diff --git a/resource-server-securing-api.md b/resource-server-securing-api.md index aa058164..214d082c 100755 --- a/resource-server-securing-api.md +++ b/resource-server-securing-api.md 
@@ -94,12 +94,12 @@ When `$server->isValidRequest()` is called the library will run the following ta Assuming an exception isn’t thrown you can then use the following functions in your API code: -* `getOwnerType()` - This will return the type of the owner of the access token. For example if a user has authorized another client to use their resources the owner type would be “user”. -* `getOwnerId()` - This will return the ID of the access token owner. You can use this to check if the owner has permission to do take some sort of action (such as retrieve a document or upload a file to a folder). -* `getClientId()` - Returns the ID of the client that was involved in creating the session that the access token is linked to. -* `getAccessToken()` - Returns the access token used in the request. -* `hasScope()` - You can use this function to see if a specific scope (or several scopes) has been associated with the access token. You can use this to limit the contents of an API response or prevent access to an API endpoint without the correct scope. -* `getScopes()` - Returns all scopes attached to the access token. +* `$server->getAccessToken()->getSession()->getOwnerType()` - This will return the type of the owner of the access token. For example if a user has authorized another client to use their resources the owner type would be “user”. +* `$server->getAccessToken()->getSession()->getOwnerId()` - This will return the ID of the access token owner. You can use this to check if the owner has permission to do take some sort of action (such as retrieve a document or upload a file to a folder). +* `$server->getAccessToken()->getSession()->getClient()->getId()` - Returns the ID of the client that was involved in creating the session that the access token is linked to. +* `$server->getAccessToken()` - Returns the access token used in the request. 
+* `$server->getAccessToken()->hasScope()` - You can use this function to see if a specific scope (or several scopes) has been associated with the access token. You can use this to limit the contents of an API response or prevent access to an API endpoint without the correct scope. +* `$server->getAccessToken()->getScopes()` - Returns all scopes attached to the access token. ## A simple example @@ -136,7 +136,7 @@ $router->get('/users/{username}', function (Request $request, $args) use ($serve In this example, only a user’s access token is valid: ~~~ php -if ($server->getOwnerType() !== 'user') { +if ($server->getAccessToken()->getSession()->getOwnerType() !== 'user') { throw new Exception\AccessDeniedException; } ~~~ @@ -146,7 +146,7 @@ if ($server->getOwnerType() !== 'user') { In this example, the endpoint will only respond to access tokens that are owner by client applications and that have the scope `users.list`. ~~~ php -if ($server->getOwnerType() !== 'client' && $server->hasScope('users.list')) { +if ($server->getAccessToken()->getSession()->getOwnerType() !== 'client' && $server->getAccessToken()->hasScope('users.list')) { throw new Exception\AccessDeniedException; } ~~~ @@ -156,7 +156,7 @@ You might secure an endpoint in this way to only allow specific clients (such as ## Return resource based on access token owner ~~~ php -$photos = $model->getPhotos($server->getOwnerId()); +$photos = $model->getPhotos($server->getAccessToken()->getSession()->getOwnerId()); ~~~
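Review bot: the `hasScope()` bullet in the first hunk still says the function accepts "a specific scope (or several scopes)", but the rewritten call sites further down only ever pass a single string (`hasScope('users.list')`); state the exact signature here, and if a multi-scope form exists show the call shape. The same bullet block also keeps the pre-existing typo "permission to do take some sort of action" in the new `getOwnerId()` `+` line; since the line is being rewritten anyway, drop the stray "do".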
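Review bot: the condition in the `users.list` hunk is still wrong after the method-chain rewrite, so the example contradicts its own description. `if (getOwnerType() !== 'client' && hasScope('users.list')) { throw ... }` only denies a non-client token that *does* carry the scope; a client token without the scope, and a user token without it, both pass. To "only respond to access tokens owned by client applications and that have the scope" the check should be `if ($server->getAccessToken()->getSession()->getOwnerType() !== 'client' || !$server->getAccessToken()->hasScope('users.list')) {`. The context line above that hunk also has "tokens that are owner by client applications", which should read "owned by".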
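Review bot: in the last hunk, `$model->getPhotos($server->getAccessToken()->getSession()->getOwnerId())` passes the owner ID without first confirming the owner type, so a client-owned token would have its client ID handed to a lookup that expects a user ID. Guard it the same way the earlier example does (`getOwnerType() !== 'user'` then `AccessDeniedException`), or say in the surrounding prose that the endpoint is assumed to have already rejected non-user tokens. A style point for every hunk: `$server->getAccessToken()->getSession()` is now repeated in each snippet; assigning `$session = $server->getAccessToken()->getSession();` once and calling `$session->getOwnerType()` / `$session->getOwnerId()` keeps the examples readable.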