first commit

.github/pull_request_template.md

@@ -0,0 +1 @@
+Fixes #

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v3

.github/workflows/gitleaks-scan.yml

@@ -0,0 +1,11 @@
+name: gitleaks
+
+on: [pull_request]
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: gitleaks-action
+        uses: zricethezav/gitleaks-action@v1.6.0

.github/workflows/php.yml

@@ -0,0 +1,39 @@
+name: PHP Composer
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Validate composer.json and composer.lock
+      run: composer validate --strict
+
+    - name: Cache Composer packages
+      id: composer-cache
+      uses: actions/cache@v3
+      with:
+        path: vendor
+        key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-php-
+
+    - name: Install dependencies
+      run: composer install --prefer-dist --no-progress
+
+    # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit"
+    # Docs: https://getcomposer.org/doc/articles/scripts.md
+
+    # - name: Run test suite
+    #   run: composer run-script test

.github/workflows/security.yml

@@ -0,0 +1,15 @@
+name: security
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+jobs:
+  security:
+    permissions:
+      contents: read
+      checks: read
+      statuses: read
+      security-events: write
+    uses: affinidi/pipeline-security/.github/workflows/security-scanners.yml@feat/check-inherit
+    with:
+      config-path: .github/labeler.yml
+    secrets: inherit

.gitignore

@@ -0,0 +1,19 @@
+/.phpunit.cache
+/node_modules
+/public/build
+/public/hot
+/public/storage
+/storage/*.key
+/vendor
+.env
+.env.backup
+.env.production
+.phpunit.result.cache
+Homestead.json
+Homestead.yaml
+auth.json
+npm-debug.log
+yarn-error.log
+/.fleet
+/.idea
+/.vscode

.gitlab-ci.yml

@@ -0,0 +1,13 @@
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+stages:
+- test
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml

CONTRIBUTING.md

@@ -0,0 +1,15 @@
+# Contributing to laravel-hybridauth-affinidi
+
+## Getting started
+
+Clone the repository and run `composer install` command.
+
+## Github repository & pull requests
+
+Please follow semantic release conventions for your commits and pull request names.
+Read about it here: https://github.com/semantic-release/semantic-release
+
+For example, a correct commit name or pull request name is: `fix: add test` or `feat: implement a tree view`
+
+Don't forget to write a meaningful description to your pull request.
+If necessary, attach a screenshot of UI changes.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Affinidi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

NOTICE.txt

@@ -0,0 +1 @@
+This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of this notice when they are further distributing this code.

