Rework identity provider for the legacy OAuth2 tokens [skip ci]

api/components/OAuth2/Component.php

@@ -11,9 +11,6 @@ use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Grant;
 use yii\base\Component as BaseComponent;
 
-/**
- * @property AuthorizationServer $authServer
- */
 class Component extends BaseComponent {
 
     /**
@@ -39,7 +36,6 @@ class Component extends BaseComponent {
                 new EmptyKey(),
                 '123' // TODO: extract to the variable
             );
-            /** @noinspection PhpUnhandledExceptionInspection */
             $authCodeGrant = new AuthCodeGrant($authCodesRepo, $refreshTokensRepo, new DateInterval('PT10M'));
             $authCodeGrant->disableRequireCodeChallengeForPublicClients();
             $authServer->enableGrantType($authCodeGrant, $accessTokenTTL);

api/components/OAuth2/Repositories/AccessTokenStorage.php

@@ -1,70 +0,0 @@
-<?php
-namespace api\components\OAuth2\Repositories;
-
-use api\components\OAuth2\Entities\AccessTokenEntity;
-use common\components\Redis\Key;
-use common\components\Redis\Set;
-use League\OAuth2\Server\Entity\AccessTokenEntity as OriginalAccessTokenEntity;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\AccessTokenInterface;
-use yii\helpers\Json;
-
-class AccessTokenStorage extends AbstractStorage implements AccessTokenInterface {
-
-    public $dataTable = 'oauth_access_tokens';
-
-    public function get($token) {
-        $result = Json::decode((new Key($this->dataTable, $token))->getValue());
-        if ($result === null) {
-            return null;
-        }
-
-        $token = new AccessTokenEntity($this->server);
-        $token->setId($result['id']);
-        $token->setExpireTime($result['expire_time']);
-        $token->setSessionId($result['session_id']);
-
-        return $token;
-    }
-
-    public function getScopes(OriginalAccessTokenEntity $token) {
-        $scopes = $this->scopes($token->getId());
-        $entities = [];
-        foreach ($scopes as $scope) {
-            if ($this->server->getScopeStorage()->get($scope) !== null) {
-                $entities[] = (new ScopeEntity($this->server))->hydrate(['id' => $scope]);
-            }
-        }
-
-        return $entities;
-    }
-
-    public function create($token, $expireTime, $sessionId) {
-        $payload = Json::encode([
-            'id' => $token,
-            'expire_time' => $expireTime,
-            'session_id' => $sessionId,
-        ]);
-
-        $this->key($token)->setValue($payload)->expireAt($expireTime);
-    }
-
-    public function associateScope(OriginalAccessTokenEntity $token, ScopeEntity $scope) {
-        $this->scopes($token->getId())->add($scope->getId())->expireAt($token->getExpireTime());
-    }
-
-    public function delete(OriginalAccessTokenEntity $token) {
-        $this->key($token->getId())->delete();
-        $this->scopes($token->getId())->delete();
-    }
-
-    private function key(string $token): Key {
-        return new Key($this->dataTable, $token);
-    }
-
-    private function scopes(string $token): Set {
-        return new Set($this->dataTable, $token, 'scopes');
-    }
-
-}

api/components/User/IdentityFactory.php

@@ -8,19 +8,24 @@ use yii\web\UnauthorizedHttpException;
 class IdentityFactory {
 
     /**
-     * @throws UnauthorizedHttpException
+     * @param string $token
+     * @param string $type
+     *
      * @return IdentityInterface
+     * @throws UnauthorizedHttpException
      */
     public static function findIdentityByAccessToken($token, $type = null): IdentityInterface {
-        if (empty($token)) {
-            throw new UnauthorizedHttpException('Incorrect token');
+        if (!empty($token)) {
+            if (mb_strlen($token) === 40) {
+                return LegacyOAuth2Identity::findIdentityByAccessToken($token, $type);
+            }
+
+            if (substr_count($token, '.') === 2) {
+                return JwtIdentity::findIdentityByAccessToken($token, $type);
+            }
         }
 
-        if (substr_count($token, '.') === 2) {
-            return JwtIdentity::findIdentityByAccessToken($token, $type);
-        }
-
-        return OAuth2Identity::findIdentityByAccessToken($token, $type);
+        throw new UnauthorizedHttpException('Incorrect token');
     }
 
