From 55767e5690bd78246bf5281d1f369ff67be9085c Mon Sep 17 00:00:00 2001
From: Pyjacpp <pyjacpp@crans.org>
Date: Mon, 23 Mar 2026 22:20:33 +0100
Subject: [PATCH] =?UTF-8?q?feat:=E2=80=AFOAuth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hosts/vm/mediakiwi/WSONoteKfetAuth/README     |  14 ++
 .../mediakiwi/WSONoteKfetAuth/extension.json  |  25 ++++
 .../WSONoteKfetAuth/src/NoteKfetAuth.php      | 137 ++++++++++++++++++
 hosts/vm/mediakiwi/mediawiki.nix              |  16 +-
 secrets/mediakiwi/mediawiki-oauth.age         | Bin 0 -> 2000 bytes
 secrets/mediakiwi/mediawiki-openid.age        | Bin 2028 -> 0 bytes
 6 files changed, 186 insertions(+), 6 deletions(-)
 create mode 100644 hosts/vm/mediakiwi/WSONoteKfetAuth/README
 create mode 100644 hosts/vm/mediakiwi/WSONoteKfetAuth/extension.json
 create mode 100644 hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
 create mode 100644 secrets/mediakiwi/mediawiki-oauth.age
 delete mode 100644 secrets/mediakiwi/mediawiki-openid.age

diff --git a/hosts/vm/mediakiwi/WSONoteKfetAuth/README b/hosts/vm/mediakiwi/WSONoteKfetAuth/README
new file mode 100644
index 0000000..0d3eae9
--- /dev/null
+++ b/hosts/vm/mediakiwi/WSONoteKfetAuth/README
@@ -0,0 +1,14 @@
+# NoteKfetAuth
+
+Extension pour médiawiki pour ajouter le support de l'autentification par Note
+via l'extension WSOAuth.
+
+## Installation
+
+Il faut enregistrer l'extension comme provider
+
+```
+$wgOAuthCustomAuthProviders = [
+    'note' => WSOAuthNoteKfetAuth\NoteKfetAuth::class
+];
+```
diff --git a/hosts/vm/mediakiwi/WSONoteKfetAuth/extension.json b/hosts/vm/mediakiwi/WSONoteKfetAuth/extension.json
new file mode 100644
index 0000000..efbb583
--- /dev/null
+++ b/hosts/vm/mediakiwi/WSONoteKfetAuth/extension.json
@@ -0,0 +1,25 @@
+{
+    "name": "WSONoteKfetAuth",
+    "author": [
+        "Pyjacpp"
+    ],
+    "url": "https://gitlab.crans.org/nounou/WSONoteKfet",
+    "description": "Implementation of the NoteKfet OAuth2 for the WSOAuth extension",
+    "type": "other",
+    "requires": {
+        "MediaWiki": ">= 1.35.0",
+        "extensions": {
+            "WSOAuth": ">= 9.0"
+        }
+    },
+    "AutoloadNamespaces": {
+        "WSONoteKfetAuth\\": "src/"
+    },
+    "config": {
+        "NoteKfetUrl": {
+            "description": "The url of the NoteKfet.",
+            "value": "https://note.crans.org/"
+        }
+    },
+    "manifest_version": 2
+}
\ No newline at end of file
diff --git a/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php b/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
new file mode 100644
index 0000000..464213c
--- /dev/null
+++ b/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
@@ -0,0 +1,137 @@
+<?php
+
+/**
+ * Copyright 2020 Marijn van Wezel
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+ * Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+namespace WSOAuth\AuthenticationProvider;
+
+use MediaWiki\User\UserIdentity;
+
+class NoteKfetAuth extends AuthProvider {
+
+	/**
+	 * @var string
+	 */
+	private $clientId;
+
+	/**
+	 * @var string
+	 */
+	private $clientSecret;
+	/**
+	 * @inheritDoc
+	 */
+	public function __construct(
+		string $clientId,
+		string $clientSecret,
+		?string $authUri,
+		?string $redirectUri,
+		array $extensionData = []
+	) {
+		$this->clientId = $clientId;
+		$this->clientSecret = $clientSecret;
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {
+
+		$state = random_int(PHP_INT_MIN, PHP_INT_MAX);
