Replace separate minecraft access tokens with JWT

This commit is contained in:
ErickSkrauch 2019-12-04 21:10:15 +03:00
parent 060a4e960a
commit a81ef5cac2
34 changed files with 432 additions and 303 deletions

View File

@ -4,13 +4,13 @@ declare(strict_types=1);
namespace api\components\OAuth2\Entities; namespace api\components\OAuth2\Entities;
use api\components\OAuth2\Repositories\PublicScopeRepository; use api\components\OAuth2\Repositories\PublicScopeRepository;
use api\components\Tokens\TokensFactory;
use DateTimeImmutable; use DateTimeImmutable;
use League\OAuth2\Server\CryptKeyInterface; use League\OAuth2\Server\CryptKeyInterface;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\Traits\EntityTrait; use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\TokenEntityTrait; use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
use Yii;
class AccessTokenEntity implements AccessTokenEntityInterface { class AccessTokenEntity implements AccessTokenEntityInterface {
use EntityTrait; use EntityTrait;
@ -31,7 +31,7 @@ class AccessTokenEntity implements AccessTokenEntityInterface {
return $scope->getIdentifier() !== PublicScopeRepository::OFFLINE_ACCESS; return $scope->getIdentifier() !== PublicScopeRepository::OFFLINE_ACCESS;
}); });
$token = TokensFactory::createForOAuthClient($this); $token = Yii::$app->tokensFactory->createForOAuthClient($this);
$this->scopes = $scopes; $this->scopes = $scopes;

View File

@ -4,6 +4,7 @@ declare(strict_types=1);
namespace api\components\Tokens; namespace api\components\Tokens;
use Carbon\Carbon; use Carbon\Carbon;
use Defuse\Crypto\Crypto;
use Exception; use Exception;
use Lcobucci\JWT\Builder; use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser; use Lcobucci\JWT\Parser;
@ -35,6 +36,11 @@ class Component extends BaseComponent {
*/ */
public $privateKeyPass; public $privateKeyPass;
/**
* @var string|\Defuse\Crypto\Key
*/
public $encryptionKey;
/** /**
* @var AlgorithmsManager|null * @var AlgorithmsManager|null
*/ */
@ -45,6 +51,7 @@ class Component extends BaseComponent {
Assert::notEmpty($this->hmacKey, 'hmacKey must be set'); Assert::notEmpty($this->hmacKey, 'hmacKey must be set');
Assert::notEmpty($this->privateKeyPath, 'privateKeyPath must be set'); Assert::notEmpty($this->privateKeyPath, 'privateKeyPath must be set');
Assert::notEmpty($this->publicKeyPath, 'publicKeyPath must be set'); Assert::notEmpty($this->publicKeyPath, 'publicKeyPath must be set');
Assert::notEmpty($this->encryptionKey, 'encryptionKey must be set');
} }
public function create(array $payloads = [], array $headers = []): Token { public function create(array $payloads = [], array $headers = []): Token {
@ -53,11 +60,11 @@ class Component extends BaseComponent {
->issuedAt($now->getTimestamp()) ->issuedAt($now->getTimestamp())
->expiresAt($now->addHour()->getTimestamp()); ->expiresAt($now->addHour()->getTimestamp());
foreach ($payloads as $claim => $value) { foreach ($payloads as $claim => $value) {
$builder->withClaim($claim, $value); $builder->withClaim($claim, $this->prepareValue($value));
} }
foreach ($headers as $claim => $value) { foreach ($headers as $claim => $value) {
$builder->withHeader($claim, $value); $builder->withHeader($claim, $this->prepareValue($value));
} }
/** @noinspection PhpUnhandledExceptionInspection */ /** @noinspection PhpUnhandledExceptionInspection */
@ -85,6 +92,10 @@ class Component extends BaseComponent {
} }
} }
public function decryptValue(string $encryptedValue): string {
return Crypto::decryptWithPassword($encryptedValue, $this->encryptionKey);
}
private function getAlgorithmManager(): AlgorithmsManager { private function getAlgorithmManager(): AlgorithmsManager {
if ($this->algorithmManager === null) { if ($this->algorithmManager === null) {
$this->algorithmManager = new AlgorithmsManager([ $this->algorithmManager = new AlgorithmsManager([
@ -100,4 +111,12 @@ class Component extends BaseComponent {
return $this->algorithmManager; return $this->algorithmManager;
} }
private function prepareValue($value) {
if ($value instanceof EncryptedValue) {
return Crypto::encryptWithPassword($value->getValue(), $this->encryptionKey);
}
return $value;
}
} }

View File

@ -0,0 +1,21 @@
<?php
declare(strict_types=1);
namespace api\components\Tokens;
class EncryptedValue {
/**
* @var string
*/
private $value;
public function __construct(string $value) {
$this->value = $value;
}
public function getValue(): string {
return $this->value;
}
}

View File

@ -3,6 +3,8 @@ declare(strict_types=1);
namespace api\components\Tokens; namespace api\components\Tokens;
use api\rbac\Permissions as P;
use api\rbac\Roles as R;
use Carbon\Carbon; use Carbon\Carbon;
use common\models\Account; use common\models\Account;
use common\models\AccountSession; use common\models\AccountSession;
@ -10,16 +12,17 @@ use Lcobucci\JWT\Token;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface; use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface; use League\OAuth2\Server\Entities\ScopeEntityInterface;
use Yii; use Yii;
use yii\base\Component;
class TokensFactory { class TokensFactory extends Component {
public const SUB_ACCOUNT_PREFIX = 'ely|'; public const SUB_ACCOUNT_PREFIX = 'ely|';
public const AUD_CLIENT_PREFIX = 'client|'; public const AUD_CLIENT_PREFIX = 'client|';
public static function createForAccount(Account $account, AccountSession $session = null): Token { public function createForWebAccount(Account $account, AccountSession $session = null): Token {
$payloads = [ $payloads = [
'ely-scopes' => 'accounts_web_user', 'ely-scopes' => R::ACCOUNTS_WEB_USER,
'sub' => self::buildSub($account->id), 'sub' => $this->buildSub($account->id),
]; ];
if ($session === null) { if ($session === null) {
// If we don't remember a session, the token should live longer // If we don't remember a session, the token should live longer
@ -32,26 +35,39 @@ class TokensFactory {
return Yii::$app->tokens->create($payloads); return Yii::$app->tokens->create($payloads);
} }
public static function createForOAuthClient(AccessTokenEntityInterface $accessToken): Token { public function createForOAuthClient(AccessTokenEntityInterface $accessToken): Token {
$payloads = [ $payloads = [
'aud' => self::buildAud($accessToken->getClient()->getIdentifier()), 'aud' => $this->buildAud($accessToken->getClient()->getIdentifier()),
'ely-scopes' => implode(',', array_map(static function(ScopeEntityInterface $scope): string { 'ely-scopes' => $this->joinScopes(array_map(static function(ScopeEntityInterface $scope): string {
return $scope->getIdentifier(); return $scope->getIdentifier();
}, $accessToken->getScopes())), }, $accessToken->getScopes())),
'exp' => $accessToken->getExpiryDateTime()->getTimestamp(), 'exp' => $accessToken->getExpiryDateTime()->getTimestamp(),
]; ];
if ($accessToken->getUserIdentifier() !== null) { if ($accessToken->getUserIdentifier() !== null) {
$payloads['sub'] = self::buildSub($accessToken->getUserIdentifier()); $payloads['sub'] = $this->buildSub($accessToken->getUserIdentifier());
} }
return Yii::$app->tokens->create($payloads); return Yii::$app->tokens->create($payloads);
} }
private static function buildSub(int $accountId): string { public function createForMinecraftAccount(Account $account, string $clientToken): Token {
return Yii::$app->tokens->create([
'ely-scopes' => $this->joinScopes([P::MINECRAFT_SERVER_SESSION]),
'ely-client-token' => new EncryptedValue($clientToken),
'sub' => $this->buildSub($account->id),
'exp' => Carbon::now()->addDays(2)->getTimestamp(),
]);
}
private function joinScopes(array $scopes): string {
return implode(',', $scopes);
}
private function buildSub(int $accountId): string {
return self::SUB_ACCOUNT_PREFIX . $accountId; return self::SUB_ACCOUNT_PREFIX . $accountId;
} }
private static function buildAud(string $clientId): string { private function buildAud(string $clientId): string {
return self::AUD_CLIENT_PREFIX . $clientId; return self::AUD_CLIENT_PREFIX . $clientId;
} }

