Start to add code challenge verifier interfaces

This commit is contained in:
sephster 2018-09-14 18:56:22 +01:00
parent e3e7abf41e
commit 6a1645aebc
No known key found for this signature in database
GPG Key ID: 077754CA23023F4F

View File

@ -9,6 +9,9 @@
namespace League\OAuth2\Server\Grant; namespace League\OAuth2\Server\Grant;
use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface;
use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\UserEntityInterface; use League\OAuth2\Server\Entities\UserEntityInterface;
@ -33,6 +36,11 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
*/ */
private $requireCodeChallengeForPublicClients = true; private $requireCodeChallengeForPublicClients = true;
/**
* @var CodeChallengeVerifierInterface[]
*/
private $codeChallengeVerifiers = [];
/** /**
* @param AuthCodeRepositoryInterface $authCodeRepository * @param AuthCodeRepositoryInterface $authCodeRepository
* @param RefreshTokenRepositoryInterface $refreshTokenRepository * @param RefreshTokenRepositoryInterface $refreshTokenRepository
@ -47,6 +55,15 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
$this->setRefreshTokenRepository($refreshTokenRepository); $this->setRefreshTokenRepository($refreshTokenRepository);
$this->authCodeTTL = $authCodeTTL; $this->authCodeTTL = $authCodeTTL;
$this->refreshTokenTTL = new \DateInterval('P1M'); $this->refreshTokenTTL = new \DateInterval('P1M');
// SHOULD ONLY DO THIS IS SHA256 is supported
$s256Verifier = new S256Verifier();
$plainVerifier = new PlainVerifier();
$codeChallengeVerifiers = [
$s256Verifier->getMethod() => $s256Verifier,
$plainVerifier->getMethod() => $plainVerifier,
];
} }
/** /**
@ -161,32 +178,19 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
); );
} }
switch ($authCodePayload->code_challenge_method) { if (isset($this->codeChallengeVerifiers[$authCodePayLoad->code_challenge_method])) {
case 'plain': $codeChallengeVerifier = $this->codeChallengeVerifiers[$authCodePayload->code_challenge_method];
if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
}
break; if ($codeChallengeVerifier->verifyCodeChallenge($codeVerifier, $authCodePayload->code_challenge) === false) {
case 'S256': throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
if ( }
hash_equals( } else {
strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'), throw OAuthServerException::serverError(
$authCodePayload->code_challenge sprintf(
) === false 'Unsupported code challenge method `%s`',
) { $authCodePayload->code_challenge_method
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.'); )
} );
// @codeCoverageIgnoreStart
break;
default:
throw OAuthServerException::serverError(
sprintf(
'Unsupported code challenge method `%s`',
$authCodePayload->code_challenge_method
)
);
// @codeCoverageIgnoreEnd
} }
} }
@ -289,10 +293,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
if ($codeChallenge !== null) { if ($codeChallenge !== null) {
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain'); $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) { if (array_key_exitst($codeChallengeMethod, $this->codeChallengeVerifiers) === false) {
throw OAuthServerException::invalidRequest( throw OAuthServerException::invalidRequest(
'code_challenge_method', 'code_challenge_method',
'Code challenge method must be `plain` or `S256`' 'Code challenge method must be one of ' . implode(', ', array_map(
function ($method) { return '`' . $method . '`'; },
array_keys($this->codeChallengeVerifiers)
))
); );
} }