+		$secret = "$state";
+		$authUrl = $GLOBALS['wgNoteKfetUrl'] . "o/authorize/?" . http_build_query(
+			'client_id' => $this->clientId,
+			'response_type' => 'code',
+			'scope' => '1_1',
+			'state' => $secret,
+		);
+
+		return true;
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function logout( UserIdentity &$user ): void {
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function getUser( string $key, string $secret, &$errorMessage ) {
+		if ( !isset( $_GET['code'] ) ) {
+			return false;
+		}
+
+		if ( !isset( $_GET['state'] ) || empty( $_GET['state'] ) || ( $_GET['state'] !== $secret ) ) {
+			return false;
+		}
+
+		try {
+			$token = $this->getAccessTokens( $_GET['code'] );
+			$userInfos = $this->getUserInfos( $token );
+
+			return [
+				'name' => $userInfos->normalized_name,
+				'realname' => $userInfos->username,
+				'email' => $userInfos->email,
+			];
+		} catch ( \Exception $e ) {
+			return false;
+		}
+	}
+
+	private function getAccessTokens( string $code ) {
+		$data = [
+			'grant_type' => 'authorization_code',
+			'client_id' => $this->clientId,
+			'client_secret' => $this->clientSecret,
+			'code' => $code,
+		];
+
+		$options = [
+			'http' => [
+				'method'  => 'POST',
+				'header'  => 'Content-type: application/x-www-form-urlencoded',
+				'content' => http_build_query($data),
+			],
+		];
+
+		$context  = stream_context_create($options);
+		$response = file_get_contents($GLOBALS['wgNoteKfetUrl'] . 'o/oauth/token/', false, $context);
+		$tokens = json_decode($response);
+		return $tokens->access_token;
+	}
+
+	private function getUserInfos( string $token ) {
+		$options = [
+			'http' => [
+				'method'  => 'GET',
+				'header'  => "Authorization: Bearer $token",
+			],
+		];
+
+		$context  = stream_context_create($options);
+		$response = file_get_contents($GLOBALS['wgNoteKfetUrl'] . 'api/me/', false, $context);
+		return json_decode($response);
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function saveExtraAttributes( int $id ): void {
+	}
+}
diff --git a/hosts/vm/mediakiwi/mediawiki.nix b/hosts/vm/mediakiwi/mediawiki.nix
index c0217f0..15cd91b 100644
--- a/hosts/vm/mediakiwi/mediawiki.nix
+++ b/hosts/vm/mediakiwi/mediawiki.nix
@@ -106,6 +106,9 @@ in
       $wgPluggableAuth_EnableLocalLogin = true;
       $LDAPAuthentication2AllowLocalLogin = true;
       $LDAPProviderDomainConfigs = "${config.age.secrets.mediawiki-ldap.path}";
+      $wgOAuthCustomAuthProviders = [
+        'note' => WSOAuthNoteKfetAuth\NoteKfetAuth::class
+      ];
       $wgPluggableAuth_Config = [
         "Compte Crans" => [
           'plugin' => 'LDAPAuthentication2',
@@ -114,8 +117,8 @@ in
           ]
         ],
         "Note BDE" => [
-          'plugin' => 'OpenIDConnect',
-          'data' => require('${config.age.secrets.mediawiki-openid.path}'),
+          'plugin' => 'WSOAuth',
+          'data' => require('${config.age.secrets.mediawiki-oauth.path}'),
         ]
       ];
 
@@ -257,15 +260,16 @@ in
         # Pas de meilleure solution à ma connaissance pour suivre les releases.
         sha256 = "sha256-oi5rliHb4KnLbvQxO7MGuLp/FEucoGR/Z0NP1gmbgMc=";
       };
-      OpenIDConnect = pkgs.fetchFromGitHub {
-        name = "OpenIDConnect";
+      WSOAuth = pkgs.fetchFromGitHub {
+        name = "WSOAuth";
         owner = "wikimedia";
-        repo = "mediawiki-extensions-OpenIDConnect";
+        repo = "mediawiki-extensions-WSOAuth";
         rev = "REL" + major + "_" + minor;