View File

@ -9,6 +9,7 @@ return [
'privateKeyPath' => codecept_data_dir('certs/private.pem'), 'privateKeyPath' => codecept_data_dir('certs/private.pem'),
'privateKeyPass' => null, 'privateKeyPass' => null,
'publicKeyPath' => codecept_data_dir('certs/public.pem'), 'publicKeyPath' => codecept_data_dir('certs/public.pem'),
'encryptionKey' => 'mock-encryption-key',
], ],
'reCaptcha' => [ 'reCaptcha' => [
'public' => 'public-key', 'public' => 'public-key',

View File

@ -21,6 +21,10 @@ return [
'privateKeyPath' => getenv('JWT_PRIVATE_KEY_PATH') ?: __DIR__ . '/../../data/certs/private.pem', 'privateKeyPath' => getenv('JWT_PRIVATE_KEY_PATH') ?: __DIR__ . '/../../data/certs/private.pem',
'privateKeyPass' => getenv('JWT_PRIVATE_KEY_PASS') ?: null, 'privateKeyPass' => getenv('JWT_PRIVATE_KEY_PASS') ?: null,
'publicKeyPath' => getenv('JWT_PUBLIC_KEY_PATH') ?: __DIR__ . '/../../data/certs/public.pem', 'publicKeyPath' => getenv('JWT_PUBLIC_KEY_PATH') ?: __DIR__ . '/../../data/certs/public.pem',
'encryptionKey' => getenv('JWT_ENCRYPTION_KEY'),
],
'tokensFactory' => [
'class' => api\components\Tokens\TokensFactory::class,
], ],
'log' => [ 'log' => [
'traceLevel' => YII_DEBUG ? 3 : 0, 'traceLevel' => YII_DEBUG ? 3 : 0,

View File

@ -4,7 +4,6 @@ declare(strict_types=1);
namespace api\models\authentication; namespace api\models\authentication;
use api\aop\annotations\CollectModelMetrics; use api\aop\annotations\CollectModelMetrics;
use api\components\Tokens\TokensFactory;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\validators\EmailActivationKeyValidator; use api\validators\EmailActivationKeyValidator;
use common\models\Account; use common\models\Account;
@ -48,7 +47,7 @@ class ConfirmEmailForm extends ApiForm {
$session->generateRefreshToken(); $session->generateRefreshToken();
Assert::true($session->save(), 'Cannot save account session model'); Assert::true($session->save(), 'Cannot save account session model');
$token = TokensFactory::createForAccount($account, $session); $token = Yii::$app->tokensFactory->createForWebAccount($account, $session);
$transaction->commit(); $transaction->commit();

View File

@ -4,7 +4,6 @@ declare(strict_types=1);
namespace api\models\authentication; namespace api\models\authentication;
use api\aop\annotations\CollectModelMetrics; use api\aop\annotations\CollectModelMetrics;
use api\components\Tokens\TokensFactory;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\traits\AccountFinder; use api\traits\AccountFinder;
use api\validators\TotpValidator; use api\validators\TotpValidator;
@ -121,7 +120,7 @@ class LoginForm extends ApiForm {
Assert::true($session->save(), 'Cannot save account session model'); Assert::true($session->save(), 'Cannot save account session model');
} }
$token = TokensFactory::createForAccount($account, $session); $token = Yii::$app->tokensFactory->createForWebAccount($account, $session);
$transaction->commit(); $transaction->commit();

View File

@ -4,7 +4,6 @@ declare(strict_types=1);
namespace api\models\authentication; namespace api\models\authentication;
use api\aop\annotations\CollectModelMetrics; use api\aop\annotations\CollectModelMetrics;
use api\components\Tokens\TokensFactory;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\validators\EmailActivationKeyValidator; use api\validators\EmailActivationKeyValidator;
use common\helpers\Error as E; use common\helpers\Error as E;
@ -56,7 +55,7 @@ class RecoverPasswordForm extends ApiForm {
Assert::true($account->save(), 'Unable activate user account.'); Assert::true($account->save(), 'Unable activate user account.');
$token = TokensFactory::createForAccount($account); $token = Yii::$app->tokensFactory->createForWebAccount($account);
$transaction->commit(); $transaction->commit();

View File

@ -4,7 +4,6 @@ declare(strict_types=1);
namespace api\models\authentication; namespace api\models\authentication;
use api\aop\annotations\CollectModelMetrics; use api\aop\annotations\CollectModelMetrics;
use api\components\Tokens\TokensFactory;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use common\helpers\Error as E; use common\helpers\Error as E;
use common\models\AccountSession; use common\models\AccountSession;
@ -47,7 +46,7 @@ class RefreshTokenForm extends ApiForm {
$transaction = Yii::$app->db->beginTransaction(); $transaction = Yii::$app->db->beginTransaction();
$token = TokensFactory::createForAccount($account, $session); $token = Yii::$app->tokensFactory->createForWebAccount($account, $session);
$session->setIp(Yii::$app->request->userIP); $session->setIp(Yii::$app->request->userIP);
$session->touch('last_refreshed_at'); $session->touch('last_refreshed_at');

View File

@ -1,11 +1,13 @@
<?php <?php
declare(strict_types=1);
namespace api\models\base; namespace api\models\base;
use yii\base\Model; use yii\base\Model;
class ApiForm extends Model { class ApiForm extends Model {
public function formName() { public function formName(): string {
return ''; return '';
} }

