From c29340ae27c0fc7579719b064387396c307b6edd Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Mon, 4 Aug 2014 09:11:19 +0100
Subject: [PATCH 1/4] Added FizzFuzz requirement
---
composer.json | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 5d40377e..176fcc74 100644
--- a/composer.json
+++ b/composer.json
@@ -13,12 +13,16 @@
 "mockery/mockery": "~0.9",
 "league/phpunit-coverage-listener": "~1.0",
 "squizlabs/php_codesniffer": "1.*",
- "codeception/codeception": "2.0.*"
+ "codeception/codeception": "2.0.*",
+ "alexbilbie/fizzfuzz": "dev-develop"
 },
 "repositories": [
 {
 "type": "git",
 "url": "https://github.com/thephpleague/oauth2-server.git"
+ },{
+ "type": "git",
+ "url": "https://github.com/alexbilbie/fizzfuzz.git"
 }
 ],
 "keywords": [
From 7b9899c46b0c339c95c559da4af422d6d45c60b6 Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Mon, 4 Aug 2014 09:11:44 +0100
Subject: [PATCH 2/4] Removed line break in error messages
---
src/Exception/InvalidGrantException.php | 3 +--
src/Exception/InvalidRequestException.php | 3 +--
src/Exception/ServerErrorException.php | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/Exception/InvalidGrantException.php b/src/Exception/InvalidGrantException.php
index 3b9f5d79..051330e9 100644
--- a/src/Exception/InvalidGrantException.php
+++ b/src/Exception/InvalidGrantException.php
@@ -34,8 +34,7 @@ class InvalidGrantException extends OAuthException
 {
 parent::__construct(
 sprintf(
- 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used
- in the authorization request, or was issued to another client. Check the "%s" parameter.',
+ 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
 $parameter
 )
 );
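Review bot: The new requirement `"alexbilbie/fizzfuzz": "dev-develop"` tracks a moving branch of a personal repository that the same hunk registers as a `git` VCS source, so every install resolves to whatever that branch holds at the time and the build is neither reproducible nor tied to code anyone reviewed. Pin it to a tagged release, or at least to a specific commit with Composer's reference syntax, e.g. `"alexbilbie/fizzfuzz": "dev-develop#<commit-sha>"`, and keep the lock file committed if the project has one so CI installs the same tree. The neighbouring entries (mockery, php_codesniffer, codeception) suggest this is the dev-dependency section, which confines the exposure to CI and developer machines but does not remove it. The added `},{` also departs from the one-object-per-line layout of the existing repository entry; splitting it as `},` / `{` keeps the file consistent.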
diff --git a/src/Exception/InvalidRequestException.php b/src/Exception/InvalidRequestException.php
index d47d6fb4..56dd75df 100644
--- a/src/Exception/InvalidRequestException.php
+++ b/src/Exception/InvalidRequestException.php
@@ -34,8 +34,7 @@ class InvalidRequestException extends OAuthException
 {
 parent::__construct(
 sprintf(
- 'The request is missing a required parameter, includes an invalid parameter value, includes a parameter
- more than once, or is otherwise malformed. Check the "%s" parameter.',
+ 'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
 $parameter
 )
 );
diff --git a/src/Exception/ServerErrorException.php b/src/Exception/ServerErrorException.php
index bdcec4dc..fe5a7df1 100644
--- a/src/Exception/ServerErrorException.php
+++ b/src/Exception/ServerErrorException.php
@@ -31,8 +31,7 @@ class ServerErrorException extends OAuthException
 */
 public function __construct($parameter = null)
 {
- $parameter = is_null($parameter) ? 'The authorization server encountered an unexpected condition which prevented
- it from fulfilling the request.' : $parameter;
+ $parameter = is_null($parameter) ? 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.' : $parameter;
 parent::__construct($parameter);
 }
 }
From ffe59f5a5fcb3c40e60780d12218abc61f7e7869 Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Mon, 4 Aug 2014 09:12:00 +0100
Subject: [PATCH 3/4] Added Fuzz tests
---
tests/fuzz/tokeninfo-no-access-token.yml | 14 +++++++++++
...okeninfo-no-invalid-token-query-string.yml | 14 +++++++++++
tests/fuzz/tokeninfo-no-invalid-token.yml | 18 ++++++++++++++
tests/fuzz/tokeninfo-valid-token.yml | 24 +++++++++++++++++++
4 files changed, 70 insertions(+)
create mode 100644 tests/fuzz/tokeninfo-no-access-token.yml
create mode 100644 tests/fuzz/tokeninfo-no-invalid-token-query-string.yml
create mode 100644 tests/fuzz/tokeninfo-no-invalid-token.yml
create mode 100644 tests/fuzz/tokeninfo-valid-token.yml
diff --git a/tests/fuzz/tokeninfo-no-access-token.yml b/tests/fuzz/tokeninfo-no-access-token.yml
new file mode 100644
index 00000000..15fbc8fa
--- /dev/null
+++ b/tests/fuzz/tokeninfo-no-access-token.yml
@@ -0,0 +1,14 @@
+url: 'http://localhost:8000/api.php/tokeninfo'
+request:
+ method: GET
+response:
+ statusCode: 400
+ headers:
+ Content-type: application/json
+ body:
+ -
+ key: error
+ value: "invalid_request"
+ -
+ key: message
+ value: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter."
\ No newline at end of file
diff --git a/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml b/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml
new file mode 100644
index 00000000..4d60340b
--- /dev/null
+++ b/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml
@@ -0,0 +1,14 @@
+url: 'http://localhost:8000/api.php/tokeninfo?access_token=foobar'
+request:
+ method: GET
+response:
+ statusCode: 400
+ headers:
+ Content-type: application/json
+ body:
+ -
+ key: error
+ value: "invalid_request"
+ -
+ key: message
+ value: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter."
\ No newline at end of file
diff --git a/tests/fuzz/tokeninfo-no-invalid-token.yml b/tests/fuzz/tokeninfo-no-invalid-token.yml
new file mode 100644
index 00000000..30ee8887
--- /dev/null
+++ b/tests/fuzz/tokeninfo-no-invalid-token.yml
@@ -0,0 +1,18 @@
+url: 'http://localhost:8000/api.php/tokeninfo'
+request:
+ method: GET
+ headers:
+ -
+ key: Authorization
+ value: Bearer foobar
+response:
+ statusCode: 401
+ headers:
+ Content-type: application/json
+ body:
+ -
+ key: error
+ value: "access_denied"
+ -
+ key: message
+ value: "The resource owner or authorization server denied the request."
\ No newline at end of file
diff --git a/tests/fuzz/tokeninfo-valid-token.yml b/tests/fuzz/tokeninfo-valid-token.yml
new file mode 100644
index 00000000..d7ec6b3a
--- /dev/null
+++ b/tests/fuzz/tokeninfo-valid-token.yml
@@ -0,0 +1,24 @@
+url: 'http://localhost:8000/api.php/tokeninfo'
+request:
+ method: GET
+ headers:
+ -
+ key: Authorization
+ value: "Bearer iamgod"
+response:
+ statusCode: 200
+ headers:
+ Content-type: application/json
+ body:
+ -
+ key: owner_id
+ value: testclient
+ -
+ key: owner_type
+ value: client
+ -
+ key: access_token
+ value: iamgod
+ -
+ key: client_id
+ value: testclient
\ No newline at end of file
From ac3e7872783e5ed5a3cf3fea8740702bb8cb04a1 Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Mon, 4 Aug 2014 09:12:43 +0100
Subject: [PATCH 4/4] Updated api.php code
---
examples/relational/api.php | 123 ++++++++++++++----------------------
1 file changed, 46 insertions(+), 77 deletions(-)
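Review bot: `tokeninfo-no-invalid-token-query-string.yml` expects a 400 `invalid_request` for a request whose only token is `?access_token=foobar`, so it silently pins the policy that the example API does not consume query-string tokens at all (presumably the no-argument `isValidRequest()` in the api.php commit), yet nothing in the fixture says that this 400-rather-than-401 is deliberate. A leading comment would protect the distinction from a later "fix", e.g. `# The token is only looked for in the Authorization header; a query-string token counts as missing (400), not denied (401).`. `tokeninfo-valid-token.yml` likewise asserts that the bearer token (`iamgod`) is echoed back under `access_token` in the response body; if no consumer needs the credential repeated in the introspection result, dropping that field from the endpoint and this fixture is preferable to cementing it. The name `tokeninfo-no-invalid-token.yml` is a double negative for a case that sends an invalid token; `tokeninfo-invalid-token.yml` would match what it tests.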
diff --git a/examples/relational/api.php b/examples/relational/api.php index 69463f4e..9c1d4a79 100644 --- a/examples/relational/api.php +++ b/examples/relational/api.php @@ -1,7 +1,4 @@ setRequest($request); +// Routing setup +$request = (new Request)->createFromGlobals(); +$router = new \Orno\Route\RouteCollection; -// Check that access token is present -try { - $server->isValidRequest(false); -} catch (\League\OAuth2\Server\Exception\OAuthException $e) { - - foreach ($e->getHttpHeaders() as $header) { - header($header); - } - - echo json_encode([ - 'error' => $e->errorType, - 'message' => $e->getMessage() - ]); - - exit; -} - -// GET /tokeninfo $router->get('/tokeninfo', function (Request $request) use ($server) { $token = [ 
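Review bot: `$request = (new Request)->createFromGlobals();` builds a Request only to call what, in the Symfony-derived HttpFoundation classes this file appears to use, is a static factory; `Request::createFromGlobals()` states the intent and avoids the throwaway instance. The `isValidRequest(false)` call removed here reappears in the next hunk as `isValidRequest()`; if that first argument is the headers-only switch, the example now stops accepting tokens via the query string, which is the safer default (query strings land in access logs and Referer headers) and matches the new query-string fuzz fixture, but the behaviour change should be made explicit, e.g. `// Header-only: tokens passed as ?access_token= are deliberately not accepted.` next to the call. The hunk as shown appears truncated before `setRequest($request);`, so the server construction and the opening of the `/tokeninfo` closure, whose body also continues past the end of this hunk, cannot be reviewed here.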
@@ -62,62 +43,50 @@ $router->get('/tokeninfo', function (Request $request) use ($server) {
 'scopes' => $server->getScopes()
 ];
- return new JsonResponse($token);
+ return new Response(json_encode($token));
 });
-// GET /users
-$router->get('/users', function (Request $request) use ($server) {
-
- $results = (new Model\Users())->get();
-
- $users = [];
-
- foreach ($results as $result) {
- $user = [
- 'username' => $result['username'],
- 'name' => $result['name']
- ];
-
- if ($server->hasScope('email')) {
- $user['email'] = $result['email'];
- }
-
- if ($server->hasScope('photo')) {
- $user['photo'] = $result['photo'];
- }
-
- $users[] = $user;
- }
-
- return new JsonResponse($users);
-});
-
-// GET /users/{username}
-$router->get('/users/{username}', function (Request $request, $args) use ($server) {
-
- $result = (new Model\Users())->get($args['username']);
-
- if (count($result) === 0) {
- throw new NotFoundException();
- }
-
- $user = [
- 'username' => $result[0]['username'],
- 'name' => $result[0]['name']
- ];
-
- if ($server->hasScope('email')) {
- $user['email'] = $result[0]['email'];
- }
-
- if ($server->hasScope('photo')) {
- $user['photo'] = $result[0]['photo'];
- }
-
- return new JsonResponse($user);
-});
-
 $dispatcher = $router->getDispatcher();
-$response = $dispatcher->dispatch($request->getMethod(), $request->getPathInfo());
-$response->send();
+
+try {
+
+ // Check that access token is present
+ $server->isValidRequest();
+
+ // A successful response
+ $response = $dispatcher->dispatch(
+ $request->getMethod(),
+ $request->getPathInfo()
+ );
+
+} catch (\Orno\Http\Exception $e) {
+
+ // A failed response
+ $response = $e->getJsonResponse();
+ $response->setContent(json_encode(['status_code' => $e->getStatusCode(), 'message' => $e->getMessage()]));
+
+} catch (\League\OAuth2\Server\Exception\OAuthException $e) {
+
+ $response = new Response(json_encode([
+ 'error' => $e->errorType,
+ 'message' => $e->getMessage()
+ ]), $e->httpStatusCode);
+
+ foreach ($e->getHttpHeaders() as $header) {
+ $response->headers($header);
+ }
+
+} catch (\Exception $e) {
+
+ $response = new Orno\Http\Response;
+ $response->setStatusCode(500);
+ $response->setContent(json_encode(['status_code' => 500, 'message' => $e->getMessage()]));
+
+} finally {
+
+ // Return the response
+ $response->headers->set('Content-type', 'application/json');
+ $response->send();
+
+}
\ No newline at end of file
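Review bot: `$response->headers($header);` in the `OAuthException` branch calls `headers` as a method, while the `finally` block uses `$response->headers->set(...)`, so `headers` is a property and this line will fail with an undefined-method error the first time an OAuth error is raised, i.e. on every rejected token. The removed code handed each `getHttpHeaders()` entry to `header()`, which suggests they are complete header lines (possibly including a status line) that must be split into name and value before going into the header bag; the status itself is already supplied by `$e->httpStatusCode`. Separately, the `catch (\Exception $e)` branch returns `$e->getMessage()` to the client with a 500, which exposes database errors, file paths and similar internals in an example that people copy; log the message server-side and return a fixed string instead. In the `\Orno\Http\Exception` branch the `setContent(...)` call replaces whatever `getJsonResponse()` already produced, so one of the two is likely redundant.

```php
} catch (\League\OAuth2\Server\Exception\OAuthException $e) {

    $response = new Response(json_encode([
        'error' => $e->errorType,
        'message' => $e->getMessage()
    ]), $e->httpStatusCode);

    // getHttpHeaders() entries were previously passed straight to header(), so they are
    // full "Name: value" lines; a status line has no colon and is covered by httpStatusCode
    foreach ($e->getHttpHeaders() as $header) {
        if (strpos($header, ':') !== false) {
            list($name, $value) = explode(':', $header, 2);
            $response->headers->set(trim($name), trim($value));
        }
    }

} catch (\Exception $e) {

    // Keep internal exception text in the server log, never in the client response
    error_log($e->getMessage());
    $response = new Orno\Http\Response;
    $response->setStatusCode(500);
    $response->setContent(json_encode(['status_code' => 500, 'message' => 'Internal server error']));

// … unchanged: finally block (Content-type header, send()) …
```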