mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-12-23 05:29:52 +05:30
A refresh token should be bound to a client ID
This commit is contained in:
parent
86a483f288
commit
c0683586e2
@ -57,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
|
||||
`session_access_token_id` int(10) unsigned NOT NULL,
|
||||
`refresh_token` char(40) NOT NULL DEFAULT '',
|
||||
`refresh_token_expires` int(10) unsigned NOT NULL,
|
||||
`client_id` char(40) NOT NULL DEFAULT '',
|
||||
PRIMARY KEY (`session_access_token_id`),
|
||||
KEY `client_id` (`client_id`),
|
||||
CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
|
||||
CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
|
||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
||||
|
||||
|
@ -283,7 +283,7 @@ class AuthCode implements GrantTypeInterface {
|
||||
if ($this->authServer->hasGrantType('refresh_token')) {
|
||||
$refreshToken = SecureKey::make();
|
||||
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
|
||||
$response['refresh_token'] = $refreshToken;
|
||||
}
|
||||
|
||||
|
@ -214,7 +214,7 @@ class Password implements GrantTypeInterface {
|
||||
if ($this->authServer->hasGrantType('refresh_token')) {
|
||||
$refreshToken = SecureKey::make();
|
||||
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
|
||||
$response['refresh_token'] = $refreshToken;
|
||||
}
|
||||
|
||||
|
@ -143,7 +143,7 @@ class RefreshToken implements GrantTypeInterface {
|
||||
}
|
||||
|
||||
// Validate refresh token
|
||||
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
|
||||
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
|
||||
|
||||
if ($accessTokenId === false) {
|
||||
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
|
||||
@ -168,7 +168,7 @@ class RefreshToken implements GrantTypeInterface {
|
||||
$this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
|
||||
}
|
||||
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
|
||||
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
|
||||
|
||||
return array(
|
||||
'access_token' => $accessToken,
|
||||
|
@ -91,15 +91,16 @@ class Session implements SessionInterface
|
||||
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
||||
* @return void
|
||||
*/
|
||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
|
||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
|
||||
{
|
||||
$db = \ezcDbInstance::get();
|
||||
|
||||
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
|
||||
(:accessTokenId, :refreshToken, :expireTime)');
|
||||
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
|
||||
(:accessTokenId, :refreshToken, :expireTime, :clientId)');
|
||||
$stmt->bindValue(':accessTokenId', $accessTokenId);
|
||||
$stmt->bindValue(':refreshToken', $refreshToken);
|
||||
$stmt->bindValue(':expireTime', $expireTime);
|
||||
$stmt->bindValue(':clientId', $clientId);
|
||||
$stmt->execute();
|
||||
}
|
||||
|
||||
@ -188,13 +189,14 @@ class Session implements SessionInterface
|
||||
* @param string $refreshToken The access token
|
||||
* @return void
|
||||
*/
|
||||
public function validateRefreshToken($refreshToken)
|
||||
public function validateRefreshToken($refreshToken, $clientId)
|
||||
{
|
||||
$db = \ezcDbInstance::get();
|
||||
|
||||
$stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
|
||||
refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
|
||||
refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
|
||||
$stmt->bindValue(':refreshToken', $refreshToken);
|
||||
$stmt->bindValue(':clientId', $clientId);
|
||||
$stmt->execute();
|
||||
|
||||
$result = $stmt->fetchObject();
|
||||
|
@ -91,9 +91,10 @@ interface SessionInterface
|
||||
* @param int $accessTokenId The access token ID
|
||||
* @param string $refreshToken The refresh token
|
||||
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
||||
* @param string $clientId The client ID
|
||||
* @return void
|
||||
*/
|
||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
|
||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
|
||||
|
||||
/**
|
||||
* Assocate an authorization code with a session
|
||||
@ -191,13 +192,14 @@ interface SessionInterface
|
||||
*
|
||||
* <code>
|
||||
* SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
|
||||
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
|
||||
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
|
||||
* </code>
|
||||
*
|
||||
* @param string $refreshToken The access token
|
||||
* @param string $clientId The client ID
|
||||
* @return int|bool The ID of the access token the refresh token is linked to (or false if invalid)
|
||||
*/
|
||||
public function validateRefreshToken($refreshToken);
|
||||
public function validateRefreshToken($refreshToken, $clientId);
|
||||
|
||||
/**
|
||||
* Get an access token by ID
|
||||
|
Loading…
Reference in New Issue
Block a user