README.md

@@ -0,0 +1,175 @@
+# Overview
+
+**AUGMENT EXPERIENCES WITH A SAFER, SIMPLER AND MORE PRIVATE WAY TO LOGIN**
+
+A paradigm shift in the registration and sign-in process, Affinidi Login is a game-changing solution for developers. With our revolutionary passwordless authentication solution your user's first sign-in doubles as their registration, and all the necessary data for onboarding can be requested during this streamlined sign-in/signup process. End users are in full control, ensuring that they consent to the information shared in a transparent and user-friendly manner. This streamlined approach empowers developers to create efficient user experiences with data integrity, enhanced security and privacy, and ensures compatibility with industry standards.
+
+| Passwordless Authentication | Decentralised Identity Management | Uses Latest Standards |
+|---|---|---|
+| Offers a secure and user-friendly alternative to traditional password-based authentication by eliminating passwords and thus removing the vulnerability to password-related attacks such as phishing and credential stuffing. | Leverages OID4VP to enable users to control their data and digital identity, selectively share their credentials and authenticate themselves across multiple platforms and devices without relying on a centralised identity provider. | Utilises OID4VP to enhance security of the authentication process by verifying user authenticity without the need for direct communication with the provider, reducing risk of tampering and ensuring data integrity. |
+
+## Introduction
+
+This package extends HybridAuth to enable passwordless authentication with the Affinidi OIDC provider.
+
+Learn more about Hybridauth [here](https://hybridauth.github.io/)
+
+**Quick Links**
+1. [Installation & Usage](#setup--run-application-from-playground-folder)
+2. [Create Affinidi Login Configuration](#create-affinidi-login-configuration)
+3. Affinidi Login Integration with [Sample Laravel project](#setup--run-application-from-playground-folder)
+4. Affinidi Login Integration in [Fresh Laravel Project](#setup--run-application-from-playground-folder)
+5. Affinidi Login Integration in [Existing Laravel Project](#setup--run-application-from-playground-folder)
+
+
+## Installation & Basic Usage
+
+To get started with Affinidi hybridauth, follow these steps:
+
+1. Install the Affinidi hybridauth package using Composer:
+
+```
+composer require affinidi/laravel-hybridauth-affinidi
+```
+
+2. Create a configuration file `hybridauth.php` with below content under `config` folder:
+
+```
+<?php
+return [
+    'callback' => env('APP_URL') . '/login/affinidi/callback',
+    'keys' => [
+        'id' => env('PROVIDER_CLIENT_ID'),
+        'secret' => env('PROVIDER_CLIENT_SECRET')
+    ],
+    'endpoints' => [
+        'api_base_url' => env('PROVIDER_ISSUER'),
+        'authorize_url' => env('PROVIDER_ISSUER') . '/oauth2/auth',
+        'access_token_url' => env('PROVIDER_ISSUER') . '/oauth2/token',
+    ]
+]
+    ?>
+```
+
+# Authentication
+
+To authenticate users using an OAuth provider, you will need two routes: one for redirecting the user to the OAuth provider, and another for receiving the callback from the provider after authentication.
+
+The login controller example below demonstrate the implementation of both routes:
+
+```
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+
+class LoginRegisterController extends Controller
+{
+    private static $adapter;
+
+    public function __construct() {
+        $config = \Config::get('hybridauth');
+        self::$adapter = new \Affinidi\HybridauthProvider\AffinidiProvider($config);
+    }
+
+    public function login()
+    {
+        return view('login');
+    }
+
+    public function home()
+    {
+        if (session("user")) {
+            return view('dashboard');
+        }
+
+        return redirect()->route('login')
+            ->withErrors([
+                'email' => 'Please login to access the home.',
+            ]);
+    }
+
+    public function logout(Request $request)
+    {   
+        self::$adapter->disconnect();
+
+        Auth::logout();
+        $request->session()->invalidate();
+        $request->session()->regenerateToken();
+        return redirect()->route('login')
+            ->withSuccess('You have logged out successfully!');
+        ;
+    }
+
+    public function affinidiLogin(Request $request)
+    {
+        self::$adapter->authenticate();
+    }
+
+    public function affinidiCallback(Request $request)
+    {
+        try {
+
+            self::$adapter->authenticate();
+
+            $userProfile = self::$adapter->getUserProfile();
+
+            session(['user' => $userProfile]);
+
+            return redirect()->intended('home');
+        } catch (\Exception $e) {
+            return redirect()->route('login')
+                ->withError($e->getMessage());
+        }
+    }
+}
+
+```
+
+## Create Affinidi Login Configuration
+
+Create the Login Configuration using [Affinidi Dev Portal](https://portal.affinidi.com/) as illustrated [here](https://docs.affinidi.com/docs/affinidi-login/login-configuration/#using-affinidi-portal). You can given name as "hybridauth App" and Redirect URIs as per your application specific e.g. "https://<domain-name>/login/affinidi/callback"
+
+**Important**: Safeguard the Client ID and Client Secret and Issuer; you'll need them for setting up your environment variables. Remember, the Client Secret will be provided only once.
+
+**Note**: By default Login Configuration will requests only `Email VC`, if you want to request email and profile VC, you can refer PEX query under (docs\loginConfig.json)[playground\example\docs\loginConfig.json] and execute the below affinidi CLI command to update PEX
+```
+affinidi login update-config --id <CONFIGURATION_ID> -f docs\loginConfig.json
+```
+
+## Setup & Run application from playground folder
+
+Open the directory `playground/example` in VS code or your favorite editor
+
+ 1. Install the dependencies by executing the below command in terminal
+    ```
+    composer install
+    ```
+ 2. Create the `.env` file in the sample application by running the following command
+    ```
+    cp .env.example .env
+    ```
+ 3. Create Affinidi Login Configuration as mentioned [here](#create-affinidi-login-configuration)
+ 
+ 4. Update below environment variables in `.env` based on the auth credentials received from the Login Configuration created earlier:
+    ```
+    PROVIDER_CLIENT_ID="<AUTH.CLIENT_ID>"
+    PROVIDER_CLIENT_SECRET="<AUTH.CLIENT_SECRET>"
+    PROVIDER_ISSUER="<AUTH.CLIENT_ISSUER>"
+    ```
+    Sample values looks like below
+    ```
+    PROVIDER_CLIENT_ID="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
+    PROVIDER_CLIENT_SECRET="xxxxxxxxxxxxxxx"
+    PROVIDER_ISSUER="https://yyyy-yyy-yyy-yyyy.apse1.login.affinidi.io"
+    ```
+5. Run the application
+    ```
+    php artisan serve
+    ```
+6. Open the [http://localhost:8000/](http://localhost:8000/), which displays login page 
+    **Important**: You might error on redirect URL mismatch if you are using `http://127.0.0.1:8000/` instead of `http://localhost:8000/`. 
+7. Click on `Affinidi Login` button to initiate OIDC login flow with Affinidi Vault

SECURITY.md

@@ -0,0 +1 @@
+To report a security issue, please email security@affinidi.com with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

composer.json

@@ -0,0 +1,36 @@
+{
+  "name": "affinidi/laravel-hybridauth-affinidi",
+  "description": "Affinidi (affinidi.com) OIDC Provider for Hybridauth.",
+  "keywords": [
+    "affinidi",
+    "laravel",
+    "oauth",
+    "provider",
+    "hybridauth",
+    "affinidi login",
+    "OIDC",
+    "OID4VP"
+  ],
+  "homepage": "https://affinidi.com",
+  "support": {
+      "issues": "https://github.com/affinidi/laravel-hybridauth-affinidi/issues",
+      "source": "https://github.com/affinidi/laravel-hybridauth-affinidi"
+  },
+  "require": {
+    "php": "^8.0",
+    "hybridauth/hybridauth" : "~3.0"
+  },
+  "license": "MIT",
+  "autoload": {
+    "psr-4": {
+      "Affinidi\\HybridauthProvider\\": "src/"
+    }
+  },
+  "authors": [
+    {
+      "name": "Paramesh Kamarthi",
+      "email": "paramesh.k@affinidi.com"
+    }
+  ],
+  "minimum-stability": "dev"
+}