Merge branch 'master' into oauth_jwt_tokens

# Conflicts:
#	api/components/OAuth2/Entities/AccessTokenEntity.php
#	api/components/OAuth2/Entities/RefreshTokenEntity.php
#	api/components/OAuth2/Grants/RefreshTokenGrant.php
#	api/components/OAuth2/Storage/SessionStorage.php
#	api/components/User/OAuth2Identity.php
ErickSkrauch 2019-12-04 01:17:12 +03:00
commit 72cbf16c97
8 changed files with 99 additions and 24 deletions


@ -1,5 +1,6 @@
.git/* .git/*
.env .env
data
# vendor folder will be filled from the container # vendor folder will be filled from the container
vendor vendor


@ -49,9 +49,9 @@ AUTHSERVER_HOST=authserver.ely.by
# LETSENCRYPT_HOST=account.ely.by # LETSENCRYPT_HOST=account.ely.by
# LETSENCRYPT_EMAIL=erickskrauch@ely.by # LETSENCRYPT_EMAIL=erickskrauch@ely.by
# MySQL # MariaDB
MYSQL_ALLOW_EMPTY_PASSWORD=yes ALLOW_EMPTY_PASSWORD=yes
MYSQL_ROOT_PASSWORD= MARIADB_ROOT_PASSWORD=
MYSQL_DATABASE=ely_accounts MARIADB_DATABASE=ely_accounts
MYSQL_USER=ely_accounts_user MARIADB_USER=ely_accounts_user
MYSQL_PASSWORD=ely_accounts_password MARIADB_PASSWORD=ely_accounts_password
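Review bot: The new `ALLOW_EMPTY_PASSWORD=yes` paired with the empty `MARIADB_ROOT_PASSWORD=` leaves the database root account passwordless wherever this file is used unmodified, and the neighbouring LETSENCRYPT_ entries suggest the same file seeds the deployed stack. Nothing in the hunk marks this as a local-only setting. A comment on the pair such as `# Local development only: on any reachable instance set MARIADB_ROOT_PASSWORD and remove ALLOW_EMPTY_PASSWORD` would make the intent explicit; whether this file is a template or the live environment cannot be told from the page.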


@ -74,7 +74,7 @@ Codeception:
services: services:
- name: redis:4.0.10-alpine - name: redis:4.0.10-alpine
alias: redis alias: redis
- name: mariadb:10.2.11 - name: bitnami/mariadb:10.3.20-debian-9-r4
alias: db alias: db
variables: variables:
# App config # App config
@ -85,10 +85,10 @@ Codeception:
REDIS_HOST: "redis" REDIS_HOST: "redis"
REDIS_PORT: "6379" REDIS_PORT: "6379"
# MariaDB config # MariaDB config
MYSQL_RANDOM_ROOT_PASSWORD: "true" ALLOW_EMPTY_PASSWORD: "yes"
MYSQL_DATABASE: "ely_accounts_test" MARIADB_DATABASE: "ely_accounts_test"
MYSQL_USER: "ely_accounts_tester" MARIADB_USER: "ely_accounts_tester"
MYSQL_PASSWORD: "ely_accounts_tester_password" MARIADB_PASSWORD: "ely_accounts_tester_password"
before_script: before_script:
# We don't count code coverage yet, so xdebug can be removed # We don't count code coverage yet, so xdebug can be removed
- sudo rm /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini - sudo rm /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
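Review bot: Replacing `MYSQL_RANDOM_ROOT_PASSWORD: "true"` with `ALLOW_EMPTY_PASSWORD: "yes"` moves the CI database service from a random root password to none, which is a step back from the previous posture even though the job database is ephemeral. The new image accepts `MARIADB_ROOT_PASSWORD` (the same variable this commit introduces in the env file), so a throwaway value keeps root protected: `MARIADB_ROOT_PASSWORD: "<ci-only-placeholder>"` in place of the ALLOW_EMPTY_PASSWORD line. If the empty password is required by the image's startup for some reason, a comment saying so next to the variable would stop the next reader from "fixing" it.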


@ -68,7 +68,7 @@ CMD ["php-fpm"]
# ================================================================================ # ================================================================================
FROM nginx:1.15.10-alpine AS web FROM fholzer/nginx-brotli:v1.16.0 AS web
ENV PHP_SERVERS php:9000 ENV PHP_SERVERS php:9000
@ -88,7 +88,9 @@ CMD ["nginx", "-g", "daemon off;"]
# ================================================================================ # ================================================================================
FROM mariadb:10.3.14-bionic AS db FROM bitnami/mariadb:10.3.20-debian-9-r4 AS db
USER 0
COPY ./docker/mariadb/config.cnf /etc/mysql/conf.d/ COPY ./docker/mariadb/config.cnf /etc/mysql/conf.d/
@ -116,5 +118,7 @@ RUN set -ex \
&& rm -rf /mysql-sys \ && rm -rf /mysql-sys \
&& apt-get purge -y --auto-remove $fetchDeps && apt-get purge -y --auto-remove $fetchDeps
ENTRYPOINT ["docker-entrypoint.sh"] USER 1001
CMD ["mysqld"]
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/run.sh"]
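Review bot: `FROM fholzer/nginx-brotli:v1.16.0 AS web` swaps the official nginx image for a personal Docker Hub image referenced only by a mutable tag, and `FROM bitnami/mariadb:10.3.20-debian-9-r4 AS db` does the same for the database stage; a tag can be re-pushed, so the build is no longer reproducible or reviewable from the Dockerfile alone. Pinning by digest, `FROM fholzer/nginx-brotli:v1.16.0@sha256:<digest-placeholder> AS web` (and likewise for the db stage), plus a one-line comment on why the brotli build was chosen over the official image, records the decision. The retained `COPY ./docker/mariadb/config.cnf /etc/mysql/conf.d/` was written for the official image; it is worth confirming that the new base image reads that directory at all, since the hunk shows no other config wiring for it.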


@ -1,4 +1,6 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\oauth\controllers; namespace api\modules\oauth\controllers;
use api\controllers\Controller; use api\controllers\Controller;
@ -19,11 +21,23 @@ class IdentityController extends Controller {
'actions' => ['index'], 'actions' => ['index'],
'allow' => true, 'allow' => true,
'roles' => [P::OBTAIN_ACCOUNT_INFO], 'roles' => [P::OBTAIN_ACCOUNT_INFO],
'roleParams' => function() { 'roleParams' => function(): array {
/** @noinspection NullPointerExceptionInspection */ /** @var \api\components\User\IdentityInterface $identity */
return [ $identity = Yii::$app->user->getIdentity();
'accountId' => Yii::$app->user->getIdentity()->getAccount()->id, $account = $identity->getAccount();
]; if ($account === null) {
Yii::$app->sentry->captureMessage('Unexpected lack of account', [
'identityType' => get_class($identity),
'userId' => $identity->getId(),
'assignedPermissions' => $identity->getAssignedPermissions(),
], [
'level' => 'warning',
]);
return ['accountId' => 0];
}
return ['accountId' => $account->id];
}, },
], ],
], ],
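Review bot: The fallback `return ['accountId' => 0];` feeds a sentinel into the `P::OBTAIN_ACCOUNT_INFO` rule parameters, and nothing in the hunk states what the rule does with an id of 0; whether access is denied or some default account is matched depends on rule code outside this view. The Sentry message records the anomaly but the value itself is undocumented, so a reader may later treat 0 as a valid id. A comment above the return, `// 0 never identifies a real account; the rule must reject it rather than match a default`, makes the contract explicit, and it is worth confirming the rule actually behaves that way. The enclosing `behaviors()` array and class continue outside the hunk.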


@ -65,12 +65,22 @@ class Textures {
public function getTextures(): array { public function getTextures(): array {
/** @var SkinSystemApi $api */ /** @var SkinSystemApi $api */
$api = Yii::$container->get(SkinSystemApi::class); $api = Yii::$container->get(SkinSystemApi::class);
if (YII_ENV_PROD) {
$api->setClient(new \GuzzleHttp\Client([
'connect_timeout' => 2,
'decode_content' => false,
'read_timeout' => 5,
'stream' => true,
'timeout' => 5,
]));
}
try { try {
$textures = $api->textures($this->account->username); $textures = $api->textures($this->account->username);
} catch (RequestException $e) { } catch (RequestException $e) {
Yii::warning('Cannot get textures from skinsystem.ely.by. Exception message is ' . $e->getMessage()); Yii::warning('Cannot get textures from skinsystem.ely.by. Exception message is ' . $e->getMessage());
} catch (GuzzleException $e) { } catch (GuzzleException $e) {
Yii::error($e); Yii::warning($e);
} }
return $textures ?? []; return $textures ?? [];
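Review bot: The timeouts on the new Guzzle client are applied only inside `if (YII_ENV_PROD)`, so development and test runs keep the default client with no bound on how long `$api->textures(...)` can block on a remote skin server, and the configured transport is never exercised by the test suite. Configuring a transport client inside `getTextures()` also hard-codes an environment switch into model code; the options belong in the container definition of `SkinSystemApi`, or at minimum the guard should be dropped so every environment gets bounded timeouts. A brief comment on why `'decode_content' => false` and `'stream' => true` are set would help too, since their effect depends on how `textures()` consumes the body, which the hunk does not show. `getTextures()` ends outside the hunk.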


@ -10,6 +10,7 @@ server {
add_header X-Frame-Options "sameorigin" always; add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'none';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/;img-src 'self' data: www.google-analytics.com;font-src 'self' data:;connect-src 'self' https://sentry.io https://sentry.ely.by;frame-src https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/";
# You can uncomment the next lines to enable debug mode # You can uncomment the next lines to enable debug mode
# rewrite_log on; # rewrite_log on;
@ -61,7 +62,8 @@ server {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REQUEST_URI $request_url; fastcgi_param REQUEST_URI $request_url;
fastcgi_param REMOTE_ADDR $http_x_real_ip; fastcgi_param REMOTE_ADDR $http_x_real_ip;
# Override HTTPS param to handle ssl from nginx-proxy container # Override HTTPS param to handle ssl from nginx-proxy or haproxy containers
fastcgi_param HTTPS $http_x_forwarded_ssl if_not_empty; fastcgi_param HTTPS $http_x_forwarded_ssl if_not_empty;
fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;
} }
} }
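Review bot: The added `fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;` passes the header value through verbatim, so a request that arrives with `X-Forwarded-Proto: http` reaches PHP as `HTTPS=http`; the CGI convention is `on` or empty, and code that only tests for a non-empty `HTTPS` will read such a request as secure. The line also duplicates the `HTTPS` param set from `$http_x_forwarded_ssl` one line above, leaving which value PHP-FPM keeps to ordering. Normalising the scheme in a `map` (in the `http` block, outside this hunk) and emitting a single `HTTPS` param avoids both problems. Separately, the new Content-Security-Policy in the first hunk allows `'unsafe-inline'` in `script-src`, which removes most of the XSS protection the header is meant to add; a comment noting which inline scripts require it would at least scope the exception.
```nginx
# http {} block: reduce the proxy scheme header to the CGI convention (on / empty)
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   on;
}
# … unchanged: other fastcgi_param lines …
fastcgi_param HTTPS $fastcgi_https if_not_empty;
```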


@ -5,7 +5,8 @@ error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
events { events {
worker_connections 1024; worker_connections 4096;
use epoll;
} }
http { http {
@ -19,11 +20,54 @@ http {
access_log /var/log/nginx/access.log main; access_log /var/log/nginx/access.log main;
sendfile on; sendfile on;
keepalive_timeout 10; server_tokens off;
keepalive_timeout 16;
connection_pool_size 4k;
request_pool_size 8k;
output_buffers 10 32k;
client_max_body_size 2m;
client_body_buffer_size 16k;
client_header_buffer_size 4k;
large_client_header_buffers 16 8k;
fastcgi_cache_path /data/nginx/cache levels=1:2 keys_zone=cache:128m inactive=600m use_temp_path=off; fastcgi_cache_path /data/nginx/cache levels=1:2 keys_zone=cache:128m inactive=600m use_temp_path=off;
fastcgi_cache_key "$scheme$request_method$host$request_uri"; fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Gzip
gzip on;
gzip_comp_level 6;
gzip_min_length 4096;
gzip_proxied any;
gzip_vary on;
gzip_types text/plain
text/css
text/javascript
application/javascript
application/json
application/octet-stream
application/x-font-ttf
application/x-font-opentype
application/vnd.ms-fontobject
image/svg+xml
image/x-icon;
# Brotli
brotli on;
brotli_comp_level 6;
brotli_min_length 4096;
brotli_types text/plain
text/css
text/javascript
application/javascript
application/json
application/octet-stream
application/x-font-ttf
application/x-font-opentype
application/vnd.ms-fontobject
image/svg+xml
image/x-icon;
map $uri $cache_duration { map $uri $cache_duration {
"~*^.+\.(jpe?g|gif|png|svg|js|json|css|zip|rar|eot|ttf|woff|woff2|ico|xml)$" "max"; "~*^.+\.(jpe?g|gif|png|svg|js|json|css|zip|rar|eot|ttf|woff|woff2|ico|xml)$" "max";
default "off"; default "off";