Gecka-Apps
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 38 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 22 additions & 0 deletions b/‎LICENSE‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎NcConnectExtendSocialite.php‎
Lines changed: 8 additions & 2 deletions b/‎NcConnectExtendSocialite.php‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎Provider.php‎
Lines changed: 148 additions & 87 deletions b/‎Provider.php‎
Lines changed: 148 additions & 87 deletions
@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+
+jobs:
+  lint:
+    name: Code style
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+
+      - run: composer install --no-interaction
+
+      - run: composer lint
+
+  syntax:
+    name: PHP ${{ matrix.php }} syntax
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        php: ['8.2', '8.3', '8.4', '8.5']
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+
+      - name: Check syntax
+        run: |
+          find . -name "*.php" -not -path "./vendor/*" -print0 | xargs -0 -n1 php -l
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2018 Adil Kachbat and contributors
+Copyright (c) 2023-2026 Gecka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -1,5 +1,13 @@
 <?php
 
+/*
+ * Copyright (c) 2018 Adil Kachbat and contributors
+ * Copyright (c) 2023-2026 Gecka
+ *
+ * For the full copyright and license notice, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 namespace SocialiteProviders\NcConnect;
 
 use SocialiteProviders\Manager\SocialiteWasCalled;
@@ -8,8 +16,6 @@ class NcConnectExtendSocialite
 {
     /**
      * Register the provider.
-     *
-     * @param  \SocialiteProviders\Manager\SocialiteWasCalled  $socialiteWasCalled
      */
     public function handle(SocialiteWasCalled $socialiteWasCalled)
     {
 
@@ -1,90 +1,100 @@
 <?php
 
+/*
+ * Copyright (c) 2018 Adil Kachbat and contributors
+ * Copyright (c) 2023-2026 Gecka
+ *
+ * For the full copyright and license notice, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 namespace SocialiteProviders\NcConnect;
 
 use GuzzleHttp\RequestOptions;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Str;
 use Laravel\Socialite\Two\InvalidStateException;
 use SocialiteProviders\Manager\OAuth2\AbstractProvider;
+use UnexpectedValueException;
 
-/**
- * @see Provider's documentation: https://docs.google.com/document/d/13zo1E1eVMFUmbV6ECw2YvTiM-uPBL0DBuWh5wLtzCpA/edit?pli=1
- */
 class Provider extends AbstractProvider
 {
-    /**
-     * API URLs.
-     */
-    public const PROD_BASE_URL = 'https://connect.gouv.nc/v2/';
+    public const PROD_BASE_URL = 'https://connect.gouv.nc/v3/realms/nc-connect/';
 
-    public const TEST_BASE_URL = 'https://connect-dev.gouv.nc/v2/';
+    public const TEST_BASE_URL = 'https://connect-dev.gouv.nc/v3/realms/nc-connect/';
 
     public const IDENTIFIER = 'NCCONNECT';
 
-    /**
-     * The scopes being requested.
-     *
-     * @var array
-     */
     protected $scopes = [
         'openid',
         'identite_pivot',
         'profile',
         'email',
     ];
 
-    /**
-     * {@inheritdoc}
-     */
     protected $scopeSeparator = ' ';
 
-    /**
-     * Return API Base URL.
-     *
-     * @return string
-     */
-    protected function getBaseUrl()
+    protected function getBaseUrl(): string
     {
-        return config('app.env') === 'production' && ! $this->getConfig('force_dev') ? self::PROD_BASE_URL : self::TEST_BASE_URL;
+        return app()->environment('production') && ! $this->getConfig('force_dev')
+            ? self::PROD_BASE_URL
+            : self::TEST_BASE_URL;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public static function additionalConfigKeys()
+    public static function additionalConfigKeys(): array
     {
-        return ['logout_redirect', 'force_dev'];
+        return ['logout_redirect', 'force_dev', 'auth_method'];
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function getAuthUrl($state)
+    protected function getAuthUrl($state): string
     {
-        //It is used to prevent replay attacks
-        $this->parameters['nonce'] = Str::random(20);
+        $nonce = Str::random(40);
+        $this->parameters['nonce'] = $nonce;
+        $this->request->session()->put('ncconnect_nonce', $nonce);
+
+        return $this->buildAuthUrlFromBase(
+            $this->getBaseUrl().'protocol/openid-connect/auth',
+            $state
+        );
+    }
 
