Move OAuth module from API to common and solve PHPStan's errors

This commit is contained in:
ErickSkrauch 2024-12-06 01:34:09 +01:00
parent 8a25ff9223
commit 5ed6f0ce86
No known key found for this signature in database
GPG Key ID: 669339FCBB30EE0E
32 changed files with 155 additions and 377 deletions

View File

@ -1,10 +0,0 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Events;
use League\OAuth2\Server\EventEmitting\AbstractEvent;
class RequestedRefreshToken extends AbstractEvent {
}

View File

@ -1,12 +0,0 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Grants;
use api\components\OAuth2\CryptTrait;
use League\OAuth2\Server\Grant\ClientCredentialsGrant as BaseClientCredentialsGrant;
class ClientCredentialsGrant extends BaseClientCredentialsGrant {
use CryptTrait;
}

View File

@ -1,12 +0,0 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\ResponseTypes;
use api\components\OAuth2\CryptTrait;
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse as BaseBearerTokenResponse;
class BearerTokenResponse extends BaseBearerTokenResponse {
use CryptTrait;
}

View File

@ -30,6 +30,9 @@ final readonly class TokenReader {
return $this->token->claims()->get('client_id', false) ?: null; return $this->token->claims()->get('client_id', false) ?: null;
} }
/**
* @return list<string>|null
*/
public function getScopes(): ?array { public function getScopes(): ?array {
$scopes = $this->token->claims()->get('scope', false); $scopes = $this->token->claims()->get('scope', false);
if ($scopes !== false) { if ($scopes !== false) {

View File

@ -26,9 +26,6 @@ return [
'user' => [ 'user' => [
'class' => api\components\User\Component::class, 'class' => api\components\User\Component::class,
], ],
'oauth' => [
'class' => api\components\OAuth2\Component::class,
],
'tokens' => [ 'tokens' => [
'class' => api\components\Tokens\Component::class, 'class' => api\components\Tokens\Component::class,
'privateKeyPath' => getenv('JWT_PRIVATE_KEY_PATH') ?: __DIR__ . '/../../data/certs/private.pem', 'privateKeyPath' => getenv('JWT_PRIVATE_KEY_PATH') ?: __DIR__ . '/../../data/certs/private.pem',

View File

@ -9,10 +9,20 @@ use api\rbac\Permissions as P;
use GuzzleHttp\Psr7\ServerRequest; use GuzzleHttp\Psr7\ServerRequest;
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ServerRequestInterface;
use Yii; use Yii;
use yii\base\Module;
use yii\filters\AccessControl; use yii\filters\AccessControl;
use yii\helpers\ArrayHelper; use yii\helpers\ArrayHelper;
class AuthorizationController extends Controller { final class AuthorizationController extends Controller {
public function __construct(
string $id,
Module $module,
private readonly OauthProcess $oauthProcess,
array $config = [],
) {
parent::__construct($id, $module, $config);
}
public function behaviors(): array { public function behaviors(): array {
return ArrayHelper::merge(Controller::behaviors(), [ return ArrayHelper::merge(Controller::behaviors(), [
@ -45,19 +55,15 @@ class AuthorizationController extends Controller {
} }
public function actionValidate(): array { public function actionValidate(): array {
return $this->createOauthProcess()->validate($this->getServerRequest()); return $this->oauthProcess->validate($this->getServerRequest());
} }
public function actionComplete(): array { public function actionComplete(): array {
return $this->createOauthProcess()->complete($this->getServerRequest()); return $this->oauthProcess->complete($this->getServerRequest());
} }
public function actionToken(): array { public function actionToken(): array {
return $this->createOauthProcess()->getToken($this->getServerRequest()); return $this->oauthProcess->getToken($this->getServerRequest());
}
private function createOauthProcess(): OauthProcess {
return new OauthProcess(Yii::$app->oauth->getAuthServer());
} }
private function getServerRequest(): ServerRequestInterface { private function getServerRequest(): ServerRequestInterface {

