From ef5904ab1a9ed04d2d67be09c9575dc235d0fe83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juli=C3=A1n=20Guti=C3=A9rrez?=
Date: Wed, 20 Jan 2016 00:32:59 +0100
Subject: [PATCH] exception based determineAccessTokenInHeader

---
 src/Middleware/ResourceServerMiddleware.php | 16 +++++-----------
 src/ResponseTypes/AbstractResponseType.php | 16 +++++++++++++++-
 src/ResponseTypes/BearerTokenResponse.php | 12 +++++++-----
 3 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/src/Middleware/ResourceServerMiddleware.php b/src/Middleware/ResourceServerMiddleware.php
index 874a14c6..ebcf2794 100644
--- a/src/Middleware/ResourceServerMiddleware.php
+++ b/src/Middleware/ResourceServerMiddleware.php
@@ -33,18 +33,12 @@ class ResourceServerMiddleware
 */
 public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
 {
- if ($request->hasHeader('authorization') === false) {
- $exception = OAuthServerException::accessDenied('Missing authorization header');
-
- return $exception->generateHttpResponse($response);
- }
-
- $request = $this->server->getResponseType()->determineAccessTokenInHeader($request);
-
- if ($request->getAttribute('oauth_access_token') === null) {
- $exception = OAuthServerException::accessDenied($request->getAttribute('oauth_access_token_error'));
-
+ try {
+ $request = $this->server->getResponseType()->determineAccessTokenInHeader($request);
+ } catch (OAuthServerException $exception) {
 return $exception->generateHttpResponse($response);
+ } catch (\Exception $exception) {
+ return $response->withStatus(500)->write($exception->getMessage());
 }
 
 // Pass the request and response on to the next responder in the chain
diff --git a/src/ResponseTypes/AbstractResponseType.php b/src/ResponseTypes/AbstractResponseType.php
index 2388582f..9605a463 100644
--- a/src/ResponseTypes/AbstractResponseType.php
+++ b/src/ResponseTypes/AbstractResponseType.php
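Review bot: The new `catch (\Exception $exception)` branch in `ResourceServerMiddleware::__invoke` writes the raw exception message into the 500 response, so whatever an internal failure inside `determineAccessTokenInHeader` reports is disclosed to the caller. It also calls `write()` directly on `$response`, which is type-hinted as `ResponseInterface`; PSR-7 declares `write()` on the body stream, not on the response, so this only works with response classes that happen to add that method. I would send a fixed message through the stream instead, `$response->getBody()->write('Internal server error');` followed by `return $response->withStatus(500);`, and keep the original exception for server-side logging only. The body of `__invoke` continues outside the hunk.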
@@ -13,7 +13,9 @@ namespace League\OAuth2\Server\ResponseTypes;
 
 use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
 
 abstract class AbstractResponseType implements ResponseTypeInterface
 {
@@ -66,10 +68,22 @@ abstract class AbstractResponseType implements ResponseTypeInterface
 }
 
 /**
- * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshToken
+ * {@inheritdoc}
 */
 public function setRefreshToken(RefreshTokenEntityInterface $refreshToken)
 {
 $this->refreshToken = $refreshToken;
 }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function determineAccessTokenInHeader(ServerRequestInterface $request)
+ {
+ if ($request->hasHeader('authorization') === false) {
+ throw OAuthServerException::accessDenied('Missing "Authorization" header');
+ }
+
+ return $request;
+ }
 }
diff --git a/src/ResponseTypes/BearerTokenResponse.php b/src/ResponseTypes/BearerTokenResponse.php
index 278b166d..c67bc990 100644
--- a/src/ResponseTypes/BearerTokenResponse.php
+++ b/src/ResponseTypes/BearerTokenResponse.php
@@ -16,10 +16,10 @@ use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Utils\KeyCrypt;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
-use Zend\Diactoros\Response;
 
 class BearerTokenResponse extends AbstractResponseType
 {
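Review bot: `AbstractResponseType::determineAccessTokenInHeader()` (the `-66,10` hunk) returns the request untouched as soon as an `Authorization` header is present, and the middleware change in this same commit removes its `getAttribute('oauth_access_token') === null` check, so nothing downstream confirms that a token was actually validated. A response type that inherits this method without overriding it would, as far as these hunks show, pass a request carrying any header value on to `$next`. The `{@inheritdoc}` docblock should state the contract explicitly, for example `Only checks that the Authorization header exists; subclasses must override this and validate the credential before returning the request.` Keeping a fail-closed attribute check in the middleware, or moving the header test into a protected helper so the public method stays unimplemented in the base class, would remove the fail-open default.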
@@ -78,6 +78,8 @@ class BearerTokenResponse extends AbstractResponseType
 */
 public function determineAccessTokenInHeader(ServerRequestInterface $request)
 {
+ $request = parent::determineAccessTokenInHeader($request);
+
 $header = $request->getHeader('authorization');
 $jwt = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));
 
@@ -85,12 +87,12 @@ class BearerTokenResponse extends AbstractResponseType
 // Attempt to parse and validate the JWT
 $token = (new Parser())->parse($jwt);
 if ($token->verify(new Sha256(), $this->pathToPublicKey) === false) {
- return $request->withAttribute('oauth_access_token_error', 'Access token could not be verified');
+ throw OAuthServerException::accessDenied('Access token could not be verified');
 }
 
 // Check if token has been revoked
 if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
- return $request->withAttribute('oauth_access_token_error', 'Access token has been revoked');
+ throw OAuthServerException::accessDenied('Access token has been revoked');
 }
 
 // Return the request with additional attributes
@@ -98,9 +100,9 @@ class BearerTokenResponse extends AbstractResponseType
 ->withAttribute('oauth_client_id', $token->getClaim('aud'))
 ->withAttribute('oauth_user_id', $token->getClaim('sub'))
 ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
- } catch (\InvalidArgumentException $e) {
+ } catch (\InvalidArgumentException $exception) {
 // JWT couldn't be parsed so return the request as is
- return $request->withAttribute('oauth_access_token_error', $e->getMessage());
+ throw OAuthServerException::accessDenied($exception->getMessage());
 }
 }
 }
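Review bot: In the `-85,12` hunk of `BearerTokenResponse::determineAccessTokenInHeader`, the lines between parsing and the attribute assignment check only the signature and the revocation list; no expiry (`exp`) or not-before check is visible, even though the comment says `// Attempt to parse and validate the JWT`. A correctly signed but expired access token therefore appears to be accepted until it is explicitly revoked. If claim validation does not happen elsewhere, it belongs right after the `verify()` call, throwing `OAuthServerException::accessDenied('Access token is invalid')` on failure. The enclosing `try` opens outside this hunk, so this should be confirmed against the full method.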
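Review bot: The context comment `// JWT couldn't be parsed so return the request as is` in the `-98,9` hunk no longer matches the code, which now throws instead of returning the request; it should read something like `// JWT couldn't be parsed, so reject the request`. The handler converts only `\InvalidArgumentException`, so any other exception raised by parsing, verification or `getClaim()` would presumably fall through to the middleware's generic `\Exception` branch and come back as a 500 rather than an access-denied response. Passing `$exception->getMessage()` into `accessDenied()` also hands parser-internal text to the caller; a fixed hint such as `'Access token could not be parsed'` avoids that.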