fix: corrected review notes

Author: thorsten

phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php

@@ -48,15 +48,18 @@ public function __construct(
      */
     public function create(string $login, #[SensitiveParameter] string $password, string $domain = ''): bool
     {
-        $result = false;
         $user = $this->createUser();
 
         try {
             $result = $user->createUser($login, '', $domain);
         } catch (\Exception $exception) {
             $this->configuration
                 ->getLogger()
-                ->error(sprintf('Keycloak user creation failed for "%s": %s', $login, $exception->getMessage()));
+                ->error(sprintf(
+                    'Keycloak user creation failed for "%s": %s',
+                    $this->redactIdentifier($login),
+                    $exception->getMessage(),
+                ));
             return false;
         }
 
@@ -76,7 +79,7 @@ public function create(string $login, #[SensitiveParameter] string $password, st
             $this->assignUserToGroups($user->getUserId());
         }
 
-        return $result;
+        return true;
     }
 
     public function update(string $login, #[SensitiveParameter] string $password): bool
@@ -89,6 +92,9 @@ public function delete(string $login): bool
         return true;
     }
 
+    /**
+     * @throws Exception
+     */
     public function checkCredentials(
         string $login,
         #[SensitiveParameter]
@@ -99,7 +105,12 @@ public function checkCredentials(
             return false;
         }
 
-        if ($this->userExists($login)) {
+        $existingUser = $this->findUser($login);
+        if ($existingUser instanceof User) {
+            if ($this->shouldSynchronizeGroupsOnLogin()) {
+                $this->assignUserToGroups($existingUser->getUserId());
+            }
+
             return true;
         }
 
@@ -140,10 +151,10 @@ private function getSubject(): string
         return trim((string) ($this->claims['sub'] ?? ''));
     }
 
-    private function userExists(string $login): bool
+    private function findUser(string $login): ?User
     {
         $user = $this->createUser();
-        return $user->getUserByLogin($login, false);
+        return $user->getUserByLogin($login, false) ? $user : null;
     }
 
     private function shouldAssignGroups(): bool
@@ -272,6 +283,23 @@ private function shouldSynchronizeGroupsOnLogin(): bool
         return $this->toBool($this->configuration->get(item: 'keycloak.groupSyncOnLogin'));
     }
 
+    private function redactIdentifier(string $identifier): string
+    {
+        if (str_contains($identifier, '@')) {
+            [$local, $domain] = explode('@', $identifier, 2);
+            return $local[0] . '***@' . $domain;
+        }
+
+        if (mb_strlen($identifier) <= 3) {
+            return str_repeat('*', mb_strlen($identifier));
+        }
+
+        return mb_substr($identifier, 0, 3) . '…';
+    }
+
+    /**
+     * @throws Exception
+     */
     private function createUser(): User
     {
         if ($this->userFactory instanceof Closure) {

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcIdTokenValidator.php

@@ -45,8 +45,8 @@ public function validate(
         string $expectedAudience,
         string $expectedNonce,
     ): array {
-        if ($idToken === '') {
-            return [];
+        if (trim($idToken) === '') {
+            throw new RuntimeException('OIDC id_token is missing');
         }
 
         [$encodedHeader, $encodedPayload, $encodedSignature] = $this->splitToken($idToken);
@@ -106,13 +106,25 @@ private function validateClaims(
         string $expectedAudience,
         string $expectedNonce,
     ): void {
-        $issuer = trim((string) ($claims['iss'] ?? ''));
-        if ($issuer !== '' && $issuer !== $expectedIssuer) {
+        if (!array_key_exists('iss', $claims) || !is_string($claims['iss']) || trim($claims['iss']) === '') {
+            throw new RuntimeException('OIDC id_token is missing the issuer claim');
+        }
+        if (trim($claims['iss']) !== $expectedIssuer) {
             throw new RuntimeException('OIDC issuer mismatch in id_token');
         }
 
