--- loncom/auth/lonauth.pm	2021/11/03 01:04:02	1.169
+++ loncom/auth/lonauth.pm	2022/09/17 23:38:50	1.178
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.169 2021/11/03 01:04:02 raeburn Exp $
+# $Id: lonauth.pm,v 1.178 2022/09/17 23:38:50 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -42,11 +42,12 @@ use Apache::lonlocal;
 use Apache::File();
 use HTML::Entities;
 use Digest::MD5;
+use CGI::Cookie();
  
 # ------------------------------------------------------------ Successful login
 sub success {
     my ($r, $username, $domain, $authhost, $lowerurl, $extra_env,
-	$form,$skipcritical,$cid) = @_;
+	$form,$skipcritical,$cid,$expirepub,$write_to_opener) = @_;
 
 # ------------------------------------------------------------ Get cookie ready
     my $cookie =
@@ -146,6 +147,10 @@ sub success {
                 $destination .= 'selectrole=1&'.$newrole.'=1';
             }
         }
+    } elsif (defined($form->{display})) {
+        if ($destination =~ m{^/adm/email($|\?)}) {
+            $destination  .= ($destination =~ /\?/) ? '&' : '?' .'display='.&escape($form->{display});
+        }
     }
     if (defined($form->{symb})) {
         my $destsymb = $form->{symb};
@@ -178,11 +183,21 @@ sub success {
         $destination .= 'source=login';
     }
 
+    my $brcrum = [{'href' => '',
+                   'text' => 'Successful Login'},];
+    my $args = {'no_inline_link' => 1,
+                'bread_crumbs' => $brcrum,};
     if (($env{'request.deeplink.login'} eq $lowerurl) &&
         (($env{'request.linkprot'}) || ($env{'request.linkkey'} ne ''))) {
         my %info;
         if ($env{'request.linkprot'}) {
             $info{'linkprot'} = $env{'request.linkprot'};
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item}) {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            $args = {'only_body' => 1,};
         } elsif ($env{'request.linkkey'} ne '') {
             $info{'linkkey'} = $env{'request.linkkey'};
         }
@@ -199,9 +214,6 @@ sub success {
         $windowname .= 'lti';
     }
     my $windowinfo = Apache::lonhtmlcommon::scripttag('self.name="'.$windowname.'";');
-    my $brcrum = [{'href' => '',
-                   'text' => 'Successful Login'},];
-    my $args = {'bread_crumbs' => $brcrum,};
     unless ((defined($form->{role})) || (defined($form->{symb}))) {
         my $update=$env{'user.update.time'};
         if (!$update) {
@@ -233,6 +245,12 @@ sub success {
     if ($defaultcookie) {
         $r->headers_out->add('Set-cookie' => $defaultcookie);
     }
+    if ($expirepub) {
+        my $c = new CGI::Cookie(-name    => 'lonPubID',
+                                -value   => '',
+                                -expires => '-10y',);
+        $r->headers_out->add('Set-cookie' => $c);
+    }
     $r->send_http_header;
 
     my ($start_page,$js,$pagebody,$end_page);
@@ -241,6 +259,7 @@ sub success {
         if ($env{'request.lti.target'} eq '') {
             my $ltitarget = (($destination =~ /\?/) ? '&' : '?').
                             'ltitarget=iframe';
+            &js_escape(\$destination);
             $js = <<"ENDJS";
 
 <script type="text/javascript">
@@ -265,21 +284,22 @@ ENDJS
         }
         $start_page=&Apache::loncommon::start_page('',$js,$args);
     } else {
-        $args->{'redirect'} = [0,$destination];
+        $args->{'redirect'} = [0,$destination,'',$write_to_opener];
         $start_page=&Apache::loncommon::start_page('Successful Login',
                                                    $js,$args);
-
-        my %lt=&Apache::lonlocal::texthash(
-				           'wel' => 'Welcome',
-				           'pro' => 'Login problems?',
+        unless ($env{'request.linkprot'}) {
+            my %lt=&Apache::lonlocal::texthash(
+		    		               'wel' => 'Welcome',
+				               'pro' => 'Login problems?',
 				          );
-        $pagebody = "<h1>$lt{'wel'}</h1>\n".
-                    &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>');
-        my $loginhelp = &loginhelpdisplay($domain);
-        if ($loginhelp) {
-            $pagebody .= '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
+            $pagebody = "<h1>$lt{'wel'}</h1>\n".
+                        &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>');
+            my $loginhelp = &loginhelpdisplay($domain);
+            if ($loginhelp) {
+                $pagebody .= '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
+            }
         }
-    }
+    } 
     $end_page = &Apache::loncommon::end_page();
     $r->print(<<ENDSUCCESS);
 $start_page
@@ -293,22 +313,32 @@ ENDSUCCESS
 # --------------------------------------------------------------- Failed login!
 