View File

@ -3,9 +3,9 @@ declare(strict_types=1);
namespace api\modules\oauth\models; namespace api\modules\oauth\models;
use api\components\OAuth2\Entities\UserEntity;
use api\components\OAuth2\Events\RequestedRefreshToken;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use common\components\OAuth2\Entities\UserEntity;
use common\components\OAuth2\Events\RequestedRefreshToken;
use common\models\Account; use common\models\Account;
use common\models\OauthClient; use common\models\OauthClient;
use common\models\OauthSession; use common\models\OauthSession;
@ -18,14 +18,16 @@ use Psr\Http\Message\ServerRequestInterface;
use Webmozart\Assert\Assert; use Webmozart\Assert\Assert;
use Yii; use Yii;
class OauthProcess { final readonly class OauthProcess {
private const array INTERNAL_PERMISSIONS_TO_PUBLIC_SCOPES = [ private const array INTERNAL_PERMISSIONS_TO_PUBLIC_SCOPES = [
P::OBTAIN_OWN_ACCOUNT_INFO => 'account_info', P::OBTAIN_OWN_ACCOUNT_INFO => 'account_info',
P::OBTAIN_ACCOUNT_EMAIL => 'account_email', P::OBTAIN_ACCOUNT_EMAIL => 'account_email',
]; ];
public function __construct(private readonly AuthorizationServer $server) { public function __construct(
private AuthorizationServer $server,
) {
} }
/** /**
@ -43,8 +45,7 @@ class OauthProcess {
* *
* In addition, you can pass the description value to override the application's description. * In addition, you can pass the description value to override the application's description.
* *
* @param ServerRequestInterface $request * @return array<mixed>
* @return array
*/ */
public function validate(ServerRequestInterface $request): array { public function validate(ServerRequestInterface $request): array {
try { try {
@ -77,8 +78,7 @@ class OauthProcess {
* If the field is present, it will be interpreted as any value resulting in false positives. * If the field is present, it will be interpreted as any value resulting in false positives.
* Otherwise, the value will be interpreted as "true". * Otherwise, the value will be interpreted as "true".
* *
* @param ServerRequestInterface $request * @return array<mixed>
* @return array
*/ */
public function complete(ServerRequestInterface $request): array { public function complete(ServerRequestInterface $request): array {
try { try {
@ -144,8 +144,7 @@ class OauthProcess {
* grant_type, * grant_type,
* ] * ]
* *
* @param ServerRequestInterface $request * @return array<mixed>
* @return array
*/ */
public function getToken(ServerRequestInterface $request): array { public function getToken(ServerRequestInterface $request): array {
$params = (array)$request->getParsedBody(); $params = (array)$request->getParsedBody();
@ -232,11 +231,9 @@ class OauthProcess {
} }
/** /**
* @param ServerRequestInterface $request
* @param OauthClient $client
* @param ScopeEntityInterface[] $scopes * @param ScopeEntityInterface[] $scopes
* *
* @return array * @return array<mixed>
*/ */
private function buildSuccessResponse(ServerRequestInterface $request, OauthClient $client, array $scopes): array { private function buildSuccessResponse(ServerRequestInterface $request, OauthClient $client, array $scopes): array {
return [ return [
@ -262,7 +259,7 @@ class OauthProcess {
/** /**
* @param ScopeEntityInterface[] $scopes * @param ScopeEntityInterface[] $scopes
* @return array * @return string[]
*/ */
private function buildScopesArray(array $scopes): array { private function buildScopesArray(array $scopes): array {
$result = []; $result = [];
@ -273,6 +270,15 @@ class OauthProcess {
return $result; return $result;
} }
/**
* @return array{
* success: false,
* error: string,
* parameter: string|null,
* statusCode: int,
* redirectUri?: string,
* }
*/
private function buildCompleteErrorResponse(OAuthServerException $e): array { private function buildCompleteErrorResponse(OAuthServerException $e): array {
$hint = $e->getPayload()['hint'] ?? ''; $hint = $e->getPayload()['hint'] ?? '';
if (preg_match('/the `(\w+)` scope/', $hint, $matches)) { if (preg_match('/the `(\w+)` scope/', $hint, $matches)) {
@ -304,8 +310,10 @@ class OauthProcess {
* *
* Part of the existing texts are the legacy from the previous implementation. * Part of the existing texts are the legacy from the previous implementation.
* *
* @param OAuthServerException $e * @return array{
* @return array * error: string,
* message: string,
* }
*/ */
private function buildIssueErrorResponse(OAuthServerException $e): array { private function buildIssueErrorResponse(OAuthServerException $e): array {
$errorType = $e->getErrorType(); $errorType = $e->getErrorType();
@ -331,6 +339,9 @@ class OauthProcess {
return new OAuthServerException('Client must accept authentication request.', 0, 'accept_required', 401); return new OAuthServerException('Client must accept authentication request.', 0, 'accept_required', 401);
} }
/**
* @return list<string>
*/
private function getScopesList(AuthorizationRequestInterface $request): array { private function getScopesList(AuthorizationRequestInterface $request): array {
return array_values(array_map(fn(ScopeEntityInterface $scope): string => $scope->getIdentifier(), $request->getScopes())); return array_values(array_map(fn(ScopeEntityInterface $scope): string => $scope->getIdentifier(), $request->getScopes()));
} }