-        $audience = $claims['aud'] ?? null;
-        if ($audience !== null && !$this->audienceMatches($audience, $expectedAudience)) {
+        if (!array_key_exists('sub', $claims) || !is_string($claims['sub']) || trim($claims['sub']) === '') {
+            throw new RuntimeException('OIDC id_token is missing the subject claim');
+        }
+
+        if (!array_key_exists('aud', $claims)) {
+            throw new RuntimeException('OIDC id_token is missing the audience claim');
+        }
+        $audience = $claims['aud'];
+        if (!$this->isValidAudience($audience)) {
+            throw new RuntimeException('OIDC id_token audience claim is invalid');
+        }
+        if (!$this->audienceMatches($audience, $expectedAudience)) {
             throw new RuntimeException('OIDC audience mismatch in id_token');
         }
 
@@ -125,24 +137,57 @@ private function validateClaims(
             throw new RuntimeException('OIDC authorized party missing in id_token');
         }
 
-        $nonce = trim((string) ($claims['nonce'] ?? ''));
-        if ($expectedNonce !== '' && $nonce !== '' && !hash_equals($expectedNonce, $nonce)) {
-            throw new RuntimeException('OIDC nonce mismatch in id_token');
+        if ($expectedNonce !== '') {
+            if (!array_key_exists('nonce', $claims) || !is_string($claims['nonce']) || $claims['nonce'] === '') {
+                throw new RuntimeException('OIDC id_token is missing the nonce claim');
+            }
+            if (!hash_equals($expectedNonce, $claims['nonce'])) {
+                throw new RuntimeException('OIDC nonce mismatch in id_token');
+            }
         }
 
         $now = $this->getCurrentTimestamp();
 
-        if (array_key_exists('exp', $claims) && is_numeric($claims['exp']) && (int) $claims['exp'] < $now) {
+        if (!array_key_exists('exp', $claims) || !is_numeric($claims['exp'])) {
+            throw new RuntimeException('OIDC id_token is missing the expiration claim');
+        }
+        if ((int) $claims['exp'] < $now) {
             throw new RuntimeException('OIDC id_token has expired');
         }
 
         if (array_key_exists('nbf', $claims) && is_numeric($claims['nbf']) && (int) $claims['nbf'] > $now) {
             throw new RuntimeException('OIDC id_token is not valid yet');
         }
 
-        if (array_key_exists('iat', $claims) && is_numeric($claims['iat']) && (int) $claims['iat'] > ($now + 60)) {
+        if (!array_key_exists('iat', $claims) || !is_numeric($claims['iat'])) {
+            throw new RuntimeException('OIDC id_token is missing the issued-at claim');
+        }
+        $issuedAt = (int) $claims['iat'];
+        if ($issuedAt > ($now + 60)) {
             throw new RuntimeException('OIDC id_token issued-at time is in the future');
         }
+        if ($issuedAt < ($now - 86400)) {
+            throw new RuntimeException('OIDC id_token issued-at time is too far in the past');
+        }
+    }
+
+    private function isValidAudience(mixed $audience): bool
+    {
+        if (is_string($audience)) {
+            return trim($audience) !== '';
+        }
+
+        if (!is_array($audience) || $audience === []) {
+            return false;
+        }
+
+        foreach ($audience as $entry) {
+            if (!is_string($entry) || trim($entry) === '') {
+                return false;
+            }
+        }
+
+        return true;
     }
 
     /**

phpmyfaq/src/phpMyFAQ/Controller/Frontend/AzureAuthenticationController.php

@@ -90,10 +90,16 @@ public function callback(Request $request): Response
         [$auth, $oAuth, $entraIdSession] = $this->buildAuthContext();
 
         $code = Filter::filterVar($request->query->get('code'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+        $errorParam = Filter::filterVar($request->query->get('error'), FILTER_SANITIZE_SPECIAL_CHARS, '');
         $error = Filter::filterVar($request->query->get('error_description'), FILTER_SANITIZE_SPECIAL_CHARS, '');
 
