atwx / silverstripe-gate-client
A Silverstripe module to allow you to log into any of your Silverstripe sites from one place.
Installs: 0
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
Type:silverstripe-vendormodule
pkg:composer/atwx/silverstripe-gate-client
Requires
- ext-openssl: *
- firebase/php-jwt: ^6.11
- silverstripe/admin: ^3.0
- silverstripe/framework: ^6.0
Requires (Dev)
- phpstan/extension-installer: ^1.3
- phpunit/phpunit: ^11.3
- silverstripe/standards: ^1
- squizlabs/php_codesniffer: ^3.7
README
A SilverStripe module that lets you log into a SilverStripe site from a centralized system using signed JWTs and then redirects you into the CMS.
In short: the module validates a signed JSON Web Token (JWT) passed via the URL. On successful validation a configured user (or the default admin) is automatically logged in and redirected to a configured destination URL.
Use the Silverstripe Gate Manager on your admin instance to do so.
Installation
This package is intended to be installed via Composer. From your project root:
composer require atwx/silverstripe-gate-client
Configuration
Configure the module via SilverStripe YAML config. Important options:
Atwx\SilverGateClient\Services\TokenService: public_key: | -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- # Login as admin is default Atwx\SilverGateClient\Services\LoginService: # Finds the current default admin or creates one if none exists login_as_default_admin: true #member_id: 1 #member_email: xyz@example.com
Note: the key must be in PEM format. Tokens should be signed by the central system that issues them with the corresponding private key (for example RS256).
You can also use the .env to configure the public key. Make sure to escape newlines using \n:
SILVERGATECLIENT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
More advanced configuration:
Atwx\SilverGateClient\Services\TokenService: public_key: | -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- # defaults to 60, specifies how old the token is allowed to be before it is invalidated token_max_age_seconds: 60 Atwx\SilverGateClient\Services\LoginService: member_id: 1 login_dest: '/custom-url-after-login'
Route / Endpoint
The module registers the route /_silvergateclient (see _config/routes.yml).
Primary endpoint:
- GET
/_silvergateclient/token/<urlencoded_base64_jwt>
Example (as used in the tests):
$token = JWT::encode(['iat' => time()], $privateKey, 'RS256'); $b64 = urlencode(base64_encode($token)); // GET /_silvergateclient/token/<$b64>