Merge master into version 8 branch

2025-05-31 14:12:07 +05:30 · 2018-06-24 01:10:02 +01:00
parent ca6be0577c 8184f771d4
commit 369c7005a3
11 changed files with 108 additions and 52 deletions
--- a/src/AuthorizationValidators/BearerTokenValidator.php
+++ b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -65,8 +65,12 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
        try {
            // Attempt to parse and validate the JWT
            $token = (new Parser())->parse($jwt);
-            if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
-                throw OAuthServerException::accessDenied('Access token could not be verified');
+            try {
+                if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
+                    throw OAuthServerException::accessDenied('Access token could not be verified');
+                }
+            } catch (\BadMethodCallException $exception) {
+                throw OAuthServerException::accessDenied('Access token is not signed');
            }

            // Ensure access token hasn't expired
--- a/src/CryptKey.php
+++ b/src/CryptKey.php
@@ -48,7 +48,7 @@ class CryptKey
        if ($keyPermissionsCheck === true) {
            // Verify the permissions of the key
            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
-            if (in_array($keyPathPerms, ['400', '440', '600', '660'], true) === false) {
+            if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
                trigger_error(sprintf(
                    'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
                    $keyPath,
--- a/src/CryptTrait.php
+++ b/src/CryptTrait.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Public/private key encryption.
+ * Encrypt/decrypt with encryptionKey.
 *
 * @author      Alex Bilbie <hello@alexbilbie.com>
 * @copyright   Copyright (c) Alex Bilbie
@@ -22,7 +22,7 @@ trait CryptTrait
    protected $encryptionKey;

    /**
-     * Encrypt data with a private key.
+     * Encrypt data with encryptionKey.
     *
     * @param string $unencryptedData
     *
@@ -44,7 +44,7 @@ trait CryptTrait
    }

    /**
-     * Decrypt data with a public key.
+     * Decrypt data with encryptionKey.
     *
     * @param string $encryptedData
     *
--- a/src/Exception/OAuthServerException.php
+++ b/src/Exception/OAuthServerException.php
@@ -323,6 +323,21 @@ class OAuthServerException extends \Exception
        return $headers;
    }

+    /**
+     * Check if the exception has an associated redirect URI.
+     *
+     * Returns whether the exception includes a redirect, since
+     * getHttpStatusCode() doesn't return a 302 when there's a
+     * redirect enabled. This helps when you want to override local
+     * error pages but want to let redirects through.
+     *
+     * @return bool
+     */
+    public function hasRedirect()
+    {
+        return $this->redirectUri !== null;
+    }
+
    /**
     * Returns the HTTP status code to send when the exceptions is output.
     *
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -190,25 +190,13 @@ abstract class AbstractGrant implements GrantTypeInterface

        if ($client instanceof ClientEntityInterface === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient($request);
+            throw OAuthServerException::invalidClient();
        }

        // If a redirect URI is provided ensure it matches what is pre-registered
        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            }
+            $this->validateRedirectUri($redirectUri, $client, $request);
        }

        return $client;
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -236,29 +236,17 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

        if ($client instanceof ClientEntityInterface === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient($request);
+            throw OAuthServerException::invalidClient();
        }

        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);

        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            }
+            $this->validateRedirectUri($redirectUri, $client, $request);
        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
            || empty($client->getRedirectUri())) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient($request);
+            throw OAuthServerException::invalidClient();
        } else {
            $redirectUri = is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -118,6 +118,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
            $request,
            $this->getServerParameter('PHP_AUTH_USER', $request)
        );
+
        if (is_null($clientId)) {
            throw OAuthServerException::invalidRequest('client_id');
        }
@@ -135,20 +136,9 @@ class ImplicitGrant extends AbstractAuthorizeGrant
        }

        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
+
        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient($request);
-            }
+            $this->validateRedirectUri($redirectUri, $client, $request);
        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
            || empty($client->getRedirectUri())) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));