3.1.2

Improving OAuth2 feature by removing the possibility to use "multi-tenant" for Teampass application

includes/config/include.php

@@ -28,7 +28,7 @@
 
 define('TP_VERSION', '3.1.2');
 define("UPGRADE_MIN_DATE", "1724862801");
-define('TP_VERSION_MINOR', '76');
+define('TP_VERSION_MINOR', '77');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);

includes/tables_integrity.json

@@ -13,11 +13,11 @@
     },
     {
         "table_name": "background_tasks",
-        "structure_hash": "5c978dc465d2ad92100a9297adebe17702f140a8a03e29d3688ae5059bec74ab"
+        "structure_hash": "ebdf0ce49d3be2223e59e9faa598965b041243540c65dcfe2c03a91ce4c2ab2e"
     },
     {
         "table_name": "background_tasks_logs",
-        "structure_hash": "0a5c21f4eb80e0dab639836f47acfdad67c8a37cd8f52d94168edf02763fdd95"
+        "structure_hash": "18a0d2bde6955715cc70fdc01c2d91cd61ee7608093d076fcc3f8d32e4be938f"
     },
     {
         "table_name": "cache",
@@ -101,7 +101,7 @@
     },
     {
         "table_name": "log_system",
-        "structure_hash": "ad52bdf1006dc2ba9e1decbe73c12e6ff4476e086800ae2963504573431d9f9f"
+        "structure_hash": "7cf40d09bef89b6cc415df5abe2175e33893973afe651f8814ddf6d8b06721f8"
     },
     {
         "table_name": "misc",

vendor/teampassclasses/azureauthcontroller/src/AzureAuthController.php

@@ -47,6 +47,11 @@ class AzureAuthController
 
     public function __construct(array $settings)
     {
+        // Multi-tenant is not allowed
+        if (empty($settings['oauth2_tenant_id']) || $settings['oauth2_tenant_id'] === 'common') {
+            throw new Exception('Invalid tenant_id provided. Multi-tenant access is not allowed.');
+        }
+
         // Utilisation du point de terminaison v2.0
         $this->provider = new Azure([
             'clientId'                => $settings['oauth2_client_id'],
@@ -63,6 +68,11 @@ public function __construct(array $settings)
 
     public function redirect()
     {
+        // Force a unique tenant by refusing any other configuration
+        if ($this->settings['oauth2_tenant_id'] === 'common') {
+            throw new Exception('Multi-tenant access is not allowed. Tenant must be specified.');
+        }
+
         // Force user to select account
         $options = [
             'prompt' => 'select_account'
@@ -88,15 +98,12 @@ public function callback()
             $token = $this->provider->getAccessToken('authorization_code', [
                 'code' => $_GET['code']
             ]);
-            //error_log('Token récupéré : ' . print_r($token, true));
 
             // Récupérer les informations de l'utilisateur via Microsoft Graph
             $graphUrl = 'https://graph.microsoft.com/v1.0/me';
             $response = $this->provider->getAuthenticatedRequest('GET', $graphUrl, $token->getToken());
             $user = $this->provider->getParsedResponse($response);
 
-            //error_log('Utilisateur récupéré : ' . print_r($user, true));
-
             // Récupérer les groupes auxquels l'utilisateur appartient
             $groupsUrl = 'https://graph.microsoft.com/v1.0/me/memberOf';
             $groupsResponse = $this->provider->getAuthenticatedRequest('GET', $groupsUrl, $token->getToken());
@@ -112,11 +119,6 @@ public function callback()
                     ];
                 }
             }
-            //error_log('Utilisateur  : ' . print_r(array_merge($user, array('groups' => $userGroups)), true));
-
-            // Get groups
-            //$groups = $this->getAllGroups($token);
-            //error_log('Groupes récupérés : ' . print_r($groups, true));
 
             // Retourner les informations de l'utilisateur
             return [