         # Le SHA doit être changé à chaque nouveau commit de traduction.
         # Pas de meilleure solution à ma connaissance pour suivre les releases.
-        sha256 = "sha256-KoBULn53xnY+ydodeTGN7YEoqgLr9qhhuR5mNibbh5s=";
+        sha256 = "sha256-1jv4nmkxky1dx7833sacsbqww54yb9glrnl1360b13h2z5fhwdxp";
       };
+      WSONoteKfetAuth = ./WSONoteKfetAuth;
     };
   };
 }
diff --git a/secrets/mediakiwi/mediawiki-oauth.age b/secrets/mediakiwi/mediawiki-oauth.age
new file mode 100644
index 0000000000000000000000000000000000000000..e442571d799062c48266bba318cd37f6914617ec
GIT binary patch
literal 2000
zcmZXU>&xT@8O2vc#e5Q>t6LGqij+3{nn@<fWV%wxWHOmdl9}8yNwqY|WOA9A+$WQy
zBC=FlFI%*Ax3Vgzt)im%p{O8&lw!5EyRCv%ye+m$70aT#{h*7ozU?P{{R_@Hzvnr}
z_PqlycJn4J!z6xBlKW5v0|&QviXu4hmI#KygHB};y1(ym-oCeN+bZT9bf$7bP8i@i
zDA1yoYYu^JqXfr|T5g4~3s3=*^fqIAu$pe9vd6$F@1=@8S7;USA*+|8%gIoVi!vc!
zQA@+>AVn~|<LxQ8x9^afdSoz+T1ccrtIj$<v;uO5k+706E0=vtpgFi#Tiu0G0))X(
zTX<H|78z`(I<d<*b+cQwB`u;obnM6@XT;(S9GmF>XyFtOiHBM{iFbt<Au>9JK%OTT
zU@g0x5GPIsaTdY0gb&w!Y3?a4P>58Ls&Qmd8ss>WE(9)gsYuMC?SmA%H*_V+hEn6j
zqy15e-kj7Fze72`(b5~ULD-lKX9c~?hK=H(4Jl`<HX(LtY7hD_F3K9fVPjU=ihVVk
za09JTQAKr-L&#|a_heE41w|BS*4^9As}x_kSzg#3nYOJV2}~t<O^Rr3>V7%SAcxz6
z_zrWjZr=uTp)wQ3NCyin@OVh&mhl9s)@URt3dQMeLAxQa!{}wr*J3sc5VcU-v<L>C
zr6Th^*=?-UhPxY~X!<fAGbq>R$uwoFAnrFC7HR$Qf&@fwwME*oDou+C&a6nOsscwP
z=)&sNsb=qOA~gd?!gonV>nm8S<E=b0o4KVoBV*|3fB?<mWg;3|Wli_1z9L72h{fg#
z3<zOa^vo4Z4mRC*OuBWC7Zi@)aRo%0<^u6noBgf?=+uYi1Bul#G>R2i7&DaA$J}I)
zgQaQ(f+nRS#>5k`Z8^^Ll@X(}Rzqbt!A&I^l7Vcmx@BGyEY8dkT$8qtUrnZUtQtK?
