Commit 8c3f9fc5 authored by pjcdawkins's avatar pjcdawkins

Issue #2483203: Add TFA integration

parent 4541a37c
......@@ -52,7 +52,7 @@ function openid_connect_redirect_page($client_name) {
$tokens = $client->retrieveTokens($_GET['code']);
if ($tokens) {
if ($_SESSION['openid_connect_op'] === 'login') {
$success = openid_connect_complete_authorization($client, $tokens);
$success = openid_connect_complete_authorization($client, $tokens, $destination);
if (!$success) {
drupal_set_message(t('Sign in with @provider could not be completed due to an error.', array('@provider' => $client->getLabel())), 'error');
}
......@@ -69,5 +69,11 @@ function openid_connect_redirect_page($client_name) {
}
}
drupal_goto($destination);
// It's possible to set 'options' in the redirect destination.
if (is_array($destination)) {
drupal_goto($destination[0], $destination[1]);
}
else {
drupal_goto($destination);
}
}
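Review bot: The array branch at `drupal_goto($destination[0], $destination[1])` assumes a two-element array; a redirect array with only a path would raise an undefined-index notice and pass null to drupal_goto()'s `array $options` parameter, which is a fatal type error, and a third element (the HTTP status) is silently dropped. Since `$destination` can now be rewritten by the login path (it is passed by reference into openid_connect_complete_authorization) the value may come from TFA's `$form_state['redirect']`, which is presumably the same shape Drupal core's drupal_redirect_form() handles with `call_user_func_array('drupal_goto', $form_state['redirect']);` — using that here covers all three elements. The initial assignment of `$destination` is earlier in this function, outside the hunk.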
......@@ -288,10 +288,35 @@ function openid_connect_save_user_picture($account, $picture_url) {
/**
* Logs in a user.
*
* @param object $account
* The user account.
* @param string|array &$destination
* The path to redirect to after login.
*/
function openid_connect_login_user($account) {
function openid_connect_login_user($account, &$destination) {
$form_state['uid'] = $account->uid;
user_login_submit(array(), $form_state);
$form = array();
// TFA integration.
if (module_exists('tfa')) {
// The 'code' and 'state' parameters have now been used.
unset($_GET['code'], $_GET['state']);
// TFA will preserve the initial redirect if it is set in the $form_state.
$form_state['redirect'] = $destination;
tfa_login_submit($form, $form_state);
tfa_login_form_redirect($form, $form_state);
}
else {
user_login_submit($form, $form_state);
}
// TFA or other submit handlers may want to change the redirect destination.
if (isset($form_state['redirect'])) {
$destination = $form_state['redirect'];
}
}
/**
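Review bot: When the TFA branch defers the login (tfa_login_submit / tfa_login_form_redirect), openid_connect_login_user() returns with no indication that the user is not yet authenticated, and the caller at the bottom of this commit still fires `hook_openid_connect_post_authorize` as if the sign-in had completed; ending the function with `return user_is_logged_in();` would let callers tell a finished login from a pending second factor (whether TFA actually defers here is inferred from the TFA call pattern, not visible in the hunk). The comment above `unset($_GET['code'], $_GET['state']);` should state the security reason rather than just "have now been used": presumably it keeps the single-use authorization code out of any redirect URL TFA builds from the current query, e.g. `// Drop the single-use code/state so a redirect built from the current query cannot carry them (into Referer headers or logs).` Also worth confirming that tfa_login_submit() does not need `$form_state['values']`, since the `$form_state` built here carries only 'uid' and 'redirect'.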
......@@ -679,11 +704,13 @@ function openid_connect_extract_sub($user_data, $userinfo) {
* The client.
* @param array $tokens
* The tokens as returned from OpenIDConnectClientInterface::retrieveTokens().
* @param string|array &$destination
* The path to redirect to after authorization.
*
* @return bool
* TRUE on success, FALSE on failure.
*/
function openid_connect_complete_authorization($client, $tokens) {
function openid_connect_complete_authorization($client, $tokens, &$destination) {
if (user_is_logged_in()) {
throw new \RuntimeException('User already logged in');
}
......@@ -716,7 +743,7 @@ function openid_connect_complete_authorization($client, $tokens) {
}
openid_connect_save_userinfo($account, $userinfo);
openid_connect_login_user($account);
openid_connect_login_user($account, $destination);
module_invoke_all('openid_connect_post_authorize', $tokens, $account, $userinfo);
......