instances added god may help
This commit is contained in:
@@ -3,15 +3,25 @@
|
||||
namespace MintyPHP\Service\Auth;
|
||||
|
||||
use MintyPHP\Repository\Tenant\UserTenantRepository;
|
||||
use MintyPHP\Repository\User\UserExternalIdentityRepository;
|
||||
use MintyPHP\Repository\User\UserRepository;
|
||||
use MintyPHP\Service\Settings\SettingService;
|
||||
use MintyPHP\Service\User\UserAvatarService;
|
||||
use MintyPHP\Service\User\UserService;
|
||||
use MintyPHP\Repository\User\UserReadRepository;
|
||||
use MintyPHP\Repository\User\UserWriteRepository;
|
||||
use MintyPHP\Service\User\UserAssignmentService;
|
||||
|
||||
class SsoUserLinkService
|
||||
{
|
||||
public static function linkOrProvisionMicrosoftUser(array $tenant, array $claims): array
|
||||
public function __construct(
|
||||
private readonly UserReadRepository $userReadRepository,
|
||||
private readonly UserWriteRepository $userWriteRepository,
|
||||
private readonly UserAssignmentService $userAssignmentService,
|
||||
private readonly UserTenantRepository $userTenantRepository,
|
||||
private readonly AuthSettingsGateway $settingsGateway,
|
||||
private readonly AuthTenantSsoGateway $tenantSsoGateway,
|
||||
private readonly AuthAvatarGateway $avatarGateway,
|
||||
private readonly AuthExternalIdentityGateway $externalIdentityGateway
|
||||
) {
|
||||
}
|
||||
|
||||
public function linkOrProvisionMicrosoftUser(array $tenant, array $claims): array
|
||||
{
|
||||
$tenantId = (int) ($tenant['id'] ?? 0);
|
||||
$tid = trim((string) ($claims['tid'] ?? ''));
|
||||
@@ -24,14 +34,15 @@ class SsoUserLinkService
|
||||
return ['ok' => false, 'error' => 'identity_invalid'];
|
||||
}
|
||||
|
||||
$identity = UserExternalIdentityRepository::findByProviderTidOid(
|
||||
TenantSsoService::PROVIDER_MICROSOFT,
|
||||
$providerKey = $this->tenantSsoGateway->microsoftProviderKey();
|
||||
$identity = $this->externalIdentityGateway->findByProviderTidOid(
|
||||
$providerKey,
|
||||
$tid,
|
||||
$oid
|
||||
);
|
||||
if (!$identity) {
|
||||
$identity = UserExternalIdentityRepository::findByProviderIssuerSubject(
|
||||
TenantSsoService::PROVIDER_MICROSOFT,
|
||||
$identity = $this->externalIdentityGateway->findByProviderIssuerSubject(
|
||||
$providerKey,
|
||||
$issuer,
|
||||
$subject
|
||||
);
|
||||
@@ -39,15 +50,15 @@ class SsoUserLinkService
|
||||
|
||||
if ($identity) {
|
||||
$userId = (int) ($identity['user_id'] ?? 0);
|
||||
$user = UserRepository::find($userId);
|
||||
$user = $this->userReadRepository->find($userId);
|
||||
if (!$user || empty($user['active'])) {
|
||||
return ['ok' => false, 'error' => 'user_inactive'];
|
||||
}
|
||||
$tenantIds = array_values(array_map('intval', UserTenantRepository::listTenantIdsByUserId($userId)));
|
||||
$tenantIds = array_values(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId)));
|
||||
if (!in_array($tenantId, $tenantIds, true)) {
|
||||
return ['ok' => false, 'error' => 'tenant_not_assigned'];
|
||||
}
|
||||
self::syncProfileFromMicrosoft($userId, $claims);
|
||||
$this->syncProfileFromMicrosoft($userId, $claims);
|
||||
return ['ok' => true, 'user_id' => $userId, 'created' => false];
|
||||
}
|
||||
|
||||
@@ -55,16 +66,16 @@ class SsoUserLinkService
|
||||
return ['ok' => false, 'error' => 'email_missing'];
|
||||
}
|
||||
|
||||
$user = UserRepository::findByEmail($email);
|
||||
$user = $this->userReadRepository->findByEmail($email);
|
||||
if ($user) {
|
||||
$userId = (int) ($user['id'] ?? 0);
|
||||
if ($userId <= 0 || empty($user['active'])) {
|
||||
return ['ok' => false, 'error' => 'user_inactive'];
|
