Oauth with Open Collective

application/modules/oauth.module.php

@@ -0,0 +1,71 @@
+<?php
+
+$oauth = service('oauth');
+
+if (url_is('/oauth/connect')) {
+  $_SESSION['oauth_state'] = $oauth->state();
+  return redirect($oauth->authorization_url());
+}
+
+else if (url_is('/oauth/callback')) {
+  check_parameters(['code', 'state']);
+
+  $code = get_param('code');
+  $state = get_param('state');
+
+  # Recommended security checks
+  # https://oauth2-client.thephpleague.com/usage/
+  if (isset($_SESSION['oauth_state']) && $state !== $_SESSION['oauth_state']) {
+    if (isset($_SESSION['oauth_state'])) {
+      unset($_SESSION['oauth_state']);
+    }
+    throw http_error(400, 'Invalid state.');
+  }
+
+  # error_log("access_token:$access_token");
+  $_SESSION['oauth_access_token'] = $oauth->access_token($code);
+
+  return redirect('/oauth/membership');
+}
+
+else if (url_is('/oauth/membership')) {
+  $access_token = $_SESSION['oauth_access_token'];
+
+  $authenticated_user = $oauth->authenticated_user($access_token);
+  if (empty($authenticated_user)) {
+    return redirect('/oauth/connect');
+  }
+
+  # error_log(json_encode($authenticated_user));
+  $_SESSION['oauth_authenticated_user'] = $authenticated_user;
+
+  $member_of = $authenticated_user['memberOf']['nodes'];
+  # If member of blogmarks on Open Collective
+  if (!empty($member_of)) {
+    $user = table('users')->get_one('email', $authenticated_user['email']);
+    # If user found
+    if ($user) {
+      signin($user);
+    } else {
+      $user = table('users')->get_one('login', $authenticated_user['slug']);
+      if ($user) {
+        throw http_error(400, 'Login is already taken.');
+      }
+      $params = [
+        'name'  => $authenticated_user['name'],
+        'login' => $authenticated_user['slug'],
+        'email' => $authenticated_user['email'],
+      ];
+      $user = table('users')->create($params);
+      signin($user);
+    }
+    return redirect(get_param('redirect_url', '/my/'));
+  }
+
+  title(_('Membership'));
+  return render('oauth/membership');
+}
+
+else {
+  return unknown_url();
+}

application/partials/top.partial.php

@@ -20,11 +20,15 @@
           /
           <a class="navbar-link" href="<?= $relative_url('/auth/signout') ?>"><?= _("Sign Out") ?></a>
           <?php else : ?>
-            <?php if (flag('enable_signup')) : ?>
-            <a class="navbar-link" href="<?= $relative_url('/auth/signup') ?>"><?= _("Sign Up") ?></a>
-            /
+            <?php if (flag('enable_oauth')) : ?>
+              <a class="navbar-link" href="<?= $relative_url('/oauth/connect') ?>"><?= _("Sign In with Open Collective") ?></a>
+            <?php else : ?>
+              <?php if (flag('enable_signup')) : ?>
+                <a class="navbar-link" href="<?= $relative_url('/auth/signup') ?>"><?= _("Sign Up") ?></a>
+                /
+                <?php endif ?>
+              <a class="navbar-link" href="<?= $relative_url('/auth/signin') ?>"><?= _("Sign In") ?></a>
             <?php endif ?>
-            <a class="navbar-link" href="<?= $relative_url('/auth/signin') ?>"><?= _("Sign In") ?></a>
           <?php endif ?>
         </p>
         <ul class="nav">

application/start.action.php

@@ -24,6 +24,9 @@
 elseif (url_start_with('/auth')) {
   module('auth');
 }
+elseif (url_start_with('/oauth')) {
+  module('oauth');
+}
 else {
   module('public');
 }

application/views/oauth/membership.view.php

@@ -0,0 +1,16 @@
+<div id="content" class="fullwidth">
+  <div id="content-inner">
+
+    <?php partial('notification') ?>
+
+    <a href="https://opencollective.com/blogmarks/contribute/supporter-8698/checkout?redirect=<?= current_url() ?>">
+      <img
+        alt="Contribute to help us stay sustainable for the next 10 years!"
+        src="/img/opencollective-contribute.png"
+        width="300"
+        style="display:block;margin:20px auto"
+      />
+    </a>
+
+  </div>
+</div>

classes/service/oauth.php

@@ -0,0 +1,80 @@
+<?php namespace blogmarks\service;
+
+class oauth
+{
+
+  public $client_id;
+
+  public $client_secret;
+
+  public $redirect_uri;
+
+  public $api_url = 'https://api.opencollective.com';
+
+  public $website_url = 'https://opencollective.com';
+
+  public $graphql_query = '{
+    me {
+      id
+      name
+      slug
+      email
+      imageUrl(height: 90)
+      memberOf(account: { slug: "blogmarks" }, role: [ADMIN, BACKER]) {
+        nodes {
+          role
+          totalDonations {
+            value
+            currency
+          }
+        }
+      }
+    }
+  }';
+
+  public $scope = ['email'];
+
+  protected $provider;
+
+  function provider($params = null)
+  {
+    if (isset($this->provider) && empty($params)) {
+      return $this->provider;
+    }
+
+    foreach ($params as $key => $value) {
+      $this->$key = $value;
+    }
+
+    return $this->provider = new \League\OAuth2\Client\Provider\GenericProvider([
+      'clientId'                => $this->client_id,
+      'clientSecret'            => $this->client_secret,
+      'redirectUri'             => $this->redirect_uri,
+      'urlAuthorize'            => $this->website_url . '/oauth/authorize?scope=' . implode(',', $this->scope),
+      'urlAccessToken'          => $this->api_url . '/oauth/token',
+      'urlResourceOwnerDetails' => $this->api_url . '/graphql?query=' . urlencode($this->graphql_query)
+    ]);
+  }
+
+  function authorization_url()
+  {
+    return $this->provider()->getAuthorizationUrl();
+  }
+
+  function state()
+  {
+    return $this->provider()->getState();
+  }
+
+  function access_token($code)
+  {
+    return $this->provider()->getAccessToken('authorization_code', ['code' => $code]);
+  }
+
+  function authenticated_user($access_token)
+  {
+    $resource_owner = $this->provider()->getResourceOwner($access_token)->toArray();
+    return $resource_owner['data']['me'];
+  }
+
+}

composer.json

@@ -7,7 +7,8 @@
     "ruflin/elastica": "^6.1.1",
     "pixel418/markdownify": "^2.3",
     "swiftmailer/swiftmailer": "^6.0",
-    "ca-dsgn/lessphp": "^0.7.0"
+    "ca-dsgn/lessphp": "^0.7.0",
+    "league/oauth2-client": "^2.6"
   },
   "autoload": {
       "psr-4": {