 3Di » Thu Apr 18, 2019 1:10 pm

Yup, subscribed.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫
