co-stack / typo3-easy-request-token
TYPO3 CMS Extension to make handling RequestToken easy
1.0.1
2025-07-18 02:30 UTC
Requires
- php: ^8.2
- typo3/cms-core: ^13.4
README
Takes the mental load of JWT, Nonce, Cookie, URI, etc. in TYPO3 away. Focus on your application, nothing more.
Usage
This usage illustrates the generation and consumption of the SecurityObjects
.
namespace Vendor\Package;
use Exception;use TYPO3\CMS\Core\Utility\GeneralUtility;
use CoStack\EasyRequestToken\Security\SecurityObjectsFactory;
use CoStack\EasyRequestToken\Security\LockedSecurityObjects;
use CoStack\EasyRequestToken\Http\NonceCookie;
use CoStack\EasyRequestToken\Http\RedirectResponse;
use TYPO3\CMS\Core\Http\PropagateResponseException;
use TYPO3\CMS\Backend\Routing\UriBuilder;
class YourConsumer
{
public function redirect(): never
{
// You can put anything in params which can be json_encoded.
// These values are accessible (and trusted!) when receiving the request token.
$params = [];
// If using for something else than a backend authentication, define your own scope!
$scope = 'core/user-auth/be';
// Create the factory
$securityObjectsFactory = GeneralUtility::makeInstance(SecurityObjectsFactory::class);
// Create a mutable version of the security objects
$securityObjects = $securityObjectsFactory->create($scope, $params);
// You can alter the security object params until they are locked
$securityObjects->params['foo'] = 'example';
// After locking, params can not be altered. Anything is immutable.
$securityObjects = $securityObjects->lock();
// Build the callback Uri
$callbackUrl = $this->getCallbackUrl($securityObjects);
$redirectUrl = $this->getRedirectUrl($callbackUrl);
// Use NonceCookie and RedirectResponse, because the PropagateResponseException
// will bypass setting nonce cookies via middleware.
// In case you can return a RedirectResponse without using the PropagateResponseException, you should always
// prefer returning the response. You can use the TYPO3 RedirectResponse in that case.
$nonceCookie = new NonceCookie($securityObjects->signingSecret, $sitePath);
$redirectResponse = new RedirectResponse($redirectUrl, $nonceCookie);
throw new PropagateResponseException($redirectResponse);
}
// Assuming this is the method of your callback URI after successful redirect
public function handle()
{
// Change accordingly
$scope = 'core/user-auth/be';
$securityObjectsFactory = GeneralUtility::makeInstance(SecurityObjectsFactory::class);
$securityObjects = $securityObjectsFactory->getCurrentSecurityObjects($scope)
// Don't forget to actually check the return value
if (!$securityObjects instanceof LockedSecurityObjects) {
throw new Exception('Something went wrong');
}
// trusted params
$params = $securityObjects->requestToken->params;
}
function getCallbackUrl(LockedSecurityObjects $securityObjects): string
{
$uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
return (string) $uriBuilder->buildUriFromRoute(
'login',
$securityObjects->addSecurityObjectsToParams(),
UriBuilder::ABSOLUTE_URL,
);
}
function getRedirectUrl(string $callbackUrl): string
{
return 'https://example.com?callbackUri=' . rawurlencode($callbackUrl);
}
}
Licenses
License of this package: GPL-3.0-or-later
List of used assets with source and license
- License: Copyright (C) 2007 Free Software Foundation
- Source: https://www.gnu.org/licenses/gpl-3.0.txt
Resources/Public/Icons/Extension.svg
- License: CC BY-SA 3.0
- Source: https://wiki.oauth.net/Logo