View File

@ -3,8 +3,8 @@ declare(strict_types=1);
namespace api\tests\functional\_steps; namespace api\tests\functional\_steps;
use api\components\OAuth2\Repositories\PublicScopeRepository;
use api\tests\FunctionalTester; use api\tests\FunctionalTester;
use common\components\OAuth2\Repositories\PublicScopeRepository;
class OauthSteps extends FunctionalTester { class OauthSteps extends FunctionalTester {

View File

@ -3,8 +3,8 @@ declare(strict_types=1);
namespace api\tests\unit\components\OAuth2\Entities; namespace api\tests\unit\components\OAuth2\Entities;
use api\components\OAuth2\Entities\AccessTokenEntity;
use api\tests\unit\TestCase; use api\tests\unit\TestCase;
use common\components\OAuth2\Entities\AccessTokenEntity;
use DateTimeImmutable; use DateTimeImmutable;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;

View File

@ -34,7 +34,6 @@ abstract class BaseApplication extends yii\base\Application {
* *
* @property \api\components\User\Component $user * @property \api\components\User\Component $user
* @property \api\components\ReCaptcha\Component $reCaptcha * @property \api\components\ReCaptcha\Component $reCaptcha
* @property \api\components\OAuth2\Component $oauth
* @property \api\components\Tokens\Component $tokens * @property \api\components\Tokens\Component $tokens
* @property \api\components\Tokens\TokensFactory $tokensFactory * @property \api\components\Tokens\TokensFactory $tokensFactory
* *

View File

@ -1,26 +1,16 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2; namespace common\components\OAuth2;
use Carbon\CarbonInterval; use Carbon\CarbonInterval;
use DateInterval; use DateInterval;
use League\OAuth2\Server\AuthorizationServer; use League\OAuth2\Server\AuthorizationServer;
use yii\base\Component as BaseComponent; use yii\base\Component as BaseComponent;
final class Component extends BaseComponent { final class AuthorizationServerFactory extends BaseComponent {
private ?AuthorizationServer $_authServer = null; public static function build(): AuthorizationServer {
public function getAuthServer(): AuthorizationServer {
if ($this->_authServer === null) {
$this->_authServer = $this->createAuthServer();
}
return $this->_authServer;
}
private function createAuthServer(): AuthorizationServer {
$clientsRepo = new Repositories\ClientRepository(); $clientsRepo = new Repositories\ClientRepository();
$accessTokensRepo = new Repositories\AccessTokenRepository(); $accessTokensRepo = new Repositories\AccessTokenRepository();
$publicScopesRepo = new Repositories\PublicScopeRepository(); $publicScopesRepo = new Repositories\PublicScopeRepository();

View File

@ -1,7 +1,7 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2; namespace common\components\OAuth2;
use LogicException; use LogicException;
use RangeException; use RangeException;
@ -18,11 +18,11 @@ use Yii;
*/ */
trait CryptTrait { trait CryptTrait {
protected function encrypt($unencryptedData): string { protected function encrypt(string $unencryptedData): string {
return Yii::$app->tokens->encryptValue($unencryptedData); return Yii::$app->tokens->encryptValue($unencryptedData);
} }
protected function decrypt($encryptedData): string { protected function decrypt(string $encryptedData): string {
try { try {
return Yii::$app->tokens->decryptValue($encryptedData); return Yii::$app->tokens->decryptValue($encryptedData);
} catch (SodiumException|RangeException $e) { } catch (SodiumException|RangeException $e) {

View File

@ -1,7 +1,7 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace common\components\OAuth2\Entities;
use League\OAuth2\Server\CryptKeyInterface; use League\OAuth2\Server\CryptKeyInterface;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;

View File

@ -1,14 +1,14 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace common\components\OAuth2\Entities;
use League\OAuth2\Server\Entities\AuthCodeEntityInterface; use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
use League\OAuth2\Server\Entities\Traits\AuthCodeTrait; use League\OAuth2\Server\Entities\Traits\AuthCodeTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait; use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\TokenEntityTrait; use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
class AuthCodeEntity implements AuthCodeEntityInterface { final class AuthCodeEntity implements AuthCodeEntityInterface {
use EntityTrait; use EntityTrait;
use AuthCodeTrait; use AuthCodeTrait;
use TokenEntityTrait; use TokenEntityTrait;