View File

@ -1,4 +1,6 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\controllers; namespace api\modules\authserver\controllers;
use api\controllers\Controller; use api\controllers\Controller;
@ -14,7 +16,7 @@ class AuthenticationController extends Controller {
return $behaviors; return $behaviors;
} }
public function verbs() { public function verbs(): array {
return [ return [
'authenticate' => ['POST'], 'authenticate' => ['POST'],
'refresh' => ['POST'], 'refresh' => ['POST'],
@ -24,21 +26,35 @@ class AuthenticationController extends Controller {
]; ];
} }
public function actionAuthenticate() { /**
* @return array
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function actionAuthenticate(): array {
$model = new models\AuthenticationForm(); $model = new models\AuthenticationForm();
$model->load(Yii::$app->request->post()); $model->load(Yii::$app->request->post());
return $model->authenticate()->getResponseData(true); return $model->authenticate()->getResponseData(true);
} }
public function actionRefresh() { /**
* @return array
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function actionRefresh(): array {
$model = new models\RefreshTokenForm(); $model = new models\RefreshTokenForm();
$model->load(Yii::$app->request->post()); $model->load(Yii::$app->request->post());
return $model->refresh()->getResponseData(false); return $model->refresh()->getResponseData(false);
} }
public function actionValidate() { /**
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function actionValidate(): void {
$model = new models\ValidateForm(); $model = new models\ValidateForm();
$model->load(Yii::$app->request->post()); $model->load(Yii::$app->request->post());
$model->validateToken(); $model->validateToken();
@ -46,7 +62,11 @@ class AuthenticationController extends Controller {
// In case of an error, an exception is thrown which will be processed by ErrorHandler // In case of an error, an exception is thrown which will be processed by ErrorHandler
} }
public function actionSignout() { /**
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function actionSignout(): void {
$model = new models\SignoutForm(); $model = new models\SignoutForm();
$model->load(Yii::$app->request->post()); $model->load(Yii::$app->request->post());
$model->signout(); $model->signout();
@ -54,7 +74,10 @@ class AuthenticationController extends Controller {
// In case of an error, an exception is thrown which will be processed by ErrorHandler // In case of an error, an exception is thrown which will be processed by ErrorHandler
} }
public function actionInvalidate() { /**
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function actionInvalidate(): void {
$model = new models\InvalidateForm(); $model = new models\InvalidateForm();
$model->load(Yii::$app->request->post()); $model->load(Yii::$app->request->post());
$model->invalidateToken(); $model->invalidateToken();

View File

@ -1,39 +1,47 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use common\models\MinecraftAccessKey; use common\models\Account;
use Lcobucci\JWT\Token;
class AuthenticateData { class AuthenticateData {
/** /**
* @var MinecraftAccessKey * @var Account
*/ */
private $minecraftAccessKey; private $account;
public function __construct(MinecraftAccessKey $minecraftAccessKey) { /**
$this->minecraftAccessKey = $minecraftAccessKey; * @var Token
} */
private $accessToken;
public function getMinecraftAccessKey(): MinecraftAccessKey { /**
return $this->minecraftAccessKey; * @var string
*/
private $clientToken;
public function __construct(Account $account, string $accessToken, string $clientToken) {
$this->account = $account;
$this->accessToken = $accessToken;
$this->clientToken = $clientToken;
} }
public function getResponseData(bool $includeAvailableProfiles = false): array { public function getResponseData(bool $includeAvailableProfiles = false): array {
$accessKey = $this->minecraftAccessKey;
$account = $accessKey->account;
$result = [ $result = [
'accessToken' => $accessKey->access_token, 'accessToken' => $this->accessToken,
'clientToken' => $accessKey->client_token, 'clientToken' => $this->clientToken,
'selectedProfile' => [ 'selectedProfile' => [
'id' => $account->uuid, 'id' => $this->account->uuid,
'name' => $account->username, 'name' => $this->account->username,
'legacy' => false, 'legacy' => false,
], ],
]; ];
if ($includeAvailableProfiles) { if ($includeAvailableProfiles) {
// The Moiangs themselves haven't come up with anything yet with these availableProfiles // The Mojang themselves haven't come up with anything yet with these availableProfiles
$availableProfiles[0] = $result['selectedProfile']; $availableProfiles[0] = $result['selectedProfile'];
$result['availableProfiles'] = $availableProfiles; $result['availableProfiles'] = $availableProfiles;
} }

View File

@ -1,4 +1,6 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use api\models\authentication\LoginForm; use api\models\authentication\LoginForm;
@ -9,17 +11,26 @@ use api\modules\authserver\validators\ClientTokenValidator;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use common\helpers\Error as E; use common\helpers\Error as E;
use common\models\Account; use common\models\Account;
use common\models\MinecraftAccessKey; use Yii;
class AuthenticationForm extends ApiForm { class AuthenticationForm extends ApiForm {
/**
* @var string
*/
public $username; public $username;
/**
* @var string
*/
public $password; public $password;
/**
* @var string
*/
public $clientToken; public $clientToken;
public function rules() { public function rules(): array {
return [ return [
[['username', 'password', 'clientToken'], RequiredValidator::class], [['username', 'password', 'clientToken'], RequiredValidator::class],
[['clientToken'], ClientTokenValidator::class], [['clientToken'], ClientTokenValidator::class],
@ -28,14 +39,16 @@ class AuthenticationForm extends ApiForm {
/** /**
* @return AuthenticateData * @return AuthenticateData
* @throws \api\modules\authserver\exceptions\AuthserverException * @throws \api\modules\authserver\exceptions\IllegalArgumentException
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
*/ */
public function authenticate() { public function authenticate(): AuthenticateData {
// This validating method will throw an exception in case when validation will not pass successfully
$this->validate(); $this->validate();
Authserver::info("Trying to authenticate user by login = '{$this->username}'."); Authserver::info("Trying to authenticate user by login = '{$this->username}'.");
$loginForm = $this->createLoginForm(); $loginForm = new LoginForm();
$loginForm->login = $this->username; $loginForm->login = $this->username;
$loginForm->password = $this->password; $loginForm->password = $this->password;
if (!$loginForm->validate()) { if (!$loginForm->validate()) {
@ -68,37 +81,14 @@ class AuthenticationForm extends ApiForm {
throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password."); throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password.");
} }
/** @var Account $account */
$account = $loginForm->getAccount(); $account = $loginForm->getAccount();
$accessTokenModel = $this->createMinecraftAccessToken($account); $token = Yii::$app->tokensFactory->createForMinecraftAccount($account, $this->clientToken);
$dataModel = new AuthenticateData($accessTokenModel); $dataModel = new AuthenticateData($account, (string)$token, $this->clientToken);
Authserver::info("User with id = {$account->id}, username = '{$account->username}' and email = '{$account->email}' successfully logged in."); Authserver::info("User with id = {$account->id}, username = '{$account->username}' and email = '{$account->email}' successfully logged in.");
return $dataModel; return $dataModel;
} }
protected function createMinecraftAccessToken(Account $account): MinecraftAccessKey {
/** @var MinecraftAccessKey|null $accessTokenModel */
$accessTokenModel = MinecraftAccessKey::findOne([
'account_id' => $account->id,
'client_token' => $this->clientToken,
]);
if ($accessTokenModel === null) {
$accessTokenModel = new MinecraftAccessKey();
$accessTokenModel->client_token = $this->clientToken;
$accessTokenModel->account_id = $account->id;
$accessTokenModel->insert();
} else {
$accessTokenModel->refreshPrimaryKeyValue();
$accessTokenModel->update();
}
return $accessTokenModel;
}
protected function createLoginForm(): LoginForm {
return new LoginForm();
}
} }