zFKpgai8Wg7xOA>*wb_hkZj?s2I~~nHrdU^9K*M{wY5AT>+a;j|V3^nvx`Et?PU~o~
zt}_IwbHok#LFuj5EV)InJ~1DymR-SVLxcxFa=IfYBC837F7MWcja5yQYc$5s`f(X(
zOkl<&%vh_ctxFd}^Twz5jM>NWzFe{c5jgsYQz(=@zq5)NzQ*i%%<ZPEqAM9Xo%c|c
z671Nv0+CLJpy~!SnJxrCT#R>Xb-m@pvS#|5T~IC^j+SOzm!u##>gx5x?`uxGfxAc5
zm|37O`wlEGF})p?lL_C_1lk+Vl@PR}CDE2B-c%?Q3OET4bWHI9XO&0^Q91cM0#h4<
z90N*lg{Oo?FC3*5$Bh;o7|o1z_G+R3d#b#JK$c`@fNr?~)ko%Wo#?(2uC{RmtID4B
z_+>y>iYF7!e&ek-6BCef#4Fh-n~pTnaU?s^l5)e%N61<o(4yeydN-?yFho}L(QH_-
zNL;D2H6&G|d!wSs$E~z=9CFQC`jl&mg+}aoXq*u=KinE#Kmw^S*=uUpb!pg&%v_#1
zk~47d1)bC4mafHQ#F8ih=h*Q7NILRF*U663QlTdEfwMN-`Fb{S4*gbMY|+x9HF(|%
zIDBl(z>1E2Ky=mJvYpMl1kw#7b-2(+)F3>pbu?M&h@{)-MyR$tB#+&r*(Sa*@W>8_
z2NbU!PUwoQL!R%o<szbbHL*fnjpsOQClZ2zZdhDO02Q&e3xZ8rsN7Sf-NJU{_izL8
zW=*~(puKA>rMAhthl2_n92|5sQ8SVSxpdIXz^C@oY(TWxWl~PsYfN)$%i>B>fdhEZ
z1x}s$MCXsqg`d9nvL&l`UBB+U@u5q_=N>)v*|)#*Df#cRcdMlaFB1Q}6G+e9^{jb?
zg#Z2e^~au-;`{!9{Qh3OJU@T%lMmeS81gcF{Mg0&&+e+fep{K`{Jk3<dD{t7xHUc&
zoc#22U;k}j;hp#WXuy5#7nh$=?s!@tZhnqA@x%1}moNY8z8_ruvvTU>S@y}7AG-U(
zS1+CU&<)JR;NtH-IN$!N^U@1%J$>y>Kfd~n^3t8ur{a%(=JXTJ1IJ#x|D_90U%Txl
z?RfaSc<IAGf3tkcZ8ttSJ{uEPe&$5ym0$nlm**aR!xL|L<hx(~X846`k0HQS{ZEfS
zb*_Ky#*aU9eR%g@uFU`Tl~SJF{`_|y{{9u<`1x=B<HDED6esR|_vv@#58v~}o9K5e
Y+z<Tb1^1qhJbv;uue(Ki@bj<z55*k12mk;8

literal 0
HcmV?d00001

diff --git a/secrets/mediakiwi/mediawiki-openid.age b/secrets/mediakiwi/mediawiki-openid.age
deleted file mode 100644
index ceae6cf9a712d69cdae7d4c2f375c98b38573c92..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2028
zcmZA0ZRp$v9S87D-H=FM_y9h%!mX|7IRDLEF3BZs6mv-~xw|~)@^FXJCU<$dB$wRf
z=`Nk18+I?Y*@ClHoZy5pw&CWBZEna=Hz^FZbyY0gic@E)RTM?-rU=&hqA&cv{k{2o
z`Tf2>%X4;|<!rr8^B`FsO4c4&wt=0)jV$wboH>LbZM;!VG2N>gq0Bn966j2!Dv*(>
zAVCiJpk7j4JQ&6UcrrDFtU}g;nE{Dfvb{7#1&57VL9-Bevj<z58Aw?Rtuq@B6Wp-j
z2puK=)6$^aNg)JnI2AeTR1G3${Q#*1)3$Uh@}r7RhHj_C3DI}OuyRr`kj(<wlv`c^