-        if ($error !== '') {
-            $this->configuration->getLogger()->warning(sprintf('Azure callback error: %s', $error));
+        if ($errorParam !== '' || $error !== '') {
+            $this->configuration
+                ->getLogger()
+                ->warning(sprintf(
+                    'Azure callback error: %s',
+                    trim($errorParam . ($error !== '' ? ': ' . $error : '')),
+                ));
             return new RedirectResponse($this->configuration->getDefaultUrl());
         }
 

phpmyfaq/src/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationController.php

@@ -111,21 +111,22 @@ public function logout(): RedirectResponse
 
         try {
             $providerConfig = $this->providerConfigFactory->create();
-            if (!$providerConfig->enabled || $providerConfig->discoveryUrl === '') {
-                return new RedirectResponse($this->configuration->getDefaultUrl());
-            }
-
             $idToken = $this->resolveLogoutIdToken($user);
 
             $user->deleteFromSession();
             $this->oidcSession->clearIdToken();
 
+            if (!$providerConfig->enabled || $providerConfig->discoveryUrl === '') {
+                return new RedirectResponse($this->configuration->getDefaultUrl());
+            }
+
             $discoveryDocument = $this->discoveryService->discover($providerConfig);
             $logoutUrl = $this->oidcClient->buildLogoutUrl($providerConfig, $discoveryDocument, $idToken);
 
             return new RedirectResponse($logoutUrl ?? $this->configuration->getDefaultUrl());
         } catch (Exception) {
             $user->deleteFromSession();
+            $this->oidcSession->clearIdToken();
             return new RedirectResponse($this->configuration->getDefaultUrl());
         }
     }
@@ -171,26 +172,39 @@ public function callback(Request $request): Response
                 $code,
                 $authorizationState['verifier'],
             );
-            $this->idTokenValidator->validate(
+            $idTokenClaims = $this->idTokenValidator->validate(
                 (string) ($token['id_token'] ?? ''),
                 $discoveryDocument,
                 $providerConfig->client->clientId,
                 $authorizationState['nonce'],
             );
             $claims = $this->oidcClient->fetchUserInfo($discoveryDocument, (string) $token['access_token']);
+
+            $idTokenSub = (string) ($idTokenClaims['sub'] ?? '');
+            $userInfoSub = (string) ($claims['sub'] ?? '');
+            if ($idTokenSub === '' || $userInfoSub === '' || !hash_equals($idTokenSub, $userInfoSub)) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning('Keycloak subject mismatch between ID token and UserInfo; aborting login.');
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
             $login = $this->resolveLocalLogin($claims);
             $auth = new AuthKeycloak($this->configuration, $providerConfig, $claims, $login, $this->userFactory);
 
             if (!$auth->isValidLogin($login)) {
-                $this->configuration->getLogger()->warning(sprintf('Keycloak login not valid for user: %s', $login));
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak login not valid for user: %s', $this->maskLogin($login)));
                 $this->oidcSession->clearAuthorizationState();
                 return $redirect;
             }
 
             if (!$auth->checkCredentials($login, '')) {
                 $this->configuration
                     ->getLogger()
-                    ->warning(sprintf('Keycloak credentials not valid for user: %s', $login));
+                    ->warning(sprintf('Keycloak credentials not valid for user: %s', $this->maskLogin($login)));
                 $this->oidcSession->clearAuthorizationState();
                 return $redirect;
             }
@@ -199,13 +213,15 @@ public function callback(Request $request): Response
             if (!$user->getUserByLogin($login)) {
                 $this->configuration
                     ->getLogger()
-                    ->warning(sprintf('Keycloak user lookup failed for login: %s', $login));
+                    ->warning(sprintf('Keycloak user lookup failed for login: %s', $this->maskLogin($login)));
                 $this->oidcSession->clearAuthorizationState();
                 return $redirect;
             }
 
             if (!$this->synchronizeKeycloakSubject($user, $claims)) {
-                $this->configuration->getLogger()->warning(sprintf('Keycloak subject mismatch for user: %s', $login));
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak subject mismatch for user: %s', $this->maskLogin($login)));
                 $this->oidcSession->clearAuthorizationState();
                 return $redirect;
             }
@@ -276,6 +292,16 @@ private function resolveLocalLogin(array $claims): string
         return $subject;
     }
 
