From be3164e997a7fd3f143b18d41930fcc1dafca347 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Hru=C5=A1ka?=
Date: Tue, 10 Jul 2018 22:57:50 +0200
Subject: [PATCH] Fixes to make SO login work. GitHub now works also (was a FF plugin bug)

---
 config/app.php | 6 ++++++
 config/session.php | 4 ++--
 .../2014_10_12_000000_create_users_table.php | 2 +-
 .../eloquent-oauth/src/EloquentIdentityStore.php | 2 +-
 .../socialnorm/github/src/GitHubProvider.php | 9 +++++++--
 .../src/Exceptions/AuthNotUsableException.php | 7 +++++++
 .../socialnorm/src/Providers/OAuth2Provider.php | 13 +++++++++----
 sideload/socialnorm/socialnorm/src/Request.php | 2 +-
 .../socialnorm/socialnorm/src/SocialNorm.php | 7 +++++--
 .../stackoverflow/src/StackOverflowProvider.php | 16 ++++++++++++++--
 10 files changed, 53 insertions(+), 15 deletions(-)
 create mode 100644 sideload/socialnorm/socialnorm/src/Exceptions/AuthNotUsableException.php

diff --git a/config/app.php b/config/app.php
index 65c39b5..ed47faa 100644
--- a/config/app.php
+++ b/config/app.php
@@ -220,4 +220,10 @@ return [
 // -------------- added keys --------------
 'pretty_json' => env('PRETTY_JSON', false),
+
+ 'debug_blacklist' => [
+ '_COOKIE' => array_keys($_COOKIE),
+ '_SERVER' => array_keys($_SERVER),
+ '_ENV' => array_keys($_ENV),
+ ],
 ];
diff --git a/config/session.php b/config/session.php
index 3e142c9..5a44a3f 100644
--- a/config/session.php
+++ b/config/session.php
@@ -177,7 +177,7 @@ return [
 |
 */
- 'http_only' => true,
+ 'http_only' => env('SESSION_HTTPONLY', true),

 /*
 |--------------------------------------------------------------------------
@@ -192,6 +192,6 @@ return [
 |
 */
- 'same_site' => 'lax', // this was changed, leaving it as 'null' caused session to be reset during oAuth2 login
+ 'same_site' => env('SESSION_SAMESITE', null), // this was changed, leaving it as 'null' caused session to be reset during oAuth2 login
 ];
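Review bot: `debug_blacklist` only hides the listed superglobal entries on the debug error page; it does not filter exception messages, and other hunks in this patch (parseJsonTokenResponse, parseUserDataResponse, authorizationCode, verifyState) now embed raw provider bodies or callback parameters in theirs, so those still render whenever APP_DEBUG is on. The new keys deserve a comment stating that limit, e.g. `// Hides the values of these superglobal keys on the debug error page only; exception messages and log lines are not filtered.` Whether `$_ENV` carries anything here depends on php.ini's variables_order, which this hunk cannot show.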
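Review bot: The trailing comment on the `+` line of the second session.php hunk is now stale: it still explains why the value became 'lax', while the new default is null, meaning no SameSite attribute is emitted unless SESSION_SAMESITE is set. Either keep the previous behaviour as the default, `'same_site' => env('SESSION_SAMESITE', 'lax'), // null drops the attribute entirely`, or rewrite the comment to say that null drops the attribute and that 'lax' was the value that let the OAuth2 callback keep its session. The first hunk makes HttpOnly switchable from the environment; a one-line comment on when a deployment would set SESSION_HTTPONLY=false, and that the default stays true, would tell the next reader it is safe to leave alone.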
diff --git a/database/migrations/2014_10_12_000000_create_users_table.php b/database/migrations/2014_10_12_000000_create_users_table.php
index f98c88a..2fed394 100644
--- a/database/migrations/2014_10_12_000000_create_users_table.php
+++ b/database/migrations/2014_10_12_000000_create_users_table.php
@@ -16,7 +16,7 @@ class CreateUsersTable extends Migration
 Schema::create('users', function (Blueprint $table) {
 $table->increments('id');
 $table->timestamps();
- $table->string('name');
+ $table->string('name')->unique();
 $table->string('email')->unique()->nullable();
 $table->string('password')->nullable();
 $table->rememberToken();
diff --git a/sideload/adamwathan/eloquent-oauth/src/EloquentIdentityStore.php b/sideload/adamwathan/eloquent-oauth/src/EloquentIdentityStore.php
index 1f22924..4b707df 100644
--- a/sideload/adamwathan/eloquent-oauth/src/EloquentIdentityStore.php
+++ b/sideload/adamwathan/eloquent-oauth/src/EloquentIdentityStore.php
@@ -25,7 +25,7 @@ class EloquentIdentityStore implements IdentityStore
 {
 $first = User::where('email', $providerUser->email)->first();
- if($first->email) return $first;
+ if($first && $first->email) return $first;
 return null;
 }
diff --git a/sideload/socialnorm/github/src/GitHubProvider.php b/sideload/socialnorm/github/src/GitHubProvider.php
index 4e108f7..4c1702c 100644
--- a/sideload/socialnorm/github/src/GitHubProvider.php
+++ b/sideload/socialnorm/github/src/GitHubProvider.php
@@ -1,5 +1,6 @@ [], 'access_token' => [
- 'Accept' => 'application/json'
+ 'Accept' => 'application/json',
+ 'Content-Type' => 'application/x-www-form-urlencoded'
 ],
 'user_details' => [
 'Accept' => 'application/vnd.github.v3'
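Review bot: The new guard `$first && $first->email` rejects the null row, but the context line above still runs `User::where('email', $providerUser->email)` even when the provider supplied no e-mail; in Laravel's query builder a null value turns that into `WHERE email IS NULL`, so the lookup scans every e-mail-less account and relies on the truthiness check as the backstop. Returning early is clearer and skips the query: `if (empty($providerUser->email)) return null;` before the `$first = ...` line. A comment that this e-mail match is only safe when the provider has verified the address would also help — the GitHubProvider hunk later in this patch enforces that, other providers may not. The enclosing method's signature is outside the hunk.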
@@ -72,10 +74,13 @@ class GitHubProvider extends OAuth2Provider
 protected function getPrimaryEmail($emails)
 {
 foreach ($emails as $email) {
- if ($email['primary']) {
+ if ($email['primary'] && $email['verified']) {
 return $email['email'];
 }
 }
+ if (!$emails[0]['verified']) {
+ throw new AuthNotUsableException("No verified e-mail.");
+ }
 return $emails[0]['email'];
 }
diff --git a/sideload/socialnorm/socialnorm/src/Exceptions/AuthNotUsableException.php b/sideload/socialnorm/socialnorm/src/Exceptions/AuthNotUsableException.php
new file mode 100644
index 0000000..0656151
--- /dev/null
+++ b/sideload/socialnorm/socialnorm/src/Exceptions/AuthNotUsableException.php
@@ -0,0 +1,7 @@ +getResponse()->getBody()); }
+ return $this->parseTokenResponse((string) $response->getBody());
 }
@@ -128,11 +129,15 @@ abstract class OAuth2Provider implements Provider
 protected function parseJsonTokenResponse($response)
 {
- $response = json_decode($response);
- if (! isset($response->access_token)) {
- throw new InvalidAuthorizationCodeException;
+ $parsed = json_decode($response);
+
+ if ($parsed === false || json_last_error())
+ throw new InvalidAuthorizationCodeException('No access token in response: ' . $response . ", error " . json_last_error_msg());
+
+ if (! isset($parsed->access_token)) {
+ throw new InvalidAuthorizationCodeException('No access token in response: ' . $response);
 }
- return $response->access_token;
+ return $parsed->access_token;
 }
 abstract protected function getAuthorizeUrl();
diff --git a/sideload/socialnorm/socialnorm/src/Request.php b/sideload/socialnorm/socialnorm/src/Request.php
index a57a8dc..f6ebc0f 100644
--- a/sideload/socialnorm/socialnorm/src/Request.php
+++ b/sideload/socialnorm/socialnorm/src/Request.php
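Review bot: The fallback added after the loop in getPrimaryEmail inspects only `$emails[0]`, so a list whose first address is unverified throws even when a later, verified address exists, and an empty `$emails` raises an undefined-index notice before the exception is reached. A second pass that returns the first verified address and throws only when there is none covers both cases; the hunk's own loop already handles the primary-and-verified case. This assumes every entry of the e-mail payload carries a `verified` key, which the new condition on the first `+` line already presumes.
```php
    // … unchanged: loop returning the primary address when it is verified …
    // No verified primary address: accept any verified one, otherwise refuse the login.
    foreach ($emails as $email) {
        if (!empty($email['verified'])) {
            return $email['email'];
        }
    }
    throw new AuthNotUsableException("No verified e-mail.");
```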
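Review bot: In parseJsonTokenResponse the new `$parsed === false` test never detects a decode failure, because json_decode returns null on invalid input (false only for the literal JSON `false`); `json_last_error()` is the only part of the condition doing work, so it should read `if (json_last_error() !== JSON_ERROR_NONE) {` with braces, matching the if below it. The larger issue is that both new messages concatenate the raw token-endpoint body `$response` into the exception; a body that fails to parse as JSON is exactly the case where a provider answered in another format (the form-encoded reply StackOverflowProvider::parseTokenResponse now expects), and that body carries the access token, which then reaches logs and, with APP_DEBUG on, the error page. Keep the body out of the messages: `throw new InvalidAuthorizationCodeException('Token response is not valid JSON: ' . json_last_error_msg());` and `throw new InvalidAuthorizationCodeException('Token response has no access_token');`. The first OAuth2Provider hunk on this page is truncated and was not reviewed.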
@@ -31,7 +31,7 @@ final class Request
 public function authorizationCode()
 {
 if (! isset($this->queryParams['code'])) {
- throw new ApplicationRejectedException;
+ throw new ApplicationRejectedException("Did not receive auth code. " . json_encode($this->queryParams));
 }
 return $this->queryParams['code'];
 }
diff --git a/sideload/socialnorm/socialnorm/src/SocialNorm.php b/sideload/socialnorm/socialnorm/src/SocialNorm.php
index 1f034dd..ffc501a 100644
--- a/sideload/socialnorm/socialnorm/src/SocialNorm.php
+++ b/sideload/socialnorm/socialnorm/src/SocialNorm.php
@@ -53,8 +53,11 @@ class SocialNorm
 protected function verifyState()
 {
- if ($this->session->get('oauth.state') !== $this->request->state()) {
- throw new InvalidAuthorizationCodeException("State failed to verify");
+ $expected = $this->session->get('oauth.state');
+ $received = $this->request->state();
+
+ if ($expected !== $received) {
+ throw new InvalidAuthorizationCodeException("State failed to verify - session: $expected, from provider: $received");
 }
 }
 }
diff --git a/sideload/socialnorm/stackoverflow/src/StackOverflowProvider.php b/sideload/socialnorm/stackoverflow/src/StackOverflowProvider.php
index e23403d..823ad6e 100644
--- a/sideload/socialnorm/stackoverflow/src/StackOverflowProvider.php
+++ b/sideload/socialnorm/stackoverflow/src/StackOverflowProvider.php
@@ -1,5 +1,7 @@ [], 'access_token' => [
+ 'Accept' => 'application/json',
 'Content-Type' => 'application/x-www-form-urlencoded'
 ],
 'user_details' => [],
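Review bot: The new message in authorizationCode serializes the entire callback query string with `json_encode($this->queryParams)`, so besides the provider's error fields it captures `state` and anything else the redirect carried, and all of it lands in logs and on the debug page. Restricting the dump to the OAuth2 error fields keeps the useful diagnostics: `throw new ApplicationRejectedException("Did not receive auth code. " . json_encode(array_intersect_key($this->queryParams, array_flip(['error', 'error_description']))));`.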
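Review bot: In verifyState the `!==` comparison still passes when both sides are null: a session that has lost `oauth.state` and a callback without a `state` parameter compare equal and verification succeeds, assuming `$this->request->state()` can return null, which depends on Request and is outside this hunk. Require a non-empty session value and compare in constant time: `if (!is_string($expected) || $expected === '' || !is_string($received) || !hash_equals($expected, $received)) {`. The new message also echoes both state values; the previous `"State failed to verify"` said enough, and the values belong in a debug log at most.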
@@ -65,12 +68,21 @@ class StackOverflowProvider extends OAuth2Provider
 protected function parseTokenResponse($response)
 {
- return $this->parseJsonTokenResponse($response);
+ return explode('=', $response, 2)[1];
 }

 protected function parseUserDataResponse($response)
 {
- return json_decode($response, true);
+ $decoded = (array)json_decode($response, true);
+
+ if ($decoded === false || json_last_error())
+ throw new InvalidAuthorizationCodeException('Corrupt response json: ' . $response . ", error " . json_last_error_msg());
+
+ if (0 == count(array_get($decoded, 'items'))) {
+ throw new AuthNotUsableException('No profile on StackOverflow. Resp: '.$response);
+ }
+
+ return $decoded;
 }

 protected function userId()
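Review bot: `explode('=', $response, 2)[1]` in parseTokenResponse returns everything after the first `=`, so a form-encoded body with more than one field (e.g. a constructed `access_token=abc&expires=1234`) yields `abc&expires=1234` as the token, and a body without any `=` indexes a missing element; `parse_str` decodes that format properly. In parseUserDataResponse the `(array)` cast makes `$decoded === false` dead, and `count(array_get($decoded, 'items'))` is called on null when `items` is absent (a warning on PHP 7.2, a TypeError on 8), so `empty($decoded['items'])` is the safer test. Both new messages also copy the raw response body into the exception, which is unnecessary for the token body and puts profile data into logs for the other; the rewrite below drops it. Whether Stack Exchange's token reply carries extra fields is inferred from the form-encoded format, not visible here.
```php
protected function parseTokenResponse($response)
{
    // Stack Exchange answers the token request form-encoded, not as JSON.
    parse_str($response, $params);
    if (empty($params['access_token'])) {
        throw new InvalidAuthorizationCodeException('No access_token in token response');
    }
    return $params['access_token'];
}

protected function parseUserDataResponse($response)
{
    $decoded = json_decode($response, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        throw new InvalidAuthorizationCodeException('Corrupt response json: ' . json_last_error_msg());
    }
    // A user with no Stack Overflow profile comes back with an empty items list.
    if (empty($decoded['items'])) {
        throw new AuthNotUsableException('No profile on StackOverflow.');
    }
    return $decoded;
}
```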