From 0d190c7c17b130370b300e8b0ab4c20fe5c7af1d Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos Date: Mon, 13 Mar 2023 16:57:21 -0500 Subject: [PATCH] Plugin: OAuth2: Add message about redirect to provider when user's auth_source has been changed - refs BT#20611 --- main/auth/external_login/login.oauth2.php | 7 ++++- plugin/oauth2/lang/english.php | 2 ++ plugin/oauth2/redirect_info.php | 37 +++++++++++++++++++++++ plugin/oauth2/src/OAuth2.php | 35 +++++++++++++++++++++ 4 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 plugin/oauth2/redirect_info.php diff --git a/main/auth/external_login/login.oauth2.php b/main/auth/external_login/login.oauth2.php index 04f8b9082f..3a1ef64c09 100644 --- a/main/auth/external_login/login.oauth2.php +++ b/main/auth/external_login/login.oauth2.php @@ -23,11 +23,16 @@ if ('oauth2' === $uData['auth_source']) { $provider = $plugin->getProvider(); + // Redirect to OAuth2 login. $authUrl = $provider->getAuthorizationUrl(); ChamiloSession::write('oauth2state', $provider->getState()); - // Redirect to OAuth2 login. + if (OAuth2::isFirstLoginAfterAuthSource($uData['user_id'])) { + ChamiloSession::write('aouth2_authorization_url', $authUrl); + $authUrl = api_get_path(WEB_PLUGIN_PATH).'oauth2/redirect_info.php'; + } + header('Location: '.$authUrl); // Avoid execution from here in local.inc.php script. exit; diff --git a/plugin/oauth2/lang/english.php b/plugin/oauth2/lang/english.php index f9c85b3597..6d780b444e 100644 --- a/plugin/oauth2/lang/english.php +++ b/plugin/oauth2/lang/english.php 
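Review bot: The session key written in the added branch is spelled `aouth2_authorization_url`, right next to the correctly spelled `oauth2state` written a few lines above it. redirect_info.php in this same patch uses the same misspelling in its `has`, `read` and `erase` calls, so the flow works today, but any later code that uses the expected spelling would miss the value and end in `api_not_allowed`. A shared constant on the `OAuth2` class would pin the name in one place, e.g. `ChamiloSession::write(OAuth2::SESSION_AUTHORIZATION_URL, $authUrl);`, where the constant name is a suggestion and not an existing identifier. The enclosing `if ('oauth2' === $uData['auth_source'])` block starts above the hunk.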
@@ -130,3 +130,5 @@ $strings['UserNotAllowedOnThisPortal'] = 'This user account is not enabled on th $strings['WrongResponseResourceOwnerId'] = 'OAuth2 resource owner identifier value not found at the configured key'; $strings['IssuerNotFound'] = 'Issuer not found'; $strings['AuthorizeUrlNotAllowed'] = 'Authorize URL not allowed'; + +$strings['MessageInfoAboutRedirectToProvider'] = 'You are getting redirected to the common authentication system. Your credentials there are the ones that you typically use for other applications of your organisation. These might be different from the ones you used here previously.'; diff --git a/plugin/oauth2/redirect_info.php b/plugin/oauth2/redirect_info.php new file mode 100644 index 0000000000..4518c6fa57 --- /dev/null +++ b/plugin/oauth2/redirect_info.php @@ -0,0 +1,37 @@ +get(OAuth2::SETTING_ENABLE) + || !ChamiloSession::has('oauth2state') + || !ChamiloSession::has('aouth2_authorization_url') +) { + api_not_allowed(true); +} + +$oauth2authorizationUrl = ChamiloSession::read('aouth2_authorization_url'); + +$htmlHeadXtra[] = ''; + +ChamiloSession::erase('aouth2_authorization_url'); + +$content = '
+
+
+ + '.$plugin->get_lang('MessageInfoAboutRedirectToProvider').' +
+ '.$plugin->get_lang('PleaseWaitThisCouldTakeAWhile').' + +
+
+
+'; + +$template = new Template(); +$template->assign('content', $content); +$template->display_one_col_template(); \ No newline at end of file diff --git a/plugin/oauth2/src/OAuth2.php b/plugin/oauth2/src/OAuth2.php index a1788cbd40..cbbf891b81 100644 --- a/plugin/oauth2/src/OAuth2.php +++ b/plugin/oauth2/src/OAuth2.php @@ -1,6 +1,8 @@ getRepository(TrackELogin::class) + ->findOneBy( + ['loginUserId' => $userId], + ['loginDate' => 'DESC'] + ) + ; + + if (!$lastLogin) { + return false; + } + + $objExtraField = new ExtraField('user'); + $field = $objExtraField->getHandlerEntityByFieldVariable(self::EXTRA_FIELD_OAUTH2_ID); + + $fieldValue = $em + ->getRepository(ExtraFieldValues::class) + ->findOneBy( + ['itemId' => $userId, 'field' => $field] + ) + ; + + if (!$fieldValue) { + return false; + } + + return $fieldValue->getCreatedAt() >= $lastLogin->getLoginDate(); + } }
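Review bot: `$oauth2authorizationUrl` should be escaped for the HTML context wherever it is emitted into `$htmlHeadXtra[]` or `$content`; the markup inside both strings was lost on this page, so exactly where it is interpolated is inferred. An authorization URL carries `&`-separated query parameters, including the state value, so it should be output as `htmlspecialchars($oauth2authorizationUrl, ENT_QUOTES)` rather than raw. The guard on the plugin setting and both session keys, and the `erase` right after the read, deserve a short comment such as `// URL is written by login.oauth2.php into the session, never taken from the request; erased so it is used once`. The file also ends without a trailing newline.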
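Review bot: The new method `isFirstLoginAfterAuthSource` has no docblock visible here, and its name does not say what the body tests. It returns true when the `EXTRA_FIELD_OAUTH2_ID` value's `getCreatedAt()` is at or after the user's most recent `TrackELogin` date, and false when either record is missing. Because login.oauth2.php calls it before the redirect to the provider, that contract should be documented, e.g. `/** True when the user's OAuth2-id extra field was created at or after their last tracked login; false if either record is missing. */`. The result of `getHandlerEntityByFieldVariable()` is also passed to `findOneBy()` unchecked; if it can be null when the extra field is not defined, a guard such as `if (!$field) { return false; }` would keep the criteria from matching on a null field. The method signature and the start of this section are not visible on this page.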