Allow users to manually decline an auth request even when the application was authenticated before

ErickSkrauch
2021-03-29 04:47:27 +02:00
parent 65284727ba
commit e6b6f3f169
2 changed files with 17 additions and 16 deletions


@ -25,10 +25,7 @@ class OauthProcess {
P::OBTAIN_ACCOUNT_EMAIL => 'account_email', P::OBTAIN_ACCOUNT_EMAIL => 'account_email',
]; ];
/** private AuthorizationServer $server;
* @var AuthorizationServer
*/
private $server;
public function __construct(AuthorizationServer $server) { public function __construct(AuthorizationServer $server) {
$this->server = $server; $this->server = $server;
@ -96,20 +93,23 @@ class OauthProcess {
/** @var OauthClient $client */ /** @var OauthClient $client */
$client = $this->findClient($authRequest->getClient()->getIdentifier()); $client = $this->findClient($authRequest->getClient()->getIdentifier());
$approved = $this->canAutoApprove($account, $client, $authRequest); $canBeAutoApproved = $this->canBeAutoApproved($account, $client, $authRequest);
if (!$approved) {
Yii::$app->statsd->inc('oauth.complete.approve_required');
$acceptParam = ((array)$request->getParsedBody())['accept'] ?? null; $acceptParam = ((array)$request->getParsedBody())['accept'] ?? null;
if ($acceptParam === null) { if ($acceptParam === null && !$canBeAutoApproved) {
throw $this->createAcceptRequiredException(); throw $this->createAcceptRequiredException();
} }
Yii::$app->statsd->inc('oauth.complete.approve_required');
if ($acceptParam === null && $canBeAutoApproved) {
$approved = true;
} else {
$approved = in_array($acceptParam, [1, '1', true, 'true'], true); $approved = in_array($acceptParam, [1, '1', true, 'true'], true);
}
if ($approved) { if ($approved) {
$this->storeOauthSession($account, $client, $authRequest); $this->storeOauthSession($account, $client, $authRequest);
} }
}
$authRequest->setUser(new UserEntity($account->id)); $authRequest->setUser(new UserEntity($account->id));
$authRequest->setAuthorizationApproved($approved); $authRequest->setAuthorizationApproved($approved);
@ -123,6 +123,7 @@ class OauthProcess {
Yii::$app->statsd->inc('oauth.complete.success'); Yii::$app->statsd->inc('oauth.complete.success');
} catch (OAuthServerException $e) { } catch (OAuthServerException $e) {
if ($e->getErrorType() === 'accept_required') { if ($e->getErrorType() === 'accept_required') {
// TODO: revoke access if there previously was an oauth session?
Yii::$app->statsd->inc('oauth.complete.fail'); Yii::$app->statsd->inc('oauth.complete.fail');
} }
@ -213,7 +214,7 @@ class OauthProcess {
* *
* @return bool * @return bool
*/ */
private function canAutoApprove(Account $account, OauthClient $client, AuthorizationRequest $request): bool { private function canBeAutoApproved(Account $account, OauthClient $client, AuthorizationRequest $request): bool {
if ($client->is_trusted) { if ($client->is_trusted) {
return true; return true;
} }
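Review bot: The `Yii::$app->statsd->inc('oauth.complete.approve_required');` call in the second hunk now runs on every completion, including the ones that are auto-approved via `$canBeAutoApproved`, whereas before it fired only when consent was actually required, so the metric no longer means what its name says; guard it as `if (!$canBeAutoApproved) { Yii::$app->statsd->inc('oauth.complete.approve_required'); }`. The enclosing method starts and ends outside the hunk. Separately, an explicit decline (`accept` present but not in `[1, '1', true, 'true']`) now reaches `setAuthorizationApproved(false)` for a client that presumably already has a stored session for this account, and nothing in the hunk clears that earlier grant; the TODO added in the third hunk asks the same question for the accept_required path, so it is worth deciding in this change whether a decline should also revoke the stored session. The two-branch assignment could also collapse to `$approved = $acceptParam === null ? $canBeAutoApproved : in_array($acceptParam, [1, '1', true, 'true'], true);`, which reads closer to the intent.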


@ -134,8 +134,8 @@ class AuthCodeCest {
'error' => 'access_denied', 'error' => 'access_denied',
'parameter' => null, 'parameter' => null,
'statusCode' => 401, 'statusCode' => 401,
'redirectUri' => 'http://ely.by?&error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=The+user+denied+the+request&message=The+resource+owner+or+authorization+server+denied+the+request.',
]); ]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
} }
public function invalidClientId(FunctionalTester $I) { public function invalidClientId(FunctionalTester $I) {
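Review bot: Replacing the exact `redirectUri` expectation with `$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');` only checks that the key is present, so the test no longer verifies that a declined request redirects with `error=access_denied` rather than with an authorization code. Keep a content check next to the path check, e.g. `$redirectUri = $I->grabDataFromResponseByJsonPath('$.redirectUri')[0]; $I->assertStringContainsString('error=access_denied', $redirectUri);` (assuming the Asserts module is enabled for this suite). If the intent was only to stop pinning the library's exact error description text, a substring check keeps the security-relevant part of the assertion without that brittleness. The enclosing test method starts outside the hunk.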