Add Discord SSO (#887)

.env.example

@@ -68,6 +68,8 @@ OAUTH_FACEBOOK_ID=
 OAUTH_FACEBOOK_SECRET=
 OAUTH_GOOGLE_ID=
 OAUTH_GOOGLE_SECRET=
+OAUTH_DISCORD_ID=
+OAUTH_DISCORD_SECRET=
 OAUTH_GITHUB_ID=
 OAUTH_GITHUB_SECRET=
 OAUTH_PRIVACYPORTAL_ID=

.env.example_docker

@@ -65,6 +65,8 @@ OAUTH_FACEBOOK_ID=
 OAUTH_FACEBOOK_SECRET=
 OAUTH_GOOGLE_ID=
 OAUTH_GOOGLE_SECRET=
+OAUTH_DISCORD_ID=
+OAUTH_DISCORD_SECRET=
 OAUTH_GITHUB_ID=
 OAUTH_GITHUB_SECRET=
 OAUTH_KEYCLOAK_ID=

composer.json

@@ -109,7 +109,8 @@
         "twig/html-extra": "^3.5",
         "twig/intl-extra": "^3.2",
         "twig/twig": "^2.12 || ^3.0",
-        "webmozart/assert": "^1.9"
+        "webmozart/assert": "^1.9",
+        "wohali/oauth2-discord-new": "^1.2"
     },
     "require-dev": {
         "dama/doctrine-test-bundle": "^8.0.2",

config/kbin_routes/security.yaml

@@ -73,6 +73,16 @@ oauth_google_verify:
   path: /oauth/google/verify
   methods: [ GET ]
 
+oauth_discord_connect:
+  controller: App\Controller\Security\DiscordController::connect
+  path: /oauth/discord/connect
+  methods: [ GET ]
+
+oauth_discord_verify:
+  controller: App\Controller\Security\DiscordController::verify
+  path: /oauth/discord/verify
+  methods: [ GET ]
+
 oauth_github_connect:
   controller: App\Controller\Security\GithubController::connect
   path: /oauth/github/connect

config/packages/knpu_oauth2_client.yaml

@@ -20,6 +20,12 @@ knpu_oauth2_client:
       client_secret: '%oauth_google_secret%'
       redirect_route: oauth_google_verify
       redirect_params: { }
+    discord:
+      type: discord
+      client_id: '%oauth_discord_id%'
+      client_secret: '%oauth_discord_secret%'
+      redirect_route: oauth_discord_verify
+      redirect_params: { }
     github:
       type: github
       client_id: '%oauth_github_id%'

config/packages/security.yaml

@@ -34,6 +34,7 @@ security:
             custom_authenticators:
                 - App\Security\KbinAuthenticator
                 - App\Security\AzureAuthenticator
+                - App\Security\DiscordAuthenticator
                 - App\Security\FacebookAuthenticator
                 - App\Security\GoogleAuthenticator
                 - App\Security\GithubAuthenticator

config/services.yaml

@@ -44,6 +44,9 @@ parameters:
     oauth_google_id: "%env(default::OAUTH_GOOGLE_ID)%"
     oauth_google_secret: "%env(OAUTH_GOOGLE_SECRET)%"
 
+    oauth_discord_id: "%env(default::OAUTH_DISCORD_ID)%"
+    oauth_discord_secret: "%env(OAUTH_DISCORD_SECRET)%"
+
     oauth_github_id: "%env(default::OAUTH_GITHUB_ID)%"
     oauth_github_secret: "%env(OAUTH_GITHUB_SECRET)%"
 

migrations/Version20240706005744.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20240706005744 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add Discord SSO';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE "user" ADD oauth_discord_id VARCHAR(255) DEFAULT NULL');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE "user" DROP oauth_discord_id');
+    }
+}

src/Controller/Security/DiscordController.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Security;
+
+use App\Controller\AbstractController;
+use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class DiscordController extends AbstractController
+{
+    public function connect(ClientRegistry $clientRegistry): Response
+    {
+        return $clientRegistry
+            ->getClient('discord')
+            ->redirect();
+    }
+
+    public function verify(Request $request, ClientRegistry $client)
+    {
+    }
+}

src/Entity/User.php

@@ -124,6 +124,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, Visibil
     #[Column(type: 'string', nullable: true)]
     public ?string $oauthSimpleLoginId = null;
     #[Column(type: 'string', nullable: true)]
+    public ?string $oauthDiscordId = null;
+    #[Column(type: 'string', nullable: true)]
     public ?string $oauthZitadelId = null;
     #[Column(type: 'string', nullable: true)]
     public ?string $oauthAuthentikId = null;
@@ -762,7 +764,7 @@ public function removeOAuth2UserConsent(OAuth2UserConsent $oAuth2UserConsent): s
 