 sub failed {
-    my ($r,$message,$form) = @_;
+    my ($r,$message,$form,$authhost) = @_;
     (undef,undef,undef,my $clientmathml,my $clientunicode) =
         &Apache::loncommon::decode_user_agent();
     my $args = {};
     if ($clientunicode && !$clientmathml) {
         $args = {'browser.unicode' => 1};
     }
+    if ($form->{firsturl} =~ m{^/tiny/$match_domain/\w+$}) {
+        if ($form->{linkprot}) {
+            $args->{only_body} = 1;
+        }
+    }
 
+    my @actions;
     my $start_page = &Apache::loncommon::start_page('Unsuccessful Login',undef,$args);
     my $uname = &Apache::loncommon::cleanup_html($form->{'uname'});
     my $udom = &Apache::loncommon::cleanup_html($form->{'udom'});
     if (&Apache::lonnet::domain($udom,'description') eq '') {
         undef($udom);
     }
+    my $authtype;
+    if (($udom ne '') && ($uname ne '') && ($authhost eq 'no_host')) {
+        $authtype = &Apache::lonnet::queryauthenticate($uname,$udom);
+    }
     my $retry = '/adm/login';
-    if ($uname eq $form->{'uname'}) {
+    if (($uname eq $form->{'uname'}) && ($authtype !~ /^lti:/)) {
         $retry .= '?username='.$uname;
     }
     if ($udom) {
@@ -344,7 +374,15 @@ sub failed {
             }
         }
         if (exists($form->{linkprot})) {
-            my $ltoken = &Apache::lonnet::tmpput({linkprot => $form->{'linkprot'}},
+            my %info = (
+                         'linkprot' => $form->{'linkprot'},
+                       );
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item} ne '') {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            my $ltoken = &Apache::lonnet::tmpput(\%info,
                                                  $r->dir_config('lonHostID'),'retry');
             if ($ltoken) {
                 $retry .= (($retry =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
@@ -356,18 +394,28 @@ sub failed {
     my $end_page = &Apache::loncommon::end_page();
     &Apache::loncommon::content_type($r,'text/html');
     $r->send_http_header;
-    my @actions =
-         (&mt('Please [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    if ($authtype =~ /^lti:/) {
+        $message = &mt('Direct login is not supported with the username you entered.').
+                   '<br /><br />'.
+                   &mt('You likely need to launch LON-CAPA from within a course in a different Learning Management System.').
+                   '<br />'.
+                   &mt('You can also try to log in with a different username.');
+        @actions = 
+            (&mt('Try your [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    } else {
+        $message = &mt($message);
+        @actions =
+            (&mt('Please [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    }
     my $loginhelp = &loginhelpdisplay($udom);
     if ($loginhelp) {
         push(@actions, '<a href="'.$loginhelp.'">'.&mt('Login problems?').'</a>');
     }
     #FIXME: link to helpdesk might be added here
-
     $r->print(
        $start_page
       .'<h2>'.&mt('Sorry ...').'</h2>'
-      .&Apache::lonhtmlcommon::confirm_success(&mt($message),1).'<br /><br />'
+      .&Apache::lonhtmlcommon::confirm_success($message,1).'<br /><br />'
       .&Apache::lonhtmlcommon::actionbox(\@actions)
       .$end_page
     );
@@ -452,6 +500,19 @@ sub handler {
                                      .$end_page);
                             } else {
                                 if (($info{'linkprot'}) || ($info{'linkkey'} ne '')) {
+                                    if (($info{'linkprot'}) && ($info{'linkprotuser'} ne '')) {
+                                        unless ($info{'linkprotuser'} eq $env{'user.name'}.':'.$env{'user.domain'}) {
+                                            $r->print(
+                                                      $start_page
+                                                      .'<p class="LC_warning">'.&mt('You are already logged in, but as a different user from the one expected for the link you followed from another system').'</p>'
+                                                      .'<p>'.&mt('Please [_1]log out[_2] first, and then try following the link again from the other system',
+                                                                 '<a href="/adm/logout">','</a>')
+
+                                                      .'</p>'
+                                                      .$end_page);
+                                            return OK;
+                                        }
+                                    }
                                     my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'),'link');
                                     unless (($token eq 'con_lost') || ($token eq 'refused') ||
                                             ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
@@ -561,9 +622,33 @@ sub handler {
 # --------------------------------------------------------------------- Failed?
 