-        return $this->buildAuthUrlFromBase($this->getBaseUrl().'/authorize', $state);
+    protected function getTokenUrl(): string
+    {
+        return $this->getBaseUrl().'protocol/openid-connect/token';
     }
 
     /**
-     * {@inheritdoc}
+     * Build HTTP request options with the configured auth method.
      */
-    protected function getTokenUrl()
+    protected function buildTokenRequestOptions(array $params): array
     {
-        return $this->getBaseUrl().'/token';
+        if ($this->getConfig('auth_method') === 'client_secret_post') {
+            $params['client_id'] = $this->clientId;
+            $params['client_secret'] = $this->clientSecret;
+
+            return [RequestOptions::FORM_PARAMS => $params];
+        }
+
+        return [
+            RequestOptions::HEADERS => [
+                'Authorization' => 'Basic '.base64_encode($this->clientId.':'.$this->clientSecret),
+            ],
+            RequestOptions::FORM_PARAMS => $params,
+        ];
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getAccessTokenResponse($code)
+    public function getAccessTokenResponse($code): array
     {
-        $response = $this->getHttpClient()->post($this->getBaseUrl().'/token', [
-            RequestOptions::HEADERS     => ['Authorization' => 'Basic '.base64_encode($this->clientId.':'.$this->clientSecret)],
-            RequestOptions::FORM_PARAMS => $this->getTokenFields($code),
-        ]);
+        $params = [
+            'grant_type' => 'authorization_code',
+            'code' => $code,
+            'redirect_uri' => $this->redirectUrl,
+        ];
+
+        $response = $this->getHttpClient()->post(
+            $this->getTokenUrl(),
+            $this->buildTokenRequestOptions($params)
+        );
 
         return json_decode((string) $response->getBody(), true);
     }
@@ -94,70 +104,121 @@ public function getAccessTokenResponse($code)
      */
     public function user()
     {
-        if ($this->hasInvalidState()) {
-            throw new InvalidStateException();
-        }
+        $user = parent::user();
 
-        $response = $this->getAccessTokenResponse($this->getCode());
+        $idToken = Arr::get($this->credentialsResponseBody, 'id_token');
 
-        $user = $this->mapUserToObject($this->getUserByToken(
-            $token = Arr::get($response, 'access_token')
-        ));
+        $this->validateNonce($idToken);
 
-        //store tokenId session for logout url generation
-        $this->request->session()->put('fc_token_id', Arr::get($response, 'id_token'));
+        if ($user instanceof User) {
+            $user->setTokenId($idToken);
+        }
 
-        return $user->setTokenId(Arr::get($response, 'id_token'))
-                    ->setToken($token)
-                    ->setRefreshToken(Arr::get($response, 'refresh_token'))
-                    ->setExpiresIn(Arr::get($response, 'expires_in'));
+        return $user;
     }
 
     /**
-     * {@inheritdoc}
+     * Validate the nonce claim in the id_token against the session value.
+     *
+     * @throws InvalidStateException
      */
-    protected function getUserByToken($token)
+    protected function validateNonce(?string $idToken): void
     {
-        $response = $this->getHttpClient()->get($this->getBaseUrl().'/userinfo', [
-            RequestOptions::HEADERS => [
-                'Authorization' => 'Bearer '.$token,
-            ],
-        ]);
+        $expectedNonce = $this->request->session()->pull('ncconnect_nonce');
+
+        if (! $idToken || ! $expectedNonce) {
+            throw new InvalidStateException('Missing nonce or id_token.');
+        }
+
+        $parts = explode('.', $idToken);
+
+        if (count($parts) !== 3) {
+            throw new InvalidStateException('Invalid id_token format.');
+        }
+
+        $payload = json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true);
+
+        if (! is_array($payload) || ($payload['nonce'] ?? null) !== $expectedNonce) {
+            throw new InvalidStateException('Invalid nonce in id_token.');
+        }
+    }
+
+    protected function getUserByToken($token): array
+    {
+        $response = $this->getHttpClient()->get(
+            $this->getBaseUrl().'protocol/openid-connect/userinfo',
+            [RequestOptions::HEADERS => ['Authorization' => 'Bearer '.$token]]
+        );
 
