add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace MintyPHP\Service\Auth;
|
|
|
|
|
|
2026-03-05 08:26:51 +01:00
|
|
|
use MintyPHP\Repository\Tenant\UserTenantRepositoryInterface;
|
|
|
|
|
use MintyPHP\Repository\User\UserReadRepositoryInterface;
|
|
|
|
|
use MintyPHP\Repository\User\UserWriteRepositoryInterface;
|
2026-02-23 12:58:19 +01:00
|
|
|
use MintyPHP\Service\User\UserAssignmentService;
|
2026-03-13 11:31:33 +01:00
|
|
|
use MintyPHP\Service\User\UserAvatarService;
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
|
|
|
|
class SsoUserLinkService
|
|
|
|
|
{
|
2026-02-23 12:58:19 +01:00
|
|
|
public function __construct(
|
2026-03-05 08:26:51 +01:00
|
|
|
private readonly UserReadRepositoryInterface $userReadRepository,
|
|
|
|
|
private readonly UserWriteRepositoryInterface $userWriteRepository,
|
2026-02-23 12:58:19 +01:00
|
|
|
private readonly UserAssignmentService $userAssignmentService,
|
2026-03-05 08:26:51 +01:00
|
|
|
private readonly UserTenantRepositoryInterface $userTenantRepository,
|
2026-02-23 12:58:19 +01:00
|
|
|
private readonly AuthSettingsGateway $settingsGateway,
|
2026-03-13 11:31:33 +01:00
|
|
|
private readonly TenantSsoService $tenantSsoService,
|
|
|
|
|
private readonly UserAvatarService $avatarService,
|
2026-02-23 12:58:19 +01:00
|
|
|
private readonly AuthExternalIdentityGateway $externalIdentityGateway
|
|
|
|
|
) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function linkOrProvisionMicrosoftUser(array $tenant, array $claims): array
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
$tenantId = (int) ($tenant['id'] ?? 0);
|
|
|
|
|
$tid = trim((string) ($claims['tid'] ?? ''));
|
|
|
|
|
$oid = trim((string) ($claims['oid'] ?? ''));
|
|
|
|
|
$issuer = trim((string) ($claims['issuer'] ?? ''));
|
|
|
|
|
$subject = trim((string) ($claims['subject'] ?? ''));
|
|
|
|
|
$email = strtolower(trim((string) ($claims['email'] ?? '')));
|
|
|
|
|
|
|
|
|
|
if ($tenantId <= 0 || $tid === '' || $oid === '' || $issuer === '' || $subject === '') {
|
|
|
|
|
return ['ok' => false, 'error' => 'identity_invalid'];
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-13 11:31:33 +01:00
|
|
|
$providerKey = $this->tenantSsoService->microsoftProviderKey();
|
2026-03-06 00:44:52 +01:00
|
|
|
// Look up by OID first (stable Microsoft object ID), fall back to issuer+subject
|
|
|
|
|
// to handle tenants that migrated from an older OIDC setup without OID.
|
2026-02-23 12:58:19 +01:00
|
|
|
$identity = $this->externalIdentityGateway->findByProviderTidOid(
|
|
|
|
|
$providerKey,
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
$tid,
|
|
|
|
|
$oid
|
|
|
|
|
);
|
|
|
|
|
if (!$identity) {
|
2026-02-23 12:58:19 +01:00
|
|
|
$identity = $this->externalIdentityGateway->findByProviderIssuerSubject(
|
|
|
|
|
$providerKey,
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
$issuer,
|
|
|
|
|
$subject
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($identity) {
|
|
|
|
|
$userId = (int) ($identity['user_id'] ?? 0);
|
2026-02-23 12:58:19 +01:00
|
|
|
$user = $this->userReadRepository->find($userId);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if (!$user || empty($user['active'])) {
|
|
|
|
|
return ['ok' => false, 'error' => 'user_inactive'];
|
|
|
|
|
}
|
2026-02-23 12:58:19 +01:00
|
|
|
$tenantIds = array_values(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId)));
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if (!in_array($tenantId, $tenantIds, true)) {
|
|
|
|
|
return ['ok' => false, 'error' => 'tenant_not_assigned'];
|
|
|
|
|
}
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->syncProfileFromMicrosoft($userId, $claims);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
return ['ok' => true, 'user_id' => $userId, 'created' => false];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
|
|
|
|
|
return ['ok' => false, 'error' => 'email_missing'];
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$user = $this->userReadRepository->findByEmail($email);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if ($user) {
|
|
|
|
|
$userId = (int) ($user['id'] ?? 0);
|
|
|
|
|
if ($userId <= 0 || empty($user['active'])) {
|
|
|
|
|
return ['ok' => false, 'error' => 'user_inactive'];
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->ensureTenantAssignment($userId, $tenantId);
|
|
|
|
|
$this->createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
|
|
|
|
$this->syncProfileFromMicrosoft($userId, $claims);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