     if ($authhost eq 'no_host') {
-	&failed($r,'Username and/or password could not be authenticated.',
-		\%form);
-        return OK;
+        my $pwdverify;
+        if (&Apache::lonnet::homeserver($form{'uname'},$form{'udom'}) eq 'no_host') {
+            my %possunames = &alternate_unames_check($form{'uname'},$form{'udom'});
+            if (keys(%possunames) > 0) {
+                foreach my $rulematch (keys(%possunames)) {
+                    my $possuname = $possunames{$rulematch};
+                    if (($possuname ne '') && ($possuname =~ /^$match_username$/)) {
+                        $authhost=Apache::lonnet::authenticate($possuname,$upass,
+                                                               $form{'udom'},undef,
+                                                               $clientcancheckhost);
+                        if (($authhost eq 'no_host') || ($authhost eq 'no_account_on_host')) {
+                            next;
+                        } elsif (($authhost ne '') && (&Apache::lonnet::hostname($authhost) ne '')) {
+                            $pwdverify = 1;
+                            &Apache::lonnet::logthis("Authenticated user: $possuname was submitted as: $form{'uname'}"); 
+                            $form{'uname'} = $possuname;
+                            last;
+                        }
+                    }
+                }
+            }
+        }
+        unless ($pwdverify) {
+            &failed($r,'Username and/or password could not be authenticated.',
+                    \%form,$authhost);
+            return OK;
+        }
     } elsif ($authhost eq 'no_account_on_host') {
         if ($defaultauth) {
             my $domdesc = &Apache::lonnet::domain($form{'udom'},'description');
@@ -683,6 +768,18 @@ sub handler {
 	}
     }
 
+    if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        if (($form{'linkprot'}) && ($form{'linkprotuser'} ne '')) {
+            unless($form{'linkprotuser'} eq $form{'uname'}.':'.$form{'udom'}) {
+                delete($form{'udom'});
+                delete($form{'uname'});
+                &failed($r,'Username and/or domain are different to that expected for the link you followed from another system',
+                        \%form,$authhost);
+                return OK;
+            }
+        }
+    }
+
     my ($is_balancer,$otherserver);
 
