Replace custom aud and ely-scopes JWT claims with its public analogues
This commit is contained in:
parent
274d56aa40
commit
a8e20a9775
@ -31,19 +31,16 @@ class TokenReader {
|
||||
}
|
||||
|
||||
public function getClientId(): ?string {
|
||||
$aud = $this->token->getClaim('aud', false);
|
||||
if ($aud === false) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (mb_strpos((string)$aud, TokensFactory::AUD_CLIENT_PREFIX) !== 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return mb_substr($aud, mb_strlen(TokensFactory::AUD_CLIENT_PREFIX));
|
||||
return $this->token->getClaim('client_id', false) ?: null;
|
||||
}
|
||||
|
||||
public function getScopes(): ?array {
|
||||
$scopes = $this->token->getClaim('scope', false);
|
||||
if ($scopes !== false) {
|
||||
return explode(' ', $scopes);
|
||||
}
|
||||
|
||||
// Handle legacy tokens, which used "ely-scopes" claim and was delimited with comma
|
||||
$scopes = $this->token->getClaim('ely-scopes', false);
|
||||
if ($scopes === false) {
|
||||
return null;
|
||||
|
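Review bot: Tokens issued before this change carry only the `aud` claim (`client|<id>`), and the new `getClientId()` at the `return $this->token->getClaim('client_id', false) ?: null;` line has no fallback for them, unlike `getScopes()`, which still reads the legacy `ely-scopes` claim a few lines below. If the revocation check by OAuth client relies on `getClientId()` (the updated JwtIdentityTest fixture in this commit suggests it does), a legacy token would yield `null` and could escape that check until it expires. Because `TokensFactory::AUD_CLIENT_PREFIX` is deleted in the same commit, the fallback has to carry the `client|` prefix itself. The body of `getScopes()` continues past the end of the hunk.
```php
public function getClientId(): ?string {
    $clientId = $this->token->getClaim('client_id', false);
    if ($clientId !== false) {
        return $clientId ?: null;
    }

    // Handle legacy tokens, which carried the client id in the "aud" claim with a "client|" prefix
    $aud = $this->token->getClaim('aud', false);
    if ($aud === false || mb_strpos((string)$aud, 'client|') !== 0) {
        return null;
    }

    return mb_substr((string)$aud, mb_strlen('client|'));
}
```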
@ -18,13 +18,12 @@ use yii\base\Component;
|
||||
class TokensFactory extends Component {
|
||||
|
||||
public const SUB_ACCOUNT_PREFIX = 'ely|';
|
||||
public const AUD_CLIENT_PREFIX = 'client|';
|
||||
|
||||
public function createForWebAccount(Account $account, AccountSession $session = null): Token {
|
||||
$payloads = [
|
||||
'ely-scopes' => $this->prepareScopes([R::ACCOUNTS_WEB_USER]),
|
||||
'sub' => $this->buildSub($account->id),
|
||||
'exp' => Carbon::now()->addHour()->getTimestamp(),
|
||||
'scope' => $this->prepareScopes([R::ACCOUNTS_WEB_USER]),
|
||||
];
|
||||
if ($session === null) {
|
||||
// If we don't remember a session, the token should live longer
|
||||
@ -39,8 +38,8 @@ class TokensFactory extends Component {
|
||||
|
||||
public function createForOAuthClient(AccessTokenEntityInterface $accessToken): Token {
|
||||
$payloads = [
|
||||
'aud' => $this->buildAud($accessToken->getClient()->getIdentifier()),
|
||||
'ely-scopes' => $this->prepareScopes($accessToken->getScopes()),
|
||||
'client_id' => $accessToken->getClient()->getIdentifier(),
|
||||
'scope' => $this->prepareScopes($accessToken->getScopes()),
|
||||
];
|
||||
if ($accessToken->getExpiryDateTime() > new DateTime()) {
|
||||
$payloads['exp'] = $accessToken->getExpiryDateTime()->getTimestamp();
|
||||
@ -55,7 +54,7 @@ class TokensFactory extends Component {
|
||||
|
||||
public function createForMinecraftAccount(Account $account, string $clientToken): Token {
|
||||
return Yii::$app->tokens->create([
|
||||
'ely-scopes' => $this->prepareScopes([P::MINECRAFT_SERVER_SESSION]),
|
||||
'scope' => $this->prepareScopes([P::MINECRAFT_SERVER_SESSION]),
|
||||
'ely-client-token' => new EncryptedValue($clientToken),
|
||||
'sub' => $this->buildSub($account->id),
|
||||
'exp' => Carbon::now()->addDays(2)->getTimestamp(),
|
||||
@ -68,7 +67,7 @@ class TokensFactory extends Component {
|
||||
* @return string
|
||||
*/
|
||||
private function prepareScopes(array $scopes): string {
|
||||
return implode(',', array_map(function($scope): string { // TODO: replace to the space if it's possible
|
||||
return implode(' ', array_map(function($scope): string {
|
||||
if ($scope instanceof ScopeEntityInterface) {
|
||||
return $scope->getIdentifier();
|
||||
}
|
||||
@ -81,8 +80,4 @@ class TokensFactory extends Component {
|
||||
return self::SUB_ACCOUNT_PREFIX . $accountId;
|
||||
}
|
||||
|
||||
private function buildAud(string $clientId): string {
|
||||
return self::AUD_CLIENT_PREFIX . $clientId;
|
||||
}
|
||||
|
||||
}
|
||||
|
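Review bot: `prepareScopes` now joins identifiers with a single space (the `return implode(' ', array_map(...` line), and `TokenReader::getScopes()` splits on that same character, so a scope identifier that itself contains whitespace would silently come back as two scopes. RFC 6749 §3.3 excludes the space character from scope tokens, so that invariant can be enforced at issue time inside the map callback before the identifier is returned, e.g. `if (mb_strpos($identifier, ' ') !== false) { throw new InvalidArgumentException("Scope \"{$identifier}\" must not contain spaces"); }`. The body of `prepareScopes` continues past the end of the hunk.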
@ -24,7 +24,7 @@ class AccessTokenEntityTest extends TestCase {
|
||||
|
||||
$token = (string)$entity;
|
||||
$payloads = json_decode(base64_decode(explode('.', $token)[1]), true);
|
||||
$this->assertSame('first,second', $payloads['ely-scopes']);
|
||||
$this->assertSame('first second', $payloads['scope']);
|
||||
}
|
||||
|
||||
private function createScopeEntity(string $id): ScopeEntityInterface {
|
||||
|
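--- /dev/null
+++ b/api/tests/unit/components/Tokens/TokenReaderTest.php
@@ -0,0 +1,76 @@
+<?php
+declare(strict_types=1);
+
+namespace api\tests\unit\components\Tokens;
+
+use api\components\Tokens\TokenReader;
+use api\tests\unit\TestCase;
+use Lcobucci\JWT\Claim;
+use Lcobucci\JWT\Token;
+
+class TokenReaderTest extends TestCase {
+
+/**
+* @dataProvider getAccountIdTestCases
+*/
+public function testGetAccountId(array $claims, $expectedResult) {
+$this->assertSame($expectedResult, $this->createReader($claims)->getAccountId());
+}
+
+public function getAccountIdTestCases() {
+yield [['sub' => 'ely|1'], 1];
+yield [['sub' => '1'], null];
+yield [['sub' => 'ely-login|1'], null];
+yield [[], null];
+}
+
+/**
+* @dataProvider getClientIdTestCases
+*/
+public function testGetClientId(array $claims, $expectedResult) {
+$this->assertSame($expectedResult, $this->createReader($claims)->getClientId());
+}
+
+public function getClientIdTestCases() {
+yield [['client_id' => 'find-me'], 'find-me'];
+yield [[], null];
+}
+
+/**
+* @dataProvider getScopesTestCases
+*/
+public function testGetScopes(array $claims, $expectedResult) {
+$this->assertSame($expectedResult, $this->createReader($claims)->getScopes());
+}
+
+public function getScopesTestCases() {
+yield [['scope' => 'scope1 scope2'], ['scope1', 'scope2']];
+yield [['ely-scopes' => 'scope1,scope2'], ['scope1', 'scope2']];
+yield [[], null];
+}
+
+/**
+* @dataProvider getMinecraftClientTokenTestCases
+*/
+public function testGetMinecraftClientToken(array $claims, $expectedResult) {
+$this->assertSame($expectedResult, $this->createReader($claims)->getMinecraftClientToken());
+}
+
+public function getMinecraftClientTokenTestCases() {
+yield [['ely-client-token' => 'GPZiBFlJld30KfGTe-E2yITKbfJYmWFA6Ky5CsllnIsVdmswMu_PXNdYnQGexF_CkXiuOQd1smrO3S4'], 'aaaaa-aaa-aaa-aaaaa'];
+yield [[], null];
+}
+
+private function createReader(array $claims): TokenReader {
+$claimsObjects = [];
+foreach ($claims as $key => $value) {
+$claim = $this->createMock(Claim::class);
+$claim->method('getName')->willReturn($key);
+$claim->method('getValue')->willReturn($value);
+$claimsObjects[$key] = $claim;
+}
+
+return new TokenReader(new Token([], $claimsObjects));
+}
+
+}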
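Review bot: `getClientIdTestCases` covers only a token that already carries `client_id`, so nothing here pins what the reader does with a token issued before this commit, which carries `aud` as `client|<id>` and no `client_id`; whichever behaviour is intended for those, a dataset such as `yield [['aud' => 'client|legacy'], /* expected */];` should state it explicitly. Likewise `getScopesTestCases` has no case with both `scope` and `ely-scopes` present, so the precedence the reader implements is untested. The `testGetMinecraftClientToken` fixture also depends on a decryption key that is not visible on this page, so it is worth a comment saying where that key comes from.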
@ -26,7 +26,7 @@ class TokensFactoryTest extends TestCase {
|
||||
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1);
|
||||
$this->assertEqualsWithDelta(time() + 60 * 60 * 24 * 7, $token->getClaim('exp'), 2);
|
||||
$this->assertSame('ely|1', $token->getClaim('sub'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('ely-scopes'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('scope'));
|
||||
$this->assertArrayNotHasKey('jti', $token->getClaims());
|
||||
|
||||
$session = new AccountSession();
|
||||
@ -38,7 +38,7 @@ class TokensFactoryTest extends TestCase {
|
||||
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1);
|
||||
$this->assertEqualsWithDelta(time() + 3600, $token->getClaim('exp'), 2);
|
||||
$this->assertSame('ely|1', $token->getClaim('sub'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('ely-scopes'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('scope'));
|
||||
$this->assertSame(2, $token->getClaim('jti'));
|
||||
}
|
||||
|
||||
@ -67,8 +67,8 @@ class TokensFactoryTest extends TestCase {
|
||||
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 1);
|
||||
$this->assertEqualsWithDelta($expiryDateTime->getTimestamp(), $token->getClaim('exp'), 2);
|
||||
$this->assertSame('ely|1', $token->getClaim('sub'));
|
||||
$this->assertSame('client|clientId', $token->getClaim('aud'));
|
||||
$this->assertSame('scope1,scope2', $token->getClaim('ely-scopes'));
|
||||
$this->assertSame('clientId', $token->getClaim('client_id'));
|
||||
$this->assertSame('scope1 scope2', $token->getClaim('scope'));
|
||||
|
||||
// Create for client credentials grant
|
||||
|
||||
@ -93,7 +93,7 @@ class TokensFactoryTest extends TestCase {
|
||||
$token = $factory->createForMinecraftAccount($account, $clientToken);
|
||||
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 5);
|
||||
$this->assertEqualsWithDelta(time() + 60 * 60 * 24 * 2, $token->getClaim('exp'), 5);
|
||||
$this->assertSame('minecraft_server_session', $token->getClaim('ely-scopes'));
|
||||
$this->assertSame('minecraft_server_session', $token->getClaim('scope'));
|
||||
$this->assertNotSame('e44fae79-f80e-4975-952e-47e8a9ed9472', $token->getClaim('ely-client-token'));
|
||||
$this->assertSame('ely|1', $token->getClaim('sub'));
|
||||
}
|
||||
|
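Review bot: The OAuth client assertions around the `$this->assertSame('clientId', $token->getClaim('client_id'));` line only check that the new claims are present; nothing now pins that `aud` and `ely-scopes` are gone, so a regression that re-adds the old claims would still pass. The same test already uses `assertArrayNotHasKey` for `jti`, so the same shape fits here: `$this->assertArrayNotHasKey('aud', $token->getClaims());` and `$this->assertArrayNotHasKey('ely-scopes', $token->getClaims());`. The enclosing test method continues outside the hunk.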
@ -51,7 +51,7 @@ class JwtIdentityTest extends TestCase {
|
||||
'Incorrect token',
|
||||
];
|
||||
yield 'revoked by oauth client' => [
|
||||
'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJlbHktc2NvcGVzIjoiYWNjb3VudF9pbmZvLG1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImlhdCI6MTU2NDYxMDUwMCwic3ViIjoiZWx5fDEiLCJhdWQiOiJjbGllbnR8dGxhdW5jaGVyIn0.YzUzvnREEoQPu8CvU6WLdysUU0bC_xzigQPs2LK1su38uysSYgSbPzNOZYkQnvcmVLehHY-ON44x-oA8Os-9ZA',
|
||||
'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJlbHktc2NvcGVzIjoiYWNjb3VudF9pbmZvLG1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImlhdCI6MTU2NDYxMDUwMCwic3ViIjoiZWx5fDEiLCJjbGllbnRfaWQiOiJ0bGF1bmNoZXIifQ.qmiPOjI8jGAQdP5LoAVHO8L75Ly7fRcrTB_iYsUgQ4azgsPnLEhvG7dUnQ9utEd3RK5swDpaZ0bXf90vRbvnmg',
|
||||
'Token has been revoked',
|
||||
];
|
||||
yield 'revoked by unauthorized minecraft launcher' => [
|
||||
|
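Review bot: The replaced fixture at the `'revoked by oauth client'` dataset swaps the old token (payload `aud: client|tlauncher`) for a new one carrying `client_id: tlauncher`, so the revocation path is no longer proven for tokens that were issued before this deploy and still carry only `aud`. Rather than replacing the fixture, keep the previous token as a second dataset, e.g. `yield 'revoked by oauth client (legacy aud claim)' => [ <old token>, 'Token has been revoked' ];`, so that a legacy revoked token is shown to be rejected (or the test documents that it is not). The data provider this `yield` belongs to starts and ends outside the hunk.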
@ -31,7 +31,7 @@ class RefreshTokenFormTest extends TestCase {
|
||||
|
||||
$token = $result->getToken();
|
||||
$this->assertSame('ely|1', $token->getClaim('sub'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('ely-scopes'));
|
||||
$this->assertSame('accounts_web_user', $token->getClaim('scope'));
|
||||
$this->assertEqualsWithDelta(time(), $token->getClaim('iat'), 5);
|
||||
$this->assertEqualsWithDelta(time() + 3600, $token->getClaim('exp'), 5);
|
||||
$this->assertSame(1, $token->getClaim('jti'));
|
||||
|
@ -112,11 +112,14 @@ class RegistrationFormTest extends TestCase {
|
||||
])
|
||||
->one();
|
||||
$this->assertInstanceOf(EmailActivation::class, $activation, 'email activation code exists in database');
|
||||
$this->assertTrue(UsernameHistory::find()->andWhere([
|
||||
'username' => $account->username,
|
||||
'account_id' => $account->id,
|
||||
'applied_in' => $account->created_at,
|
||||
])->exists(), 'username history record exists in database');
|
||||
$this->assertTrue(
|
||||
UsernameHistory::find()
|
||||
->andWhere(['username' => $account->username])
|
||||
->andWhere(['account_id' => $account->id])
|
||||
->andWhere(['>=', 'applied_in', $account->created_at])
|
||||
->exists(),
|
||||
'username history record exists in database'
|
||||
);
|
||||
|
||||
/** @var SendRegistrationEmail $job */
|
||||
$job = $this->tester->grabLastQueuedJob();
|
||||
|
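Review bot: The `->andWhere(['>=', 'applied_in', $account->created_at])` line replaces an equality check with a lower bound only, which is unrelated to the claim rename this commit is about and arrives without explanation; presumably `applied_in` may be stamped a tick after `created_at`, but as written a record applied at any later time would also satisfy the query. A one-line comment stating the reason, e.g. `// applied_in may lag created_at by a tick; an exact match is not guaranteed`, would keep the next reader from tightening it back, and an upper bound would restore most of the lost precision. The enclosing test method starts and ends outside the hunk.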