mirror of
https://github.com/elyby/accounts.git
synced 2025-05-31 14:11:46 +05:30
Remove refresh_token from OAuth2 result. Return the same access_token as a refresh_token in case when it's requested. Make access_tokens to live forever.
This commit is contained in:
ErickSkrauch
@@ -3,64 +3,22 @@ declare(strict_types=1);
|
||||
|
||||
namespace api\components\OAuth2\Entities;
|
||||
|
||||
use api\components\OAuth2\Repositories\PublicScopeRepository;
|
||||
use api\rbac\Permissions;
|
||||
use Carbon\CarbonImmutable;
|
||||
use DateTimeImmutable;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||
use League\OAuth2\Server\Entities\Traits\EntityTrait;
|
||||
use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
|
||||
use Yii;
|
||||
|
||||
class AccessTokenEntity implements AccessTokenEntityInterface {
|
||||
use EntityTrait;
|
||||
use TokenEntityTrait {
|
||||
getExpiryDateTime as parentGetExpiryDateTime;
|
||||
}
|
||||
use TokenEntityTrait;
|
||||
|
||||
/**
|
||||
* There is no need to store offline_access scope in the resulting access_token.
|
||||
* We cannot remove it from the token because otherwise we won't be able to form a refresh_token.
|
||||
* That's why we delete offline_access before creating the token and then return it back.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function __toString(): string {
|
||||
$scopes = $this->scopes;
|
||||
$this->scopes = array_filter($this->scopes, function(ScopeEntityInterface $scope): bool {
|
||||
return $scope->getIdentifier() !== PublicScopeRepository::OFFLINE_ACCESS;
|
||||
});
|
||||
|
||||
$token = Yii::$app->tokensFactory->createForOAuthClient($this);
|
||||
|
||||
$this->scopes = $scopes;
|
||||
|
||||
return (string)$token;
|
||||
return (string)Yii::$app->tokensFactory->createForOAuthClient($this);
|
||||
}
|
||||
|
||||
public function setPrivateKey(CryptKeyInterface $privateKey): void {
|
||||
// We use a general-purpose component to build JWT tokens, so there is no need to keep the key
|
||||
}
|
||||
|
||||
public function getExpiryDateTime(): DateTimeImmutable {
|
||||
$expiryTime = $this->parentGetExpiryDateTime();
|
||||
if ($this->hasScope(PublicScopeRepository::CHANGE_SKIN) || $this->hasScope(Permissions::OBTAIN_ACCOUNT_EMAIL)) {
|
||||
$expiryTime = min($expiryTime, CarbonImmutable::now()->addHour());
|
||||
}
|
||||
|
||||
return $expiryTime;
|
||||
}
|
||||
|
||||
private function hasScope(string $scopeIdentifier): bool {
|
||||
foreach ($this->getScopes() as $scope) {
|
||||
if ($scope->getIdentifier() === $scopeIdentifier) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\OAuth2\Entities;
|
||||
|
||||
use Carbon\CarbonImmutable;
|
||||
use DateTimeImmutable;
|
||||
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
|
||||
use League\OAuth2\Server\Entities\Traits\EntityTrait;
|
||||
use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
|
||||
|
||||
class RefreshTokenEntity implements RefreshTokenEntityInterface {
|
||||
use EntityTrait;
|
||||
use RefreshTokenTrait;
|
||||
|
||||
/**
|
||||
* We don't rotate refresh tokens, so that to always pass validation in the internal validator
|
||||
* of the oauth2 server implementation we set the lifetime as far as possible.
|
||||
*
|
||||
* In 2038 this may cause problems, but I am sure that by then this code, if it still works,
|
||||
* will be rewritten several times and the problem will be solved in a completely different way.
|
||||
*
|
||||
* @return DateTimeImmutable
|
||||
*/
|
||||
public function getExpiryDateTime(): DateTimeImmutable {
|
||||
return CarbonImmutable::create(2038, 11, 11, 22, 13, 0, 'Europe/Minsk');
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user