ElyBy-Mirror/oauth2-server
1
0
Fork 0
mirror of https://github.com/elyby/oauth2-server.git synced 2024-12-26 15:00:19 +05:30
Code Issues Packages Projects Releases Wiki Activity

Rewrote validateClient method to progressively test client secret and redirect URI

Browse Source
This commit is contained in:
Alex Bilbie 2016-02-18 10:49:05 +00:00
parent 7f67000d53
commit 3b36ae9000
1 changed files with 20 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
src/Grant/AbstractGrant.php
View File

@ -130,17 +130,12 @@ abstract class AbstractGrant implements GrantTypeInterface
* Validate the client * Validate the client
* *
* @param \Psr\Http\Message\ServerRequestInterface $request * @param \Psr\Http\Message\ServerRequestInterface $request
* @param bool $validateSecret
* @param bool $validateRedirectUri
* *
* @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface * @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface
* @throws \League\OAuth2\Server\Exception\OAuthServerException * @throws \League\OAuth2\Server\Exception\OAuthServerException
*/ */
protected function validateClient( protected function validateClient(ServerRequestInterface $request)
ServerRequestInterface $request, {
$validateSecret = true,
$validateRedirectUri = false
) {
$clientId = $this->getRequestParameter( $clientId = $this->getRequestParameter(
'client_id', 'client_id',
$request, $request,
@ -150,30 +145,34 @@ abstract class AbstractGrant implements GrantTypeInterface
throw OAuthServerException::invalidRequest('client_id', null, '`%s` parameter is missing'); throw OAuthServerException::invalidRequest('client_id', null, '`%s` parameter is missing');
} }
$client = $this->clientRepository->getClientEntity(
$clientId,
$this->getIdentifier()
);
if (!$client instanceof ClientEntityInterface) {
throw OAuthServerException::invalidClient();
}
// If the client is confidential require the client secret
$clientSecret = $this->getRequestParameter( $clientSecret = $this->getRequestParameter(
'client_secret', 'client_secret',
$request, $request,
$this->getServerParameter('PHP_AUTH_PW', $request) $this->getServerParameter('PHP_AUTH_PW', $request)
); );
if (is_null($clientSecret) && $validateSecret === true) {
if ($client->canKeepASecret() && is_null($clientSecret)) {
throw OAuthServerException::invalidRequest('client_secret', null, '`%s` parameter is missing'); throw OAuthServerException::invalidRequest('client_secret', null, '`%s` parameter is missing');
} }
$redirectUri = $this->getRequestParameter('redirect_uri', $request, null); if ($client->canKeepASecret() && $client->validateSecret($clientSecret) === false) {
if (is_null($redirectUri) && $validateRedirectUri === true) { $this->getEmitter()->emit(new Event('client.authentication.failed', $request));
throw OAuthServerException::invalidRequest('redirect_uri', null, '`%s` parameter is missing'); throw OAuthServerException::invalidClient();
} }
$client = $this->clientRepository->getClientEntity( // If a redirect URI is provided ensure it matches what is pre-registered
$clientId, $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
$clientSecret, if ($redirectUri !== null && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)) {
$redirectUri,
$this->getIdentifier()
);
if (!$client instanceof ClientEntityInterface) {
$this->getEmitter()->emit(new Event('client.authentication.failed', $request));
throw OAuthServerException::invalidClient(); throw OAuthServerException::invalidClient();
} }