Merge branch 'master' of github.com:erickjth/oauth2-server into fix-pkce-implementation
# Conflicts: # src/Grant/AuthCodeGrant.php
commit
4270f5bac1
12
CHANGELOG.md
12
CHANGELOG.md
@ -1,5 +1,17 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 6.0.2 (released 2017-08-03)
|
||||||
|
|
||||||
|
* An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
|
||||||
|
* Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
|
||||||
|
* Fixes invalid code challenge method payload key name (Issue #777)
|
||||||
|
|
||||||
|
## 6.0.1 (released 2017-07-19)
|
||||||
|
|
||||||
|
To address feedback from the security release the following change has been made:
|
||||||
|
|
||||||
|
* If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
|
||||||
|
|
||||||
## 6.0.0 (released 2017-07-01)
|
## 6.0.0 (released 2017-07-01)
|
||||||
|
|
||||||
* Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
|
* Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Thanks for contributing to this project.
|
Thanks for contributing to this project.
|
||||||
|
|
||||||
|
|
||||||
**Please submit your pull request against the `develop` branch only.**
|
**Please submit your pull request against the `master` branch only.**
|
||||||
|
|
||||||
|
|
||||||
Please ensure that you run `phpunit` from the project root after you've made any changes.
|
Please ensure that you run `phpunit` from the project root after you've made any changes.
|
||||||
|
@ -29,8 +29,9 @@ class CryptKey
|
|||||||
/**
|
/**
|
||||||
* @param string $keyPath
|
* @param string $keyPath
|
||||||
* @param null|string $passPhrase
|
* @param null|string $passPhrase
|
||||||
|
* @param bool $keyPermissionsCheck
|
||||||
*/
|
*/
|
||||||
public function __construct($keyPath, $passPhrase = null)
|
public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
|
||||||
{
|
{
|
||||||
if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
|
if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
|
||||||
$keyPath = $this->saveKeyToFile($keyPath);
|
$keyPath = $this->saveKeyToFile($keyPath);
|
||||||
@ -44,20 +45,15 @@ class CryptKey
|
|||||||
throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
|
throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($keyPermissionsCheck === true) {
|
||||||
// Verify the permissions of the key
|
// Verify the permissions of the key
|
||||||
$keyPathPerms = decoct(fileperms($keyPath) & 0777);
|
$keyPathPerms = decoct(fileperms($keyPath) & 0777);
|
||||||
if ($keyPathPerms !== '600') {
|
if (in_array($keyPathPerms, ['600', '660'], true) === false) {
|
||||||
// Attempt to correct the permissions
|
trigger_error(sprintf(
|
||||||
if (chmod($keyPath, 0600) === false) {
|
'Key file "%s" permissions are not correct, should be 600 or 660 instead of %s',
|
||||||
// @codeCoverageIgnoreStart
|
|
||||||
throw new \LogicException(
|
|
||||||
sprintf(
|
|
||||||
'Key file "%s" permissions are not correct, should be 600 instead of %s, unable to automatically resolve the issue',
|
|
||||||
$keyPath,
|
$keyPath,
|
||||||
$keyPathPerms
|
$keyPathPerms
|
||||||
)
|
), E_USER_NOTICE);
|
||||||
);
|
|
||||||
// @codeCoverageIgnoreEnd
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
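Review bot: The `if ($keyPermissionsCheck === true)` guard fails open: any truthy value other than the literal `true` (an `int` `1`, or a string in a config-driven caller, since the file does not declare strict types) silently skips the permissions check, while the old code always ran it. Flipping it to `if ($keyPermissionsCheck !== false) {` keeps the documented opt-out but makes an unexpected value err on the side of checking. Separately, `fileperms()` returns `false` on failure, which `& 0777` turns into `'0'`, so the notice text will report "instead of 0" rather than a stat error; a comment on the `decoct` line such as `// fileperms() === false (stat failure) collapses to '0' here and also trips the notice` would save the next reader a puzzle. Note that execution continues after `trigger_error(..., E_USER_NOTICE)`, so whether a 644 key stops the server now depends on the host's error handler; the `__construct` body starts and ends outside this hunk.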
@ -152,7 +152,7 @@ class OAuthServerException extends \Exception
|
|||||||
*/
|
*/
|
||||||
public static function invalidRefreshToken($hint = null)
|
public static function invalidRefreshToken($hint = null)
|
||||||
{
|
{
|
||||||
return new static('The refresh token is invalid.', 8, 'invalid_request', 400, $hint);
|
return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
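Review bot: The new line pairs HTTP 401 with the unchanged error code `invalid_request`, which is a mismatch a spec-following client will notice: RFC 6749 §5.2 describes an invalid, expired or revoked refresh token as `invalid_grant` with status 400, and reserves 401 for failed client authentication (`invalid_client`). If the 401 is kept deliberately for the reason given in the changelog, the docblock just above (its opening is outside the hunk) should say so, e.g. `* Returns HTTP 401 rather than the RFC 6749 default 400 so that an undecryptable refresh token is treated as an authentication failure (Issue #759).` Otherwise consider `return new static('The refresh token is invalid.', 8, 'invalid_grant', 400, $hint);`.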
@ -200,7 +200,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
$finalRedirectUri,
|
$finalRedirectUri,
|
||||||
[
|
[
|
||||||
'access_token' => (string) $accessToken->convertToJWT($this->privateKey),
|
'access_token' => (string) $accessToken->convertToJWT($this->privateKey),
|
||||||
'token_type' => 'bearer',
|
'token_type' => 'Bearer',
|
||||||
'expires_in' => $accessToken->getExpiryDateTime()->getTimestamp() - (new \DateTime())->getTimestamp(),
|
'expires_in' => $accessToken->getExpiryDateTime()->getTimestamp() - (new \DateTime())->getTimestamp(),
|
||||||
'state' => $authorizationRequest->getState(),
|
'state' => $authorizationRequest->getState(),
|
||||||
],
|
],
|
||||||
|
@ -12,6 +12,7 @@ namespace League\OAuth2\Server\Repositories;
|
|||||||
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||||
|
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Access token interface.
|
* Access token interface.
|
||||||
@ -33,6 +34,8 @@ interface AccessTokenRepositoryInterface extends RepositoryInterface
|
|||||||
* Persists a new access token to permanent storage.
|
* Persists a new access token to permanent storage.
|
||||||
*
|
*
|
||||||
* @param AccessTokenEntityInterface $accessTokenEntity
|
* @param AccessTokenEntityInterface $accessTokenEntity
|
||||||
|
*
|
||||||
|
* @throws UniqueTokenIdentifierConstraintViolationException
|
||||||
*/
|
*/
|
||||||
public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
|
public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
|
||||||
|
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
namespace League\OAuth2\Server\Repositories;
|
namespace League\OAuth2\Server\Repositories;
|
||||||
|
|
||||||
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
|
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
|
||||||
|
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Auth code storage interface.
|
* Auth code storage interface.
|
||||||
@ -27,6 +28,8 @@ interface AuthCodeRepositoryInterface extends RepositoryInterface
|
|||||||
* Persists a new auth code to permanent storage.
|
* Persists a new auth code to permanent storage.
|
||||||
*
|
*
|
||||||
* @param AuthCodeEntityInterface $authCodeEntity
|
* @param AuthCodeEntityInterface $authCodeEntity
|
||||||
|
*
|
||||||
|
* @throws UniqueTokenIdentifierConstraintViolationException
|
||||||
*/
|
*/
|
||||||
public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
|
public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
|
||||||
|
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
namespace League\OAuth2\Server\Repositories;
|
namespace League\OAuth2\Server\Repositories;
|
||||||
|
|
||||||
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
|
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
|
||||||
|
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refresh token interface.
|
* Refresh token interface.
|
||||||
@ -27,6 +28,8 @@ interface RefreshTokenRepositoryInterface extends RepositoryInterface
|
|||||||
* Create a new refresh token_name.
|
* Create a new refresh token_name.
|
||||||
*
|
*
|
||||||
* @param RefreshTokenEntityInterface $refreshTokenEntity
|
* @param RefreshTokenEntityInterface $refreshTokenEntity
|
||||||
|
*
|
||||||
|
* @throws UniqueTokenIdentifierConstraintViolationException
|
||||||
*/
|
*/
|
||||||
public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
|
public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
|
||||||
|
|
||||||
|
@ -26,6 +26,13 @@ use Zend\Diactoros\ServerRequestFactory;
|
|||||||
|
|
||||||
class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
|
class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
|
||||||
{
|
{
|
||||||
|
public function setUp()
|
||||||
|
{
|
||||||
|
// Make sure the keys have the correct permissions.
|
||||||
|
chmod(__DIR__ . '/Stubs/private.key', 0600);
|
||||||
|
chmod(__DIR__ . '/Stubs/public.key', 0600);
|
||||||
|
}
|
||||||
|
|
||||||
public function testRespondToRequestInvalidGrantType()
|
public function testRespondToRequestInvalidGrantType()
|
||||||
{
|
{
|
||||||
$server = new AuthorizationServer(
|
$server = new AuthorizationServer(
|
||||||
|
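Review bot: The two `chmod()` calls in the new `setUp()` discard their return value, so if the checkout sits on a filesystem that ignores mode bits (a mounted volume, or a non-POSIX host) the keys stay at their original mode and the failure only surfaces later as a CryptKey permissions notice inside whichever test constructs the server first. Asserting the result makes the cause explicit: `self::assertTrue(chmod(__DIR__ . '/Stubs/private.key', 0600));` and `self::assertTrue(chmod(__DIR__ . '/Stubs/public.key', 0600));`. The test class continues past the end of this hunk.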