3 require_once 'authx.civix.php';
5 use CRM_Authx_ExtensionUtil
as E
;
8 Civi
::dispatcher()->addListener('civi.invoke.auth', function($e) {
9 $params = ($_SERVER['REQUEST_METHOD'] === 'GET') ?
$_GET : $_POST;
10 $siteKey = $_SERVER['HTTP_X_CIVI_KEY'] ??
$params['_authxSiteKey'] ??
NULL;
12 if (!empty($_SERVER['HTTP_X_CIVI_AUTH'])) {
13 return (new \Civi\Authx\
Authenticator())->auth($e, ['flow' => 'xheader', 'cred' => $_SERVER['HTTP_X_CIVI_AUTH'], 'siteKey' => $siteKey]);
16 if (!empty($_SERVER['HTTP_AUTHORIZATION']) && !empty(Civi
::settings()->get('authx_header_cred'))) {
17 return (new \Civi\Authx\
Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]);
20 if (!empty($params['_authx'])) {
21 if ((implode('/', $e->args
) === 'civicrm/authx/login')) {
22 (new \Civi\Authx\
Authenticator())->auth($e, ['flow' => 'login', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]);
23 _authx_redact(['_authx']);
25 elseif (!empty($params['_authxSes'])) {
26 (new \Civi\Authx\
Authenticator())->auth($e, ['flow' => 'auto', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]);
27 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
28 _authx_reload(implode('/', $e->args
), $_SERVER['QUERY_STRING']);
31 _authx_redact(['_authx', '_authxSes']);
35 (new \Civi\Authx\
Authenticator())->auth($e, ['flow' => 'param', 'cred' => $params['_authx'], 'siteKey' => $siteKey]);
36 _authx_redact(['_authx']);
40 // Accept legacy auth (?key=...&api_key=...) for 'civicrm/ajax/rest' and 'civicrm/ajax/api4/*'.
41 // The use of `?key=` could clash on some endpoints. Only accept on a small list of endpoints that are compatible with it.
42 if (count($e->args
) > 2 && $e->args
[1] === 'ajax' && in_array($e->args
[2], ['rest', 'api4'])) {
43 if ((!empty($_REQUEST['api_key']) ||
!empty($_REQUEST['key']))) {
44 return (new \Civi\Authx\
LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ??
'', 'siteKey' => $_REQUEST['key'] ??
NULL]);
50 * Perform a system login.
52 * This is useful for backend scripts that need to switch to a specific user.
54 * As needed, this will update the Civi session and CMS data.
56 * @param array{flow: ?string, useSession: ?bool, principal: ?array, cred: ?string,} $details
57 * Describe the authentication process with these properties:
59 * - string $flow (default 'script');
60 * The type of authentication flow being used
61 * Ex: 'param', 'header', 'auto'
62 * - bool $useSession (default FALSE)
63 * If TRUE, then the authentication should be persistent (in a session variable).
64 * If FALSE, then the authentication should be ephemeral (single page-request).
66 * And then ONE of these properties to describe the user/principal:
69 * The credential, as formatted in the 'Authorization' header.
70 * Ex: 'Bearer 12345', 'Basic ASDFFDSA=='
72 * Description of a validated principal.
73 * Must include 'contactId', 'userId', xor 'user'
74 * @return array{contactId: int, userId: ?int, flow: string, credType: string, useSession: bool}
75 * An array describing the authenticated session.
76 * @throws \Civi\Authx\AuthxException
78 function authx_login(array $details): array {
79 $defaults = ['flow' => 'script', 'useSession' => FALSE];
80 $details = array_merge($defaults, $details);
81 $auth = new \Civi\Authx\
Authenticator();
82 $auth->setRejectMode('exception');
83 $auth->auth(NULL, array_merge($defaults, $details));
84 return \CRM_Core_Session
::singleton()->get("authx");
88 * @return \Civi\Authx\AuthxInterface
90 function _authx_uf() {
91 $class = 'Civi\\Authx\\' . CIVICRM_UF
;
92 return class_exists($class) ?
new $class() : new \Civi\Authx\
None();
96 * For parameter-based authentication, this option will hide parameters.
97 * This is mostly a precaution, hedging against the possibility that some routes
98 * make broad use of $_GET or $_PARAMS.
102 function _authx_redact(array $keys) {
103 foreach ($keys as $key) {
104 unset($_POST[$key], $_GET[$key], $_REQUEST[$key]);
109 * Reload the current page-view.
111 * @param string $route
112 * @param string $queryString
114 function _authx_reload($route, $queryString) {
115 parse_str($queryString, $query);
116 foreach (array_keys($query) as $key) {
117 if (CRM_Utils_String
::startsWith($key, '_authx')) {
121 $url = CRM_Utils_System
::url($route, $query, TRUE, NULL, FALSE, CRM_Core_Config
::singleton()->userSystem
->isFrontEndPage());
122 CRM_Utils_System
::redirect($url);
126 * Implements hook_civicrm_config().
128 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config/
130 function authx_civicrm_config(&$config) {
131 _authx_civix_civicrm_config($config);
135 * Implements hook_civicrm_install().
137 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_install
139 function authx_civicrm_install() {
140 _authx_civix_civicrm_install();
145 * Implements hook_civicrm_postInstall().
147 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
149 function authx_civicrm_postInstall() {
150 _authx_civix_civicrm_postInstall();
154 * Implements hook_civicrm_uninstall().
156 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
158 function authx_civicrm_uninstall() {
159 _authx_civix_civicrm_uninstall();
163 * Implements hook_civicrm_enable().
165 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
167 function authx_civicrm_enable() {
168 _authx_civix_civicrm_enable();
169 // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
170 // it's probably an extra/independent layer of security.
171 // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
172 // @link https://github.com/civicrm/civicrm-core/pull/22837
173 if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi
::settings()->getExplicit('authx_header_cred')) {
174 Civi
::settings()->set('authx_header_cred', ['jwt', 'api_key']);
179 * Implements hook_civicrm_disable().
181 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
183 function authx_civicrm_disable() {
184 _authx_civix_civicrm_disable();
188 * Implements hook_civicrm_upgrade().
190 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
192 function authx_civicrm_upgrade($op, CRM_Queue_Queue
$queue = NULL) {
193 return _authx_civix_civicrm_upgrade($op, $queue);
197 * Implements hook_civicrm_entityTypes().
199 * Declare entity types provided by this module.
201 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
203 function authx_civicrm_entityTypes(&$entityTypes) {
204 _authx_civix_civicrm_entityTypes($entityTypes);
208 * Implements hook_civicrm_permission().
210 * @see CRM_Utils_Hook::permission()
212 function authx_civicrm_permission(&$permissions) {
213 $permissions['authenticate with password'] = E
::ts('AuthX: Authenticate to services with password');
214 $permissions['authenticate with api key'] = E
::ts('AuthX: Authenticate to services with API key');
217 // --- Functions below this ship commented out. Uncomment as required. ---
220 * Implements hook_civicrm_preProcess().
222 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess
224 //function authx_civicrm_preProcess($formName, &$form) {
229 * Implements hook_civicrm_navigationMenu().
231 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu
233 function authx_civicrm_navigationMenu(&$menu) {
234 _authx_civix_insert_navigation_menu($menu, 'Administer/System Settings', [
235 'label' => E
::ts('Authentication'),
236 'name' => 'authx_admin',
237 'url' => 'civicrm/admin/setting/authx',
238 'permission' => 'administer CiviCRM',
242 _authx_civix_navigationMenu($menu);