Implemented public scopes repository. Fix some auth cases [skip ci]

This commit is contained in:
ErickSkrauch 2019-09-13 01:19:03 +03:00
parent 4dc2a3025b
commit 8a1d7148d0
4 changed files with 64 additions and 2 deletions

View File

@ -25,6 +25,7 @@ class Component extends BaseComponent {
$clientsRepo = new Repositories\ClientRepository(); $clientsRepo = new Repositories\ClientRepository();
$accessTokensRepo = new Repositories\AccessTokenRepository(); $accessTokensRepo = new Repositories\AccessTokenRepository();
$scopesRepo = new Repositories\ScopeRepository(); $scopesRepo = new Repositories\ScopeRepository();
$publicScopesRepo = new Repositories\PublicScopeRepository();
$authCodesRepo = new Repositories\AuthCodeRepository(); $authCodesRepo = new Repositories\AuthCodeRepository();
$refreshTokensRepo = new Repositories\RefreshTokenRepository(); $refreshTokensRepo = new Repositories\RefreshTokenRepository();
@ -41,6 +42,7 @@ class Component extends BaseComponent {
$authCodeGrant = new Grant\AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M')); $authCodeGrant = new Grant\AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M'));
$authCodeGrant->disableRequireCodeChallengeForPublicClients(); $authCodeGrant->disableRequireCodeChallengeForPublicClients();
$authServer->enableGrantType($authCodeGrant, $accessTokenTTL); $authServer->enableGrantType($authCodeGrant, $accessTokenTTL);
$authCodeGrant->setScopeRepository($publicScopesRepo); // Change repository after enabling
$authServer->enableGrantType(new Grant\RefreshTokenGrant($refreshTokensRepo), $accessTokenTTL); $authServer->enableGrantType(new Grant\RefreshTokenGrant($refreshTokensRepo), $accessTokenTTL);
$authServer->enableGrantType(new Grant\ClientCredentialsGrant(), $accessTokenTTL); $authServer->enableGrantType(new Grant\ClientCredentialsGrant(), $accessTokenTTL);

View File

@ -0,0 +1,54 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ScopeEntity;
use api\rbac\Permissions as P;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
class PublicScopeRepository implements ScopeRepositoryInterface {
private const OFFLINE_ACCESS = 'offline_access';
private const CHANGE_SKIN = 'change_skin';
private const ACCOUNT_INFO = 'account_info';
private const ACCOUNT_EMAIL = 'account_email';
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
self::ACCOUNT_INFO => P::OBTAIN_OWN_ACCOUNT_INFO,
self::ACCOUNT_EMAIL => P::OBTAIN_ACCOUNT_EMAIL,
];
private const ALLOWED_SCOPES = [
P::OBTAIN_OWN_ACCOUNT_INFO,
P::OBTAIN_ACCOUNT_EMAIL,
P::MINECRAFT_SERVER_SESSION,
self::OFFLINE_ACCESS,
self::CHANGE_SKIN,
];
public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface {
$identifier = $this->convertToInternalPermission($identifier);
if (!in_array($identifier, self::ALLOWED_SCOPES, true)) {
return null;
}
return new ScopeEntity($identifier);
}
public function finalizeScopes(
array $scopes,
$grantType,
ClientEntityInterface $clientEntity,
$userIdentifier = null
): array {
return $scopes;
}
private function convertToInternalPermission(string $publicScope): string {
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
}
}

View File

@ -107,6 +107,7 @@ class OauthProcess {
} }
$authRequest->setUser(new UserEntity($account->id)); $authRequest->setUser(new UserEntity($account->id));
$authRequest->setAuthorizationApproved(true);
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200)); $responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
$response = [ $response = [
@ -250,10 +251,15 @@ class OauthProcess {
} }
private function buildErrorResponse(OAuthServerException $e): array { private function buildErrorResponse(OAuthServerException $e): array {
$hint = $e->getPayload()['hint'] ?? '';
if (preg_match('/the `(\w+)` scope/', $hint, $matches)) {
$parameter = $matches[1];
}
$response = [ $response = [
'success' => false, 'success' => false,
'error' => $e->getErrorType(), 'error' => $e->getErrorType(),
// 'parameter' => $e->parameter, // TODO: if this is necessary, the parameter can be extracted from the hint 'parameter' => $parameter ?? null,
'statusCode' => $e->getHttpStatusCode(), 'statusCode' => $e->getHttpStatusCode(),
]; ];

View File

@ -132,7 +132,7 @@ class AuthCodeCest {
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
'success' => false, 'success' => false,
'error' => 'access_denied', 'error' => 'access_denied',
'parameter' => '', 'parameter' => null,
'statusCode' => 401, 'statusCode' => 401,
]); ]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');