View File

@ -1,17 +1,24 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use common\models\MinecraftAccessKey;
class InvalidateForm extends ApiForm { class InvalidateForm extends ApiForm {
/**
* @var string
*/
public $accessToken; public $accessToken;
/**
* @var string
*/
public $clientToken; public $clientToken;
public function rules() { public function rules(): array {
return [ return [
[['accessToken', 'clientToken'], RequiredValidator::class], [['accessToken', 'clientToken'], RequiredValidator::class],
]; ];
@ -19,19 +26,12 @@ class InvalidateForm extends ApiForm {
/** /**
* @return bool * @return bool
* @throws \api\modules\authserver\exceptions\AuthserverException * @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/ */
public function invalidateToken(): bool { public function invalidateToken(): bool {
$this->validate(); $this->validate();
$token = MinecraftAccessKey::findOne([ // We're can't invalidate access token because it's not stored in our database
'access_token' => $this->accessToken,
'client_token' => $this->clientToken,
]);
if ($token !== null) {
$token->delete();
}
return true; return true;
} }

View File

@ -1,48 +1,71 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\modules\authserver\exceptions\ForbiddenOperationException; use api\modules\authserver\exceptions\ForbiddenOperationException;
use api\modules\authserver\validators\AccessTokenValidator;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use common\models\Account; use common\models\Account;
use common\models\MinecraftAccessKey; use common\models\MinecraftAccessKey;
use Yii;
class RefreshTokenForm extends ApiForm { class RefreshTokenForm extends ApiForm {
/**
* @var string
*/
public $accessToken; public $accessToken;
/**
* @var string
*/
public $clientToken; public $clientToken;
public function rules() { public function rules(): array {
return [ return [
[['accessToken', 'clientToken'], RequiredValidator::class], [['accessToken', 'clientToken'], RequiredValidator::class],
[['accessToken'], AccessTokenValidator::class, 'verifyExpiration' => false],
]; ];
} }
/** /**
* @return AuthenticateData * @return AuthenticateData
* @throws \api\modules\authserver\exceptions\AuthserverException * @throws \api\modules\authserver\exceptions\IllegalArgumentException
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
*/ */
public function refresh() { public function refresh(): AuthenticateData {
$this->validate(); $this->validate();
/** @var MinecraftAccessKey|null $accessToken */ if (mb_strlen($this->accessToken) === 36) {
$accessToken = MinecraftAccessKey::findOne([ /** @var MinecraftAccessKey $token */
$token = MinecraftAccessKey::findOne([
'access_token' => $this->accessToken, 'access_token' => $this->accessToken,
'client_token' => $this->clientToken, 'client_token' => $this->clientToken,
]); ]);
if ($accessToken === null) { $account = $token->account;
} else {
$token = Yii::$app->tokens->parse($this->accessToken);
$encodedClientToken = $token->getClaim('ely-client-token');
$clientToken = Yii::$app->tokens->decryptValue($encodedClientToken);
if ($clientToken !== $this->clientToken) {
throw new ForbiddenOperationException('Invalid token.'); throw new ForbiddenOperationException('Invalid token.');
} }
if ($accessToken->account->status === Account::STATUS_BANNED) { $accountClaim = $token->getClaim('sub');
$accountId = (int)explode('|', $accountClaim)[1];
$account = Account::findOne(['id' => $accountId]);
}
if ($account === null || $account->status === Account::STATUS_BANNED) {
throw new ForbiddenOperationException('This account has been suspended.'); throw new ForbiddenOperationException('This account has been suspended.');
} }
$accessToken->refreshPrimaryKeyValue(); $token = Yii::$app->tokensFactory->createForMinecraftAccount($account, $this->clientToken);
$accessToken->update();
return new AuthenticateData($accessToken); return new AuthenticateData($account, (string)$token, $this->clientToken);
} }
} }

View File

@ -1,4 +1,6 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use api\models\authentication\LoginForm; use api\models\authentication\LoginForm;
@ -6,21 +8,30 @@ use api\models\base\ApiForm;
use api\modules\authserver\exceptions\ForbiddenOperationException; use api\modules\authserver\exceptions\ForbiddenOperationException;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use common\helpers\Error as E; use common\helpers\Error as E;
use common\models\MinecraftAccessKey;
use Yii;
class SignoutForm extends ApiForm { class SignoutForm extends ApiForm {
/**
* @var string
*/
public $username; public $username;
/**
* @var string
*/
public $password; public $password;
public function rules() { public function rules(): array {
return [ return [
[['username', 'password'], RequiredValidator::class], [['username', 'password'], RequiredValidator::class],
]; ];
} }
/**
* @return bool
* @throws ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function signout(): bool { public function signout(): bool {
$this->validate(); $this->validate();
@ -44,16 +55,7 @@ class SignoutForm extends ApiForm {
throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password."); throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password.");
} }
$account = $loginForm->getAccount(); // We're unable to invalidate access tokens because they aren't stored in our database
/** @noinspection SqlResolve */
Yii::$app->db->createCommand('
DELETE
FROM ' . MinecraftAccessKey::tableName() . '
WHERE account_id = :userId
', [
'userId' => $account->id,
])->execute();
return true; return true;
} }

View File

@ -1,35 +1,33 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\models; namespace api\modules\authserver\models;
use api\models\base\ApiForm; use api\models\base\ApiForm;
use api\modules\authserver\exceptions\ForbiddenOperationException; use api\modules\authserver\validators\AccessTokenValidator;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use common\models\MinecraftAccessKey;
class ValidateForm extends ApiForm { class ValidateForm extends ApiForm {
/**
* @var string
*/
public $accessToken; public $accessToken;
public function rules() { public function rules(): array {
return [ return [
[['accessToken'], RequiredValidator::class], [['accessToken'], RequiredValidator::class],
[['accessToken'], AccessTokenValidator::class],
]; ];
} }
/**
* @return bool
* @throws \api\modules\authserver\exceptions\ForbiddenOperationException
* @throws \api\modules\authserver\exceptions\IllegalArgumentException
*/
public function validateToken(): bool { public function validateToken(): bool {
$this->validate(); return $this->validate();
/** @var MinecraftAccessKey|null $result */
$result = MinecraftAccessKey::findOne($this->accessToken);
if ($result === null) {
throw new ForbiddenOperationException('Invalid token.');
}
if ($result->isExpired()) {
throw new ForbiddenOperationException('Token expired.');
}
return true;
} }
} }

