co-stack/typo3-easy-request-token

TYPO3 CMS Extension to make handling RequestToken easy

1.0.1 2025-07-18 02:30 UTC


Last update: 2025-07-22 08:06:09 UTC


README

Takes away the mental load of handling JWTs, nonces, cookies, URIs, etc. in TYPO3. Focus on your application, nothing more.

Usage

This example illustrates how the SecurityObjects are generated and consumed.

namespace Vendor\Package;

use Exception;use TYPO3\CMS\Core\Utility\GeneralUtility;
use CoStack\EasyRequestToken\Security\SecurityObjectsFactory;
use CoStack\EasyRequestToken\Security\LockedSecurityObjects;
use CoStack\EasyRequestToken\Http\NonceCookie;
use CoStack\EasyRequestToken\Http\RedirectResponse;
use TYPO3\CMS\Core\Http\PropagateResponseException;
use TYPO3\CMS\Backend\Routing\UriBuilder;

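/**
 * Example consumer showing both halves of the request-token round trip:
 * redirect() creates the security objects and sends the user away with a nonce cookie,
 * handle() receives the callback and reads the params back from the request token.
 */
class YourConsumer
{
    /**
     * Creates and locks the security objects, then redirects to the external URL.
     *
     * Never returns: the redirect response is delivered by throwing it.
     *
     * @throws PropagateResponseException always, carrying the redirect response and the nonce cookie
     */
    public function redirect(): never
    {
        // You can put anything in params which can be json_encoded.
        // These values are accessible (and trusted!) when receiving the request token.
        // NOTE(review): the params travel inside the callback URL that getRedirectUrl() hands to
        // another site. Assume they are readable by anyone who sees that URL and keep secrets
        // out of them; confirm how the extension encodes them.
        $params = [];

        // If using for something else than a backend authentication, define your own scope!
        // The same scope string must be used again in handle(). A scope of your own presumably
        // keeps a token issued for this flow from being accepted by another flow.
        $scope = 'core/user-auth/be';

        // Create the factory
        $securityObjectsFactory = GeneralUtility::makeInstance(SecurityObjectsFactory::class);
        // Create a mutable version of the security objects
        $securityObjects = $securityObjectsFactory->create($scope, $params);
        // You can alter the security object params until they are locked
        $securityObjects->params['foo'] = 'example';

        // After locking, params can not be altered. Everything is immutable.
        $securityObjects = $securityObjects->lock();

        // Build the callback URI
        $callbackUrl = $this->getCallbackUrl($securityObjects);
        $redirectUrl = $this->getRedirectUrl($callbackUrl);

        // NOTE(review): the original example used $sitePath without defining it. The TYPO3 site
        // path is assumed here as the cookie path; confirm against the NonceCookie constructor.
        $sitePath = GeneralUtility::getIndpEnv('TYPO3_SITE_PATH');

        // Use NonceCookie and RedirectResponse, because the PropagateResponseException
        // will bypass setting nonce cookies via middleware.
        // In case you can return a RedirectResponse without using the PropagateResponseException, you should always
        // prefer returning the response. You can use the TYPO3 RedirectResponse in that case.
        // The signing secret is passed only to the cookie; it is not added to either URL in this method.
        $nonceCookie = new NonceCookie($securityObjects->signingSecret, $sitePath);
        $redirectResponse = new RedirectResponse($redirectUrl, $nonceCookie);

        throw new PropagateResponseException($redirectResponse);
    }

    /**
     * Handles the callback request. Assumes this is the method behind your callback URI
     * after a successful redirect.
     *
     * @throws Exception when no locked security objects are available for the scope
     */
    public function handle(): void
    {
        // Change accordingly; must match the scope used in redirect().
        $scope = 'core/user-auth/be';

        $securityObjectsFactory = GeneralUtility::makeInstance(SecurityObjectsFactory::class);
        $securityObjects = $securityObjectsFactory->getCurrentSecurityObjects($scope);

        // Don't forget to actually check the return value.
        // Anything other than LockedSecurityObjects means the request must not be processed
        // further, and nothing from it may be treated as trusted.
        if (!$securityObjects instanceof LockedSecurityObjects) {
            // Deliberately generic: the message does not reveal which check failed.
            throw new Exception('Something went wrong');
        }

        // Trusted params: read them only after the instanceof check above has passed.
        $params = $securityObjects->requestToken->params;
    }

    /**
     * Builds the absolute URL of the 'login' backend route with the security objects added as parameters.
     */
    public function getCallbackUrl(LockedSecurityObjects $securityObjects): string
    {
        $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
        return (string) $uriBuilder->buildUriFromRoute(
            'login',
            $securityObjects->addSecurityObjectsToParams(),
            UriBuilder::ABSOLUTE_URL,
        );
    }

    /**
     * Builds the external URL the user is redirected to, with the callback URL as a query parameter.
     *
     * The target host is a fixed literal and the callback URL is percent-encoded with rawurlencode(),
     * so it stays inside the single callbackUri parameter.
     */
    public function getRedirectUrl(string $callbackUrl): string
    {
        return 'https://example.com?callbackUri=' . rawurlencode($callbackUrl);
    }
}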

Licenses

License of this package: GPL-3.0-or-later

List of used assets with source and license

LICENSE

Resources/Public/Icons/Extension.svg