return ['ok' => true, 'user_id' => $userId, 'created' => false];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$firstName = trim((string) ($claims['given_name'] ?? ''));
|
|
|
|
|
$lastName = trim((string) ($claims['family_name'] ?? ''));
|
|
|
|
|
$fullName = trim((string) ($claims['name'] ?? ''));
|
|
|
|
|
if ($firstName === '' && $lastName === '' && $fullName !== '') {
|
|
|
|
|
$parts = preg_split('/\s+/', $fullName) ?: [];
|
|
|
|
|
$firstName = (string) ($parts[0] ?? '');
|
|
|
|
|
$lastName = implode(' ', array_slice($parts, 1));
|
|
|
|
|
}
|
|
|
|
|
if ($firstName === '') {
|
|
|
|
|
$firstName = ucfirst(explode('@', $email, 2)[0]);
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$createdId = $this->userWriteRepository->create([
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
'first_name' => $firstName,
|
|
|
|
|
'last_name' => $lastName,
|
|
|
|
|
'email' => $email,
|
2026-02-23 12:58:19 +01:00
|
|
|
'password' => $this->randomPassword(),
|
|
|
|
|
'locale' => $this->normalizeLocale((string) ($claims['preferred_language'] ?? '')),
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
'totp_secret' => '',
|
2026-02-23 12:58:19 +01:00
|
|
|
'theme' => $this->resolveInitialTheme($this->settingsGateway->getAppTheme()),
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
'primary_tenant_id' => $tenantId,
|
|
|
|
|
'current_tenant_id' => $tenantId,
|
|
|
|
|
'active' => 1,
|
|
|
|
|
'created_by' => null,
|
|
|
|
|
'active_changed_at' => gmdate('Y-m-d H:i:s'),
|
|
|
|
|
'active_changed_by' => null,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
if (!$createdId) {
|
|
|
|
|
return ['ok' => false, 'error' => 'user_create_failed'];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$userId = (int) $createdId;
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->userWriteRepository->setEmailVerified($userId);
|
|
|
|
|
$this->userAssignmentService->syncTenants($userId, [$tenantId]);
|
|
|
|
|
$defaultRoleId = $this->settingsGateway->getDefaultRoleId();
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if ($defaultRoleId) {
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->userAssignmentService->syncRoles($userId, [$defaultRoleId]);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
2026-02-23 12:58:19 +01:00
|
|
|
$defaultDepartmentId = $this->settingsGateway->getDefaultDepartmentId();
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if ($defaultDepartmentId) {
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->userAssignmentService->syncDepartments($userId, [$defaultDepartmentId]);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
|
|
|
|
$this->syncProfileFromMicrosoft($userId, $claims);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
return ['ok' => true, 'user_id' => $userId, 'created' => true];
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function syncProfileFromMicrosoft(int $userId, array $claims): void
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
if ($userId <= 0 || empty($claims['sync_profile_on_login'])) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-13 11:31:33 +01:00
|
|
|
$syncFields = $this->tenantSsoService->normalizeProfileSyncFields($claims['sync_profile_fields'] ?? []);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if (!$syncFields) {
|
2026-03-13 11:31:33 +01:00
|
|
|
$syncFields = $this->tenantSsoService->defaultProfileSyncFields();
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
if (!$syncFields) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
$syncAvatar = in_array('avatar', $syncFields, true);
|
|
|
|
|
|
|
|
|
|
$mappedValues = [
|
|
|
|
|
'first_name' => trim((string) ($claims['given_name'] ?? '')) !== ''
|
|
|
|
|
? trim((string) ($claims['given_name'] ?? ''))
|
|
|
|
|
: trim((string) ($claims['graph_given_name'] ?? '')),
|
|
|
|
|
'last_name' => trim((string) ($claims['family_name'] ?? '')) !== ''
|
|
|
|
|
? trim((string) ($claims['family_name'] ?? ''))
|
|
|
|
|
: trim((string) ($claims['graph_family_name'] ?? '')),
|
|
|
|
|
'phone' => trim((string) ($claims['graph_phone'] ?? '')),
|
|
|
|
|
'mobile' => trim((string) ($claims['graph_mobile'] ?? '')),
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$updates = [];
|
|
|
|
|
foreach ($syncFields as $field) {
|
|
|
|
|
if ($field === 'avatar') {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
$value = trim((string) ($mappedValues[$field] ?? ''));
|
|
|
|
|
if ($value === '') {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
$updates[$field] = $value;
|
|
|
|
|
}
|
|
|
|
|
if (!$updates) {
|
|
|
|
|
if ($syncAvatar) {
