diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 14aac2a3..6a2ee795 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -28,11 +28,6 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 */
 private $authCodeTTL;
 
- /**
- * @var bool
- */
- private $enableCodeExchangeProof = false;
-
 /**
 * @param AuthCodeRepositoryInterface $authCodeRepository
 * @param RefreshTokenRepositoryInterface $refreshTokenRepository
@@ -49,11 +44,6 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 $this->refreshTokenTTL = new \DateInterval('P1M');
 }
 
- public function enableCodeExchangeProof()
- {
- $this->enableCodeExchangeProof = true;
- }
-
 /**
 * Respond to an access token request.
 *
@@ -81,6 +71,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 // Validate the authorization code
 try {
 $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
+
 if (time() > $authCodePayload->expire_time) {
 throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
 }
@@ -104,6 +95,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 }
 
 $scopes = [];
+
 foreach ($authCodePayload->scopes as $scopeId) {
 $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
 
@@ -127,9 +119,11 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
 }
 
+ // Validate code challenge
- if ($this->enableCodeExchangeProof === true) {
- $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+ if (!empty($authCodePayload->code_challenge)) {
+ $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
 if ($codeVerifier === null) {
 throw OAuthServerException::invalidRequest('code_verifier');
 }
 
diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php
index 6bc2dd7a..5ca3c8f1 100644
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
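Review bot: Removing the public `enableCodeExchangeProof()` method outright, as the second hunk does, is a backwards-incompatible change for every integrator that called it to force PKCE, and nothing in the diff deprecates it first. Unless this ships with a major version bump, a no-op shim keeps existing wiring working while the flag is phased out, e.g. `/** @deprecated PKCE is now enforced whenever the authorization code carries a code_challenge. */ public function enableCodeExchangeProof() {}`. The property deletion in the first hunk is the same change and needs no separate treatment once the shim decision is made.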
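Review bot: The new gate in the last hunk, `if (!empty($authCodePayload->code_challenge))`, relies on `empty()`, which also treats the strings `""` and `"0"` as absent, so a payload whose code_challenge is the single character `0` would skip verification entirely unless format validation at authorization time rejects it; a presence test that only treats null or missing as "no PKCE", `if (isset($authCodePayload->code_challenge) && $authCodePayload->code_challenge !== '') {`, is tighter. With the server-wide flag gone, whether PKCE is enforced is now decided solely by what was stored in the encrypted code when it was issued, so any downgrade protection for public clients has to live where the authorization request is validated, which is outside this diff and worth stating in the comment, e.g. `// PKCE is enforced only when the authorization request carried a code_challenge; clients that must use PKCE are rejected at authorization time, not here`. One test exchanging a code issued without a code_challenge and one exchanging a code issued with it but lacking code_verifier would pin both branches; the enclosing method starts and ends outside the hunk.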
@@ -173,7 +173,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setScopeRepository($scopeRepositoryMock);
 $grant->setDefaultScope(self::DEFAULT_SCOPE);
@@ -249,7 +249,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 
 $request = new ServerRequest(
@@ -286,7 +286,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 
 $request = new ServerRequest(
@@ -464,7 +464,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setScopeRepository($scopeRepositoryMock);
 $grant->setDefaultScope(self::DEFAULT_SCOPE);
@@ -629,7 +629,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setScopeRepository($scopeRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
@@ -701,7 +701,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setScopeRepository($scopeRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
@@ -1145,7 +1145,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
@@ -1217,7 +1217,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
@@ -1289,7 +1289,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
@@ -1361,7 +1361,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
@@ -1433,7 +1433,7 @@ class AuthCodeGrantTest extends TestCase
 $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
 new \DateInterval('PT10M')
 );
- $grant->enableCodeExchangeProof();
+
 $grant->setClientRepository($clientRepositoryMock);
 $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);