         return json_decode((string) $response->getBody(), true);
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function mapUserToObject(array $user)
+    protected function mapUserToObject(array $user): User
     {
-        return (new User())->setRaw($user)->map([
-            'id'                 => $user['sub'],
-            'email'              => $user['email'],
-            'email_verified'     => $user['email_verified'],
-            'verified'           => $user['verified'] ?? 0,
-            'preferred_username' => $user['preferred_username'] ?? '',
+        if (empty($user['sub'])) {
+            throw new UnexpectedValueException('Missing "sub" claim in userinfo response.');
+        }
 
-            'given_name'            => $user['given_name'] ?? '',
-            'family_name'           => $user['family_name'] ?? '',
-            'birthdate'             => $user['birthdate'] ?? '',
-            'gender'                => $user['gender'] ?? '',
-            'birthplace'            => $user['birthplace'] ?? '',
-            'birthcountry'          => $user['birthcountry'] ?? '',
+        return (new User)->setRaw($user)->map([
+            'id' => $user['sub'],
+            'email' => $user['email'] ?? null,
+            'email_verified' => $user['email_verified'] ?? false,
+            'verified' => $user['verified'] ?? 0,
+            'preferred_username' => $user['preferred_username'] ?? '',
+            'given_name' => $user['given_name'] ?? '',
+            'first_name' => $user['first_name'] ?? '',
+            'family_name' => $user['family_name'] ?? '',
+            'birthdate' => $user['birthdate'] ?? '',
+            'gender' => $user['gender'] ?? '',
+            'birthplace' => $user['birthplace'] ?? '',
         ]);
     }
 
     /**
-     *  Generate logout URL for redirection to NcConnect.
+     * {@inheritdoc}
      */
-    public function generateLogoutURL()
+    protected function getRefreshTokenResponse($refreshToken): array
     {
         $params = [
-            'post_logout_redirect_uri' => $this->getConfig('logout_redirect'),
-            'id_token_hint'            => $this->request->session()->get('fc_token_id'),
+            'grant_type' => 'refresh_token',
+            'refresh_token' => $refreshToken,
         ];
 
-        return $this->getBaseUrl().'/logout?'.http_build_query($params);
+        $response = $this->getHttpClient()->post(
+            $this->getTokenUrl(),
+            $this->buildTokenRequestOptions($params)
+        );
+
+        return json_decode((string) $response->getBody(), true);
+    }
+
+    /**
+     * Generate logout URL for redirection to NcConnect.
+     *
+     * Without arguments, returns the bare logout endpoint.
+     * With an id_token_hint and/or redirect URI, builds a full RP-Initiated Logout URL.
+     */
+    public function generateLogoutURL(?string $idTokenHint = null, ?string $postLogoutRedirectUri = null): string
+    {
+        $logoutUrl = $this->getBaseUrl().'protocol/openid-connect/logout';
+
+        $redirectUri = $postLogoutRedirectUri ?? $this->getConfig('logout_redirect');
+
+        if ($redirectUri === null && $idTokenHint === null) {
+            return $logoutUrl;
+        }
+
+        $params = [];
+
+        if ($redirectUri !== null) {
+            $params['client_id'] = $this->clientId;
+            $params['post_logout_redirect_uri'] = $redirectUri;
+        }
+
+        if ($idTokenHint !== null) {
+            $params['id_token_hint'] = $idTokenHint;
+        }
+
+        return $logoutUrl.'?'.http_build_query($params);
     }
 }