accounts/api/components/User/JwtIdentity.php
Octol1ttle 57d492da8a
Upgrade project to PHP 8.3, add PHPStan, upgrade almost every dependency (#36)
* start updating to PHP 8.3

* taking off!

Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru>
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* dropped this

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* migrate to symfonymailer

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* this is so stupid 😭

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* ah, free, at last.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* oh, Gabriel.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* now dawns thy reckoning.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* and thy gore shall GLISTEN before the temples of man.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* creature of steel.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* my gratitude upon thee for my freedom.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* but the crimes thy kind has committed against humanity

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* Upgrade PHP-CS-Fixer and do fix the codebase

* First review round (maybe I have broken something)

* are NOT forgotten.

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>

* Enable parallel PHP-CS-Fixer runner

* PHPStan level 1

* PHPStan level 2

* PHPStan level 3

* PHPStan level 4

* PHPStan level 5

* Levels 6 and 7 takes too much effort. Generate a baseline and fix them eventually

* Resolve TODO's related to the php-mock

* Drastically reduce baseline size with the Rector

* More code modernization with help of the Rector

* Update GitLab CI

---------

Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru>
2024-12-02 11:10:55 +01:00

119 lines
3.7 KiB
PHP

<?php
declare(strict_types=1);
namespace api\components\User;
use api\components\Tokens\TokenReader;
use Carbon\Carbon;
use Carbon\FactoryImmutable;
use common\models\Account;
use common\models\OauthClient;
use common\models\OauthSession;
use DateTimeImmutable;
use Exception;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Validator;
use Yii;
use yii\base\NotSupportedException;
use yii\web\UnauthorizedHttpException;
class JwtIdentity implements IdentityInterface {
private ?TokenReader $reader = null;
private function __construct(
private readonly UnencryptedToken $token,
) {
}
public static function findIdentityByAccessToken($token, $type = null): IdentityInterface {
try {
$parsedToken = Yii::$app->tokens->parse($token);
} catch (Exception $e) {
Yii::error($e);
throw new UnauthorizedHttpException('Incorrect token');
}
if (!Yii::$app->tokens->verify($parsedToken)) {
throw new UnauthorizedHttpException('Incorrect token');
}
$now = Carbon::now();
if ($parsedToken->isExpired($now)) {
throw new UnauthorizedHttpException('Token expired');
}
if (!(new Validator())->validate($parsedToken, new LooseValidAt(FactoryImmutable::getDefaultInstance()))) {
throw new UnauthorizedHttpException('Incorrect token');
}
$tokenReader = new TokenReader($parsedToken);
$accountId = $tokenReader->getAccountId();
if ($accountId !== null) {
/** @var DateTimeImmutable $iat */
$iat = $parsedToken->claims()->get('iat');
if ($tokenReader->getMinecraftClientToken() !== null
&& self::isRevoked($accountId, OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER, $iat)
) {
throw new UnauthorizedHttpException('Token has been revoked');
}
if ($tokenReader->getClientId() !== null
&& self::isRevoked($accountId, $tokenReader->getClientId(), $iat)
) {
throw new UnauthorizedHttpException('Token has been revoked');
}
}
return new self($parsedToken);
}
public function getToken(): UnencryptedToken {
return $this->token;
}
public function getAccount(): ?Account {
return Account::findOne(['id' => $this->getReader()->getAccountId()]);
}
public function getAssignedPermissions(): array {
return $this->getReader()->getScopes() ?? [];
}
public function getId(): string {
return $this->token->toString();
}
/** @codeCoverageIgnoreStart */
public function getAuthKey() {
throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
}
public function validateAuthKey($authKey) {
throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
}
/**
* @throws NotSupportedException
*/
public static function findIdentity($id) {
throw new NotSupportedException('This method used for cookie auth, except we using Bearer auth');
}
private static function isRevoked(int $accountId, string $clientId, DateTimeImmutable $iat): bool {
$session = OauthSession::findOne(['account_id' => $accountId, 'client_id' => $clientId]);
return $session !== null && $session->revoked_at !== null && $session->revoked_at > $iat->getTimestamp();
}
/** @codeCoverageIgnoreEnd */
private function getReader(): TokenReader {
if ($this->reader === null) {
$this->reader = new TokenReader($this->token);
}
return $this->reader;
}
}