View File

@ -1,19 +1,19 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace common\components\OAuth2\Entities;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\ClientTrait; use League\OAuth2\Server\Entities\Traits\ClientTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait; use League\OAuth2\Server\Entities\Traits\EntityTrait;
class ClientEntity implements ClientEntityInterface { final class ClientEntity implements ClientEntityInterface {
use EntityTrait; use EntityTrait;
use ClientTrait; use ClientTrait;
/** /**
* @param non-empty-string $id * @phpstan-param non-empty-string $id
* @param string|string[] $redirectUri * @phpstan-param string|list<string> $redirectUri
*/ */
public function __construct( public function __construct(
string $id, string $id,

View File

@ -1,16 +1,19 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace common\components\OAuth2\Entities;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\Traits\EntityTrait; use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\ScopeTrait; use League\OAuth2\Server\Entities\Traits\ScopeTrait;
class ScopeEntity implements ScopeEntityInterface { final class ScopeEntity implements ScopeEntityInterface {
use EntityTrait; use EntityTrait;
use ScopeTrait; use ScopeTrait;
/**
* @phpstan-param non-empty-string $id
*/
public function __construct(string $id) { public function __construct(string $id) {
$this->identifier = $id; $this->identifier = $id;
} }

View File

@ -1,12 +1,12 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace common\components\OAuth2\Entities;
use League\OAuth2\Server\Entities\Traits\EntityTrait; use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\UserEntityInterface; use League\OAuth2\Server\Entities\UserEntityInterface;
class UserEntity implements UserEntityInterface { final class UserEntity implements UserEntityInterface {
use EntityTrait; use EntityTrait;
public function __construct(int $id) { public function __construct(int $id) {

View File

@ -0,0 +1,10 @@
<?php
declare(strict_types=1);
namespace common\components\OAuth2\Events;
use League\OAuth2\Server\EventEmitting\AbstractEvent;
final class RequestedRefreshToken extends AbstractEvent {
}

View File

@ -1,35 +1,23 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Grants; namespace common\components\OAuth2\Grants;
use api\components\OAuth2\CryptTrait; use common\components\OAuth2\CryptTrait;
use api\components\OAuth2\Events\RequestedRefreshToken; use common\components\OAuth2\Events\RequestedRefreshToken;
use api\components\OAuth2\Repositories\PublicScopeRepository; use common\components\OAuth2\Repositories\PublicScopeRepository;
use DateInterval; use DateInterval;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
use League\OAuth2\Server\Grant\AuthCodeGrant as BaseAuthCodeGrant; use League\OAuth2\Server\Grant\AuthCodeGrant as BaseAuthCodeGrant;
use League\OAuth2\Server\RequestEvent; use League\OAuth2\Server\RequestEvent;
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ServerRequestInterface;
use yii\helpers\StringHelper; use yii\helpers\StringHelper;
class AuthCodeGrant extends BaseAuthCodeGrant { final class AuthCodeGrant extends BaseAuthCodeGrant {
use CryptTrait; use CryptTrait;
/**
* @param DateInterval $accessTokenTTL
* @param ClientEntityInterface $client
* @param string|null $userIdentifier
* @param ScopeEntityInterface[] $scopes
*
* @return AccessTokenEntityInterface
* @throws OAuthServerException
* @throws UniqueTokenIdentifierConstraintViolationException
*/
protected function issueAccessToken( protected function issueAccessToken(
DateInterval $accessTokenTTL, DateInterval $accessTokenTTL,
ClientEntityInterface $client, ClientEntityInterface $client,

View File

@ -0,0 +1,12 @@
<?php
declare(strict_types=1);
namespace common\components\OAuth2\Grants;
use common\components\OAuth2\CryptTrait;
use League\OAuth2\Server\Grant\ClientCredentialsGrant as BaseClientCredentialsGrant;
final class ClientCredentialsGrant extends BaseClientCredentialsGrant {
use CryptTrait;
}

