<?php
namespace WorkOS;
use WorkOS\Resource\SessionAuthenticationSuccessResponse;
use WorkOS\Resource\SessionAuthenticationFailureResponse;
/**
 * Class CookieSession
 *
 * Thin wrapper around a sealed (encrypted) session cookie value and the
 * password needed to unseal it. All unsealing, token validation and API
 * traffic is delegated to UserManagement; this class only sequences the
 * calls. Mirrors the workos-node CookieSession API.
 *
 * Security notes for callers:
 *  - The cookie password is kept in memory as a property for the lifetime of
 *    this object. Do not log, dump or serialise instances of this class.
 *  - refresh() hands back raw tokens. The caller must seal them again and
 *    write the cookie with HttpOnly/Secure/SameSite attributes; nothing in
 *    this class sets a cookie.
 */
class CookieSession
{
    /** @var UserManagement Performs unsealing, validation and WorkOS API calls */
    private $userManagement;

    /** @var string Sealed (encrypted) cookie payload as received from the browser */
    private $sealedSession;

    /** @var string Secret UserManagement uses to unseal $sealedSession */
    private $cookiePassword;

    /**
     * @param UserManagement $userManagement Client used for every WorkOS interaction
     * @param string         $sealedSession  Encrypted session cookie value (untrusted client input)
     * @param string         $cookiePassword Password used to decrypt the session
     */
    public function __construct(
        UserManagement $userManagement,
        string $sealedSession,
        string $cookiePassword
    ) {
        $this->userManagement = $userManagement;
        $this->sealedSession = $sealedSession;
        $this->cookiePassword = $cookiePassword;
    }

    /**
     * Unseals and validates the session and returns the outcome.
     *
     * Delegates entirely to UserManagement::authenticateWithSessionCookie();
     * no additional checks are performed here.
     *
     * @return SessionAuthenticationSuccessResponse|SessionAuthenticationFailureResponse
     * @throws Exception\WorkOSException
     */
    public function authenticate()
    {
        $client = $this->userManagement;

        return $client->authenticateWithSessionCookie(
            $this->sealedSession,
            $this->cookiePassword
        );
    }

    /**
     * Exchanges the session's refresh token for a new token pair.
     *
     * The caller (e.g. authkit-php) must seal the returned tokens into a new
     * cookie; nothing is persisted here. If the refresh succeeds but the
     * caller then fails to write the new cookie, the browser still holds the
     * previous refresh token; whether that token remains usable depends on
     * WorkOS's rotation policy, so treat that situation as logged out.
     *
     * NOTE(review): the refresh is gated on authenticate() succeeding first.
     * If authenticateWithSessionCookie() rejects sessions whose access token
     * has already expired, an expired session cannot be refreshed through
     * this method — confirm against UserManagement before relying on it for
     * expired sessions.
     *
     * @param array $options
     *   - 'organizationId' (string|null): Organization to scope the new session to
     *
     * @return array{SessionAuthenticationSuccessResponse|SessionAuthenticationFailureResponse, array|null}
     *   [response, newTokens]; newTokens carries the keys 'access_token',
     *   'refresh_token' and 'session_id', or is null when response is a failure.
     * @throws Exception\WorkOSException Propagated from authenticate(). Only a
     *   BaseRequestException raised by the refresh call itself is converted
     *   into a REASON_HTTP_ERROR failure response.
     */
    public function refresh(array $options = [])
    {
        $current = $this->authenticate();
        if (!$current->authenticated) {
            return [$current, null];
        }

        $organizationId = $options['organizationId'] ?? null;

        try {
            $refreshed = $this->userManagement->authenticateWithRefreshToken(
                WorkOS::getClientId(),
                $current->refreshToken,
                null,
                null,
                $organizationId
            );
        } catch (Exception\BaseRequestException $e) {
            // The concrete HTTP error (e.g. a rejected or revoked refresh token)
            // is collapsed into a generic reason here and the exception is not
            // surfaced; detection of refresh-token reuse has to happen at a
            // lower layer.
            return [
                new SessionAuthenticationFailureResponse(
                    SessionAuthenticationFailureResponse::REASON_HTTP_ERROR
                ),
                null,
            ];
        }

        return [
            $this->buildRefreshedResponse($current, $refreshed, $organizationId),
            $this->extractTokens($current, $refreshed),
        ];
    }

    /**
     * Assembles the success response for a completed refresh.
     *
     * Session id and authentication method are carried over from the
     * unsealed session; tokens and user come from the refresh result. The
     * organization id falls back to the requested one when the refresh
     * response does not carry it.
     *
     * @param SessionAuthenticationSuccessResponse $current   Result of authenticate()
     * @param mixed                                $refreshed Result of authenticateWithRefreshToken()
     * @param string|null                          $organizationId Requested organization scope
     * @return SessionAuthenticationSuccessResponse
     */
    private function buildRefreshedResponse($current, $refreshed, $organizationId)
    {
        return SessionAuthenticationSuccessResponse::constructFromResponse([
            'authenticated' => true,
            'access_token' => $refreshed->accessToken,
            'refresh_token' => $refreshed->refreshToken,
            'session_id' => $current->sessionId,
            'user' => $refreshed->user->raw,
            'organization_id' => $refreshed->organizationId ?? $organizationId,
            'authentication_method' => $current->authenticationMethod,
        ]);
    }

    /**
     * Raw tokens for the caller to seal into a new cookie.
     *
     * @param SessionAuthenticationSuccessResponse $current   Result of authenticate()
     * @param mixed                                $refreshed Result of authenticateWithRefreshToken()
     * @return array Keys: 'access_token', 'refresh_token', 'session_id'
     */
    private function extractTokens($current, $refreshed)
    {
        return [
            'access_token' => $refreshed->accessToken,
            'refresh_token' => $refreshed->refreshToken,
            'session_id' => $current->sessionId,
        ];
    }

    /**
     * Builds the WorkOS logout URL for the current session.
     *
     * authenticate() is called first; a session that does not authenticate
     * yields an exception rather than a URL.
     *
     * 'returnTo' is passed through to UserManagement::getLogoutUrl() as-is.
     * If it is derived from request input, validate it against an allow-list
     * before calling this method to avoid an open redirect after logout;
     * whether WorkOS itself restricts return URLs is not visible here.
     *
     * @param array $options
     *   - 'returnTo' (string|null): URL to redirect to after logout
     *
     * @return string Logout URL
     * @throws Exception\UnexpectedValueException When the session does not authenticate
     * @throws Exception\WorkOSException Propagated from authenticate()
     */
    public function getLogoutUrl(array $options = [])
    {
        $session = $this->authenticate();
        if ($session->authenticated) {
            return $this->userManagement->getLogoutUrl(
                $session->sessionId,
                $options['returnTo'] ?? null
            );
        }

        throw new Exception\UnexpectedValueException(
            "Cannot get logout URL for unauthenticated session"
        );
    }
}