mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-12-22 13:09:44 +05:30
Reduce complexity of respondToAccessTokenRequest
This commit is contained in:
parent
b4d88995de
commit
50566cdc87
@ -9,6 +9,7 @@
|
|||||||
|
|
||||||
namespace League\OAuth2\Server\Grant;
|
namespace League\OAuth2\Server\Grant;
|
||||||
|
|
||||||
|
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\UserEntityInterface;
|
use League\OAuth2\Server\Entities\UserEntityInterface;
|
||||||
@ -81,47 +82,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
throw OAuthServerException::invalidRequest('code');
|
throw OAuthServerException::invalidRequest('code');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate the authorization code
|
|
||||||
try {
|
try {
|
||||||
$authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
|
$authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
|
||||||
if (time() > $authCodePayload->expire_time) {
|
|
||||||
throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
|
$this->validateAuthorizationCode($authCodePayload, $client, $request);
|
||||||
throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($authCodePayload->client_id !== $client->getIdentifier()) {
|
|
||||||
throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
|
|
||||||
}
|
|
||||||
|
|
||||||
// The redirect URI is required in this request
|
|
||||||
$redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
|
|
||||||
if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
|
|
||||||
throw OAuthServerException::invalidRequest('redirect_uri');
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($authCodePayload->redirect_uri !== $redirectUri) {
|
|
||||||
throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
|
|
||||||
}
|
|
||||||
|
|
||||||
$scopes = [];
|
|
||||||
foreach ($authCodePayload->scopes as $scopeId) {
|
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
|
||||||
|
|
||||||
if ($scope instanceof ScopeEntityInterface === false) {
|
|
||||||
// @codeCoverageIgnoreStart
|
|
||||||
throw OAuthServerException::invalidScope($scopeId);
|
|
||||||
// @codeCoverageIgnoreEnd
|
|
||||||
}
|
|
||||||
|
|
||||||
$scopes[] = $scope;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Finalize the requested scopes
|
|
||||||
$scopes = $this->scopeRepository->finalizeScopes(
|
$scopes = $this->scopeRepository->finalizeScopes(
|
||||||
$scopes,
|
$this->getScopes($authCodePayload),
|
||||||
$this->getIdentifier(),
|
$this->getIdentifier(),
|
||||||
$client,
|
$client,
|
||||||
$authCodePayload->user_id
|
$authCodePayload->user_id
|
||||||
@ -133,6 +100,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
// Validate code challenge
|
// Validate code challenge
|
||||||
if ($this->enableCodeExchangeProof === true) {
|
if ($this->enableCodeExchangeProof === true) {
|
||||||
$codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
|
$codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
|
||||||
|
|
||||||
if ($codeVerifier === null) {
|
if ($codeVerifier === null) {
|
||||||
throw OAuthServerException::invalidRequest('code_verifier');
|
throw OAuthServerException::invalidRequest('code_verifier');
|
||||||
}
|
}
|
||||||
@ -193,6 +161,69 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
return $responseType;
|
return $responseType;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validate the authorization code.
|
||||||
|
*
|
||||||
|
* @param AuthCodeEntityInterface $authCodePayload
|
||||||
|
* @param ClientEntityInterface $client
|
||||||
|
* @param ServerRequestInterface $request
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
private function validateAuthorizationCode(
|
||||||
|
$authCodePayload,
|
||||||
|
ClientEntityInterface $client,
|
||||||
|
ServerRequestInterface $request
|
||||||
|
) {
|
||||||
|
if (time() > $authCodePayload->expire_time) {
|
||||||
|
throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
|
||||||
|
throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($authCodePayload->client_id !== $client->getIdentifier()) {
|
||||||
|
throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
|
||||||
|
}
|
||||||
|
|
||||||
|
// The redirect URI is required in this request
|
||||||
|
$redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
|
||||||
|
if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
|
||||||
|
throw OAuthServerException::invalidRequest('redirect_uri');
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($authCodePayload->redirect_uri !== $redirectUri) {
|
||||||
|
throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get scopes from the auth code payload.
