38 lines
940 B
PHP
38 lines
940 B
PHP
<?php
|
|
|
|
namespace App\Actions\Auth;
|
|
|
|
use App\DTOs\OidcUserData;
|
|
use App\Models\User;
|
|
use Illuminate\Auth\AuthenticationException;
|
|
|
|
class AuthenticateOidcUser
|
|
{
|
|
/**
|
|
* Authenticate or link OIDC authenticated user.
|
|
*
|
|
* @throws AuthenticationException
|
|
*/
|
|
public function execute(OidcUserData $data): User
|
|
{
|
|
// Search by subject claim
|
|
$user = User::where('oidc_sub', $data->sub)->first();
|
|
|
|
if (! $user) {
|
|
// Fallback: search by email to map existing accounts
|
|
$user = User::where('email', $data->email)->first();
|
|
|
|
if ($user) {
|
|
// Link account
|
|
$user->oidc_sub = $data->sub;
|
|
$user->save();
|
|
} else {
|
|
// Deny registration
|
|
throw new AuthenticationException('Account not found. Please contact an administrator.');
|
|
}
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
}
|