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->syncAvatarFromMicrosoft($userId, $claims);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->userWriteRepository->updateProfileFieldsFromSso($userId, $updates);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if ($syncAvatar) {
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->syncAvatarFromMicrosoft($userId, $claims);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function syncAvatarFromMicrosoft(int $userId, array $claims): void
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
$avatarBase64 = trim((string) ($claims['graph_avatar_data_base64'] ?? ''));
|
|
|
|
|
if ($avatarBase64 === '') {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$avatarMime = strtolower(trim((string) ($claims['graph_avatar_mime'] ?? '')));
|
|
|
|
|
if (!in_array($avatarMime, ['image/jpeg', 'image/png', 'image/webp'], true)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$binary = base64_decode($avatarBase64, true);
|
|
|
|
|
if (!is_string($binary) || $binary === '') {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
$user = $this->userReadRepository->find($userId);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if (!$user) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
$userUuid = (string) ($user['uuid'] ?? '');
|
2026-03-13 11:31:33 +01:00
|
|
|
if (!$this->avatarService->isValidUuid($userUuid)) {
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Keep avatar current with Microsoft profile photo on each login.
|
2026-03-13 11:31:33 +01:00
|
|
|
$this->avatarService->saveBinary($userUuid, $binary, $avatarMime);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function ensureTenantAssignment(int $userId, int $tenantId): void
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
2026-02-23 12:58:19 +01:00
|
|
|
$tenantIds = array_values(array_unique(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId))));
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
if (!in_array($tenantId, $tenantIds, true)) {
|
|
|
|
|
$tenantIds[] = $tenantId;
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->userAssignmentService->syncTenants($userId, $tenantIds);
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function createIdentityLink(
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
int $userId,
|
|
|
|
|
string $tid,
|
|
|
|
|
string $oid,
|
|
|
|
|
string $issuer,
|
|
|
|
|
string $subject,
|
|
|
|
|
string $email
|
|
|
|
|
): void {
|
|
|
|
|
try {
|
2026-03-13 11:31:33 +01:00
|
|
|
$providerKey = $this->tenantSsoService->microsoftProviderKey();
|
2026-02-23 12:58:19 +01:00
|
|
|
$this->externalIdentityGateway->createLink([
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
'user_id' => $userId,
|
2026-02-23 12:58:19 +01:00
|
|
|
'provider' => $providerKey,
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
'oid' => $oid,
|
|
|
|
|
'tid' => $tid,
|
|
|
|
|
'issuer' => $issuer,
|
|
|
|
|
'subject' => $subject,
|
|
|
|
|
'email_at_link_time' => $email,
|
|
|
|
|
]);
|
|
|
|
|
} catch (\Throwable $exception) {
|
|
|
|
|
// Ignore duplicate-link race conditions.
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function normalizeLocale(string $locale): ?string
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
$locale = strtolower(trim($locale));
|
|
|
|
|
if ($locale === '') {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
if (str_contains($locale, '-')) {
|
|
|
|
|
$locale = explode('-', $locale, 2)[0];
|
|
|
|
|
}
|
|
|
|
|
$allowed = defined('APP_LOCALES') ? APP_LOCALES : [];
|
|
|
|
|
if ($allowed && !in_array($locale, $allowed, true)) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
return $locale;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-06 00:44:52 +01:00
|
|
|
// SSO users never log in with a password, but the DB column is NOT NULL.
|
|
|
|
|
// The suffix ensures the hash satisfies any strength validators.
|
2026-02-23 12:58:19 +01:00
|
|
|
private function randomPassword(): string
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
return 'sso-' . bin2hex(random_bytes(24)) . '-A1!';
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-23 12:58:19 +01:00
|
|
|
private function resolveInitialTheme(?string $theme): string
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
{
|
|
|
|
|
$theme = strtolower(trim((string) ($theme ?? '')));
|
|
|
|
|
$themes = function_exists('appThemes') ? appThemes() : ['light' => 'Light'];
|
|
|
|
|
if ($theme !== '' && isset($themes[$theme])) {
|
|
|
|
|
return $theme;
|
|
|
|
|
}
|
|
|
|
|
return isset($themes['light']) ? 'light' : (string) array_key_first($themes);
|
|
|
|
|
}
|
|
|
|
|
}
|