secure params access on authcode grant

2024-12-22 21:19:46 +05:30 · 2016-02-12 18:32:09 +01:00 · 2016-02-12 18:32:09 +01:00 · 2f914a0aa3
commit 2f914a0aa3
parent 95e3c1d1a2
1 changed files with 31 additions and 28 deletions
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@ -307,17 +307,44 @@ class AuthCodeGrant extends AbstractGrant
        return $responseType;
    }

+    /**
+     * @inheritdoc
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        $requestParameters = (array) $request->getParsedBody();
+
+        if (array_key_exists('response_type', $requestParameters)
+            && $requestParameters['response_type'] === 'code'
+            && array_key_exists('client_id', $requestParameters)
+        ) {
+            return $this->respondToAuthorizationRequest($request);
+        } elseif (array_key_exists('grant_type', $requestParameters)
+            && $requestParameters['grant_type'] === $this->getIdentifier()
+        ) {
+            return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
+        } else {
+            throw OAuthServerException::serverError('respondToRequest() should not have been called');
+        }
+    }
+
    /**
     * @inheritdoc
     */
    public function canRespondToRequest(ServerRequestInterface $request)
    {
+        $requestParameters = (array) $request->getParsedBody();
+
        return (
            (
-                isset($request->getQueryParams()['response_type'])
-                && $request->getQueryParams()['response_type'] === 'code'
-                && isset($request->getQueryParams()['client_id'])
-            ) || (parent::canRespondToRequest($request))
+                array_key_exists('response_type', $requestParameters)
+                && $requestParameters['response_type'] === 'code'
+                && array_key_exists('client_id', $requestParameters)
+            )
+            || parent::canRespondToRequest($request)
        );
    }

@ -330,28 +357,4 @@ class AuthCodeGrant extends AbstractGrant
    {
        return 'authorization_code';
    }
-
-    /**
-     * @inheritdoc
-     */
-    public function respondToRequest(
-        ServerRequestInterface $request,
-        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
-    ) {
-        if (
-            isset($request->getQueryParams()['response_type'])
-            && $request->getQueryParams()['response_type'] === 'code'
-            && isset($request->getQueryParams()['client_id'])
-        ) {
-            return $this->respondToAuthorizationRequest($request);
-        } elseif (
-            isset($request->getParsedBody()['grant_type'])
-            && $request->getParsedBody()['grant_type'] === 'authorization_code'
-        ) {
-            return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
-        } else {
-            throw OAuthServerException::serverError('respondToRequest() should not have been called');
-        }
-    }
 }