View File

@ -0,0 +1,69 @@
<?php
declare(strict_types=1);
namespace api\modules\authserver\validators;
use api\modules\authserver\exceptions\ForbiddenOperationException;
use Carbon\Carbon;
use common\models\MinecraftAccessKey;
use Exception;
use Lcobucci\JWT\ValidationData;
use Yii;
use yii\validators\Validator;
class AccessTokenValidator extends Validator {
/**
* @var bool
*/
public $verifyExpiration = true;
/**
* @param string $value
*
* @return array|null
* @throws ForbiddenOperationException
*/
protected function validateValue($value): ?array {
if (mb_strlen($value) === 36) {
return $this->validateLegacyToken($value);
}
try {
$token = Yii::$app->tokens->parse($value);
} catch (Exception $e) {
throw new ForbiddenOperationException('Invalid token.');
}
if (!Yii::$app->tokens->verify($token)) {
throw new ForbiddenOperationException('Invalid token.');
}
if ($this->verifyExpiration && !$token->validate(new ValidationData(Carbon::now()->getTimestamp()))) {
throw new ForbiddenOperationException('Token expired.');
}
return null;
}
/**
* @param string $value
*
* @return array|null
* @throws ForbiddenOperationException
*/
private function validateLegacyToken(string $value): ?array {
/** @var MinecraftAccessKey|null $result */
$result = MinecraftAccessKey::findOne(['access_token' => $value]);
if ($result === null) {
throw new ForbiddenOperationException('Invalid token.');
}
if ($this->verifyExpiration && $result->isExpired()) {
throw new ForbiddenOperationException('Token expired.');
}
return null;
}
}

View File

@ -1,20 +1,23 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\validators; namespace api\modules\authserver\validators;
use api\modules\authserver\exceptions\IllegalArgumentException; use api\modules\authserver\exceptions\IllegalArgumentException;
use yii\validators\Validator;
/** /**
* The maximum length of clientToken for our database is 255. * The maximum length of clientToken for our database is 255.
* If the token is longer, we do not accept the passed token at all. * If the token is longer, we do not accept the passed token at all.
*/ */
class ClientTokenValidator extends \yii\validators\RequiredValidator { class ClientTokenValidator extends Validator {
/** /**
* @param string $value * @param string $value
* @return null * @return null
* @throws \api\modules\authserver\exceptions\AuthserverException * @throws \api\modules\authserver\exceptions\AuthserverException
*/ */
protected function validateValue($value) { protected function validateValue($value): ?array {
if (mb_strlen($value) > 255) { if (mb_strlen($value) > 255) {
throw new IllegalArgumentException('clientToken is too long.'); throw new IllegalArgumentException('clientToken is too long.');
} }

View File

@ -1,4 +1,6 @@
<?php <?php
declare(strict_types=1);
namespace api\modules\authserver\validators; namespace api\modules\authserver\validators;
use api\modules\authserver\exceptions\IllegalArgumentException; use api\modules\authserver\exceptions\IllegalArgumentException;
@ -14,7 +16,7 @@ class RequiredValidator extends \yii\validators\RequiredValidator {
* @return null * @return null
* @throws \api\modules\authserver\exceptions\AuthserverException * @throws \api\modules\authserver\exceptions\AuthserverException
*/ */
protected function validateValue($value) { protected function validateValue($value): ?array {
if (parent::validateValue($value) !== null) { if (parent::validateValue($value) !== null) {
throw new IllegalArgumentException(); throw new IllegalArgumentException();
} }

View File

@ -1,26 +0,0 @@
<?php
namespace api\tests\_pages;
class AuthserverRoute extends BasePage {
public function authenticate($params) {
$this->getActor()->sendPOST('/api/authserver/authentication/authenticate', $params);
}
public function refresh($params) {
$this->getActor()->sendPOST('/api/authserver/authentication/refresh', $params);
}
public function validate($params) {
$this->getActor()->sendPOST('/api/authserver/authentication/validate', $params);
}
public function invalidate($params) {
$this->getActor()->sendPOST('/api/authserver/authentication/invalidate', $params);
}
public function signout($params) {
$this->getActor()->sendPOST('/api/authserver/authentication/signout', $params);
}
}

View File

@ -3,7 +3,6 @@ declare(strict_types=1);
namespace api\tests; namespace api\tests;
use api\components\Tokens\TokensFactory;
use api\tests\_generated\FunctionalTesterActions; use api\tests\_generated\FunctionalTesterActions;
use Codeception\Actor; use Codeception\Actor;
use common\models\Account; use common\models\Account;
@ -20,7 +19,7 @@ class FunctionalTester extends Actor {
throw new InvalidArgumentException("Cannot find account with username \"{$asUsername}\""); throw new InvalidArgumentException("Cannot find account with username \"{$asUsername}\"");
} }
$token = TokensFactory::createForAccount($account); $token = Yii::$app->tokensFactory->createForWebAccount($account);
$this->amBearerAuthenticated((string)$token); $this->amBearerAuthenticated((string)$token);
return $account->id; return $account->id;

View File

@ -3,16 +3,14 @@ declare(strict_types=1);
namespace api\tests\functional\_steps; namespace api\tests\functional\_steps;
use api\tests\_pages\AuthserverRoute;
use api\tests\FunctionalTester; use api\tests\FunctionalTester;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
class AuthserverSteps extends FunctionalTester { class AuthserverSteps extends FunctionalTester {
public function amAuthenticated(string $asUsername = 'admin', string $password = 'password_0') { public function amAuthenticated(string $asUsername = 'admin', string $password = 'password_0'): array {
$route = new AuthserverRoute($this);
$clientToken = Uuid::uuid4()->toString(); $clientToken = Uuid::uuid4()->toString();
$route->authenticate([ $this->sendPOST('/api/authserver/authentication/authenticate', [
'username' => $asUsername, 'username' => $asUsername,
'password' => $password, 'password' => $password,
'clientToken' => $clientToken, 'clientToken' => $clientToken,