 }

api/components/User/LegacyOAuth2Identity.php

@@ -0,0 +1,119 @@
+<?php
+declare(strict_types=1);
+
+namespace api\components\User;
+
+use common\models\Account;
+use common\models\OauthSession;
+use Exception;
+use Yii;
+use yii\base\NotSupportedException;
+use yii\web\UnauthorizedHttpException;
+
+class LegacyOAuth2Identity implements IdentityInterface {
+
+    /**
+     * @var string
+     */
+    private $accessToken;
+
+    /**
+     * @var string
+     */
+    private $sessionId;
+
+    /**
+     * @var string[]
+     */
+    private $scopes;
+
+    /**
+     * @var OauthSession|null
+     */
+    private $session = false;
+
+    private function __construct(string $accessToken, string $sessionId, array $scopes) {
+        $this->accessToken = $accessToken;
+        $this->sessionId = $sessionId;
+        $this->scopes = $scopes;
+    }
+
+    /**
+     * @inheritdoc
+     * @throws UnauthorizedHttpException
+     * @return IdentityInterface
+     */
+    public static function findIdentityByAccessToken($token, $type = null): IdentityInterface {
+        $tokenParams = self::findRecordOnLegacyStorage($token);
+        if ($tokenParams === null) {
+            throw new UnauthorizedHttpException('Incorrect token');
+        }
+
+        if ($tokenParams['expire_time'] < time()) {
+            throw new UnauthorizedHttpException('Token expired');
+        }
+
+        return new static($token, $tokenParams['session_id'], $tokenParams['scopes']);
+    }
+
+    public function getAccount(): ?Account {
+        $session = $this->getSession();
+        if ($session === null) {
+            return null;
+        }
+
+        return $session->account;
+    }
+
+    /**
+     * @return string[]
+     */
+    public function getAssignedPermissions(): array {
+        return $this->scopes;
+    }
+
+    public function getId(): string {
+        return $this->accessToken;
+    }
+
+    // @codeCoverageIgnoreStart
+    public function getAuthKey() {
+        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
+    }
+
+    public function validateAuthKey($authKey) {
+        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
+    }
+
+    public static function findIdentity($id) {
+        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
+    }
+
+    // @codeCoverageIgnoreEnd
+
+    private static function findRecordOnLegacyStorage(string $accessToken): ?array {
+        $record = Yii::$app->redis->get("oauth:access:tokens:{$accessToken}");
+        if ($record === null) {
+            return null;
+        }
+
+        try {
+            $data = json_decode($record, true, 512, JSON_THROW_ON_ERROR);
+        } catch (Exception $e) {
+            return null;
+        }
+
+        $data['scopes'] = (array)Yii::$app->redis->smembers("oauth:access:tokens:{$accessToken}:scopes");
+
+        return $data;
+    }
+
+    private function getSession(): ?OauthSession {
+        if ($this->session === false) {
+            $this->session = OauthSession::findOne(['id' => $this->sessionId]);
+        }
+
+        return $this->session;
+    }
+
+}

api/components/User/OAuth2Identity.php

@@ -1,78 +0,0 @@
-<?php
-declare(strict_types=1);
-
-namespace api\components\User;
-
-use api\components\OAuth2\Entities\AccessTokenEntity;
-use common\models\Account;
-use common\models\OauthSession;
-use Yii;
-use yii\base\NotSupportedException;
-use yii\web\UnauthorizedHttpException;
-
-class OAuth2Identity implements IdentityInterface {
-
-    /**
-     * @var AccessTokenEntity
-     */
-    private $_accessToken;
-
-    private function __construct(AccessTokenEntity $accessToken) {
-        $this->_accessToken = $accessToken;
-    }
-
-    /**
-     * @inheritdoc
-     * @throws UnauthorizedHttpException
-     * @return IdentityInterface
-     */
-    public static function findIdentityByAccessToken($token, $type = null): IdentityInterface {
-        /** @var AccessTokenEntity|null $model */
-        // TODO: rework
-        $model = Yii::$app->oauth->getAccessTokenStorage()->get($token);
-        if ($model === null) {
-            throw new UnauthorizedHttpException('Incorrect token');
-        }
-
-        if ($model->isExpired()) {
-            throw new UnauthorizedHttpException('Token expired');
-        }
-
-        return new static($model);
-    }
-
-    public function getAccount(): ?Account {
-        return $this->getSession()->account;
-    }
-
-    /**
-     * @return string[]
-     */
-    public function getAssignedPermissions(): array {
-        return array_keys($this->_accessToken->getScopes());
-    }
-
-    public function getId(): string {
-        return $this->_accessToken->getId();
-    }
-
-    // @codeCoverageIgnoreStart
-    public function getAuthKey() {
-        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
-    }
-
-    public function validateAuthKey($authKey) {
-        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
-    }
-
-    public static function findIdentity($id) {
-        throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
-    }
-
-    // @codeCoverageIgnoreEnd
-
-    private function getSession(): OauthSession {
-        return OauthSession::findOne(['id' => $this->_accessToken->getSessionId()]);
-    }
-
-}