View File

@ -1,11 +1,11 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Grants; namespace common\components\OAuth2\Grants;
use api\components\OAuth2\CryptTrait;
use api\components\Tokens\TokenReader; use api\components\Tokens\TokenReader;
use Carbon\FactoryImmutable; use Carbon\FactoryImmutable;
use common\components\OAuth2\CryptTrait;
use common\models\OauthSession; use common\models\OauthSession;
use InvalidArgumentException; use InvalidArgumentException;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt; use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
@ -18,7 +18,7 @@ use Psr\Http\Message\ServerRequestInterface;
use Throwable; use Throwable;
use Yii; use Yii;
class RefreshTokenGrant extends BaseRefreshTokenGrant { final class RefreshTokenGrant extends BaseRefreshTokenGrant {
use CryptTrait; use CryptTrait;
/** /**
@ -26,11 +26,7 @@ class RefreshTokenGrant extends BaseRefreshTokenGrant {
* If received refresh token is matches the legacy token template, * If received refresh token is matches the legacy token template,
* restore the information from the legacy storage. * restore the information from the legacy storage.
* *
* @param ServerRequestInterface $request * @inheritDoc
* @param string $clientId
*
* @return array
* @throws OAuthServerException
*/ */
protected function validateOldRefreshToken(ServerRequestInterface $request, string $clientId): array { protected function validateOldRefreshToken(ServerRequestInterface $request, string $clientId): array {
$refreshToken = $this->getRequestParameter('refresh_token', $request); $refreshToken = $this->getRequestParameter('refresh_token', $request);
@ -45,18 +41,13 @@ class RefreshTokenGrant extends BaseRefreshTokenGrant {
* Currently we're not rotating refresh tokens. * Currently we're not rotating refresh tokens.
* So we're overriding this method to always return null, which means, * So we're overriding this method to always return null, which means,
* that refresh_token will not be issued. * that refresh_token will not be issued.
*
* @param AccessTokenEntityInterface $accessToken
*
* @return RefreshTokenEntityInterface|null
*/ */
protected function issueRefreshToken(AccessTokenEntityInterface $accessToken): ?RefreshTokenEntityInterface { protected function issueRefreshToken(AccessTokenEntityInterface $accessToken): ?RefreshTokenEntityInterface {
return null; return null;
} }
/** /**
* @param string $refreshToken * @return array<string, mixed>
* @return array
* @throws OAuthServerException * @throws OAuthServerException
*/ */
private function validateLegacyRefreshToken(string $refreshToken): array { private function validateLegacyRefreshToken(string $refreshToken): array {
@ -91,14 +82,7 @@ class RefreshTokenGrant extends BaseRefreshTokenGrant {
} }
/** /**
* @return array{ * @return array<string, mixed>
* client_id: string,
* refresh_token_id?: string,
* access_token_id?: string,
* scopes: list<string>|null,
* user_id: string|null,
* expire_time: int|null,
* }
* @throws OAuthServerException * @throws OAuthServerException
*/ */
private function validateAccessToken(string $jwt): array { private function validateAccessToken(string $jwt): array {

View File

@ -1,11 +1,11 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Keys; namespace common\components\OAuth2\Keys;
use League\OAuth2\Server\CryptKeyInterface; use League\OAuth2\Server\CryptKeyInterface;
class EmptyKey implements CryptKeyInterface { final class EmptyKey implements CryptKeyInterface {
public function getKeyPath(): string { public function getKeyPath(): string {
return ''; return '';

View File

@ -1,28 +1,23 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AccessTokenEntity; use common\components\OAuth2\Entities\AccessTokenEntity;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface; use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
class AccessTokenRepository implements AccessTokenRepositoryInterface { final class AccessTokenRepository implements AccessTokenRepositoryInterface {
/** /**
* Create a new access token * @inheritDoc
* * @phpstan-param non-empty-string|null $userIdentifier
* @param ClientEntityInterface $clientEntity
* @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
* @param mixed $userIdentifier
*
* @return AccessTokenEntityInterface
*/ */
public function getNewToken( public function getNewToken(
ClientEntityInterface $clientEntity, ClientEntityInterface $clientEntity,
array $scopes, array $scopes,
$userIdentifier = null, ?string $userIdentifier = null,
): AccessTokenEntityInterface { ): AccessTokenEntityInterface {
$accessToken = new AccessTokenEntity(); $accessToken = new AccessTokenEntity();
$accessToken->setClient($clientEntity); $accessToken->setClient($clientEntity);
@ -38,11 +33,11 @@ class AccessTokenRepository implements AccessTokenRepositoryInterface {
// We don't store access tokens, so there's no need to do anything here // We don't store access tokens, so there's no need to do anything here
} }
public function revokeAccessToken($tokenId): void { public function revokeAccessToken(string $tokenId): void {
// We don't store access tokens, so there's no need to do anything here // We don't store access tokens, so there's no need to do anything here
} }
public function isAccessTokenRevoked($tokenId): bool { public function isAccessTokenRevoked(string $tokenId): bool {
return false; return false;
} }