View File

@ -1,48 +1,38 @@
<?php <?php
declare(strict_types=1);
namespace api\tests\functional\authserver; namespace api\tests\functional\authserver;
use api\tests\_pages\AuthserverRoute;
use api\tests\FunctionalTester; use api\tests\FunctionalTester;
use Codeception\Example;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
class AuthorizationCest { class AuthorizationCest {
/** /**
* @var AuthserverRoute * @example {"login": "admin", "password": "password_0"}
* @example {"login": "admin@ely.by", "password": "password_0"}
*/ */
private $route; public function byFormParamsPostRequest(FunctionalTester $I, Example $example) {
public function _before(FunctionalTester $I) {
$this->route = new AuthserverRoute($I);
}
public function byName(FunctionalTester $I) {
$I->wantTo('authenticate by username and password'); $I->wantTo('authenticate by username and password');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'admin', 'username' => $example['login'],
'password' => 'password_0', 'password' => $example['password'],
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
]); ]);
$this->testSuccessResponse($I); $this->testSuccessResponse($I);
} }
public function byEmail(FunctionalTester $I) { /**
$I->wantTo('authenticate by email and password'); * @example {"login": "admin", "password": "password_0"}
$this->route->authenticate([ * @example {"login": "admin@ely.by", "password": "password_0"}
'username' => 'admin@ely.by', */
'password' => 'password_0', public function byJsonPostRequest(FunctionalTester $I, Example $example) {
'clientToken' => Uuid::uuid4()->toString(),
]);
$this->testSuccessResponse($I);
}
public function byNamePassedViaPOSTBody(FunctionalTester $I) {
$I->wantTo('authenticate by username and password sent via post body'); $I->wantTo('authenticate by username and password sent via post body');
$this->route->authenticate(json_encode([ $I->sendPOST('/api/authserver/authentication/authenticate', json_encode([
'username' => 'admin', 'username' => $example['login'],
'password' => 'password_0', 'password' => $example['password'],
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
])); ]));
@ -51,7 +41,7 @@ class AuthorizationCest {
public function byEmailWithEnabledTwoFactorAuth(FunctionalTester $I) { public function byEmailWithEnabledTwoFactorAuth(FunctionalTester $I) {
$I->wantTo('get valid error by authenticate account with enabled two factor auth'); $I->wantTo('get valid error by authenticate account with enabled two factor auth');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'otp@gmail.com', 'username' => 'otp@gmail.com',
'password' => 'password_0', 'password' => 'password_0',
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
@ -64,30 +54,9 @@ class AuthorizationCest {
]); ]);
} }
public function byEmailWithParamsAsJsonInPostBody(FunctionalTester $I) {
$I->wantTo('authenticate by email and password, passing values as serialized string in post body');
$this->route->authenticate(json_encode([
'username' => 'admin@ely.by',
'password' => 'password_0',
'clientToken' => Uuid::uuid4()->toString(),
]));
$this->testSuccessResponse($I);
}
public function longClientToken(FunctionalTester $I) {
$I->wantTo('send non uuid clientToken, but less then 255 characters');
$this->route->authenticate([
'username' => 'admin@ely.by',
'password' => 'password_0',
'clientToken' => str_pad('', 255, 'x'),
]);
$this->testSuccessResponse($I);
}
public function tooLongClientToken(FunctionalTester $I) { public function tooLongClientToken(FunctionalTester $I) {
$I->wantTo('send non uuid clientToken with more then 255 characters length'); $I->wantTo('send non uuid clientToken with more then 255 characters length');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'admin@ely.by', 'username' => 'admin@ely.by',
'password' => 'password_0', 'password' => 'password_0',
'clientToken' => str_pad('', 256, 'x'), 'clientToken' => str_pad('', 256, 'x'),
@ -102,7 +71,7 @@ class AuthorizationCest {
public function wrongArguments(FunctionalTester $I) { public function wrongArguments(FunctionalTester $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'key' => 'value', 'key' => 'value',
]); ]);
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
@ -115,7 +84,7 @@ class AuthorizationCest {
public function wrongNicknameAndPassword(FunctionalTester $I) { public function wrongNicknameAndPassword(FunctionalTester $I) {
$I->wantTo('authenticate by username and password with wrong data'); $I->wantTo('authenticate by username and password with wrong data');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'nonexistent_user', 'username' => 'nonexistent_user',
'password' => 'nonexistent_password', 'password' => 'nonexistent_password',
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
@ -130,7 +99,7 @@ class AuthorizationCest {
public function bannedAccount(FunctionalTester $I) { public function bannedAccount(FunctionalTester $I) {
$I->wantTo('authenticate in suspended account'); $I->wantTo('authenticate in suspended account');
$this->route->authenticate([ $I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'Banned', 'username' => 'Banned',
'password' => 'password_0', 'password' => 'password_0',
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),

View File

@ -3,25 +3,15 @@ declare(strict_types=1);
namespace api\tests\functional\authserver; namespace api\tests\functional\authserver;
use api\tests\_pages\AuthserverRoute;
use api\tests\functional\_steps\AuthserverSteps; use api\tests\functional\_steps\AuthserverSteps;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
class InvalidateCest { class InvalidateCest {
/**
* @var AuthserverRoute
*/
private $route;
public function _before(AuthserverSteps $I) {
$this->route = new AuthserverRoute($I);
}
public function invalidate(AuthserverSteps $I) { public function invalidate(AuthserverSteps $I) {
$I->wantTo('invalidate my token'); $I->wantTo('invalidate my token');
[$accessToken, $clientToken] = $I->amAuthenticated(); [$accessToken, $clientToken] = $I->amAuthenticated();
$this->route->invalidate([ $I->sendPOST('/api/authserver/authentication/invalidate', [
'accessToken' => $accessToken, 'accessToken' => $accessToken,
'clientToken' => $clientToken, 'clientToken' => $clientToken,
]); ]);
@ -31,7 +21,7 @@ class InvalidateCest {
public function wrongArguments(AuthserverSteps $I) { public function wrongArguments(AuthserverSteps $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$this->route->invalidate([ $I->sendPOST('/api/authserver/authentication/invalidate', [
'key' => 'value', 'key' => 'value',
]); ]);
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
@ -44,7 +34,7 @@ class InvalidateCest {
public function wrongAccessTokenOrClientToken(AuthserverSteps $I) { public function wrongAccessTokenOrClientToken(AuthserverSteps $I) {
$I->wantTo('invalidate by wrong client and access token'); $I->wantTo('invalidate by wrong client and access token');
$this->route->invalidate([ $I->sendPOST('/api/authserver/authentication/invalidate', [
'accessToken' => Uuid::uuid4()->toString(), 'accessToken' => Uuid::uuid4()->toString(),
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
]); ]);