     public function isSsoControlled(): bool
     {
-        return $this->oauthAzureId || $this->oauthGithubId || $this->oauthGoogleId || $this->oauthFacebookId || $this->oauthKeycloakId || $this->oauthSimpleLoginId || $this->oauthZitadelId || $this->oauthAuthentikId || $this->oauthPrivacyPortalId;
+        return $this->oauthAzureId || $this->oauthGithubId || $this->oauthGoogleId || $this->oauthDiscordId || $this->oauthFacebookId || $this->oauthKeycloakId || $this->oauthSimpleLoginId || $this->oauthZitadelId || $this->oauthAuthentikId || $this->oauthPrivacyPortalId;
     }
 
     public function getCustomCss(): ?string

src/Security/DiscordAuthenticator.php

@@ -0,0 +1,149 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\DTO\UserDto;
+use App\Entity\User;
+use App\Factory\ImageFactory;
+use App\Repository\ImageRepository;
+use App\Service\ImageManager;
+use App\Service\IpResolver;
+use App\Service\SettingsManager;
+use App\Service\UserManager;
+use App\Utils\Slugger;
+use Doctrine\ORM\EntityManagerInterface;
+use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
+use KnpU\OAuth2ClientBundle\Security\Authenticator\OAuth2Authenticator;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\RouterInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Wohali\OAuth2\Client\Provider\DiscordResourceOwner;
+
+class DiscordAuthenticator extends OAuth2Authenticator
+{
+    public function __construct(
+        private readonly ClientRegistry $clientRegistry,
+        private readonly RouterInterface $router,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly UserManager $userManager,
+        private readonly ImageManager $imageManager,
+        private readonly ImageFactory $imageFactory,
+        private readonly ImageRepository $imageRepository,
+        private readonly RequestStack $requestStack,
+        private readonly IpResolver $ipResolver,
+        private readonly Slugger $slugger,
+        private readonly SettingsManager $settingsManager
+    ) {
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return 'oauth_discord_verify' === $request->attributes->get('_route');
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        $client = $this->clientRegistry->getClient('discord');
+        $slugger = $this->slugger;
+        $session = $this->requestStack->getSession();
+
+        $accessToken = $this->fetchAccessToken($client, ['prompt' => 'consent', 'accessType' => 'offline']);
+        $session->set('access_token', $accessToken);
+
+        $accessToken = $session->get('access_token');
+
+        if ($accessToken->hasExpired()) {
+            $accessToken = $client->refreshAccessToken($accessToken->getRefreshToken());
+            $session->set('access_token', $accessToken);
+        }
+
+        $rememberBadge = new RememberMeBadge();
+        $rememberBadge = $rememberBadge->enable();
+
+        return new SelfValidatingPassport(
+            new UserBadge($accessToken->getToken(), function () use ($accessToken, $client, $slugger) {
+                /** @var DiscordResourceOwner $discordUser */
+                $discordUser = $client->fetchUserFromToken($accessToken);
+
+                $existingUser = $this->entityManager->getRepository(User::class)->findOneBy(
+                    ['oauthDiscordId' => $discordUser->getId()]
+                );
+
+                if ($existingUser) {
+                    return $existingUser;
+                }
+
+                $user = $this->entityManager->getRepository(User::class)->findOneBy(['email' => $discordUser->getEmail()]
+                );
+
+                if ($user) {
+                    $user->oauthDiscordId = $discordUser->getId();
+
+                    $this->entityManager->persist($user);
+                    $this->entityManager->flush();
+
+                    return $user;
+                }
+
+                if (false === $this->settingsManager->get('MBIN_SSO_REGISTRATIONS_ENABLED')) {
+                    throw new CustomUserMessageAuthenticationException('MBIN_SSO_REGISTRATIONS_ENABLED');
+                }
+
+                $dto = (new UserDto())->create(
+                    $slugger->slug($discordUser->getUsername()).rand(1, 999),
+                    $discordUser->getEmail()
+                );
+
+                $dto->plainPassword = bin2hex(random_bytes(20));
+                $dto->ip = $this->ipResolver->resolve();
+
+                $user = $this->userManager->create($dto, false);
+                $user->oauthDiscordId = $discordUser->getId();
+                $user->isVerified = true;
+
+                $this->entityManager->persist($user);
+                $this->entityManager->flush();
+
+                return $user;
+            }),
+            [
+                $rememberBadge,
+            ]
+        );
+    }
+
+    public function onAuthenticationSuccess(
+        Request $request,
+        TokenInterface $token,
+        string $firewallName
+    ): ?Response {
+        $targetUrl = $this->router->generate('front');
+
+        return new RedirectResponse($targetUrl);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        $message = strtr($exception->getMessageKey(), $exception->getMessageData());
+
+        if ('MBIN_SSO_REGISTRATIONS_ENABLED' === $message) {
+            $session = $request->getSession();
+            $session->getFlashBag()->add('error', 'sso_registrations_enabled.error');
+
+            return new RedirectResponse($this->router->generate('app_login'));
+        }
+
+        return new Response($message, Response::HTTP_FORBIDDEN);
+    }
+}