Merge pull request #444 from juliangut/secure_body_params_access

V5 - Secure access to body params
This commit is contained in:
Alex Bilbie 2016-03-10 17:47:20 +00:00
commit 2b2d4a3df7
2 changed files with 37 additions and 30 deletions


@ -276,7 +276,9 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null) protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null)
{ {
return (isset($request->getParsedBody()[$parameter])) ? $request->getParsedBody()[$parameter] : $default; $requestParameters = (array) $request->getParsedBody();
return isset($requestParameters[$parameter]) ? $requestParameters[$parameter] : $default;
} }
/** /**
@ -290,7 +292,7 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
protected function getQueryStringParameter($parameter, ServerRequestInterface $request, $default = null) protected function getQueryStringParameter($parameter, ServerRequestInterface $request, $default = null)
{ {
return (isset($request->getQueryParams()[$parameter])) ? $request->getQueryParams()[$parameter] : $default; return isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : $default;
} }
/** /**
@ -304,13 +306,13 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
protected function getCookieParameter($parameter, ServerRequestInterface $request, $default = null) protected function getCookieParameter($parameter, ServerRequestInterface $request, $default = null)
{ {
return (isset($request->getCookieParams()[$parameter])) ? $request->getCookieParams()[$parameter] : $default; return isset($request->getCookieParams()[$parameter]) ? $request->getCookieParams()[$parameter] : $default;
} }
/** /**
* Retrieve server parameter. * Retrieve server parameter.
* *
* @param string|array $parameter * @param string $parameter
* @param \Psr\Http\Message\ServerRequestInterface $request * @param \Psr\Http\Message\ServerRequestInterface $request
* @param mixed $default * @param mixed $default
* *
@ -318,7 +320,7 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
protected function getServerParameter($parameter, ServerRequestInterface $request, $default = null) protected function getServerParameter($parameter, ServerRequestInterface $request, $default = null)
{ {
return (isset($request->getServerParams()[$parameter])) ? $request->getServerParams()[$parameter] : $default; return isset($request->getServerParams()[$parameter]) ? $request->getServerParams()[$parameter] : $default;
} }
/** /**
@ -440,7 +442,11 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
public function canRespondToRequest(ServerRequestInterface $request) public function canRespondToRequest(ServerRequestInterface $request)
{ {
return isset($request->getParsedBody()['grant_type']) $requestParameters = (array) $request->getParsedBody();
&& $request->getParsedBody()['grant_type'] === $this->getIdentifier();
return (
array_key_exists('grant_type', $requestParameters)
&& $requestParameters['grant_type'] === $this->getIdentifier()
);
} }
} }
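Review bot: The `(array) $request->getParsedBody()` cast in getRequestParameter and canRespondToRequest accepts any body shape without complaint: an object with non-public properties yields mangled (null-byte-prefixed) keys, and a scalar body becomes index 0, so a misconfigured body parser now fails quietly where the old code would have errored loudly. Since PSR-7 only permits null, array or object here, I would make that explicit so the intent is reviewable, e.g. `$body = $request->getParsedBody();` followed by `$requestParameters = is_array($body) ? $body : (is_object($body) ? get_object_vars($body) : []);`, with a comment noting that `get_object_vars` covers the `json_decode`-to-stdClass case. Separately, getRequestParameter returns whatever is stored under the key with no type check, so a request like `client_id[]=x` hands an array to callers that, from the names, presumably compare against strings; the strict `===` in canRespondToRequest is safe, but callers of getRequestParameter are outside this hunk and may not be. A minor inconsistency: canRespondToRequest uses `array_key_exists` while the three sibling getters use `isset`; the difference only matters for a null value, which can never equal the identifier, so either is fine but one convention would be clearer.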


@ -289,29 +289,6 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
return $responseType; return $responseType;
} }
/**
* {@inheritdoc}
*/
public function canRespondToRequest(ServerRequestInterface $request)
{
return
(
isset($request->getQueryParams()['response_type'])
&& $request->getQueryParams()['response_type'] === 'code'
&& isset($request->getQueryParams()['client_id'])
) || (parent::canRespondToRequest($request));
}
/**
* Return the grant identifier that can be used in matching up requests.
*
* @return string
*/
public function getIdentifier()
{
return 'authorization_code';
}
/** /**
* {@inheritdoc} * {@inheritdoc}
*/ */
@ -329,4 +306,28 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL); return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
} }
/**
* {@inheritdoc}
*/
public function canRespondToRequest(ServerRequestInterface $request)
{
return
(
array_key_exists('response_type', $request->getQueryParams())
&& $request->getQueryParams()['response_type'] === 'code'
&& isset($request->getQueryParams()['client_id'])
)
|| parent::canRespondToRequest($request);
}
/**
* Return the grant identifier that can be used in matching up requests.
*
* @return string
*/
public function getIdentifier()
{
return 'authorization_code';
}
} }
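Review bot: The rewritten canRespondToRequest checks `response_type` with `array_key_exists` but `client_id` with `isset` in the same expression, which reads as if the two keys deserve different null handling when they do not (a null `response_type` fails the `=== 'code'` test anyway, and URL query parsing produces `''` rather than null for a bare key). I would use one form for both; given the parent class exposes a `getQueryStringParameter` helper, something like `$this->getQueryStringParameter('response_type', $request) === 'code' && $this->getQueryStringParameter('client_id', $request) !== null` would also avoid calling `getQueryParams()` three times, assuming AbstractAuthorizeGrant inherits that helper, which is not visible in this section. The rest of the section is a move of canRespondToRequest and getIdentifier to the end of the class with no other change.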