authorSimon Rettberg2022-11-22 17:10:00 +0100
committerSimon Rettberg2022-11-22 17:10:00 +0100
commit5ff1e943a2b65a92c2b44725fd2d906a40c55118 (patch)
tree3536bc49437c7182bc3a65016ac871bdbec0c680
parent[main] Fix organization name in error message (diff)
[pam] Support browser-based login
-rw-r--r--pam.php32
1 files changed, 27 insertions, 5 deletions
diff --git a/pam.php b/pam.php
index c5cb8fb..2a74bc3 100644
--- a/pam.php
+++ b/pam.php
@@ -1,17 +1,39 @@
<?php
// Autoload classes from ./inc which adhere to naming scheme <lowercasename>.inc.php
-function slxAutoloader($class)
-{
- $file = 'inc/' . preg_replace('/[^a-z0-9]/', '', mb_strtolower($class)) . '.inc.php';
+spl_autoload_register(function ($class) {
+ $file = 'inc/' . preg_replace('/[^a-z0-9]/', '', strtolower($class)) . '.inc.php';
if (!file_exists($file))
return;
require_once $file;
-}
-spl_autoload_register('slxAutoloader');
+});
require_once 'config.php';
+$action = Request::any('action');
+
+//
+// New version - browser based
+//
+if ($action === 'browser') {
+ // Browser requesting a token
+ Header('Location: shib/client_auth.php?token=' . (string)Request::any('token'));
+ exit;
+}
+
+if ($action === 'verify') {
+ // pam stack on client trying to verify
+ $row = Database::queryFirst("SELECT username FROM client_token WHERE token = :token AND dateline > UNIX_TIMESTAMP() - 300", ['token' => (string)Request::any('token')]);
+ Header('Content-Type: text/plain; charset=utf-8');
+ if ($row === false) {
+ die("ERROR=Invalid token");
+ }
+ die("USER={$row['username']}");
+}
+
+//
+// Old way, ECP
+//
Header('Content-Type: text/plain; charset=utf-8');
$res = Database::simpleQuery("SELECT suffix, authmethod FROM organization INNER JOIN organization_suffix USING(organizationid)");