View File

@ -1,42 +1,49 @@
<?php <?php
declare(strict_types=1);
namespace api\tests\functional\authserver; namespace api\tests\functional\authserver;
use api\tests\_pages\AuthserverRoute;
use api\tests\functional\_steps\AuthserverSteps; use api\tests\functional\_steps\AuthserverSteps;
use Codeception\Example;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
class RefreshCest { class RefreshCest {
/**
* @var AuthserverRoute
*/
private $route;
public function _before(AuthserverSteps $I) {
$this->route = new AuthserverRoute($I);
}
public function refresh(AuthserverSteps $I) { public function refresh(AuthserverSteps $I) {
$I->wantTo('refresh my accessToken'); $I->wantTo('refresh accessToken');
[$accessToken, $clientToken] = $I->amAuthenticated(); [$accessToken, $clientToken] = $I->amAuthenticated();
$this->route->refresh([ $I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => $accessToken, 'accessToken' => $accessToken,
'clientToken' => $clientToken, 'clientToken' => $clientToken,
]); ]);
$this->assertSuccessResponse($I);
}
$I->seeResponseCodeIs(200); public function refreshLegacyAccessToken(AuthserverSteps $I) {
$I->seeResponseIsJson(); $I->wantTo('refresh legacy accessToken');
$I->canSeeResponseJsonMatchesJsonPath('$.accessToken'); $I->sendPOST('/api/authserver/authentication/refresh', [
$I->canSeeResponseJsonMatchesJsonPath('$.clientToken'); 'accessToken' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.id'); 'clientToken' => '6f380440-0c05-47bd-b7c6-d011f1b5308f',
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.name'); ]);
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.legacy'); $this->assertSuccessResponse($I);
$I->cantSeeResponseJsonMatchesJsonPath('$.availableProfiles'); }
/**
* @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU0Nzk1NTMsImV4cCI6MTU3NTY1MjM1MywiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJkZWY1MDIwMDE2ZTEzMTBmMzM2YzVjYWQzZDdiMTJmYjcyNmVhYzdlYjgyOGUzMzg1MzBhMmFmODdkZTJhMjRiMTVmNzAxNWQ1MjU1MjhiNGZiMjgzMTgxOTA2ODhlMWE4Njk5MjAwMzBlMTQyZmQ5ZWM5ODBlZDkzMWI1Mzc2MzgyMTliMjVjMjI1MjQyYzdmMjgzMjE0NjcyNDg3ZDQ4MTYxYjMwMGU1MGIzYWJlMTYwYjVkMmE4ZWMyMzMwMGJhMGNlMTg3MzYyYTgyMjJiYjQ4OTU0MzM4MDJiNTBlZDBhYzFhMWUwZDk3NDgxNDciLCJzdWIiOiJlbHl8MSJ9.PuM-8rzj4qtD9l0lUANSIWC8yjJe8ifarOYsAjc3r4iYFt0P6za-gzJEPncDC80oCXsYVlJHtrEypcsB9wJFSg", "clientToken": "d1b1162c-3d73-4b35-b64f-7bf68bd0e853"}
* @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"}
*/
public function refreshExpiredToken(AuthserverSteps $I, Example $example) {
$I->wantTo('refresh legacy accessToken');
$I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => $example['accessToken'],
'clientToken' => $example['clientToken'],
]);
$this->assertSuccessResponse($I);
} }
public function wrongArguments(AuthserverSteps $I) { public function wrongArguments(AuthserverSteps $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$this->route->refresh([ $I->sendPOST('/api/authserver/authentication/refresh', [
'key' => 'value', 'key' => 'value',
]); ]);
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
@ -49,7 +56,7 @@ class RefreshCest {
public function wrongAccessToken(AuthserverSteps $I) { public function wrongAccessToken(AuthserverSteps $I) {
$I->wantTo('get error on wrong access or client tokens'); $I->wantTo('get error on wrong access or client tokens');
$this->route->refresh([ $I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => Uuid::uuid4()->toString(), 'accessToken' => Uuid::uuid4()->toString(),
'clientToken' => Uuid::uuid4()->toString(), 'clientToken' => Uuid::uuid4()->toString(),
]); ]);
@ -63,7 +70,7 @@ class RefreshCest {
public function refreshTokenFromBannedUser(AuthserverSteps $I) { public function refreshTokenFromBannedUser(AuthserverSteps $I) {
$I->wantTo('refresh token from suspended account'); $I->wantTo('refresh token from suspended account');
$this->route->refresh([ $I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => '918ecb41-616c-40ee-a7d2-0b0ef0d0d732', 'accessToken' => '918ecb41-616c-40ee-a7d2-0b0ef0d0d732',
'clientToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', 'clientToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2',
]); ]);
@ -74,4 +81,15 @@ class RefreshCest {
]); ]);
} }
private function assertSuccessResponse(AuthserverSteps $I) {
$I->seeResponseCodeIs(200);
$I->seeResponseIsJson();
$I->canSeeResponseJsonMatchesJsonPath('$.accessToken');
$I->canSeeResponseJsonMatchesJsonPath('$.clientToken');
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.id');
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.name');
$I->canSeeResponseJsonMatchesJsonPath('$.selectedProfile.legacy');
$I->cantSeeResponseJsonMatchesJsonPath('$.availableProfiles');
}
} }

View File

@ -1,35 +1,22 @@
<?php <?php
declare(strict_types=1);
namespace api\tests\functional\authserver; namespace api\tests\functional\authserver;
use api\tests\_pages\AuthserverRoute;
use api\tests\functional\_steps\AuthserverSteps; use api\tests\functional\_steps\AuthserverSteps;
use Codeception\Example;
class SignoutCest { class SignoutCest {
/** /**
* @var AuthserverRoute * @example {"login": "admin", "password": "password_0"}
* @example {"login": "admin@ely.by", "password": "password_0"}
*/ */
private $route; public function signout(AuthserverSteps $I, Example $example) {
public function _before(AuthserverSteps $I) {
$this->route = new AuthserverRoute($I);
}
public function byName(AuthserverSteps $I) {
$I->wantTo('signout by nickname and password'); $I->wantTo('signout by nickname and password');
$this->route->signout([ $I->sendPOST('/api/authserver/authentication/signout', [
'username' => 'admin', 'username' => $example['login'],
'password' => 'password_0', 'password' => $example['password'],
]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseEquals('');
}
public function byEmail(AuthserverSteps $I) {
$I->wantTo('signout by email and password');
$this->route->signout([
'username' => 'admin@ely.by',
'password' => 'password_0',
]); ]);
$I->canSeeResponseCodeIs(200); $I->canSeeResponseCodeIs(200);
$I->canSeeResponseEquals(''); $I->canSeeResponseEquals('');
@ -37,7 +24,7 @@ class SignoutCest {
public function wrongArguments(AuthserverSteps $I) { public function wrongArguments(AuthserverSteps $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$this->route->signout([ $I->sendPOST('/api/authserver/authentication/signout', [
'key' => 'value', 'key' => 'value',
]); ]);
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
@ -50,7 +37,7 @@ class SignoutCest {
public function wrongNicknameAndPassword(AuthserverSteps $I) { public function wrongNicknameAndPassword(AuthserverSteps $I) {
$I->wantTo('signout by nickname and password with wrong data'); $I->wantTo('signout by nickname and password with wrong data');
$this->route->signout([ $I->sendPOST('/api/authserver/authentication/signout', [
'username' => 'nonexistent_user', 'username' => 'nonexistent_user',
'password' => 'nonexistent_password', 'password' => 'nonexistent_password',
]); ]);
@ -64,7 +51,7 @@ class SignoutCest {
public function bannedAccount(AuthserverSteps $I) { public function bannedAccount(AuthserverSteps $I) {
$I->wantTo('signout from banned account'); $I->wantTo('signout from banned account');
$this->route->signout([ $I->sendPOST('/api/authserver/authentication/signout', [
'username' => 'Banned', 'username' => 'Banned',
'password' => 'password_0', 'password' => 'password_0',
]); ]);

