Files
breadcrumb-the-shire/pages/auth/microsoft/callback().php
fs 11ca546eae feat(security): add session timeout + transaction wrapping (B1)
Session timeout: configurable idle (default 30min) and absolute (default 8h)
timeouts via DB settings, enforced in web/index.php on every request.
Timestamps set at login in action layer; graceful fallback for pre-existing
sessions.

Transaction wrapping: UserAccountService.createFromAdmin/register, roles
create/edit, and permissions edit now wrap multi-step DB operations in
transactions to guarantee atomicity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 19:16:26 +01:00

65 lines
2.4 KiB
PHP

<?php
use MintyPHP\Http\SessionStoreInterface;
use MintyPHP\Router;
use MintyPHP\Service\Auth\AuthServicesFactory;
use MintyPHP\Support\Flash;
$authServicesFactory = app(AuthServicesFactory::class);
$authService = $authServicesFactory->createAuthService();
$ssoUserLinkService = $authServicesFactory->createSsoUserLinkService();
$tenantSsoService = $authServicesFactory->createTenantSsoService();
$microsoftOidcService = $authServicesFactory->createMicrosoftOidcService();
$state = trim((string) (requestInput()->queryAll()['state'] ?? ''));
$code = trim((string) (requestInput()->queryAll()['code'] ?? ''));
$error = trim((string) (requestInput()->queryAll()['error'] ?? ''));
if ($error !== '') {
Flash::error(t('Microsoft login was cancelled or failed'), 'login', 'microsoft_login_error');
Router::redirect('login');
return;
}
$callbackResult = $microsoftOidcService->handleCallback($state, $code);
if (!($callbackResult['ok'] ?? false)) {
Flash::error(t('Microsoft login failed'), 'login', 'microsoft_login_failed');
Router::redirect('login');
return;
}
$tenant = $callbackResult['tenant'] ?? null;
if (!is_array($tenant)) {
Flash::error(t('Microsoft login failed'), 'login', 'microsoft_login_failed');
Router::redirect('login');
return;
}
$linkResult = $ssoUserLinkService->linkOrProvisionMicrosoftUser(
$tenant,
is_array($callbackResult['claims'] ?? null) ? $callbackResult['claims'] : []
);
if (!($linkResult['ok'] ?? false)) {
$tenantSlug = $tenantSsoService->tenantLoginSlug($tenant);
$loginTarget = $tenantSlug !== '' ? ('login?tenant=' . rawurlencode($tenantSlug)) : 'login';
Flash::error(t('Microsoft login is not allowed for this account'), $loginTarget, 'microsoft_login_not_allowed');
Router::redirect($loginTarget);
return;
}
$userId = (int) ($linkResult['user_id'] ?? 0);
$tenantId = (int) ($tenant['id'] ?? 0);
$loginResult = $authService->loginUserById($userId, $tenantId, 'microsoft');
if (!($loginResult['ok'] ?? false)) {
$tenantSlug = $tenantSsoService->tenantLoginSlug($tenant);
$loginTarget = $tenantSlug !== '' ? ('login?tenant=' . rawurlencode($tenantSlug)) : 'login';
Flash::error(t('Microsoft login failed'), $loginTarget, 'microsoft_login_failed');
Router::redirect($loginTarget);
return;
}
$sessionStore = app(SessionStoreInterface::class);
$sessionStore->set('session_started_at', time());
$sessionStore->set('session_last_activity', time());
Router::redirect('admin');