Set access tokens TTL depending on the requested scopes

This commit is contained in:
ErickSkrauch 2019-12-06 19:07:08 +03:00
parent f0a73f2b7a
commit efb97a2006
4 changed files with 41 additions and 5 deletions

View File

@ -25,7 +25,7 @@ class Component extends BaseComponent {
$authCodesRepo = new Repositories\AuthCodeRepository(); $authCodesRepo = new Repositories\AuthCodeRepository();
$refreshTokensRepo = new Repositories\RefreshTokenRepository(); $refreshTokensRepo = new Repositories\RefreshTokenRepository();
$accessTokenTTL = CarbonInterval::day(); $accessTokenTTL = CarbonInterval::days(2);
$authServer = new AuthorizationServer( $authServer = new AuthorizationServer(
$clientsRepo, $clientsRepo,

View File

@ -4,6 +4,8 @@ declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace api\components\OAuth2\Entities;
use api\components\OAuth2\Repositories\PublicScopeRepository; use api\components\OAuth2\Repositories\PublicScopeRepository;
use api\rbac\Permissions;
use Carbon\CarbonImmutable;
use DateTimeImmutable; use DateTimeImmutable;
use League\OAuth2\Server\CryptKeyInterface; use League\OAuth2\Server\CryptKeyInterface;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
@ -43,8 +45,22 @@ class AccessTokenEntity implements AccessTokenEntityInterface {
} }
public function getExpiryDateTime(): DateTimeImmutable { public function getExpiryDateTime(): DateTimeImmutable {
// TODO: extend token life depending on scopes list $expiryTime = $this->parentGetExpiryDateTime();
return $this->parentGetExpiryDateTime(); if ($this->hasScope(PublicScopeRepository::CHANGE_SKIN) || $this->hasScope(Permissions::OBTAIN_ACCOUNT_EMAIL)) {
$expiryTime = min($expiryTime, CarbonImmutable::now()->addHour());
}
return $expiryTime;
}
private function hasScope(string $scopeIdentifier): bool {
foreach ($this->getScopes() as $scope) {
if ($scope->getIdentifier() === $scopeIdentifier) {
return true;
}
}
return false;
} }
} }

View File

@ -12,8 +12,8 @@ use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
class PublicScopeRepository implements ScopeRepositoryInterface { class PublicScopeRepository implements ScopeRepositoryInterface {
public const OFFLINE_ACCESS = 'offline_access'; public const OFFLINE_ACCESS = 'offline_access';
public const CHANGE_SKIN = 'change_skin';
private const CHANGE_SKIN = 'change_skin';
private const ACCOUNT_INFO = 'account_info'; private const ACCOUNT_INFO = 'account_info';
private const ACCOUNT_EMAIL = 'account_email'; private const ACCOUNT_EMAIL = 'account_email';

View File

@ -5,6 +5,8 @@ namespace api\tests\unit\components\OAuth2\Entities;
use api\components\OAuth2\Entities\AccessTokenEntity; use api\components\OAuth2\Entities\AccessTokenEntity;
use api\tests\unit\TestCase; use api\tests\unit\TestCase;
use DateInterval;
use DateTimeImmutable;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
@ -17,7 +19,7 @@ class AccessTokenEntityTest extends TestCase {
$entity = new AccessTokenEntity(); $entity = new AccessTokenEntity();
$entity->setClient($client); $entity->setClient($client);
$entity->setExpiryDateTime(new \DateTimeImmutable()); $entity->setExpiryDateTime(new DateTimeImmutable());
$entity->addScope($this->createScopeEntity('first')); $entity->addScope($this->createScopeEntity('first'));
$entity->addScope($this->createScopeEntity('second')); $entity->addScope($this->createScopeEntity('second'));
$entity->addScope($this->createScopeEntity('offline_access')); $entity->addScope($this->createScopeEntity('offline_access'));
@ -33,6 +35,24 @@ class AccessTokenEntityTest extends TestCase {
$this->assertSame('offline_access', $scopes[2]->getIdentifier()); $this->assertSame('offline_access', $scopes[2]->getIdentifier());
} }
public function testGetExpiryDateTime() {
$initialExpiry = (new DateTimeImmutable())->add(new DateInterval('P1D'));
$entity = new AccessTokenEntity();
$entity->setExpiryDateTime($initialExpiry);
$this->assertSame($initialExpiry, $entity->getExpiryDateTime());
$entity = new AccessTokenEntity();
$entity->setExpiryDateTime($initialExpiry);
$entity->addScope($this->createScopeEntity('change_skin'));
$this->assertEqualsWithDelta(time() + 60 * 60, $entity->getExpiryDateTime()->getTimestamp(), 5);
$entity = new AccessTokenEntity();
$entity->setExpiryDateTime($initialExpiry);
$entity->addScope($this->createScopeEntity('obtain_account_email'));
$this->assertEqualsWithDelta(time() + 60 * 60, $entity->getExpiryDateTime()->getTimestamp(), 5);
}
private function createScopeEntity(string $id): ScopeEntityInterface { private function createScopeEntity(string $id): ScopeEntityInterface {
/** @var ScopeEntityInterface|\PHPUnit\Framework\MockObject\MockObject $entity */ /** @var ScopeEntityInterface|\PHPUnit\Framework\MockObject\MockObject $entity */
$entity = $this->createMock(ScopeEntityInterface::class); $entity = $this->createMock(ScopeEntityInterface::class);