ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2025-05-31 14:11:46 +05:30
Code Issues Packages Projects Releases Wiki Activity

Implemented features to revoke access for previously authorized OAuth 2.0 clients

Browse Source
This commit is contained in:
ErickSkrauch
2020-09-30 20:30:04 +03:00
parent 2a4f29801d
commit b904d5d314
12 changed files with 240 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
api/modules/oauth/controllers/ClientsController.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace api\modules\oauth\controllers;
use api\controllers\Controller;
@ -11,7 +13,10 @@ use common\models\Account;
use common\models\OauthClient;
use Webmozart\Assert\Assert;
use Yii;
use yii\db\ActiveQuery;
use yii\db\Expression;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\helpers\ArrayHelper;
use yii\web\NotFoundHttpException;
@ -31,32 +36,47 @@ class ClientsController extends Controller {
'actions' => ['update', 'delete', 'reset'],
'allow' => true,
'permissions' => [P::MANAGE_OAUTH_CLIENTS],
'roleParams' => function() {
return [
'clientId' => Yii::$app->request->get('clientId'),
];
},
'roleParams' => fn() => [
'clientId' => Yii::$app->request->get('clientId'),
],
],
[
'actions' => ['get'],
'allow' => true,
'permissions' => [P::VIEW_OAUTH_CLIENTS],
'roleParams' => function() {
return [
'clientId' => Yii::$app->request->get('clientId'),
];
},
'roleParams' => fn() => [
'clientId' => Yii::$app->request->get('clientId'),
],
],
[
'actions' => ['get-per-account'],
'allow' => true,
'permissions' => [P::VIEW_OAUTH_CLIENTS],
'roleParams' => function() {
return [
'accountId' => Yii::$app->request->get('accountId'),
];
},
'roleParams' => fn() => [
'accountId' => Yii::$app->request->get('accountId'),
],
],
[
'actions' => ['get-authorized-clients', 'revoke-client'],
'allow' => true,
'permissions' => [P::MANAGE_OAUTH_SESSIONS],
'roleParams' => fn() => [
'accountId' => Yii::$app->request->get('accountId'),
],
],
],
],
'verb' => [
'class' => VerbFilter::class,
'actions' => [
'get' => ['GET'],
'create' => ['POST'],
'update' => ['PUT'],
'delete' => ['DELETE'],
'reset' => ['POST'],
'get-per-account' => ['GET'],
'get-authorized-clients' => ['GET'],
'revoke-client' => ['DELETE'],
],
],
]);
@ -128,18 +148,60 @@ class ClientsController extends Controller {
}
public function actionGetPerAccount(int $accountId): array {
/** @var Account|null $account */
$account = Account::findOne(['id' => $accountId]);
if ($account === null) {
throw new NotFoundHttpException();
}
/** @var OauthClient[] $clients */
$clients = $account->getOauthClients()->orderBy(['created_at' => SORT_ASC])->all();
$clients = $this->findAccount($accountId)->getOauthClients()->orderBy(['created_at' => SORT_ASC])->all();
return array_map(fn(OauthClient $client): array => $this->formatClient($client), $clients);
}
public function actionGetAuthorizedClients(int $accountId): array {
$account = $this->findAccount($accountId);
$result = [];
/** @var \common\models\OauthSession[] $oauthSessions */
$oauthSessions = $account->getOauthSessions()
->innerJoinWith(['client c' => function(ActiveQuery $query): void {
$query->andOnCondition(['c.type' => OauthClient::TYPE_APPLICATION]);
}])
->andWhere([
'OR',
['revoked_at' => null],
['>', 'last_used_at', new Expression('`revoked_at`')],
])
->all();
foreach ($oauthSessions as $oauthSession) {
$client = $oauthSession->client;
if ($client === null) {
continue;
}
$result[] = [
'id' => $client->id,
'name' => $client->name,
'description' => $client->description,
'scopes' => $oauthSession->getScopes(),
'authorizedAt' => $oauthSession->created_at,
'lastUsedAt' => $oauthSession->last_used_at,
];
}
return $result;
}
public function actionRevokeClient(int $accountId, string $clientId): ?array {
$account = $this->findAccount($accountId);
$client = $this->findOauthClient($clientId);
/** @var \common\models\OauthSession|null $session */
$session = $account->getOauthSessions()->andWhere(['client_id' => $client->id])->one();
if ($session !== null && !$session->isRevoked()) {
$session->revoked_at = time();
Assert::true($session->save());
}
return ['success' => true];
}
private function formatClient(OauthClient $client): array {
$result = [
'clientId' => $client->id,
@ -168,16 +230,26 @@ class ClientsController extends Controller {
try {
$model = OauthClientFormFactory::create($client);
} catch (UnsupportedOauthClientType $e) {
Yii::warning('Someone tried use ' . $client->type . ' type of oauth form.');
Yii::warning('Someone tried to use ' . $client->type . ' type of oauth form.');
throw new NotFoundHttpException(null, 0, $e);
}
return $model;
}
private function findAccount(int $id): Account {
/** @var Account|null $account */
$account = Account::findOne(['id' => $id]);
if ($account === null) {
throw new NotFoundHttpException();
}
return $account;
}
private function findOauthClient(string $clientId): OauthClient {
/** @var OauthClient|null $client */
$client = OauthClient::findOne($clientId);
$client = OauthClient::findOne(['id' => $clientId]);
if ($client === null) {
throw new NotFoundHttpException();
}