mirror of
https://github.com/elyby/accounts.git
synced 2024-12-27 23:50:19 +05:30
Implemented public scopes repository. Fix some auth cases [skip ci]
This commit is contained in:
parent
4dc2a3025b
commit
8a1d7148d0
@ -25,6 +25,7 @@ class Component extends BaseComponent {
|
||||
$clientsRepo = new Repositories\ClientRepository();
|
||||
$accessTokensRepo = new Repositories\AccessTokenRepository();
|
||||
$scopesRepo = new Repositories\ScopeRepository();
|
||||
$publicScopesRepo = new Repositories\PublicScopeRepository();
|
||||
$authCodesRepo = new Repositories\AuthCodeRepository();
|
||||
$refreshTokensRepo = new Repositories\RefreshTokenRepository();
|
||||
|
||||
@ -41,6 +42,7 @@ class Component extends BaseComponent {
|
||||
$authCodeGrant = new Grant\AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M'));
|
||||
$authCodeGrant->disableRequireCodeChallengeForPublicClients();
|
||||
$authServer->enableGrantType($authCodeGrant, $accessTokenTTL);
|
||||
$authCodeGrant->setScopeRepository($publicScopesRepo); // Change repository after enabling
|
||||
$authServer->enableGrantType(new Grant\RefreshTokenGrant($refreshTokensRepo), $accessTokenTTL);
|
||||
$authServer->enableGrantType(new Grant\ClientCredentialsGrant(), $accessTokenTTL);
|
||||
|
||||
|
54
api/components/OAuth2/Repositories/PublicScopeRepository.php
Normal file
54
api/components/OAuth2/Repositories/PublicScopeRepository.php
Normal file
@ -0,0 +1,54 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\OAuth2\Repositories;
|
||||
|
||||
use api\components\OAuth2\Entities\ScopeEntity;
|
||||
use api\rbac\Permissions as P;
|
||||
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
||||
|
||||
class PublicScopeRepository implements ScopeRepositoryInterface {
|
||||
|
||||
private const OFFLINE_ACCESS = 'offline_access';
|
||||
private const CHANGE_SKIN = 'change_skin';
|
||||
private const ACCOUNT_INFO = 'account_info';
|
||||
private const ACCOUNT_EMAIL = 'account_email';
|
||||
|
||||
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
|
||||
self::ACCOUNT_INFO => P::OBTAIN_OWN_ACCOUNT_INFO,
|
||||
self::ACCOUNT_EMAIL => P::OBTAIN_ACCOUNT_EMAIL,
|
||||
];
|
||||
|
||||
private const ALLOWED_SCOPES = [
|
||||
P::OBTAIN_OWN_ACCOUNT_INFO,
|
||||
P::OBTAIN_ACCOUNT_EMAIL,
|
||||
P::MINECRAFT_SERVER_SESSION,
|
||||
self::OFFLINE_ACCESS,
|
||||
self::CHANGE_SKIN,
|
||||
];
|
||||
|
||||
public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface {
|
||||
$identifier = $this->convertToInternalPermission($identifier);
|
||||
if (!in_array($identifier, self::ALLOWED_SCOPES, true)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return new ScopeEntity($identifier);
|
||||
}
|
||||
|
||||
public function finalizeScopes(
|
||||
array $scopes,
|
||||
$grantType,
|
||||
ClientEntityInterface $clientEntity,
|
||||
$userIdentifier = null
|
||||
): array {
|
||||
return $scopes;
|
||||
}
|
||||
|
||||
private function convertToInternalPermission(string $publicScope): string {
|
||||
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
|
||||
}
|
||||
|
||||
}
|
@ -107,6 +107,7 @@ class OauthProcess {
|
||||
}
|
||||
|
||||
$authRequest->setUser(new UserEntity($account->id));
|
||||
$authRequest->setAuthorizationApproved(true);
|
||||
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
|
||||
|
||||
$response = [
|
||||
@ -250,10 +251,15 @@ class OauthProcess {
|
||||
}
|
||||
|
||||
private function buildErrorResponse(OAuthServerException $e): array {
|
||||
$hint = $e->getPayload()['hint'] ?? '';
|
||||
if (preg_match('/the `(\w+)` scope/', $hint, $matches)) {
|
||||
$parameter = $matches[1];
|
||||
}
|
||||
|
||||
$response = [
|
||||
'success' => false,
|
||||
'error' => $e->getErrorType(),
|
||||
// 'parameter' => $e->parameter, // TODO: if this is necessary, the parameter can be extracted from the hint
|
||||
'parameter' => $parameter ?? null,
|
||||
'statusCode' => $e->getHttpStatusCode(),
|
||||
];
|
||||
|
||||
|
@ -132,7 +132,7 @@ class AuthCodeCest {
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'access_denied',
|
||||
'parameter' => '',
|
||||
'parameter' => null,
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
|
Loading…
Reference in New Issue
Block a user