From 3030b77a892489d8eb822f3ab7aa02e631665f32 Mon Sep 17 00:00:00 2001
From: Yekta <yekta.senay@zeneg.de>
Date: Tue, 10 Sep 2024 17:32:12 +0200
Subject: [PATCH] - Added sogo-auth.php / sogo-tokengenerate.php

---
 data/web/sogossologin/sogo-auth.php          | 60 ++++++++++++++++
 data/web/sogossologin/sogo-tokengenerate.php | 76 ++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 data/web/sogossologin/sogo-auth.php
 create mode 100644 data/web/sogossologin/sogo-tokengenerate.php

diff --git a/data/web/sogossologin/sogo-auth.php b/data/web/sogossologin/sogo-auth.php
new file mode 100644
index 0000000000..b3507b454b
--- /dev/null
+++ b/data/web/sogossologin/sogo-auth.php
@@ -0,0 +1,60 @@
+<?php
+
+session_start();
+$session_var_user_allowed = 'sogo-sso-user-allowed';
+$session_var_pass = 'sogo-sso-pass';
+
+
+function checkTokenExists($pdo, $username, $token): bool
+{
+    try {
+
+        $stmt = $pdo->prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
+        $stmt->bindParam(':username', $username);
+        $stmt->bindParam(':token', $token);
+
+        $stmt->execute();
+
+        $res = $stmt->fetchAll();
+        if(count($res) == 1){
+            return true;
+        }else{
+            return false;
+        }
+    } catch (PDOException $e) {
+        return false;
+    }
+}
+
+
+
+
+
+
+if(isset($_GET['email']) && $_GET['token']){
+    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+    if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
+        try {
+            $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+            $_SESSION[$session_var_user_allowed][] = $_GET['email'];
+            $_SESSION[$session_var_pass] = $sogo_sso_pass;
+            $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+            $stmt->execute(array(
+                ':username' => $_GET['email'],
+                ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
+            ));
+        }catch (PDOException $e){
+            echo $e->getMessage();
+        }
+
+
+        header("Location: /SOGo/so/{$_GET['email']}");
+    }else{
+        http_response_code(401);
+    }
+}
+
+// if username is empty, SOGo will use the normal login methods / login form
+header("X-User: ");
+header("X-Auth: ");
+header("X-Auth-Type: ");
\ No newline at end of file
diff --git a/data/web/sogossologin/sogo-tokengenerate.php b/data/web/sogossologin/sogo-tokengenerate.php
new file mode 100644
index 0000000000..6e9cf71612
--- /dev/null
+++ b/data/web/sogossologin/sogo-tokengenerate.php
@@ -0,0 +1,76 @@
+<?php
+
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+$_POST = json_decode(file_get_contents('php://input'), true);
+
+function createIfTableDoesntExist($pdo, $debug = false)
+{
+    try {
+        $stmt = $pdo->prepare("CREATE TABLE IF NOT EXISTS `sogo_sso_tokens` (
+            `id` INT AUTO_INCREMENT PRIMARY KEY,
+            `username` TEXT NOT NULL,
+            `token` TEXT NOT NULL
+        )");
+        $stmt->execute();
+    } catch (PDOException $e) {
+        if ($debug) echo $e->getMessage();
+    }
+}
+
+function showTables($pdo)
+{
+    try {
+        $stmt2 = $pdo->query("SHOW TABLES");
+        $res = $stmt2->fetchAll(PDO::FETCH_ASSOC);
+        var_dump($res);
+    } catch (PDOException $e) {
+        echo $e->getMessage();
+    }
+}
+
+function writeTokenToDB($username, $token, $pdo): bool
+{
+    try {
+        $stmt = $pdo->prepare("INSERT INTO `sogo_sso_tokens` (`username`, `token`) VALUES (:username, :token)");
+        $stmt->bindParam(':username', $username);
+        $stmt->bindParam(':token', $token);
+        $success = $stmt->execute();
+        return $success;
+    } catch (PDOException $e) {
+        echo $e->getMessage();
+        return false;
+    }
+}
+
+function generateToken($username): string
+{
+    return md5(base64_encode($username) . random_bytes(16) . md5(time()));
+}
+
+function getApiKey($pdo)
+{
+    try {
+        $stmt = $pdo->prepare("SELECT `api_key` FROM `api` LIMIT 1");
+        $stmt->execute();
+        return $stmt->fetchColumn();
+
+    } catch (PDOException $e) {
+        return null;
+    }
+}
+
+
+if (isset($_POST['username']) && isset($_POST['apikey'])) {
+
+    if ($_POST['apikey'] == getApiKey($pdo)) {
+        $username = $_POST['username'];
+        $token = generateToken($username);
+        createIfTableDoesntExist($pdo);
+        writeTokenToDB($username, $token, $pdo);
+        echo json_encode(array(
+            "success" => true,
+            "username"=> $username,
+            "token" => $token
+        ));
+    }
+}
\ No newline at end of file