From 0115c41eeabff40d6981f179c99dadc1715d2daf Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Fri, 12 Feb 2016 13:32:58 +0000
Subject: [PATCH] Numerous bug fixes
---
 examples/public/auth_code.php | 78 ++++++++++++-------
 .../src/Repositories/AuthCodeRepository.php | 42 ++++++++++
 src/Grant/AuthCodeGrant.php | 46 +++++++----
 .../AuthCodeRepositoryInterface.php | 6 +-
 4 files changed, 125 insertions(+), 47 deletions(-)
 create mode 100644 examples/src/Repositories/AuthCodeRepository.php
diff --git a/examples/public/auth_code.php b/examples/public/auth_code.php
index d0e76989..3b2642c0 100644
--- a/examples/public/auth_code.php
+++ b/examples/public/auth_code.php
@@ -1,10 +1,10 @@ enableGrantType($passwordGrant); - // App -$app = new App([Server::class => $server]); +$app = new App([ + Server::class => function () { -$app->any('/authorise', function (Request $request, Response $response) { - if (strtoupper($request->getMethod()) === 'GET') { - $response = $response->withHeader('Set-Cookie', $authCodeGrant->storeOriginalRequestParams) - } + // Init our repositories + $clientRepository = new ClientRepository(); + $scopeRepository = new ScopeRepository(); + $accessTokenRepository = new AccessTokenRepository(); + $userRepository = new UserRepository(); + $refreshTokenRepository = new RefreshTokenRepository(); + $authCodeRepository = new AuthCodeRepository(); + + $privateKeyPath = 'file://' . __DIR__ . '/../private.key'; + $publicKeyPath = 'file://' . __DIR__ . '/../public.key'; + + // Setup the authorization server + $server = new Server( + $clientRepository, + $accessTokenRepository, + $scopeRepository, + $privateKeyPath, + $publicKeyPath + ); + + // Enable the password grant on the server with a token TTL of 1 hour + $server->enableGrantType( + new \League\OAuth2\Server\Grant\AuthCodeGrant( + $authCodeRepository, + $refreshTokenRepository, + $userRepository, + new \DateInterval('PT10M') + ), + new \DateInterval('PT1H') + ); + + return $server; + }, +]); + +$app->any('/authorize', function (Request $request, Response $response) { + /** @var Server $server */ + $server = $this->get(Server::class); + try { + return $server->respondToRequest($request, $response); + } catch (OAuthServerException $e) { + return $e->generateHttpResponse($response); + } catch (\Exception $e) { + return $response->withStatus(500)->write($e->getMessage()); + } }); $app->post('/access_token', function (Request $request, Response $response) { /** @var Server $server */ $server = $this->get(Server::class); try { - return $server->respondToRequest($request); + return $server->respondToRequest($request, $response); } catch (OAuthServerException $e) { - 
return $e->generateHttpResponse();
+ return $e->generateHttpResponse($response);
 } catch (\Exception $e) {
 return $response->withStatus(500)->write($e->getMessage());
 }
diff --git a/examples/src/Repositories/AuthCodeRepository.php b/examples/src/Repositories/AuthCodeRepository.php
new file mode 100644
index 00000000..dd91c749
--- /dev/null
+++ b/examples/src/Repositories/AuthCodeRepository.php
@@ -0,0 +1,42 @@
+authCodeRepository = $authCodeRepository;
+ $this->refreshTokenRepository = $refreshTokenRepository;
 $this->userRepository = $userRepository;
 $this->authCodeTTL = $authCodeTTL;
 $this->pathToLoginTemplate = $pathToLoginTemplate;
@@ -242,6 +250,7 @@ class AuthCodeGrant extends AbstractGrant
 * @param \DateInterval $accessTokenTTL
 *
 * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
+ * @throws \League\OAuth2\Server\Exception\OAuthServerException
 */
 protected function respondToAccessTokenRequest(
 ServerRequestInterface $request,
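Review bot: The new `/authorize` closure's `catch (\Exception $e)` branch writes `$e->getMessage()` straight into the 500 response, so any internal failure may echo file paths or library internals to the browser; the `/access_token` handler in the context lines has the same shape. Prefer logging the message server-side and returning a fixed body, e.g. `error_log($e->getMessage()); return $response->withStatus(500)->write('Internal server error');`. Separately, the comment above `enableGrantType` still reads `// Enable the password grant on the server with a token TTL of 1 hour` while the code now registers `AuthCodeGrant` with a 10-minute code TTL; it should say `// Enable the auth code grant (10 minute code TTL) with an access token TTL of 1 hour`. The hunk header and its first lines appear garbled in this rendering, so the start of the file is not fully visible here.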
@@ -250,37 +259,44 @@ class AuthCodeGrant extends AbstractGrant ) { // Validate request $client = $this->validateClient($request); - $scopes = $this->validateScopes($request, $client); - $encryptedAuthcode = $this->getRequestParameter('code', $request, null); + $encryptedAuthCode = $this->getRequestParameter('code', $request, null); - if ($encryptedAuthcode === null) { + if ($encryptedAuthCode === null) { throw OAuthServerException::invalidRequest('code'); } // Validate the authorization code try { - $authCodePayload = json_decode(KeyCrypt::decrypt($encryptedAuthcode, $this->pathToPrivateKey)); + $authCodePayload = json_decode(KeyCrypt::decrypt($encryptedAuthCode, $this->pathToPrivateKey)); if (time() > $authCodePayload->expire_time) { throw OAuthServerException::invalidRequest('code', 'Authorization code has expired'); } + + if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) { + throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked'); + } + + if ($authCodePayload->client_id !== $client->getIdentifier()) { + throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client'); + } } catch (\LogicException $e) { throw OAuthServerException::invalidRequest('code'); } - $client = new ClientEntity(); - $client->setIdentifier($authCodePayload->client_id); - - // Issue and persist access token + // Issue and persist access + refresh tokens $accessToken = $this->issueAccessToken( $accessTokenTTL, $client, $authCodePayload->user_id, $authCodePayload->scopes ); + $refreshToken = $this->issueRefreshToken($accessToken); $this->accessTokenRepository->persistNewAccessToken($accessToken); + $this->refreshTokenRepository->persistNewRefreshToken($refreshToken); - // Inject access token into response type + // Inject tokens into response type $responseType->setAccessToken($accessToken); + $responseType->setRefreshToken($refreshToken); return $responseType; } 
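Review bot: After the new revocation and client checks pass, the hunk issues the access and refresh tokens but never revokes the consumed code, so the same `code` value can be exchanged repeatedly until `expire_time` passes; `isAuthCodeRevoked` is only read here, never set. Once both tokens are persisted (after `persistNewRefreshToken`), mark the code spent with the repository's revoke method, e.g. `$this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);` (the method documented as "Revoke an auth code" in the last hunk). The decrypted payload is also trusted without checking that `json_decode` returned an object, so a corrupt-but-decryptable ciphertext reaches `->expire_time` on `null` and fails with a notice and a misleading "expired" message rather than a clean `invalidRequest('code')`; a guard such as `if (!is_object($authCodePayload)) { throw OAuthServerException::invalidRequest('code'); }` before the expiry check would keep the failure explicit. The token request's `redirect_uri` is not compared with the one bound to the code, which RFC 6749 §4.1.3 requires when one was sent in the authorization request — hedged, since the payload's fields are not all visible here. The constructor and the start of `respondToAccessTokenRequest` lie outside this hunk.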
diff --git a/src/Repositories/AuthCodeRepositoryInterface.php b/src/Repositories/AuthCodeRepositoryInterface.php
index be341ca0..a6742092 100644
--- a/src/Repositories/AuthCodeRepositoryInterface.php
+++ b/src/Repositories/AuthCodeRepositoryInterface.php
@@ -21,11 +21,9 @@ interface AuthCodeRepositoryInterface extends RepositoryInterface
 /**
 * Persists a new auth code to permanent storage
 *
- * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntityInterface
-
- * @return
+ * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntity
 */
- public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntityInterface);
+ public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
 
 /**
 * Revoke an auth code