ztf?tf<O+%jU7WQfi=GOTI;qDVm?b_6Reh)*Ymmnc&HuMhk^`md7Gh;1(3}mj+1kfv
z2CZ<tWt*|hW;RqhBx`dh;h}6uWhnyStQL>lZh<kQnrE3g4dc3p``1SmR>>MHG86=j
z>TDW$ySM0wgr<6pzy@VB*g#o9I5uOW3u|I(PD}PEPzd#MYt6HAyHUY9tbj?C3zDp{
zaL%xEImd#CUplSUtad8I)2U&w96=bQ=lCGJp{+Bkq0rW}M*tHgPqk_-##4slI;3I_
zLCLmti8TA<gn-GV8#tqCA#xp|ZJ6X_f#zbCx?8t``;d)Wz}z2C+XY*tL65StLCX|%
zqH-dWqxz~fai^MZuQk89K&cF&qi#yh>J96)h=p8`9A@?b%VHcEFDp1?4Rbi3xYR%<
zJ572R^~R_)4Kgi_P|3%8u!sx|hw&Ipo);@*ofsjKnl^wh%mvx03vsd0TXfq_n{wZB
zRRP~xtG+Y0qXe?Cc)`yk5svh3Im9Y+Jg*dGgj(~09|J<Cw<KtiUJb`KRx6v8=LIv*
zMP{^0hr!V2>_Vc<$vU>Efuv6-*Ms_MkVm8w=L|Z}0YTDf2PT%pnyA5KEJ1#@rHHmU
z)^dDUN<E@yDL!saCS^9A7h=R!Fw;^Hz8NM>okKieiN+nbiFqT1wB=Ecmkc>?>)xod
z5QA*xU|6y#-N<2;bsG!XD8y$9ncMA90T%>;a9aTJjJlLfS>qLDWmtt>fF%u*q)3|v
z7i*oFvZ<R3wcx_k0$YRYhcRMoY4N$XB6Sl&fg9Dh@y<gqP#mw(8FDxr&+*Zir_Ek!
zwA)Y^m4zjC<*d0hx(+^OP@(OpeGLF{iN;l#UfE$4XY<;x;cynu$(k#tZKwm*v5K3W
zer3C@-5MkKDpNJIan}H6v#_68=osQ?M@d?=37Iv&R?`t5M9y@L^gy8wXn<oJ+F18Y
zc4|-Kgr(#Vb*b%oYewy=8EP&@AsQVchM&v3HOJ(MoM=Q?)~=0tk_oy`hSGSY4aT};
zNfe^g@O;(_Xq{+FVH&m)U>f5}>Z~@b+iQiim|CO$+C^nX5*2$$Xilmo%ViQwOuO2x
zA-<W+<Obbbk6M^ORZOWR8MR53V2X_93xk)Dc)aFCA*13sU8sEzut{<ScWjaCx5%wx
zuH|ien;S+9Cf-a<D34rfA!XT<P0H`qY=zZzqG8}XN~V^+QCgYgZ6`ww5hAW0wD@!Z
zi!vwZ0c3)c3T81Nv#8M)&P&1=tww$yONFr-gasA{K5X;#)D0(PYuR#a7T&F~o`E|=
zV`0jDuEe+1s#%8cmMj)gFER=$-Y(S&=GhR9R78}d2^0d<R>aq&Y)I`Y9*R<bHRw8)
zE=`pHrZ|0TFUCd}YSBbm&VZerokmxWz)7Dic$pmabtfq)MYqHhQDv*_b@)C`%6gyi
z$8u8!I)8?)e)7nVUE%fpPu?T%-+SA=4+rmm@v+;!TAX@tSp53@bH6<O5$u+~XTLi9
zc6sv1x$nPu@$%J2tgAbtlWhL-r<B9cp}*~X=*V&NgGcxO;610mbNkK5Km3QY54`oS
z4;)NS-0|{Vw|`Ch_&2V727K+Vo38yE{Pd}}FFo|L6N{g|>)vV||6v>W$M=TczVnHF
z$K>ti%&RXQd+Qfxp`Q%i`}td*_~xZQF2+`P=Dv4?=*rQf`%b;|o0E^4uN?YHcINAQ
z_nq4_ATID1FYI~tz?LZ<y!(x_H(x&RIp&Ug@uy$-&+G3{zs-+5nx8*%e((DJf1bGK
z@eAL5=JZMC;Ez6GGw!wJ`%W$YbQ5^)#ry8ZpL^ik3kRCdKYz)6`r1dYyz%C{U%FKn
z_Wk9c_K5IG{_GdeKl9ob?$$K-%a2We|E-5E=D)i#xbw+Vmwx{E=&3y)`|OqK@>8z@
I5C2vCFT;e)fB*mh