Ian Littman
27d5c5ed8d
Ensure unvalidated ClientEntity gets throw/emit if they return null
In many cases, we validate client info before pulling from client itself
from the repository, in which case it's safe to assume that you can grab
the client once validation passes. However on implicit/auth code grants
we don't have this guarantee due to non-confidential clients that just
reference the client ID. In those cases the client may supply a client
ID that doesn't exist, and we don't do a validation step before pulling
it from the repo.
The issue with that is that ClientRepository doesn't actually enforce
returning a ClientInterface via typehint, nor does it even suggest an
exception to throw if the client doesn't exist. So in most places we
do an instanceof check after the repository returns and throw/emit an
error event if the client doesn't exist.
This approach ends up being a bit error-prone; we missed one case where
we should've been doing this check: in the access token request on an
auth code grant. We don't do enough validation beforehand to assume that
the incoming request has an accurate client ID, so L96 could absolutely
be a method call on a non-object.
This commit centralizes the return-check-emit-throw logic so it's a
one-liner for wherever we need it, including the access token request
processor for auth code grants.
2019-05-11 14:35:59 -05:00
sephster
16f37560d4
Merge latest version of 8 branch
2018-12-19 13:03:10 +00:00
sephster
c2cd12e0b8
Remove return types
2018-12-19 12:54:26 +00:00
Chris Tanaskoski
b6955a6c65
Fixed respondToAccessTokenRequest such that it accepts client_id through request body and Http Basic Auth
2018-11-30 10:19:06 +01:00
sephster
2b4974b697
Change to use invalid_grant
2018-11-13 18:18:07 +00:00
Marc Bennewitz
16f9de86f2
cleanup DateTime handling
* DateTime -> DateTimeImmutable
* DateTime::format('U') -> DateTime::getTimestamp()
* (new DateTime())->getTimestamp() -> time()
2018-11-08 12:45:18 +01:00
sephster
fcd6eb8a3c
Fix variable name
2018-09-18 18:01:24 +01:00
sephster
133d9cc97a
Fix missing
2018-09-18 17:51:11 +01:00
Andrew Millington
592dd2f433
Fix typo in function name
2018-09-17 20:10:26 +01:00
sephster
4a464dd336
Fix coding standard issue
2018-09-17 12:49:37 +01:00
sephster
970df8f34b
Add code challenge verifiers
2018-09-17 12:48:32 +01:00
sephster
6a1645aebc
Start to add code challenge verifier interfaces
2018-09-14 18:56:22 +01:00
sephster
e3e7abf41e
Set default isConfidential to false for client entity
2018-09-03 13:09:52 +01:00
sephster
d831868d58
Fix getClientEntity parameters
2018-09-02 16:27:31 +01:00
sephster
07ebe43b91
Change else if to elseif
2018-09-02 16:17:34 +01:00
sephster
e85a8e31e8
Remove assignment as not needed
2018-09-02 14:58:02 +01:00
sephster
3eabbafe5b
Client says if it is confidential instead of repository
2018-09-01 14:53:27 +01:00
sephster
cfa9b8d3b4
Move grant check for client back to validate method
2018-09-01 14:38:31 +01:00
sephster
060a090479
Change tests to use validClient instead of getClientEntity
2018-09-01 14:26:22 +01:00
sephster
46c2f99b06
Change function name to be more explicit
2018-09-01 13:17:36 +01:00
sephster
491852b521
Move code challenge check to auth code request
2018-08-13 21:47:53 +01:00
Andrew Millington
04807a1e2a
Fix incorrect variable reference
2018-08-12 20:29:39 +01:00
Andrew Millington
d07b5a4a03
Add isConfidential function to client entity trait
2018-08-12 20:26:46 +01:00
Andrew Millington
838f206832
Tidy up comments
2018-08-12 20:09:55 +01:00
Andrew Millington
972808561d
Add optional code challenge check for public clients
2018-08-12 20:06:34 +01:00
Andrew Millington
5ad00b0e33
Remove enableCodeExchangeProof function
2018-07-29 22:34:37 +01:00
Andrew Millington
f49cc65c13
Change to store code challenge and method whenever sent for PKCE
2018-07-29 19:56:30 +01:00
Andrew Millington
0c542637fe
Merge branch '8.0.0' into fix-909-v2
2018-06-24 13:51:04 +01:00
Andrew Millington
7df0dfff9d
Remove double function calls
2018-06-24 13:31:38 +01:00
Andrew Millington
ca5fe10934
Fix merge issues
2018-06-24 01:30:15 +01:00
Andrew Millington
369c7005a3
Merge master into version 8 branch
2018-06-24 01:10:02 +01:00
Erik van Velzen
ffffc4bfeb
Allow 640 as key file permissions
2018-06-21 17:02:01 +02:00
Ilya Bulah
224763cda6
Fix docblock
2018-06-15 00:06:33 +03:00
Ilya Bulah
a31bc7d4cc
Extract validateRedirectUri()
2018-06-14 23:50:58 +03:00
Ilya Bulah
0d20c755d4
Formatting
2018-06-14 23:50:58 +03:00
Ilya Bulah
e36ff17ad9
Fix psr2
2018-06-14 23:15:01 +03:00
Andrew Millington
09bf988922
Add capital letter to start of class doc summary
2018-06-05 10:34:12 +01:00
Ilya Bulakh
a571e2262b
Update CryptTrait.php
2018-06-04 16:32:02 +03:00
Andrew Millington
68c9fbd83c
Add a summary for hasRedirect function
2018-05-25 09:53:59 +01:00
Andrew Millington
466e1a639d
Merge remote-tracking branch 'upstream/master' into exception-has-redirect
2018-05-25 09:49:14 +01:00
Andrew Millington
aac64e49cf
Fix style issue
2018-05-23 16:36:43 +01:00
Andrew Millington
61156ef8c7
Use __toString() for access token
2018-05-23 16:34:39 +01:00
Martin Dzibela
9941a96feb
Fix uncaught exception produced by unsigned token
2018-05-22 14:22:12 +02:00
Andrew Millington
4aeb92aa98
Merge remote-tracking branch 'upstream/8.0.0' into access-token-jwt
2018-05-21 16:18:24 +01:00
Andrew Millington
b182389395
Remove native type hints
2018-05-21 15:45:09 +01:00
Andrew Millington
2e3ee60a2a
Remove additional whitespace
2018-05-17 13:27:30 +01:00
Andrew Millington
0242d0c996
Remove spaces at end of line
2018-05-17 13:21:39 +01:00
Andrew Millington
3ea0cdc936
Set authScheme
2018-05-17 13:19:32 +01:00
Andrew Millington
19d782d223
Fix alignment
2018-05-17 13:13:30 +01:00
Andrew Millington
a3d4f583ed
Fix #745
2018-05-17 13:06:03 +01:00