From 6dc435f05ae833e5aabd1a59fc9acc318d83cbf6 Mon Sep 17 00:00:00 2001
From: Magnus Rosenquist Hamvall
Date: Wed, 13 Mar 2024 17:04:25 +0100
Subject: [PATCH 1/2] WIP checkout login

---
 checkout_landing.php | 43 +++++++++++++
 includes/class-tulo-paywall.php | 6 +-
 includes/class-tulo-payway-sso2-api.php | 69 +++++++++++++++++++++
 includes/class-tulo-payway-sso2-session.php | 4 ++
 public/class-tulo-payway-public.php | 1 +
 5 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 checkout_landing.php

diff --git a/checkout_landing.php b/checkout_landing.php
new file mode 100644
index 0000000..aa7a399
--- /dev/null
+++ b/checkout_landing.php
@@ -0,0 +1,43 @@
+decode_jwt($token, $client_secret);
+ if (isset($payload)) {
+ $session->process_checkout_landing($payload);
+ }
+
+} catch(Firebase\JWT\ExpiredException $e) {
+ // we land here if the JWT token can not be decoded properly, in this case some claims have expired.
+ write_log("Could not decode JWT from Payway! Message: ".$e->getMessage());
+}
+
+die();
+
+
+?>
diff --git a/includes/class-tulo-paywall.php b/includes/class-tulo-paywall.php
index da472b9..c7a25c8 100644
--- a/includes/class-tulo-paywall.php
+++ b/includes/class-tulo-paywall.php
@@ -69,7 +69,7 @@ public function get_return_url() {
 } else {
 $currentUrl .= "?tpw_session_refresh=1";
 }
- return $currentUrl;
+ return str_replace("http://", "https://", $currentUrl);
 }
 public function get_current_url() {
@@ -77,6 +77,10 @@ public function get_current_url() {
 return add_query_arg( $wp->query_vars, home_url( $wp->request ) );
 }
+ public function get_ticket_login_url() {
+ return plugin_dir_url(__DIR__)."checkout_landing.php";
+ }
+
 public function get_account_origin() {
 return get_option("tulo_paywall_account_origin");
 }
diff --git a/includes/class-tulo-payway-sso2-api.php b/includes/class-tulo-payway-sso2-api.php
index 6a691f6..dc11fde 100644
--- a/includes/class-tulo-payway-sso2-api.php
+++ b/includes/class-tulo-payway-sso2-api.php
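Review bot: The catch block in checkout_landing.php only handles `Firebase\JWT\ExpiredException`, so a token whose signature does not verify (`SignatureInvalidException`), one that is not yet valid (`BeforeValidException`) or a malformed token escapes as an uncaught exception and surfaces as a fatal error on a publicly reachable landing page; the comment "we land here if the JWT token can not be decoded properly" is therefore not true as written. In firebase/php-jwt those exception classes extend `\UnexpectedValueException` (and some malformed inputs raise `\DomainException`), so `} catch (\UnexpectedValueException|\DomainException $e) {` with the same log call would cover the failure modes the comment describes. The page also gives the browser no indication of whether login succeeded before `die()`, which reads as WIP rather than a finished flow. The start of this hunk, including where `$token` and `$client_secret` come from, is garbled in this excerpt and was not reviewed.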
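Review bot: `str_replace("http://", "https://", $currentUrl)` in get_return_url() rewrites every occurrence of `http://` in the URL, not only the scheme, so a query-string value that itself contains a URL would be altered too; the intent is plainly a scheme upgrade. WordPress already provides that: `return set_url_scheme($currentUrl, 'https');` touches only the leading scheme and leaves the rest of the URL alone. get_return_url() starts outside this hunk, so whether `$currentUrl` can carry request-supplied query values is not visible here.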
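Review bot: get_ticket_login_url() has no docblock, and nothing records that the URL it returns points at a PHP file in the plugin directory that browsers load directly rather than through WordPress's request routing; from the checkout_landing.php hunk that file presumably has to bootstrap WordPress itself to reach `write_log` and the session class, which is the kind of assumption a reader should not have to rediscover. Suggested docblock above the method: `/** URL of checkout_landing.php, the page Payway sends the browser to after ticket checkout. The file is served directly from the plugin directory, outside normal WP routing. @return string */`.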
@@ -36,6 +36,75 @@ public function __construct() {
 $this->api = new Tulo_Payway_API();
 }
+ protected function process_paywall_checkout_login($payload) {
+ $this->common->write_log("---> process paywall checkout login");
+ if (isset($payload)) {
+ $delegated_ticket = $payload->dtid;
+ $account_id = $payload->aid;
+ $this->common->write_log("Authentication ticket: ".$delegated_ticket);
+ $this->common->write_log("Account id: ".$account_id);
+
+ $url = $this->get_sso2_url("authenticatewithticket");
+ $client_id = get_option('tulo_server_client_id');
+ $client_secret = get_option('tulo_server_secret');
+
+ $token = $this->get_delegated_ticket_token($client_id, $client_secret, $delegated_ticket);
+ $payload = json_encode(array("t" => $token));
+
+ $this->common->write_log("posting payload to: ".$url);
+ $response = $this->common->post_json_jwt($url, $payload);
+ if ($response["status"] == 200) {
+ $data = json_decode($response["data"]);
+ $decoded = $this->decode_token($data->t, $client_secret);
+ if ($decoded == null) {
+ $this->common->write_log("[ERROR] error processing response from sso request, token could not be decoded");
+ } else {
+ $sts = $decoded->sts;
+ $err = $decoded->err;
+ $at = $decoded->at;
+ $this->common->write_log(" sts.......: ".$sts);
+ $this->common->write_log(" at........: ".$at);
+ if ($sts == "loggedin" && $at != "") {
+ $this->fetch_user_and_login($at);
+ $this->common->write_log("<--- process paywall completed successfully, user is logged in, ready for reload.");
+ } else {
+ $this->common->write_log(" !! 
Error fetching access token => ".$err);
+ }
+ }
+
+ } else {
+ $this->common->write_log("[ERROR] error posting authenticate with ticket request");
+ $this->common->write_log($response);
+ }
+
+
+ }
+ }
+
+ private function get_delegated_ticket_token($client_id, $client_secret, $ticket) {
+ $organisation_id = get_option('tulo_organisation_id');
+ $ip_address = $_SERVER ['REMOTE_ADDR'];
+ $user_agent = $_SERVER['HTTP_USER_AGENT'];
+
+ $time = time();
+ $payload = array(
+ "cid" => $client_id,
+ "iss" => $organisation_id,
+ "sid" => $this->sso_session_id(),
+ "ipa" => $ip_address,
+ "uas" => $user_agent,
+ "at" => $ticket,
+ "aud" => "pw-sso",
+ "nbf" => $time,
+ "exp" => $time + 10,
+ "iat" => $time
+ );
+ $this->common->write_log("ticket token payload:");
+ $this->common->write_log($payload);
+
+ $token = JWT::encode($payload, $client_secret, 'HS256');
+ return $token;
+ }
 /**
 * Called from the landing page, checks session status and sets user in session if logged in
 */
diff --git a/includes/class-tulo-payway-sso2-session.php b/includes/class-tulo-payway-sso2-session.php
index 690e159..42fa3d0 100644
--- a/includes/class-tulo-payway-sso2-session.php
+++ b/includes/class-tulo-payway-sso2-session.php
@@ -10,6 +10,10 @@ public function __construct() {
 parent::__construct();
 }
+ public function process_checkout_landing($payload) {
+ $this->process_paywall_checkout_login($payload);
+ }
+
 public function is_logged_in() {
 return $this->is_session_logged_in();
 }
diff --git a/public/class-tulo-payway-public.php b/public/class-tulo-payway-public.php
index e5b7adc..568985e 100644
--- a/public/class-tulo-payway-public.php
+++ b/public/class-tulo-payway-public.php
@@ -372,6 +372,7 @@ private function initialize_paywall($post_restrictions)
 utmSource: "",
 loginUrl: "'.$paywall->get_login_url().'",
 shopUrl: "'.$paywall->get_shop_url().'",
+ ticketLoginUrl: "'.$paywall->get_ticket_login_url().'",
 utmMedium: "",
 utmCampaign: "",
 utmContent: "",
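Review bot: process_paywall_checkout_login() writes bearer credentials to the log: the delegated ticket on the `Authentication ticket:` line, the full JWT claims including that ticket via `write_log($payload)` in get_delegated_ticket_token(), and the SSO access token on the `at........:` line, so anyone with read access to the log can reuse them while they are valid. Log presence rather than values, e.g. `$this->common->write_log("Authentication ticket received: ".($delegated_ticket != "" ? "yes" : "no"));`, `$this->common->write_log("ticket token claims: ".implode(",", array_keys($payload)));` and `$this->common->write_log(" at........: ".($at != "" ? "[present]" : "[empty]"));`. In get_delegated_ticket_token(), `$_SERVER['HTTP_USER_AGENT']` is read without a guard and is absent for some clients, so prefer `$_SERVER['HTTP_USER_AGENT'] ?? ''` (and drop the stray space in `$_SERVER ['REMOTE_ADDR']`). The 200 branch dereferences `$data->t` without checking that `json_decode` returned an object, and the method returns nothing on either path, so the landing page that calls it cannot tell whether login succeeded.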
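Review bot: process_checkout_landing() is the public entry point the landing page calls, but it has no docblock and `$payload` is untyped; a reader has to locate process_paywall_checkout_login() in the API class to learn that it expects the decoded Payway JWT claims with `dtid` and `aid`. Suggested docblock above the method: `/** Entry point for checkout_landing.php: log the visitor in from the decoded Payway JWT claims ($payload->dtid delegated ticket, $payload->aid account id). @param object $payload */`.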
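Review bot: The new `ticketLoginUrl` value is spliced into the inline JavaScript object literal without escaping, following the adjacent loginUrl/shopUrl lines; the risk is low because get_ticket_login_url() is built from plugin_dir_url(), but a site URL containing a quote or backslash would still break or alter the generated script. Wrapping it as `ticketLoginUrl: "'.esc_js($paywall->get_ticket_login_url()).'",` keeps the script well-formed for any configured URL. initialize_paywall() starts outside this hunk, so the surrounding string construction was not reviewed.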
From f58fdcdc4e9ae0da296b682d3aa6f1cf4da0aba9 Mon Sep 17 00:00:00 2001
From: Magnus Rosenquist Hamvall
Date: Thu, 14 Mar 2024 13:55:43 +0100
Subject: [PATCH 2/2] Handling returnUrl logic after refresh

---
 includes/class-tulo-paywall.php | 9 ++++++++-
 public/class-tulo-payway-public.php | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/includes/class-tulo-paywall.php b/includes/class-tulo-paywall.php
index c7a25c8..72d6247 100644
--- a/includes/class-tulo-paywall.php
+++ b/includes/class-tulo-paywall.php
@@ -74,7 +74,14 @@ public function get_return_url() {
 public function get_current_url() {
 global $wp;
- return add_query_arg( $wp->query_vars, home_url( $wp->request ) );
+ $currentUrl = home_url( $wp->request );
+ $permalinkStructure = get_option( 'permalink_structure' );
+ if ($permalinkStructure == "plain" || $permalinkStructure == "") {
+ $queryVars = $wp->query_vars;
+ unset($queryVars['tpw_session_refresh']);
+ $currentUrl = add_query_arg( $queryVars, home_url( $wp->request ) );
+ }
+ return $currentUrl;
 }
 public function get_ticket_login_url() {
diff --git a/public/class-tulo-payway-public.php b/public/class-tulo-payway-public.php
index 568985e..693154f 100644
--- a/public/class-tulo-payway-public.php
+++ b/public/class-tulo-payway-public.php
@@ -100,7 +100,7 @@ public function check_session($wp)
 $this->session->refresh();
 $currentUrl = home_url( $wp->request );
 $permalinkStructure = get_option( 'permalink_structure' );
- if ($permalinkStructure == "plain") {
+ if ($permalinkStructure == "plain" || $permalinkStructure == "") {
 $queryVars = $wp->query_vars;
 unset($queryVars['tpw_session_refresh']);
 $currentUrl = add_query_arg( $queryVars, home_url( $wp->request ) );
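Review bot: The new get_current_url() body is a copy of the block in check_session() that the second hunk of this patch edits the same way, so includes/class-tulo-paywall.php and public/class-tulo-payway-public.php now carry the same permalink check and the next fix has to be made twice; check_session() should delegate to the paywall object's get_current_url() or both should share one helper. Behaviour also changes for non-plain permalinks: the old `add_query_arg( $wp->query_vars, ... )` is gone from that branch, so any query string on a pretty permalink no longer survives into the current URL — if that is intended (rewrite vars such as pagename should not be re-added), a one-line comment saying so, e.g. `// pretty permalinks: $wp->query_vars holds rewrite vars, not a real query string, so do not re-append them`, would help. The comparisons use `==`; `get_option()` returns false for a missing option and `false == ""` is true, which happens to work here but `=== ''` makes the intent explicit.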