mirror of
https://github.com/elyby/accounts.git
synced 2024-11-30 10:42:16 +05:30
Implemented public scopes repository. Fix some auth cases [skip ci]
This commit is contained in:
parent
4dc2a3025b
commit
8a1d7148d0
@ -25,6 +25,7 @@ class Component extends BaseComponent {
|
|||||||
$clientsRepo = new Repositories\ClientRepository();
|
$clientsRepo = new Repositories\ClientRepository();
|
||||||
$accessTokensRepo = new Repositories\AccessTokenRepository();
|
$accessTokensRepo = new Repositories\AccessTokenRepository();
|
||||||
$scopesRepo = new Repositories\ScopeRepository();
|
$scopesRepo = new Repositories\ScopeRepository();
|
||||||
|
$publicScopesRepo = new Repositories\PublicScopeRepository();
|
||||||
$authCodesRepo = new Repositories\AuthCodeRepository();
|
$authCodesRepo = new Repositories\AuthCodeRepository();
|
||||||
$refreshTokensRepo = new Repositories\RefreshTokenRepository();
|
$refreshTokensRepo = new Repositories\RefreshTokenRepository();
|
||||||
|
|
||||||
@ -41,6 +42,7 @@ class Component extends BaseComponent {
|
|||||||
$authCodeGrant = new Grant\AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M'));
|
$authCodeGrant = new Grant\AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M'));
|
||||||
$authCodeGrant->disableRequireCodeChallengeForPublicClients();
|
$authCodeGrant->disableRequireCodeChallengeForPublicClients();
|
||||||
$authServer->enableGrantType($authCodeGrant, $accessTokenTTL);
|
$authServer->enableGrantType($authCodeGrant, $accessTokenTTL);
|
||||||
|
$authCodeGrant->setScopeRepository($publicScopesRepo); // Change repository after enabling
|
||||||
$authServer->enableGrantType(new Grant\RefreshTokenGrant($refreshTokensRepo), $accessTokenTTL);
|
$authServer->enableGrantType(new Grant\RefreshTokenGrant($refreshTokensRepo), $accessTokenTTL);
|
||||||
$authServer->enableGrantType(new Grant\ClientCredentialsGrant(), $accessTokenTTL);
|
$authServer->enableGrantType(new Grant\ClientCredentialsGrant(), $accessTokenTTL);
|
||||||
|
|
||||||
|
54
api/components/OAuth2/Repositories/PublicScopeRepository.php
Normal file
54
api/components/OAuth2/Repositories/PublicScopeRepository.php
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
<?php
|
||||||
|
declare(strict_types=1);
|
||||||
|
|
||||||
|
namespace api\components\OAuth2\Repositories;
|
||||||
|
|
||||||
|
use api\components\OAuth2\Entities\ScopeEntity;
|
||||||
|
use api\rbac\Permissions as P;
|
||||||
|
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||||
|
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||||
|
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
||||||
|
|
||||||
|
class PublicScopeRepository implements ScopeRepositoryInterface {
|
||||||
|
|
||||||
|
private const OFFLINE_ACCESS = 'offline_access';
|
||||||
|
private const CHANGE_SKIN = 'change_skin';
|
||||||
|
private const ACCOUNT_INFO = 'account_info';
|
||||||
|
private const ACCOUNT_EMAIL = 'account_email';
|
||||||
|
|
||||||
|
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
|
||||||
|
self::ACCOUNT_INFO => P::OBTAIN_OWN_ACCOUNT_INFO,
|
||||||
|
self::ACCOUNT_EMAIL => P::OBTAIN_ACCOUNT_EMAIL,
|
||||||
|
];
|
||||||
|
|
||||||
|
private const ALLOWED_SCOPES = [
|
||||||
|
P::OBTAIN_OWN_ACCOUNT_INFO,
|
||||||
|
P::OBTAIN_ACCOUNT_EMAIL,
|
||||||
|
P::MINECRAFT_SERVER_SESSION,
|
||||||
|
self::OFFLINE_ACCESS,
|
||||||
|
self::CHANGE_SKIN,
|
||||||
|
];
|
||||||
|
|
||||||
|
public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface {
|
||||||
|
$identifier = $this->convertToInternalPermission($identifier);
|
||||||
|
if (!in_array($identifier, self::ALLOWED_SCOPES, true)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
return new ScopeEntity($identifier);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function finalizeScopes(
|
||||||
|
array $scopes,
|
||||||
|
$grantType,
|
||||||
|
ClientEntityInterface $clientEntity,
|
||||||
|
$userIdentifier = null
|
||||||
|
): array {
|
||||||
|
return $scopes;
|
||||||
|
}
|
||||||
|
|
||||||
|
private function convertToInternalPermission(string $publicScope): string {
|
||||||
|
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -107,6 +107,7 @@ class OauthProcess {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$authRequest->setUser(new UserEntity($account->id));
|
$authRequest->setUser(new UserEntity($account->id));
|
||||||
|
$authRequest->setAuthorizationApproved(true);
|
||||||
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
|
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
|
||||||
|
|
||||||
$response = [
|
$response = [
|
||||||
@ -250,10 +251,15 @@ class OauthProcess {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private function buildErrorResponse(OAuthServerException $e): array {
|
private function buildErrorResponse(OAuthServerException $e): array {
|
||||||
|
$hint = $e->getPayload()['hint'] ?? '';
|
||||||
|
if (preg_match('/the `(\w+)` scope/', $hint, $matches)) {
|
||||||
|
$parameter = $matches[1];
|
||||||
|
}
|
||||||
|
|
||||||
$response = [
|
$response = [
|
||||||
'success' => false,
|
'success' => false,
|
||||||
'error' => $e->getErrorType(),
|
'error' => $e->getErrorType(),
|
||||||
// 'parameter' => $e->parameter, // TODO: if this is necessary, the parameter can be extracted from the hint
|
'parameter' => $parameter ?? null,
|
||||||
'statusCode' => $e->getHttpStatusCode(),
|
'statusCode' => $e->getHttpStatusCode(),
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -132,7 +132,7 @@ class AuthCodeCest {
|
|||||||
$I->canSeeResponseContainsJson([
|
$I->canSeeResponseContainsJson([
|
||||||
'success' => false,
|
'success' => false,
|
||||||
'error' => 'access_denied',
|
'error' => 'access_denied',
|
||||||
'parameter' => '',
|
'parameter' => null,
|
||||||
'statusCode' => 401,
|
'statusCode' => 401,
|
||||||
]);
|
]);
|
||||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||||
|
Loading…
Reference in New Issue
Block a user