From d8ece093d5440ccec1d4145ae7a1faad95e8d84f Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Sat, 4 Feb 2017 14:48:40 -0500 Subject: [PATCH 01/22] Add hasRedirect() method for OAuthServerException Resolves #694. --- src/Exception/OAuthServerException.php | 13 +++++++++++++ tests/ExceptionTest.php | 17 +++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 tests/ExceptionTest.php diff --git a/src/Exception/OAuthServerException.php b/src/Exception/OAuthServerException.php index 6ffa0fb1..30007be7 100644 --- a/src/Exception/OAuthServerException.php +++ b/src/Exception/OAuthServerException.php @@ -273,6 +273,19 @@ class OAuthServerException extends \Exception return $headers; } + /** + * Returns whether the exception includes a redirect, since + * getHttpStatusCode() doesn't return a 302 when there's a + * redirect enabled. This helps when you want to override local + * error pages but want to let redirects through. + * + * @return bool + */ + public function hasRedirect() + { + return $this->redirectUri !== null; + } + /** * Returns the HTTP status code to send when the exceptions is output. * diff --git a/tests/ExceptionTest.php b/tests/ExceptionTest.php new file mode 100644 index 00000000..2d77118e --- /dev/null +++ b/tests/ExceptionTest.php @@ -0,0 +1,17 @@ +assertFalse($exceptionWithoutRedirect->hasRedirect()); + + $exceptionWithRedirect = OAuthServerException::accessDenied('some hint', 'https://example.com/error'); + $this->assertTrue($exceptionWithRedirect->hasRedirect()); + } +} \ No newline at end of file From 9941a96feba4d4e8d793816194bc4ba1004ee620 Mon Sep 17 00:00:00 2001 From: Martin Dzibela Date: Tue, 22 May 2018 14:13:20 +0200 Subject: [PATCH 02/22] Fix uncaught exception produced by unsigned token --- src/AuthorizationValidators/BearerTokenValidator.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
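Review bot: The new `hasRedirect()` in the OAuthServerException hunk is declared without a return type, although the series already relies on PHP 7 scalar types (`string $redirectUri` in `validateRedirectUri`), so `public function hasRedirect(): bool` would make the contract explicit for callers that use it to decide whether to override an error page. The check is `$this->redirectUri !== null`, so an empty-string redirect URI would also report a redirect; whether the constructor can ever store an empty string is not visible here, and if it can, normalising it to null there (or testing `!== ''` as well) would avoid reporting a redirect the caller cannot actually perform. The enclosing class starts and ends outside the hunk.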
diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php index 6f299ce4..2efa3c8e 100644 --- a/src/AuthorizationValidators/BearerTokenValidator.php +++ b/src/AuthorizationValidators/BearerTokenValidator.php @@ -65,8 +65,12 @@ class BearerTokenValidator implements AuthorizationValidatorInterface try { // Attempt to parse and validate the JWT $token = (new Parser())->parse($jwt); - if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) { - throw OAuthServerException::accessDenied('Access token could not be verified'); + try { + if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) { + throw OAuthServerException::accessDenied('Access token could not be verified'); + } + } catch (\BadMethodCallException $exception) { + throw OAuthServerException::accessDenied('Access token is not signed'); } // Ensure access token hasn't expired From 02609c37ccdfb781970e57a801ee0b280c2d1780 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Tue, 22 May 2018 18:10:19 +0100 Subject: [PATCH 03/22] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3f974a7..d657b746 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Fixed +- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904) + ## [7.1.1] - released 2018-05-21 ### Fixed From ae4ab26aaf078c3933f2602687d1f19adc3ea682 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 24 May 2018 12:19:55 +0100 Subject: [PATCH 04/22] Add test for unsigned access token --- .../BearerTokenValidatorTest.php | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 tests/AuthorizationValidators/BearerTokenValidatorTest.php 
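Review bot: The added `catch (\BadMethodCallException $exception)` encodes a third-party detail — that `Token::verify()` throws that exception for a token carrying no signature — without saying so, so a later reader cannot tell whether the catch is deliberate or a mistaken class. A comment on the catch, `// lcobucci/jwt's verify() throws BadMethodCallException when the token has no signature; deny it here rather than let it surface as an unhandled error`, records why an unsigned token must end in accessDenied. The caught `$exception` is otherwise unused, which is acceptable, but the nested try inside the outer try is the less obvious shape; the outer catch clauses belong to `validateAuthorization()`, which starts and ends outside the hunk, so it is worth confirming that the OAuthServerException thrown from the inner block is not caught and rewrapped by them.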
diff --git a/tests/AuthorizationValidators/BearerTokenValidatorTest.php b/tests/AuthorizationValidators/BearerTokenValidatorTest.php new file mode 100644 index 00000000..5690c9a9 --- /dev/null +++ b/tests/AuthorizationValidators/BearerTokenValidatorTest.php @@ -0,0 +1,41 @@ +getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(); + + $bearerTokenValidator = new BearerTokenValidator($accessTokenRepositoryMock); + $bearerTokenValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key')); + + $unsignedJwt = (new Builder()) + ->setAudience('client-id') + ->setId('token-id', true) + ->setIssuedAt(time()) + ->setNotBefore(time()) + ->setExpiration(time()) + ->setSubject('user-id') + ->set('scopes', 'scope1 scope2 scope3 scope4') + ->getToken(); + + $request = new ServerRequest(); + $request = $request->withHeader('authorization', sprintf('Bearer %s', $unsignedJwt)); + + $bearerTokenValidator->validateAuthorization($request); + } +} From 72ead2e3ce39fbe0055b7b24c572e858193e52eb Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 24 May 2018 12:23:26 +0100 Subject: [PATCH 05/22] Fix unused use statement --- tests/AuthorizationValidators/BearerTokenValidatorTest.php | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/AuthorizationValidators/BearerTokenValidatorTest.php b/tests/AuthorizationValidators/BearerTokenValidatorTest.php index 5690c9a9..801846cb 100644 --- a/tests/AuthorizationValidators/BearerTokenValidatorTest.php +++ b/tests/AuthorizationValidators/BearerTokenValidatorTest.php @@ -3,7 +3,6 @@ namespace LeagueTests\AuthorizationValidators; use Lcobucci\JWT\Builder; -use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator; use League\OAuth2\Server\CryptKey; use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface; From 68c9fbd83c2fa85f37ef98fcfe30d1c23edaf228 Mon Sep 17 00:00:00 2001 
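Review bot: The unsigned-token test builds its JWT with `->setExpiration(time())`, so the token is also already expired when it reaches `validateAuthorization()`, and the start of the hunk (including whatever exception expectation precedes `getMockBuilder`) is lost in this rendering; as written the test cannot tell the "not signed" path apart from the expiry path if the order of checks ever changes. Use a future expiry, `->setExpiration(time() + 3600)`, and assert the hint of the thrown OAuthServerException (its `getHint()` value, `'Access token is not signed'`) so the test pins the signature check specifically. The stub at `tests/Stubs/public.key` is referenced but not part of this series, so its presence is assumed.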
From: Andrew Millington Date: Fri, 25 May 2018 09:53:59 +0100 Subject: [PATCH 06/22] Add a summary for hasRedirect function --- src/Exception/OAuthServerException.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Exception/OAuthServerException.php b/src/Exception/OAuthServerException.php index 4bf3cb33..2c7bc28b 100644 --- a/src/Exception/OAuthServerException.php +++ b/src/Exception/OAuthServerException.php @@ -304,6 +304,8 @@ class OAuthServerException extends \Exception } /** + * Check if the exception has an associated redirect URI. + * * Returns whether the exception includes a redirect, since * getHttpStatusCode() doesn't return a 302 when there's a * redirect enabled. This helps when you want to override local From e4a7fea834bd3b0af06bd18e9eba0dbf41ac1c97 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Fri, 25 May 2018 10:00:21 +0100 Subject: [PATCH 07/22] Move OAuthServerExceptionTest to appropriate folder --- .../OAuthServerExceptionTest.php} | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) rename tests/{ExceptionTest.php => Exception/OAuthServerExceptionTest.php} (72%) diff --git a/tests/ExceptionTest.php b/tests/Exception/OAuthServerExceptionTest.php similarity index 72% rename from tests/ExceptionTest.php rename to tests/Exception/OAuthServerExceptionTest.php index 2d77118e..976362e3 100644 --- a/tests/ExceptionTest.php +++ b/tests/Exception/OAuthServerExceptionTest.php @@ -1,17 +1,23 @@ assertFalse($exceptionWithoutRedirect->hasRedirect()); - $exceptionWithRedirect = OAuthServerException::accessDenied('some hint', 'https://example.com/error'); + $this->assertTrue($exceptionWithRedirect->hasRedirect()); } -} \ No newline at end of file + + public function testDoesNotHaveRedirect() + { + $exceptionWithoutRedirect = OAuthServerException::accessDenied('Some hint'); + + $this->assertFalse($exceptionWithoutRedirect->hasRedirect()); + } +} From 3614f8bd7c385f642e003cd9190595b4642cf31d Mon Sep 17 00:00:00 2001 
From: Andrew Millington Date: Fri, 25 May 2018 10:03:58 +0100 Subject: [PATCH 08/22] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d657b746..3d36285c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Added +- Function `hasRedirect()` added to `OAuthServerException` (PR #703) + ### Fixed - Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904) From a571e2262b4316183868a8811d3a7ea774fd14c9 Mon Sep 17 00:00:00 2001 From: Ilya Bulakh Date: Mon, 4 Jun 2018 16:32:02 +0300 Subject: [PATCH 09/22] Update CryptTrait.php --- src/CryptTrait.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/CryptTrait.php b/src/CryptTrait.php index c9a6d7a6..07ca0044 100644 --- a/src/CryptTrait.php +++ b/src/CryptTrait.php @@ -1,6 +1,6 @@ * @copyright Copyright (c) Alex Bilbie @@ -22,7 +22,7 @@ trait CryptTrait protected $encryptionKey; /** - * Encrypt data with a private key. + * Encrypt data with encryptionKey. * * @param string $unencryptedData * @@ -44,7 +44,7 @@ trait CryptTrait } /** - * Decrypt data with a public key. + * Decrypt data with encryptionKey. * * @param string $encryptedData * From 09bf98892262da4b6ef11e08fdd45d89683e00f5 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Tue, 5 Jun 2018 10:34:12 +0100 Subject: [PATCH 10/22] Add capital letter to start of class doc summary --- src/CryptTrait.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/CryptTrait.php b/src/CryptTrait.php index 07ca0044..672c7e2e 100644 --- a/src/CryptTrait.php +++ b/src/CryptTrait.php @@ -1,6 +1,6 @@ * @copyright Copyright (c) Alex Bilbie From a339d99135c4576cad8c69dd5d2f6e4e571dd7b7 Mon Sep 17 00:00:00 2001 
From: Andrew Millington Date: Fri, 8 Jun 2018 11:19:27 +0100 Subject: [PATCH 11/22] Change sentence --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e4d90f46..4d5fd215 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ The following versions of PHP are supported: The `openssl` extension is also required. -All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability between other packages and frameworks. +All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability with other packages and frameworks. ## Installation From e36ff17ad9ed91b8401302766446474cbe76e17d Mon Sep 17 00:00:00 2001 From: Ilya Bulah Date: Thu, 14 Jun 2018 17:59:09 +0300 Subject: [PATCH 12/22] Fix psr2 --- src/Grant/AbstractGrant.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php index 79a1ac47..30061d60 100644 --- a/src/Grant/AbstractGrant.php +++ b/src/Grant/AbstractGrant.php @@ -196,14 +196,12 @@ abstract class AbstractGrant implements GrantTypeInterface // If a redirect URI is provided ensure it matches what is pre-registered $redirectUri = $this->getRequestParameter('redirect_uri', $request, null); if ($redirectUri !== null) { - if ( - is_string($client->getRedirectUri()) + if (is_string($client->getRedirectUri()) && (strcmp($client->getRedirectUri(), $redirectUri) !== 0) ) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); throw OAuthServerException::invalidClient(); - } elseif ( - is_array($client->getRedirectUri()) + } elseif (is_array($client->getRedirectUri()) && in_array($redirectUri, $client->getRedirectUri(), true) === false ) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); 
From 0d20c755d40bbfc39556f742ae585bd4862a2684 Mon Sep 17 00:00:00 2001 From: Ilya Bulah Date: Thu, 14 Jun 2018 23:33:58 +0300 Subject: [PATCH 13/22] Formatting --- src/Grant/ImplicitGrant.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php index b4157883..51a2f32c 100644 --- a/src/Grant/ImplicitGrant.php +++ b/src/Grant/ImplicitGrant.php @@ -118,6 +118,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant $request, $this->getServerParameter('PHP_AUTH_USER', $request) ); + if (is_null($clientId)) { throw OAuthServerException::invalidRequest('client_id'); } @@ -135,6 +136,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant } $redirectUri = $this->getQueryStringParameter('redirect_uri', $request); + if ($redirectUri !== null) { if ( is_string($client->getRedirectUri()) From a31bc7d4cc6bf9e1832fcd46b020d54ac54b1133 Mon Sep 17 00:00:00 2001 From: Ilya Bulah Date: Thu, 14 Jun 2018 23:12:32 +0300 Subject: [PATCH 14/22] Extract validateRedirectUri() --- src/Grant/AbstractGrant.php | 44 +++++++++++++++++++++++++++---------- src/Grant/AuthCodeGrant.php | 14 +----------- src/Grant/ImplicitGrant.php | 14 +----------- 3 files changed, 34 insertions(+), 38 deletions(-) diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php index 30061d60..6fb621f6 100644 --- a/src/Grant/AbstractGrant.php +++ b/src/Grant/AbstractGrant.php 
@@ -193,25 +193,45 @@ abstract class AbstractGrant implements GrantTypeInterface throw OAuthServerException::invalidClient(); } - // If a redirect URI is provided ensure it matches what is pre-registered $redirectUri = $this->getRequestParameter('redirect_uri', $request, null); + if ($redirectUri !== null) { - if (is_string($client->getRedirectUri()) - && (strcmp($client->getRedirectUri(), $redirectUri) !== 0) - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } elseif (is_array($client->getRedirectUri()) - && in_array($redirectUri, $client->getRedirectUri(), true) === false - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } + $this->validateRedirectUri($redirectUri, $client, $request); } return $client; } + /** + * Validate redirectUri from the request. + * If a redirect URI is provided ensure it matches what is pre-registered + * + * @param string $redirectUri + * @param ClientEntityInterface $client + * @param ServerRequestInterface $request + * + * @throws OAuthServerException + * + * @return void + */ + protected function validateRedirectUri( + string $redirectUri, + ClientEntityInterface $client, + ServerRequestInterface $request + ) { + if (is_string($client->getRedirectUri()) + && (strcmp($client->getRedirectUri(), $redirectUri) !== 0) + ) { + $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); + throw OAuthServerException::invalidClient(); + } elseif (is_array($client->getRedirectUri()) + && in_array($redirectUri, $client->getRedirectUri(), true) === false + ) { + $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); + throw OAuthServerException::invalidClient(); + } + } + /** * Validate scopes in the request. * 
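Review bot: `validateRedirectUri()` only throws when `$client->getRedirectUri()` is a string that differs or an array that does not contain `$redirectUri`; for any other value (for example null from a client entity with no registered URI, if the ClientEntityInterface implementation allows that) the method returns normally and the supplied redirect_uri is accepted unchecked. Because the same method now serves the AuthCodeGrant and ImplicitGrant callers in the next two hunks as well as validateClient, restructuring it so that an unrecognised registered value fails closed would remove that gap; which callers can reach it with such a client, and whether any grant legitimately accepts a redirect_uri for a client without a registered one, depends on code outside the hunk and needs confirming first. Hoisting `getRedirectUri()` into a local also avoids calling it up to four times, and the docblock could state the policy in one line: `Reject the request unless the supplied redirect URI exactly matches a pre-registered one.` The `@return void` tag on a method with no return declaration is noise (dropped later in the series), and the enclosing class continues outside the hunk.

```php
    protected function validateRedirectUri(
        string $redirectUri,
        ClientEntityInterface $client,
        ServerRequestInterface $request
    ) {
        $registered = $client->getRedirectUri();

        if (is_string($registered)) {
            $valid = strcmp($registered, $redirectUri) === 0;
        } elseif (is_array($registered)) {
            $valid = in_array($redirectUri, $registered, true);
        } else {
            // Fail closed: nothing usable is registered, so nothing can match.
            $valid = false;
        }

        if ($valid === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient();
        }
    }
```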
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php index 80e1cd0f..cfa8309b 100644 --- a/src/Grant/AuthCodeGrant.php +++ b/src/Grant/AuthCodeGrant.php @@ -242,19 +242,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant $redirectUri = $this->getQueryStringParameter('redirect_uri', $request); if ($redirectUri !== null) { - if ( - is_string($client->getRedirectUri()) - && (strcmp($client->getRedirectUri(), $redirectUri) !== 0) - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } elseif ( - is_array($client->getRedirectUri()) - && in_array($redirectUri, $client->getRedirectUri(), true) === false - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } + $this->validateRedirectUri($redirectUri, $client, $request); } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1 || empty($client->getRedirectUri())) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php index 51a2f32c..9810c30a 100644 --- a/src/Grant/ImplicitGrant.php +++ b/src/Grant/ImplicitGrant.php 
@@ -138,19 +138,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant $redirectUri = $this->getQueryStringParameter('redirect_uri', $request); if ($redirectUri !== null) { - if ( - is_string($client->getRedirectUri()) - && (strcmp($client->getRedirectUri(), $redirectUri) !== 0) - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } elseif ( - is_array($client->getRedirectUri()) - && in_array($redirectUri, $client->getRedirectUri(), true) === false - ) { - $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidClient(); - } + $this->validateRedirectUri($redirectUri, $client, $request); } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1 || empty($client->getRedirectUri())) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); From 224763cda662f17be7f34b5a236d6466f2bbda74 Mon Sep 17 00:00:00 2001 From: Ilya Bulah Date: Fri, 15 Jun 2018 00:06:33 +0300 Subject: [PATCH 15/22] Fix docblock --- src/Grant/AbstractGrant.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php index 6fb621f6..99f1626a 100644 --- a/src/Grant/AbstractGrant.php +++ b/src/Grant/AbstractGrant.php @@ -206,13 +206,11 @@ abstract class AbstractGrant implements GrantTypeInterface * Validate redirectUri from the request. * If a redirect URI is provided ensure it matches what is pre-registered * - * @param string $redirectUri - * @param ClientEntityInterface $client + * @param string $redirectUri + * @param ClientEntityInterface $client * @param ServerRequestInterface $request * * @throws OAuthServerException - * - * @return void */ protected function validateRedirectUri( string $redirectUri, From 614bba2c11e9dda5a3ed5bc9597230d8c89066d6 Mon Sep 17 00:00:00 2001 
From: Ilya Bulah Date: Fri, 15 Jun 2018 15:57:01 +0300 Subject: [PATCH 16/22] update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d36285c..e2fe02fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Changed +- Refactoring: extracted `validateRedirectUri` method to remove 3 code duplicates (PR #912) + ### Added - Function `hasRedirect()` added to `OAuthServerException` (PR #703) From ffffc4bfebce693401e3c261f39ed2f339751c3e Mon Sep 17 00:00:00 2001 From: Erik van Velzen Date: Thu, 21 Jun 2018 17:02:01 +0200 Subject: [PATCH 17/22] Allow 640 as key file permisions --- src/CryptKey.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/CryptKey.php b/src/CryptKey.php index efc5f5e8..98b53222 100644 --- a/src/CryptKey.php +++ b/src/CryptKey.php @@ -48,7 +48,7 @@ class CryptKey if ($keyPermissionsCheck === true) { // Verify the permissions of the key $keyPathPerms = decoct(fileperms($keyPath) & 0777); - if (in_array($keyPathPerms, ['400', '440', '600', '660'], true) === false) { + if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) { trigger_error(sprintf( 'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s', $keyPath, From f54980da25d69b75388c05db88923ae90c1b0746 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 21 Jun 2018 23:24:13 +0100 Subject: [PATCH 18/22] Update changelog to add PR 917 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2fe02fb..7af55680 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
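Review bot: In the CryptKey hunk the accepted-mode list on the changed line now has five entries, but the notice text two lines below still says "recommend changing to 600 or 660", and nothing states the policy the list encodes, so each new request to add a mode has to be argued from scratch. A comment above the `in_array` would make the intent reviewable: `// Accept owner- or group-readable modes only: no world bits, no execute bits. The trigger_error below is advisory unless an error handler escalates notices.` Every entry is a string produced by `decoct(fileperms($keyPath) & 0777)`, so adding modes as octal strings is the right form, but a 640 key readable by a broad group is only as safe as that group's membership, which this check cannot see. The enclosing method starts and ends outside the hunk.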
@@ -7,7 +7,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Changed -- Refactoring: extracted `validateRedirectUri` method to remove 3 code duplicates (PR #912) +- Added new`validateRedirectUri` method AbstractGrant to remove three instances of code duplication (PR #912) +- Allow 640 as a crypt key file permission (PR #917) ### Added - Function `hasRedirect()` added to `OAuthServerException` (PR #703) From aeb1fe48d3984598aa09ca5052cc6bd5306db1ca Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 23 Jun 2018 17:35:14 +0100 Subject: [PATCH 19/22] Add missing 4.1.6 release to changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7af55680..f6bbd2dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -107,6 +107,10 @@ To address feedback from the security release the following change has been made - Fixed `finalizeScopes` call (Issue #650) +## [4.1.6] - 2016-09-13 + +- Less restrictive on Authorization header check (Issue #652) + ## [5.1.1] - 2016-07-26 - Improved test suite (Issue #614) @@ -419,6 +423,7 @@ Version 5 is a complete code rewrite. [5.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC2...5.0.0 [5.0.0-RC2]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC1...5.0.0-RC2 [5.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...5.0.0-RC1 +[4.1.6]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...4.1.6 [4.1.5]: https://github.com/thephpleague/oauth2-server/compare/4.1.4...4.1.5 [4.1.4]: https://github.com/thephpleague/oauth2-server/compare/4.1.3...4.1.4 [4.1.3]: https://github.com/thephpleague/oauth2-server/compare/4.1.2...4.1.3 From e3ad09d4a21696f8c63af5cf9ec224e877f3608d Mon Sep 17 00:00:00 2001 
From: Andrew Millington Date: Sat, 23 Jun 2018 17:35:51 +0100 Subject: [PATCH 20/22] Update unreleased link in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6bbd2dd..fa8a1cc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -403,7 +403,7 @@ Version 5 is a complete code rewrite. - First major release -[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...HEAD +[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...HEAD [7.1.1]: https://github.com/thephpleague/oauth2-server/compare/7.1.0...7.1.1 [7.1.0]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...7.1.0 [7.0.0]: https://github.com/thephpleague/oauth2-server/compare/6.1.1...7.0.0 From 51b3b415b4ca57650796887559e6fc4bd2387113 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 23 Jun 2018 17:46:19 +0100 Subject: [PATCH 21/22] Update changelog for version 4.1.7 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa8a1cc3..4c60cc4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Fixed - Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904) +## [4.1.7] - released 2018-06-23 + +### Fixed +- Ensure `empty()` function call only contains variable to be compatible with PHP 5.4 (PR #918) + ## [7.1.1] - released 2018-05-21 ### Fixed 
@@ -423,6 +428,7 @@ Version 5 is a complete code rewrite. [5.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC2...5.0.0 [5.0.0-RC2]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC1...5.0.0-RC2 [5.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...5.0.0-RC1 +[4.1.7]: https://github.com/thephpleague/oauth2-server/compare/4.1.6...4.1.7 [4.1.6]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...4.1.6 [4.1.5]: https://github.com/thephpleague/oauth2-server/compare/4.1.4...4.1.5 [4.1.4]: https://github.com/thephpleague/oauth2-server/compare/4.1.3...4.1.4 From 8184f771d43ea7305ddbb893d0daf6f0352ec5fd Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 23 Jun 2018 17:57:59 +0100 Subject: [PATCH 22/22] Update for version 7.2.0 --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c60cc4a..0e9668d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +## [7.2.0] - released 2018-06-23 + ### Changed - Added new`validateRedirectUri` method AbstractGrant to remove three instances of code duplication (PR #912) - Allow 640 as a crypt key file permission (PR #917) @@ -408,7 +410,8 @@ Version 5 is a complete code rewrite. - First major release -[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...HEAD +[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.2.0...HEAD +[7.2.0]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...7.2.0 [7.1.1]: https://github.com/thephpleague/oauth2-server/compare/7.1.0...7.1.1 [7.1.0]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...7.1.0 [7.0.0]: https://github.com/thephpleague/oauth2-server/compare/6.1.1...7.0.0