View File

@ -1,34 +1,35 @@
<?php <?php
declare(strict_types=1);
namespace api\tests\functional\authserver; namespace api\tests\functional\authserver;
use api\tests\_pages\AuthserverRoute;
use api\tests\functional\_steps\AuthserverSteps; use api\tests\functional\_steps\AuthserverSteps;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
class ValidateCest { class ValidateCest {
/**
* @var AuthserverRoute
*/
private $route;
public function _before(AuthserverSteps $I) {
$this->route = new AuthserverRoute($I);
}
public function validate(AuthserverSteps $I) { public function validate(AuthserverSteps $I) {
$I->wantTo('validate my accessToken'); $I->wantTo('validate my accessToken');
[$accessToken] = $I->amAuthenticated(); [$accessToken] = $I->amAuthenticated();
$this->route->validate([ $I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => $accessToken, 'accessToken' => $accessToken,
]); ]);
$I->seeResponseCodeIs(200); $I->seeResponseCodeIs(200);
$I->canSeeResponseEquals(''); $I->canSeeResponseEquals('');
} }
public function validateLegacyToken(AuthserverSteps $I) {
$I->wantTo('validate my legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
]);
$I->seeResponseCodeIs(200);
$I->canSeeResponseEquals('');
}
public function wrongArguments(AuthserverSteps $I) { public function wrongArguments(AuthserverSteps $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$this->route->validate([ $I->sendPOST('/api/authserver/authentication/validate', [
'key' => 'value', 'key' => 'value',
]); ]);
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
@ -41,7 +42,7 @@ class ValidateCest {
public function wrongAccessToken(AuthserverSteps $I) { public function wrongAccessToken(AuthserverSteps $I) {
$I->wantTo('get error on wrong accessToken'); $I->wantTo('get error on wrong accessToken');
$this->route->validate([ $I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => Uuid::uuid4()->toString(), 'accessToken' => Uuid::uuid4()->toString(),
]); ]);
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
@ -54,9 +55,21 @@ class ValidateCest {
public function expiredAccessToken(AuthserverSteps $I) { public function expiredAccessToken(AuthserverSteps $I) {
$I->wantTo('get error on expired accessToken'); $I->wantTo('get error on expired accessToken');
$this->route->validate([ $I->sendPOST('/api/authserver/authentication/validate', [
// Knowingly expired token from the dump 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU0Nzk1NTMsImV4cCI6MTU3NTQ3OTU1MywiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJyZW1vdmVkIiwic3ViIjoiZWx5fDEifQ.xDMs5B48nH6p3a1k3WoZKtW4zoNHGGaLD1OGTFte-sUJb2fNMR65LuuBW8DzqO2odgco2xX660zqbhB-tp2OsA',
'accessToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', ]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Token expired.',
]);
}
public function expiredLegacyAccessToken(AuthserverSteps $I) {
$I->wantTo('get error on expired legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', // Already expired token from the fixtures
]); ]);
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
$I->canSeeResponseIsJson(); $I->canSeeResponseIsJson();

View File

@ -14,7 +14,9 @@ class TokensFactoryTest extends TestCase {
$account = new Account(); $account = new Account();
$account->id = 1; $account->id = 1;
$token = TokensFactory::createForAccount($account); $factory = new TokensFactory();
$token = $factory->createForWebAccount($account);
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1); $this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1);
$this->assertEqualsWithDelta(time() + 60 * 60 * 24 * 7, $token->getClaim('exp'), 2); $this->assertEqualsWithDelta(time() + 60 * 60 * 24 * 7, $token->getClaim('exp'), 2);
$this->assertSame('ely|1', $token->getClaim('sub')); $this->assertSame('ely|1', $token->getClaim('sub'));
@ -24,7 +26,7 @@ class TokensFactoryTest extends TestCase {
$session = new AccountSession(); $session = new AccountSession();
$session->id = 2; $session->id = 2;
$token = TokensFactory::createForAccount($account, $session); $token = $factory->createForWebAccount($account, $session);
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1); $this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1);
$this->assertEqualsWithDelta(time() + 3600, $token->getClaim('exp'), 2); $this->assertEqualsWithDelta(time() + 3600, $token->getClaim('exp'), 2);
$this->assertSame('ely|1', $token->getClaim('sub')); $this->assertSame('ely|1', $token->getClaim('sub'));

View File

@ -79,7 +79,7 @@ class AuthenticationFormTest extends TestCase {
$result = $authForm->authenticate(); $result = $authForm->authenticate();
$this->assertInstanceOf(AuthenticateData::class, $result); $this->assertInstanceOf(AuthenticateData::class, $result);
$this->assertSame($minecraftAccessKey->access_token, $result->getMinecraftAccessKey()->access_token); $this->assertSame($minecraftAccessKey->access_token, $result->getToken()->access_token);
} }
public function testCreateMinecraftAccessToken() { public function testCreateMinecraftAccessToken() {

View File

@ -24,7 +24,6 @@ class Yii extends \yii\BaseYii {
* @property \mito\sentry\Component $sentry * @property \mito\sentry\Component $sentry
* @property \common\components\StatsD $statsd * @property \common\components\StatsD $statsd
* @property \yii\queue\Queue $queue * @property \yii\queue\Queue $queue
* @property \api\components\Tokens\Component $tokens
*/ */
abstract class BaseApplication extends yii\base\Application { abstract class BaseApplication extends yii\base\Application {
} }
@ -33,9 +32,11 @@ abstract class BaseApplication extends yii\base\Application {
* Class WebApplication * Class WebApplication
* Include only Web application related components here * Include only Web application related components here
* *
* @property \api\components\User\Component $user User component. * @property \api\components\User\Component $user
* @property \api\components\ReCaptcha\Component $reCaptcha * @property \api\components\ReCaptcha\Component $reCaptcha
* @property \api\components\OAuth2\Component $oauth * @property \api\components\OAuth2\Component $oauth
* @property \api\components\Tokens\Component $tokens
* @property \api\components\Tokens\TokensFactory $tokensFactory
* *
* @method \api\components\User\Component getUser() * @method \api\components\User\Component getUser()
*/ */

View File

@ -13,6 +13,7 @@
"ext-pdo": "*", "ext-pdo": "*",
"ext-simplexml": "*", "ext-simplexml": "*",
"bacon/bacon-qr-code": "^1.0", "bacon/bacon-qr-code": "^1.0",
"defuse/php-encryption": "^2.2",
"domnikl/statsd": "^2.6", "domnikl/statsd": "^2.6",
"ely/mojang-api": "^0.2.0", "ely/mojang-api": "^0.2.0",
"ely/yii2-tempmail-validator": "^2.0", "ely/yii2-tempmail-validator": "^2.0",

2
composer.lock generated
View File

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "7ee1d380684b79ffabf92f115d7de4a8", "content-hash": "10af6b999939a9f213664883387184ed",
"packages": [ "packages": [
{ {
"name": "bacon/bacon-qr-code", "name": "bacon/bacon-qr-code",