From 02dc5c62a71143e8606db34676e2ae98087ae450 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Thu, 13 Jan 2022 13:36:20 -0800
Subject: [PATCH] Civi::pipe - Comply with newer `authx_login()` contract. Declare flow names. 1. The original Civi::pipe() patch was built on a draft version of `authx_login()`. The signature changed during review. 2. The original Civi::pipe() patch hacked the `flow` name - ie it used the flow name `xheader` even though it wasn't HTTP-based. Now, it uses either the existing `script` flow (for trusted/backend/principal-asserted runtimes) or the new `pipe` flow (for untrusted/credential-based runtimes).
---
 Civi/Pipe/PublicMethods.php | 6 +++---
 ext/authx/settings/authx.setting.php | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/Civi/Pipe/PublicMethods.php b/Civi/Pipe/PublicMethods.php
index 9dafae58cc..3cb7e8d592 100644
--- a/Civi/Pipe/PublicMethods.php
+++ b/Civi/Pipe/PublicMethods.php
@@ -99,7 +99,7 @@ class PublicMethods {
 * Set active user.
 *
 * @param \Civi\Pipe\PipeSession $session
- * @param array{contactId: int, userId: int, user: string} $request
+ * @param array{contactId: int, userId: int, user: string, cred: string} $request
 * @return array|\Civi\Api4\Generic\Result|int
 */
 public function login(PipeSession $session, array $request) {
@@ -113,7 +113,7 @@ class PublicMethods {
 $principal = \CRM_Utils_Array::subset($request, ['contactId', 'userId', 'user']);
 if ($principal && $session->isTrusted()) {
- return $redact(authx_login($request, FALSE /* Pipe sessions do not need cookies or DB */));
+ return $redact(authx_login(['flow' => 'script', 'principal' => $principal]));
 }
 elseif ($principal && !$session->isTrusted()) {
 throw new AuthxException("Session is not trusted.");
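Review bot: The `@param` shape on `login()` (hunk `@@ -99,7 +99,7 @@`) lists `contactId`, `userId`, `user` and `cred` as if all four were required, while the body visible in the later hunks treats them as alternatives: a principal subset, or `cred`. Marking the keys optional would document the real contract: `@param array{contactId?: int, userId?: int, user?: string, cred?: string} $request`. A sentence in the docblock saying that principal keys are honoured only on trusted sessions and that `cred` is the path for untrusted ones would also help callers; the method body runs past the end of this hunk.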
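Review bot: In the `@@ -113,7 +113,7 @@` hunk the trusted branch asserts an identity with no credential, gated only by `$session->isTrusted()`, and the rewritten call no longer carries the remark that pipe sessions do not need cookies or DB. A comment at the call would keep that intent visible, e.g. `// Trusted pipe: caller asserts the principal; no credential check, no cookie/DB session.` The new call passes no session option, so it relies on whatever default `authx_login()` applies; if the new contract has such an option (`useSession`, as far as I recall; not visible here), setting it explicitly is safer than depending on the default. `$principal` can also hold several of the three keys at once, and whether `authx_login()` rejects conflicting identifiers is not visible in this hunk. `login()` starts before and continues after the hunk.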
@@ -121,7 +121,7 @@ class PublicMethods {
 elseif (isset($request['cred'])) {
 $authn = new \Civi\Authx\Authenticator();
 $authn->setRejectMode('exception');
- if ($authn->auth(NULL, ['flow' => 'xheader', 'cred' => $request['cred']])) {
+ if ($authn->auth(NULL, ['flow' => 'pipe', 'cred' => $request['cred']])) {
 return $redact(\CRM_Core_Session::singleton()->get("authx"));
 }
 }
diff --git a/ext/authx/settings/authx.setting.php b/ext/authx/settings/authx.setting.php
index d08d376c3c..81ed26587c 100644
--- a/ext/authx/settings/authx.setting.php
+++ b/ext/authx/settings/authx.setting.php
@@ -17,7 +17,7 @@ use CRM_Authx_ExtensionUtil as E;
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
 $_authx_settings = function() {
- $flows = ['param', 'header', 'xheader', 'login', 'auto', 'script'];
+ $flows = ['param', 'header', 'xheader', 'login', 'auto', 'script', 'pipe'];
 $basic = [
 'group_name' => 'CiviCRM Preferences',
 'group' => 'authx',
@@ -80,6 +80,7 @@ $_authx_settings = function() {
 $s['authx_param_cred']['default'] = ['jwt', 'api_key'];
 $s['authx_header_cred']['default'] = ['jwt', 'api_key'];
 $s['authx_xheader_cred']['default'] = ['jwt', 'api_key'];
+ $s['authx_pipe_cred']['default'] = ['jwt', 'api_key'];
 return $s;
 };
--
2.25.1
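Review bot: In the `@@ -121,7 +121,7 @@` hunk of Civi/Pipe/PublicMethods.php, the `if ($authn->auth(...))` has no else, so a falsy return from `auth()` leaves the `elseif` without any error. With `setRejectMode('exception')` a rejected credential presumably throws, but that depends on behaviour not visible here. The end of `login()` is also outside the hunk, so I cannot see what a request with neither principal nor `cred` gets back. Unless the code after the hunk already does so, an explicit failure such as `throw new AuthxException("Login failed.");` after the branch chain would make the untrusted path fail closed.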
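Review bot: The new `authx_pipe_cred` default in ext/authx/settings/authx.setting.php (hunk `@@ -80,6 +80,7 @@`) copies `['jwt', 'api_key']` from the HTTP flows without saying why, yet this setting decides which credential types an untrusted pipe client may present. A comment would record the policy, e.g. `// Untrusted pipe clients: same credential policy as the HTTP header flows.` Adding `'pipe'` to `$flows` in the `@@ -17,7 +17,7 @@` hunk presumably generates the other per-flow settings too; the code that consumes `$flows` is outside both hunks. It is worth confirming that those generated defaults suit a non-HTTP channel. As a style point, the four identical assignments could become one loop over the flow names.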