View File

@ -1,13 +1,13 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AuthCodeEntity; use common\components\OAuth2\Entities\AuthCodeEntity;
use League\OAuth2\Server\Entities\AuthCodeEntityInterface; use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface; use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
class AuthCodeRepository implements AuthCodeRepositoryInterface { final class AuthCodeRepository implements AuthCodeRepositoryInterface {
public function getNewAuthCode(): AuthCodeEntityInterface { public function getNewAuthCode(): AuthCodeEntityInterface {
return new AuthCodeEntity(); return new AuthCodeEntity();
@ -16,10 +16,10 @@ class AuthCodeRepository implements AuthCodeRepositoryInterface {
public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void { public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void {
} }
public function revokeAuthCode($codeId): void { public function revokeAuthCode(string $codeId): void {
} }
public function isAuthCodeRevoked($codeId): bool { public function isAuthCodeRevoked(string $codeId): bool {
return false; return false;
} }

View File

@ -1,26 +1,27 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ClientEntity; use common\components\OAuth2\Entities\ClientEntity;
use common\models\OauthClient; use common\models\OauthClient;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface; use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
class ClientRepository implements ClientRepositoryInterface { final class ClientRepository implements ClientRepositoryInterface {
public function getClientEntity($clientId): ?ClientEntityInterface { public function getClientEntity(string $clientIdentifier): ?ClientEntityInterface {
$client = $this->findModel($clientId); $client = $this->findModel($clientIdentifier);
if ($client === null) { if ($client === null) {
return null; return null;
} }
return new ClientEntity($client->id, $client->name, $client->redirect_uri ?? '', (bool)$client->is_trusted); // @phpstan-ignore argument.type
return new ClientEntity($client->id, $client->name, $client->redirect_uri ?: '', (bool)$client->is_trusted);
} }
public function validateClient($clientId, $clientSecret, $grantType): bool { public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool {
$client = $this->findModel($clientId); $client = $this->findModel($clientIdentifier);
if ($client === null) { if ($client === null) {
return false; return false;
} }

View File

@ -1,7 +1,7 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
@ -12,7 +12,7 @@ use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
* To create an instance of the authorization server, you need to pass the scopes * To create an instance of the authorization server, you need to pass the scopes
* repository. This class acts as a dummy to meet this requirement. * repository. This class acts as a dummy to meet this requirement.
*/ */
class EmptyScopeRepository implements ScopeRepositoryInterface { final class EmptyScopeRepository implements ScopeRepositoryInterface {
public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface { public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface {
return null; return null;
@ -20,9 +20,9 @@ class EmptyScopeRepository implements ScopeRepositoryInterface {
public function finalizeScopes( public function finalizeScopes(
array $scopes, array $scopes,
$grantType, string $grantType,
ClientEntityInterface $clientEntity, ClientEntityInterface $clientEntity,
$userIdentifier = null, ?string $userIdentifier = null,
?string $authCodeId = null, ?string $authCodeId = null,
): array { ): array {
return $scopes; return $scopes;

View File

@ -1,17 +1,17 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ClientEntity;
use api\components\OAuth2\Entities\ScopeEntity;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use common\components\OAuth2\Entities\ClientEntity;
use common\components\OAuth2\Entities\ScopeEntity;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface; use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
class InternalScopeRepository implements ScopeRepositoryInterface { final class InternalScopeRepository implements ScopeRepositoryInterface {
private const array ALLOWED_SCOPES = [ private const array ALLOWED_SCOPES = [
P::CHANGE_ACCOUNT_USERNAME, P::CHANGE_ACCOUNT_USERNAME,
@ -39,9 +39,9 @@ class InternalScopeRepository implements ScopeRepositoryInterface {
*/ */
public function finalizeScopes( public function finalizeScopes(
array $scopes, array $scopes,
$grantType, string $grantType,
ClientEntityInterface $clientEntity, ClientEntityInterface $clientEntity,
$userIdentifier = null, ?string $userIdentifier = null,
?string $authCodeId = null, ?string $authCodeId = null,
): array { ): array {
if (empty($scopes)) { if (empty($scopes)) {

View File

@ -1,15 +1,15 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ScopeEntity;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use common\components\OAuth2\Entities\ScopeEntity;
use League\OAuth2\Server\Entities\ClientEntityInterface; use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface; use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
class PublicScopeRepository implements ScopeRepositoryInterface { final class PublicScopeRepository implements ScopeRepositoryInterface {
public const string OFFLINE_ACCESS = 'offline_access'; public const string OFFLINE_ACCESS = 'offline_access';
public const string CHANGE_SKIN = 'change_skin'; public const string CHANGE_SKIN = 'change_skin';
@ -41,9 +41,9 @@ class PublicScopeRepository implements ScopeRepositoryInterface {
public function finalizeScopes( public function finalizeScopes(
array $scopes, array $scopes,
$grantType, string $grantType,
ClientEntityInterface $clientEntity, ClientEntityInterface $clientEntity,
$userIdentifier = null, ?string $userIdentifier = null,
?string $authCodeId = null, ?string $authCodeId = null,
): array { ): array {
return $scopes; return $scopes;