+    private function maskLogin(string $login): string
+    {
+        $login = trim($login);
+        if ($login === '') {
+            return '<empty>';
+        }
+
+        return 'sha256:' . substr(hash('sha256', $login), 0, 12);
+    }
+
     /** @param array<string, mixed> $claims */
     private function synchronizeKeycloakSubject(CurrentUser $user, array $claims): bool
     {

phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php

@@ -187,6 +187,44 @@ protected function createIndex(string $table, string $indexName, string|array $c
         return sprintf('CREATE INDEX IF NOT EXISTS %s ON %s (%s)', $indexName, $tableName, $columnList);
     }
 
+    /**
+     * Helper to create a UNIQUE index.
+     *
+     * On SQL Server, NULLs are treated as equal in unique indexes, so a filtered
+     * index is emitted to allow multiple NULL values. MySQL/MariaDB, PostgreSQL
+     * and SQLite already treat NULLs as distinct in unique indexes.
+     *
+     * @param string|string[] $columns
+     */
+    protected function createUniqueIndex(string $table, string $indexName, string|array $columns): string
+    {
+        $tableName = $this->table($table);
+        $columns = (array) $columns;
+        $columnList = implode(', ', $columns);
+
+        if ($this->isSqlServer()) {
+            $whereClause = implode(' AND ', array_map(static fn(string $col): string => sprintf(
+                '%s IS NOT NULL',
+                $col,
+            ), $columns));
+            return sprintf(
+                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s') "
+                . 'CREATE UNIQUE INDEX %s ON %s (%s) WHERE %s',
+                $indexName,
+                $indexName,
+                $tableName,
+                $columnList,
+                $whereClause,
+            );
+        }
+
+        if ($this->isMySql()) {
+            return sprintf('CREATE UNIQUE INDEX %s ON %s (%s)', $indexName, $tableName, $columnList);
+        }
+
+        return sprintf('CREATE UNIQUE INDEX IF NOT EXISTS %s ON %s (%s)', $indexName, $tableName, $columnList);
+    }
+
     /**
      * Helper to check if an index exists.
      * Returns a SQL query that checks for index existence.

phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php

@@ -228,8 +228,8 @@ public function up(OperationRecorder $recorder): void
         );
 
         $recorder->addSql(
-            $this->createIndex('faquserdata', 'idx_faquserdata_keycloak_sub', 'keycloak_sub'),
-            'Create keycloak_sub index on faquserdata',
+            $this->createUniqueIndex('faquserdata', 'idx_faquserdata_keycloak_sub', 'keycloak_sub'),
+            'Create unique keycloak_sub index on faquserdata',
         );
         $recorder->addConfig('api.rateLimit.interval', '3600');
         $recorder->addConfig('queue.transport', 'database');

phpmyfaq/src/phpMyFAQ/User.php

@@ -821,7 +821,11 @@ public function getUserIdByKeycloakSub(string $keycloakSub): int
 
         $userData = $this->userdata->fetchAll('keycloak_sub', $keycloakSub);
 
-        return $userData['user_id'];
+        if (!is_array($userData) || !isset($userData['user_id'])) {
+            return 0;
+        }
+
+        return (int) $userData['user_id'];
     }
 
     /**

phpmyfaq/src/phpMyFAQ/User/UserData.php

@@ -311,6 +311,10 @@ public function save(): bool
         }
 
         if ($res === false) {
+            if (array_key_exists('keycloak_sub', $this->data)) {
+                return false;
+            }
+
             $update = sprintf(
                 "
             UPDATE