From 2f914a0aa327a4c553d6941ec303fac02ad2303e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juli=C3=A1n=20Guti=C3=A9rrez?=
Date: Fri, 12 Feb 2016 18:32:09 +0100
Subject: [PATCH] secure params access on authcode grant

---
 src/Grant/AuthCodeGrant.php | 59 +++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 28 deletions(-)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 560b8ad1..010bc482 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -307,17 +307,44 @@ class AuthCodeGrant extends AbstractGrant
         return $responseType;
     }
 
+    /**
+     * @inheritdoc
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        $requestParameters = (array) $request->getParsedBody();
+
+        if (array_key_exists('response_type', $requestParameters)
+            && $requestParameters['response_type'] === 'code'
+            && array_key_exists('client_id', $requestParameters)
+        ) {
+            return $this->respondToAuthorizationRequest($request);
+        } elseif (array_key_exists('grant_type', $requestParameters)
+            && $requestParameters['grant_type'] === $this->getIdentifier()
+        ) {
+            return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
+        } else {
+            throw OAuthServerException::serverError('respondToRequest() should not have been called');
+        }
+    }
+
     /**
      * @inheritdoc
      */
     public function canRespondToRequest(ServerRequestInterface $request)
     {
+        $requestParameters = (array) $request->getParsedBody();
+
         return (
             (
-                isset($request->getQueryParams()['response_type'])
-                && $request->getQueryParams()['response_type'] === 'code'
-                && isset($request->getQueryParams()['client_id'])
-            ) || (parent::canRespondToRequest($request))
+                array_key_exists('response_type', $requestParameters)
+                && $requestParameters['response_type'] === 'code'
+                && array_key_exists('client_id', $requestParameters)
+            )
+                || parent::canRespondToRequest($request)
         );
     }
 
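Review bot: Both branches of the new respondToRequest() sniff the same parsed body and the authorization branch is tested first, so a token request whose POST body also carries `response_type=code` and `client_id` is routed to respondToAuthorizationRequest() instead of the access-token path, and the identical predicate in canRespondToRequest() makes this grant claim such requests. Authorization requests normally reach a separate endpoint via the query string (RFC 6749 §4.1.1) while `grant_type` only appears in token-endpoint bodies, so dispatching on which endpoint or method received the request is safer than on parameter presence; at minimum the `grant_type` check should be the leading branch, e.g. `if (array_key_exists('grant_type', $requestParameters) && $requestParameters['grant_type'] === $this->getIdentifier()) {`. The three-condition authorization predicate is duplicated verbatim in canRespondToRequest() and respondToRequest(); a private `isAuthorizationRequest(array $requestParameters): bool` helper would keep the two in step. Whether respondToAuthorizationRequest() itself still reads the query string is not visible in this hunk and should be confirmed, since a mismatch would leave query-string authorization requests unreachable now that detection happens on the body.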
@@ -330,28 +357,4 @@ class AuthCodeGrant extends AbstractGrant
     {
         return 'authorization_code';
     }
-
-    /**
-     * @inheritdoc
-     */
-    public function respondToRequest(
-        ServerRequestInterface $request,
-        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
-    ) {
-        if (
-            isset($request->getQueryParams()['response_type'])
-            && $request->getQueryParams()['response_type'] === 'code'
-            && isset($request->getQueryParams()['client_id'])
-        ) {
-            return $this->respondToAuthorizationRequest($request);
-        } elseif (
-            isset($request->getParsedBody()['grant_type'])
-            && $request->getParsedBody()['grant_type'] === 'authorization_code'
-        ) {
-            return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
-        } else {
-            throw OAuthServerException::serverError('respondToRequest() should not have been called');
-        }
-    }
 }