View File

@ -1,12 +1,12 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
namespace api\components\OAuth2\Repositories; namespace common\components\OAuth2\Repositories;
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface; use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface; use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
class RefreshTokenRepository implements RefreshTokenRepositoryInterface { final class RefreshTokenRepository implements RefreshTokenRepositoryInterface {
public function getNewRefreshToken(): ?RefreshTokenEntityInterface { public function getNewRefreshToken(): ?RefreshTokenEntityInterface {
return null; return null;
@ -16,11 +16,11 @@ class RefreshTokenRepository implements RefreshTokenRepositoryInterface {
// Do nothing // Do nothing
} }
public function revokeRefreshToken($tokenId): void { public function revokeRefreshToken(string $tokenId): void {
// Do nothing // Do nothing
} }
public function isRefreshTokenRevoked($tokenId): bool { public function isRefreshTokenRevoked(string $tokenId): bool {
return false; return false;
} }

View File

@ -0,0 +1,12 @@
<?php
declare(strict_types=1);
namespace common\components\OAuth2\ResponseTypes;
use common\components\OAuth2\CryptTrait;
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse as BaseBearerTokenResponse;
final class BearerTokenResponse extends BaseBearerTokenResponse {
use CryptTrait;
}

View File

@ -26,6 +26,7 @@ return [
'http://' . (getenv('CHRLY_HOST') ?: 'skinsystem.ely.by'), 'http://' . (getenv('CHRLY_HOST') ?: 'skinsystem.ely.by'),
], ],
], ],
League\OAuth2\Server\AuthorizationServer::class => common\components\OAuth2\AuthorizationServerFactory::build(...),
], ],
], ],
'components' => [ 'components' => [