||||
}
|
||||
|
||||
self::ensureTenantAssignment($userId, $tenantId);
|
||||
self::createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
||||
self::syncProfileFromMicrosoft($userId, $claims);
|
||||
$this->ensureTenantAssignment($userId, $tenantId);
|
||||
$this->createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
||||
$this->syncProfileFromMicrosoft($userId, $claims);
|
||||
return ['ok' => true, 'user_id' => $userId, 'created' => false];
|
||||
}
|
||||
|
||||
@@ -80,14 +91,14 @@ class SsoUserLinkService
|
||||
$firstName = ucfirst(explode('@', $email, 2)[0]);
|
||||
}
|
||||
|
||||
$createdId = UserRepository::create([
|
||||
$createdId = $this->userWriteRepository->create([
|
||||
'first_name' => $firstName,
|
||||
'last_name' => $lastName,
|
||||
'email' => $email,
|
||||
'password' => self::randomPassword(),
|
||||
'locale' => self::normalizeLocale((string) ($claims['preferred_language'] ?? '')),
|
||||
'password' => $this->randomPassword(),
|
||||
'locale' => $this->normalizeLocale((string) ($claims['preferred_language'] ?? '')),
|
||||
'totp_secret' => '',
|
||||
'theme' => self::resolveInitialTheme(SettingService::getAppTheme()),
|
||||
'theme' => $this->resolveInitialTheme($this->settingsGateway->getAppTheme()),
|
||||
'primary_tenant_id' => $tenantId,
|
||||
'current_tenant_id' => $tenantId,
|
||||
'active' => 1,
|
||||
@@ -101,31 +112,31 @@ class SsoUserLinkService
|
||||
}
|
||||
|
||||
$userId = (int) $createdId;
|
||||
UserRepository::setEmailVerified($userId);
|
||||
UserService::syncTenants($userId, [$tenantId]);
|
||||
$defaultRoleId = SettingService::getDefaultRoleId();
|
||||
$this->userWriteRepository->setEmailVerified($userId);
|
||||
$this->userAssignmentService->syncTenants($userId, [$tenantId]);
|
||||
$defaultRoleId = $this->settingsGateway->getDefaultRoleId();
|
||||
if ($defaultRoleId) {
|
||||
UserService::syncRoles($userId, [$defaultRoleId]);
|
||||
$this->userAssignmentService->syncRoles($userId, [$defaultRoleId]);
|
||||
}
|
||||
$defaultDepartmentId = SettingService::getDefaultDepartmentId();
|
||||
$defaultDepartmentId = $this->settingsGateway->getDefaultDepartmentId();
|
||||
if ($defaultDepartmentId) {
|
||||
UserService::syncDepartments($userId, [$defaultDepartmentId]);
|
||||
$this->userAssignmentService->syncDepartments($userId, [$defaultDepartmentId]);
|
||||
}
|
||||
|
||||
self::createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
||||
self::syncProfileFromMicrosoft($userId, $claims);
|
||||
$this->createIdentityLink($userId, $tid, $oid, $issuer, $subject, $email);
|
||||
$this->syncProfileFromMicrosoft($userId, $claims);
|
||||
return ['ok' => true, 'user_id' => $userId, 'created' => true];
|
||||
}
|
||||
|
||||
private static function syncProfileFromMicrosoft(int $userId, array $claims): void
|
||||
private function syncProfileFromMicrosoft(int $userId, array $claims): void
|
||||
{
|
||||
if ($userId <= 0 || empty($claims['sync_profile_on_login'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
$syncFields = TenantSsoService::normalizeProfileSyncFields($claims['sync_profile_fields'] ?? []);
|
||||
$syncFields = $this->tenantSsoGateway->normalizeProfileSyncFields($claims['sync_profile_fields'] ?? []);
|
||||
if (!$syncFields) {
|
||||
$syncFields = TenantSsoService::defaultProfileSyncFields();
|
||||
$syncFields = $this->tenantSsoGateway->defaultProfileSyncFields();
|
||||
}
|
||||
if (!$syncFields) {
|
||||
return;
|
||||
@@ -156,18 +167,18 @@ class SsoUserLinkService
|
||||
}
|
||||
if (!$updates) {
|
||||
if ($syncAvatar) {
|
||||
self::syncAvatarFromMicrosoft($userId, $claims);
