Move code challenge check to auth code request

2025-05-31 14:12:07 +05:30 · 2018-08-13 21:47:53 +01:00
parent 7f2fd7b22c
commit 491852b521
2 changed files with 44 additions and 4 deletions
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -151,7 +151,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

        // Validate code challenge
        if (!empty($authCodePayload->code_challenge)) {
-	        $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);

            if ($codeVerifier === null) {
                throw OAuthServerException::invalidRequest('code_verifier');
@@ -193,8 +193,6 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                    );
                // @codeCoverageIgnoreEnd
            }
-        } else if ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
-            throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
        }

        // Issue and persist access + refresh tokens
@@ -296,7 +294,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

        $authorizationRequest->setScopes($scopes);

-	$codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
+        $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);

        if ($codeChallenge !== null) {
            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
@@ -319,6 +317,8 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

            $authorizationRequest->setCodeChallenge($codeChallenge);
            $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
+        } else if ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
+            throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
        }

        return $authorizationRequest;
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
@@ -1784,4 +1784,44 @@ class AuthCodeGrantTest extends TestCase

        $grant->completeAuthorizationRequest(new AuthorizationRequest());
    }
+
+    public function testPublicClientAuthCodeRequestRejectedWhenCodeChallengeRequiredButNotGiven()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            [],
+            [],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+                'redirect_uri'  => 'http://foo/bar',
+            ]
+        );
+
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
+    }
 }