View File

@ -5,151 +5,6 @@ parameters:
count: 1 count: 1
path: api/components/ErrorHandler.php path: api/components/ErrorHandler.php
-
message: "#^Property api\\\\components\\\\OAuth2\\\\Entities\\\\ScopeEntity\\:\\:\\$identifier \\(non\\-empty\\-string\\) does not accept string\\.$#"
count: 1
path: api/components/OAuth2/Entities/ScopeEntity.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\AuthCodeGrant\\:\\:decrypt\\(\\) has parameter \\$encryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/AuthCodeGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\AuthCodeGrant\\:\\:encrypt\\(\\) has parameter \\$unencryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/AuthCodeGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\ClientCredentialsGrant\\:\\:decrypt\\(\\) has parameter \\$encryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/ClientCredentialsGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\ClientCredentialsGrant\\:\\:encrypt\\(\\) has parameter \\$unencryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/ClientCredentialsGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\RefreshTokenGrant\\:\\:decrypt\\(\\) has parameter \\$encryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/RefreshTokenGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\RefreshTokenGrant\\:\\:encrypt\\(\\) has parameter \\$unencryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Grants/RefreshTokenGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\RefreshTokenGrant\\:\\:validateAccessToken\\(\\) should return array\\{client_id\\: string, refresh_token_id\\?\\: string, access_token_id\\?\\: string, scopes\\: array\\<int, string\\>\\|null, user_id\\: string\\|null, expire_time\\: int\\|null\\} but returns array\\{client_id\\: string\\|null, refresh_token_id\\: '', access_token_id\\: '', scopes\\: array\\|null, user_id\\: int\\|null, expire_time\\: null\\}\\.$#"
count: 1
path: api/components/OAuth2/Grants/RefreshTokenGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\RefreshTokenGrant\\:\\:validateLegacyRefreshToken\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/components/OAuth2/Grants/RefreshTokenGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Grants\\\\RefreshTokenGrant\\:\\:validateOldRefreshToken\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/components/OAuth2/Grants/RefreshTokenGrant.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\AccessTokenRepository\\:\\:isAccessTokenRevoked\\(\\) has parameter \\$tokenId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/AccessTokenRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\AccessTokenRepository\\:\\:revokeAccessToken\\(\\) has parameter \\$tokenId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/AccessTokenRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\AuthCodeRepository\\:\\:isAuthCodeRevoked\\(\\) has parameter \\$codeId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/AuthCodeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\AuthCodeRepository\\:\\:revokeAuthCode\\(\\) has parameter \\$codeId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/AuthCodeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\ClientRepository\\:\\:getClientEntity\\(\\) has parameter \\$clientId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/ClientRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\ClientRepository\\:\\:validateClient\\(\\) has parameter \\$clientId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/ClientRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\ClientRepository\\:\\:validateClient\\(\\) has parameter \\$clientSecret with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/ClientRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\ClientRepository\\:\\:validateClient\\(\\) has parameter \\$grantType with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/ClientRepository.php
-
message: "#^Parameter \\#1 \\$id of class api\\\\components\\\\OAuth2\\\\Entities\\\\ClientEntity constructor expects non\\-empty\\-string, string given\\.$#"
count: 1
path: api/components/OAuth2/Repositories/ClientRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\EmptyScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$grantType with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/EmptyScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\EmptyScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$userIdentifier with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/EmptyScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\InternalScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$grantType with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/InternalScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\InternalScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$userIdentifier with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/InternalScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\PublicScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$grantType with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/PublicScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\PublicScopeRepository\\:\\:finalizeScopes\\(\\) has parameter \\$userIdentifier with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/PublicScopeRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\RefreshTokenRepository\\:\\:isRefreshTokenRevoked\\(\\) has parameter \\$tokenId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/RefreshTokenRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\Repositories\\\\RefreshTokenRepository\\:\\:revokeRefreshToken\\(\\) has parameter \\$tokenId with no type specified\\.$#"
count: 1
path: api/components/OAuth2/Repositories/RefreshTokenRepository.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\ResponseTypes\\\\BearerTokenResponse\\:\\:decrypt\\(\\) has parameter \\$encryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/ResponseTypes/BearerTokenResponse.php
-
message: "#^Method api\\\\components\\\\OAuth2\\\\ResponseTypes\\\\BearerTokenResponse\\:\\:encrypt\\(\\) has parameter \\$unencryptedData with no type specified\\.$#"
count: 1
path: api/components/OAuth2/ResponseTypes/BearerTokenResponse.php
- -
message: "#^Property api\\\\components\\\\ReCaptcha\\\\Component\\:\\:\\$public has no type specified\\.$#" message: "#^Property api\\\\components\\\\ReCaptcha\\\\Component\\:\\:\\$public has no type specified\\.$#"
count: 1 count: 1
@ -220,11 +75,6 @@ parameters:
count: 1 count: 1
path: api/components/Tokens/Component.php path: api/components/Tokens/Component.php
-
message: "#^Method api\\\\components\\\\Tokens\\\\TokenReader\\:\\:getScopes\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/components/Tokens/TokenReader.php
- -
message: "#^Property api\\\\components\\\\User\\\\Component\\:\\:\\$loginUrl type has no value type specified in iterable type array\\.$#" message: "#^Property api\\\\components\\\\User\\\\Component\\:\\:\\$loginUrl type has no value type specified in iterable type array\\.$#"
count: 1 count: 1
@ -305,16 +155,6 @@ parameters:
count: 1 count: 1
path: api/models/authentication/ConfirmEmailForm.php path: api/models/authentication/ConfirmEmailForm.php
-
message: "#^Property api\\\\models\\\\authentication\\\\ForgotPasswordForm\\:\\:\\$captcha has no type specified\\.$#"
count: 1
path: api/models/authentication/ForgotPasswordForm.php
-
message: "#^Property api\\\\models\\\\authentication\\\\ForgotPasswordForm\\:\\:\\$login has no type specified\\.$#"
count: 1
path: api/models/authentication/ForgotPasswordForm.php
- -
message: "#^Property api\\\\models\\\\authentication\\\\RecoverPasswordForm\\:\\:\\$key has no type specified\\.$#" message: "#^Property api\\\\models\\\\authentication\\\\RecoverPasswordForm\\:\\:\\$key has no type specified\\.$#"
count: 1 count: 1
@ -695,46 +535,6 @@ parameters:
count: 1 count: 1
path: api/modules/oauth/models/OauthClientTypeForm.php path: api/modules/oauth/models/OauthClientTypeForm.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:buildCompleteErrorResponse\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:buildIssueErrorResponse\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:buildScopesArray\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:buildSuccessResponse\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:complete\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:getScopesList\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:getToken\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
-
message: "#^Method api\\\\modules\\\\oauth\\\\models\\\\OauthProcess\\:\\:validate\\(\\) return type has no value type specified in iterable type array\\.$#"
count: 1
path: api/modules/oauth/models/OauthProcess.php
- -
message: "#^Method api\\\\modules\\\\session\\\\Module\\:\\:error\\(\\) has parameter \\$message with no type specified\\.$#" message: "#^Method api\\\\modules\\\\session\\\\Module\\:\\:error\\(\\) has parameter \\$message with no type specified\\.$#"
count: 1 count: 1