|
||||
$this->syncAvatarFromMicrosoft($userId, $claims);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
UserRepository::updateProfileFieldsFromSso($userId, $updates);
|
||||
$this->userWriteRepository->updateProfileFieldsFromSso($userId, $updates);
|
||||
if ($syncAvatar) {
|
||||
self::syncAvatarFromMicrosoft($userId, $claims);
|
||||
$this->syncAvatarFromMicrosoft($userId, $claims);
|
||||
}
|
||||
}
|
||||
|
||||
private static function syncAvatarFromMicrosoft(int $userId, array $claims): void
|
||||
private function syncAvatarFromMicrosoft(int $userId, array $claims): void
|
||||
{
|
||||
$avatarBase64 = trim((string) ($claims['graph_avatar_data_base64'] ?? ''));
|
||||
if ($avatarBase64 === '') {
|
||||
@@ -184,29 +195,29 @@ class SsoUserLinkService
|
||||
return;
|
||||
}
|
||||
|
||||
$user = UserRepository::find($userId);
|
||||
$user = $this->userReadRepository->find($userId);
|
||||
if (!$user) {
|
||||
return;
|
||||
}
|
||||
$userUuid = (string) ($user['uuid'] ?? '');
|
||||
if (!UserAvatarService::isValidUuid($userUuid)) {
|
||||
if (!$this->avatarGateway->isValidUuid($userUuid)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Keep avatar current with Microsoft profile photo on each login.
|
||||
UserAvatarService::saveBinary($userUuid, $binary, $avatarMime);
|
||||
$this->avatarGateway->saveBinary($userUuid, $binary, $avatarMime);
|
||||
}
|
||||
|
||||
private static function ensureTenantAssignment(int $userId, int $tenantId): void
|
||||
private function ensureTenantAssignment(int $userId, int $tenantId): void
|
||||
{
|
||||
$tenantIds = array_values(array_unique(array_map('intval', UserTenantRepository::listTenantIdsByUserId($userId))));
|
||||
$tenantIds = array_values(array_unique(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId))));
|
||||
if (!in_array($tenantId, $tenantIds, true)) {
|
||||
$tenantIds[] = $tenantId;
|
||||
UserService::syncTenants($userId, $tenantIds);
|
||||
$this->userAssignmentService->syncTenants($userId, $tenantIds);
|
||||
}
|
||||
}
|
||||
|
||||
private static function createIdentityLink(
|
||||
private function createIdentityLink(
|
||||
int $userId,
|
||||
string $tid,
|
||||
string $oid,
|
||||
@@ -215,9 +226,10 @@ class SsoUserLinkService
|
||||
string $email
|
||||
): void {
|
||||
try {
|
||||
UserExternalIdentityRepository::createLink([
|
||||
$providerKey = $this->tenantSsoGateway->microsoftProviderKey();
|
||||
$this->externalIdentityGateway->createLink([
|
||||
'user_id' => $userId,
|
||||
'provider' => TenantSsoService::PROVIDER_MICROSOFT,
|
||||
'provider' => $providerKey,
|
||||
'oid' => $oid,
|
||||
'tid' => $tid,
|
||||
'issuer' => $issuer,
|
||||
@@ -229,7 +241,7 @@ class SsoUserLinkService
|
||||
}
|
||||
}
|
||||
|
||||
private static function normalizeLocale(string $locale): ?string
|
||||
private function normalizeLocale(string $locale): ?string
|
||||
{
|
||||
$locale = strtolower(trim($locale));
|
||||
if ($locale === '') {
|
||||
@@ -245,12 +257,12 @@ class SsoUserLinkService
|
||||
return $locale;
|
||||
}
|
||||
|
||||
private static function randomPassword(): string
|
||||
private function randomPassword(): string
|
||||
{
|
||||
return 'sso-' . bin2hex(random_bytes(24)) . '-A1!';
|
||||
}
|
||||
|
||||
private static function resolveInitialTheme(?string $theme): string
|
||||
private function resolveInitialTheme(?string $theme): string
|
||||
{
|
||||
$theme = strtolower(trim((string) ($theme ?? '')));
|
||||
$themes = function_exists('appThemes') ? appThemes() : ['light' => 'Light'];
|
||||
|
||||
Reference in New Issue
Block a user