|
||||||
|
*
|
||||||
|
* @param AuthCodeEntityInterface $authCodePayload
|
||||||
|
*
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
private function getScopes($authCodePayload)
|
||||||
|
{
|
||||||
|
$scopes = [];
|
||||||
|
|
||||||
|
foreach ($authCodePayload->scopes as $scopeId) {
|
||||||
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||||
|
|
||||||
|
if ($scope instanceof ScopeEntityInterface === false) {
|
||||||
|
// @codeCoverageIgnoreStart
|
||||||
|
throw OAuthServerException::invalidScope($scopeId);
|
||||||
|
// @codeCoverageIgnoreEnd
|
||||||
|
}
|
||||||
|
|
||||||
|
$scopes[] = $scope;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $scopes;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return the grant identifier that can be used in matching up requests.
|
* Return the grant identifier that can be used in matching up requests.
|
||||||
*
|
*
|
||||||
@ -226,7 +257,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
$this->getServerParameter('PHP_AUTH_USER', $request)
|
$this->getServerParameter('PHP_AUTH_USER', $request)
|
||||||
);
|
);
|
||||||
|
|
||||||
if (is_null($clientId)) {
|
if ($clientId === null) {
|
||||||
throw OAuthServerException::invalidRequest('client_id');
|
throw OAuthServerException::invalidRequest('client_id');
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -246,12 +277,12 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
|
|
||||||
if ($redirectUri !== null) {
|
if ($redirectUri !== null) {
|
||||||
$this->validateRedirectUri($redirectUri, $client, $request);
|
$this->validateRedirectUri($redirectUri, $client, $request);
|
||||||
} elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
|
} elseif (empty($client->getRedirectUri()) ||
|
||||||
|| empty($client->getRedirectUri())) {
|
(\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
|
||||||
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
|
||||||
throw OAuthServerException::invalidClient();
|
throw OAuthServerException::invalidClient();
|
||||||
} else {
|
} else {
|
||||||
$redirectUri = is_array($client->getRedirectUri())
|
$redirectUri = \is_array($client->getRedirectUri())
|
||||||
? $client->getRedirectUri()[0]
|
? $client->getRedirectUri()[0]
|
||||||
: $client->getRedirectUri();
|
: $client->getRedirectUri();
|
||||||
}
|
}
|
||||||
@ -282,7 +313,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
|
|
||||||
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
|
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
|
||||||
|
|
||||||
if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
|
if (\in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
|
||||||
throw OAuthServerException::invalidRequest(
|
throw OAuthServerException::invalidRequest(
|
||||||
'code_challenge_method',
|
'code_challenge_method',
|
||||||
'Code challenge method must be `plain` or `S256`'
|
'Code challenge method must be `plain` or `S256`'
|
||||||
@ -314,11 +345,8 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
|
throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
|
||||||
}
|
}
|
||||||
|
|
||||||
$finalRedirectUri = ($authorizationRequest->getRedirectUri() === null)
|
$finalRedirectUri = $authorizationRequest->getRedirectUri()
|
||||||
? is_array($authorizationRequest->getClient()->getRedirectUri())
|
?? $this->getClientRedirectUri($authorizationRequest);
|
||||||
? $authorizationRequest->getClient()->getRedirectUri()[0]
|
|
||||||
: $authorizationRequest->getClient()->getRedirectUri()
|
|
||||||
: $authorizationRequest->getRedirectUri();
|
|
||||||
|
|
||||||
// The user approved the client, redirect them back with an auth code
|
// The user approved the client, redirect them back with an auth code
|
||||||
if ($authorizationRequest->isAuthorizationApproved() === true) {
|
if ($authorizationRequest->isAuthorizationApproved() === true) {
|
||||||
@ -370,4 +398,18 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the client redirect URI if not set in the request.
|
||||||
|
*
|
||||||
|
* @param AuthorizationRequest $authorizationRequest
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
|
||||||
|
{
|
||||||
|
return \is_array($authorizationRequest->getClient()->getRedirectUri())
|
||||||
|
? $authorizationRequest->getClient()->getRedirectUri()[0]
|
||||||
|
: $authorizationRequest->getClient()->getRedirectUri();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user