     unless ($hosthere) {
@@ -726,11 +823,21 @@ sub handler {
             }
             if ($form{'linkprot'}) {
                 $env{'request.linkprot'} = $form{'linkprot'};
+                foreach my $item ('linkprotuser','linkprotexit') {
+                    if ($form{$item}) {
+                        $env{'request.'.$item} = $form{$item};
+                    }
+                }
             } elsif ($form{'linkkey'} ne '') {
                 $env{'request.linkkey'} = $form{'linkkey'};
             }
             if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
                 &set_deeplink_login(%form);
+            } elsif ($firsturl eq '/adm/email') {
+                if ($form{'display'} && ($form{'mailrecip'} eq "$form{'uname'}:$form{'udom'}")) {
+                    $env{'request.display'} = $form{'display'};
+                    $env{'request.mailrecip'} = $form{'mailrecip'};
+                }
             }
             $r->internal_redirect($switchto);
         } else {
@@ -757,11 +864,21 @@ sub handler {
                 }
                 if ($form{'linkprot'}) {
                     $env{'request.linkprot'} = $form{'linkprot'};
+                    foreach my $item ('linkprotuser','linkprotexit') {
+                        if ($form{$item}) {
+                            $env{'request.'.$item} = $form{$item};
+                        }
+                    }
                 } elsif ($form{'linkkey'} ne '') {
                     $env{'request.linkkey'} = $form{'linkkey'};
                 }
                 if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
                     &set_deeplink_login(%form);
+                } elsif ($firsturl eq '/adm/email') {
+                    if ($form{'display'} && ($form{'mailrecip'} eq "$form{'uname'}:$form{'udom'}")) {
+                        $env{'request.display'} = $form{'display'};
+                        $env{'request.mailrecip'} = $form{'mailrecip'};
+                    }
                 }
                 $r->internal_redirect($switchto);
             } else {
@@ -801,6 +918,11 @@ sub handler {
                 }
                 if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
                     &set_deeplink_login(%form);
+                } elsif ($firsturl eq '/adm/email') {
+                    if ($form{'display'} && ($form{'mailrecip'} eq "$form{'uname'}:$form{'udom'}")) {
+                        $env{'request.display'} = $form{'display'};
+                        $env{'request.mailrecip'} = $form{'mailrecip'};
+                    }
                 }
                 $r->internal_redirect('/adm/switchserver?otherserver='.$unloaded.'&origurl='.$firsturl);
                 return OK;
@@ -820,6 +942,14 @@ sub handler {
                         $form{$item} = $sessiondata{$item};
                     }
                 }
+                if ($sessiondata{'origurl'} eq '/adm/email') {
+                    if (($sessiondata{'display'}) && ($sessiondata{'mailrecip'})) {
+                        if (&unescape($sessiondata{'mailrecip'}) eq "$form{'uname'}:$form{'udom'}") {
+                            $form{'display'} = &unescape($sessiondata{'display'});
+                            $form{'mailrecip'} = &unescape($sessiondata{'mailrecip'});
+                        }
+                    }
+                }
             }
         }
         if ($form{'linkprot'}) {
@@ -840,6 +970,9 @@ sub handler {
                 } else {
                     $extra_env = {'request.linkprot' => $form{'linkprot'}};
                 }
+                if ($form{'linkprotexit'}) {
+                    $extra_env->{'request.linkprotexit'} = $form{'linkprotexit'};
+                }
             } elsif ($form{'linkkey'} ne '') {
                 if (ref($extra_env) eq 'HASH') {
                     %{$extra_env} = ( %{$extra_env}, 'request.linkkey' => $form{'linkkey'} );
@@ -928,7 +1061,7 @@ sub set_retry_token {
     my ($form,$lonhost,$querystr) = @_;
     if (ref($form) eq 'HASH') {
         my ($firsturl,$token,$extras,@names);
-        @names = ('role','symb','linkprot','linkkey','iptoken');
+        @names = ('role','symb','linkprotuser','linkprotexit','linkprot','linkkey','iptoken');
         foreach my $name (@names) {
             if ($form->{$name} ne '') {
                 $extras .= '&'.$name.'='.&escape($form->{$name});
@@ -1015,6 +1148,11 @@ sub check_can_host {
                      $form);
             if ($form->{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
                 $env{'request.deeplink.login'} = $form->{'firsturl'};
+            } elsif ($form->{'firsturl'} eq '/adm/email') {
+                if ($form->{'display'} && ($form->{'mailrecip'} eq $form->{'uname'}.':'.$form->{'udom'})) {
+                    $env{'request.display'} = $form->{'mailrecip'};
+                    $env{'request.mailrecip'} = $form->{'mailrecip'};
+                }
             }
             if ($form->{'linkprot'}) {
                 $env{'request.linkprot'} = $form->{'linkprot'};
@@ -1064,6 +1202,20 @@ sub loginhelpdisplay {
     return;
 }
 
+sub alternate_unames_check {
+    my ($uname,$udom) = @_;
+    my %possunames;
+    my %domdefs = &Apache::lonnet::get_domain_defaults($udom);
+    if (ref($domdefs{'unamemap_rule'}) eq 'ARRAY') { 
+        if (@{$domdefs{'unamemap_rule'}} > 0) {
+            %possunames =
+                &Apache::lonnet::inst_rulecheck($udom,$uname,undef,
+                                                'unamemap',$domdefs{'unamemap_rule'});
+        }
+    }
+    return %possunames;
+}
+
 1;
 __END__