From 7285ede563476400790db523ab3159f182ccf248 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=CC=87smail=20BASKIN?=
Date: Wed, 4 May 2016 13:34:37 +0300
Subject: [PATCH 1/2] Include redirect_uri check on authorization endpoint

---
 src/Grant/AuthCodeGrant.php | 5 ++++
 tests/AuthorizationServerTest.php | 45 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 9216e167..fe4c5933 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -195,6 +195,11 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
 throw OAuthServerException::invalidClient();
 }
+ } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
+ || empty($client->getRedirectUri())
+ ) {
+ $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+ throw OAuthServerException::invalidClient();
 }
 
 $scopes = $this->validateScopes(
diff --git a/tests/AuthorizationServerTest.php b/tests/AuthorizationServerTest.php
index 2303b713..67c924a8 100644
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
@@ -135,6 +135,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 public function testValidateAuthorizationRequest()
 {
 $client = new ClientEntity();
+ $client->setRedirectUri('http://foo/bar');
 $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
 $clientRepositoryMock->method('getClientEntity')->willReturn($client);
 
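Review bot: The new `elseif` mixes `&&` and `||` with no parentheses, so a reader has to recall PHP precedence to see that it rejects a client with no registered redirect URI or with more than one; make the intent explicit, e.g. `} elseif (empty($client->getRedirectUri()) || (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1)) {`. Throwing instead of redirecting is the right outcome (RFC 6749 §3.1.2.4: a missing or ambiguous redirection URI must not be auto-redirected), but the branch emits `CLIENT_AUTHENTICATION_FAILED` and answers `invalid_client` for what is really a request lacking `redirect_uri` against an ambiguous registration, so any listener that counts authentication failures for lockout or alerting will count these too; that mirrors the mismatch branch visible just above it, so at minimum a comment such as `// No redirect_uri in the request: only acceptable when the client has exactly one registered URI` should say why this is rejected. The enclosing method starts and ends outside the hunk, so whatever later falls back to the single registered URI is not visible here.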
@@ -171,6 +172,50 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 $this->assertTrue($server->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
 }
 
+ public function testValidateAuthorizationRequestWithMissingRedirectUri()
+ {
+ $client = new ClientEntity();
+ $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+ $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+ $grant = new AuthCodeGrant(
+ $this->getMock(AuthCodeRepositoryInterface::class),
+ $this->getMock(RefreshTokenRepositoryInterface::class),
+ new \DateInterval('PT10M')
+ );
+ $grant->setClientRepository($clientRepositoryMock);
+
+ $server = new AuthorizationServer(
+ $clientRepositoryMock,
+ $this->getMock(AccessTokenRepositoryInterface::class),
+ $this->getMock(ScopeRepositoryInterface::class),
+ 'file://' . __DIR__ . '/Stubs/private.key',
+ 'file://' . __DIR__ . '/Stubs/public.key'
+ );
+ $server->enableGrantType($grant);
+
+ $request = new ServerRequest(
+ [],
+ [],
+ null,
+ null,
+ 'php://input',
+ $headers = [],
+ $cookies = [],
+ $queryParams = [
+ 'response_type' => 'code',
+ 'client_id' => 'foo',
+ ]
+ );
+
+ try {
+ $server->validateAuthorizationRequest($request);
+ } catch (OAuthServerException $e) {
+ $this->assertEquals('invalid_client', $e->getErrorType());
+ $this->assertEquals(401, $e->getHttpStatusCode());
+ }
+ }
+
 /**
 * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
 * @expectedExceptionCode 2
From 9a58bc15f668b19439e7fcbf33572117182408b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=CC=87smail=20BASKIN?=
Date: Sat, 7 May 2016 17:43:43 +0300
Subject: [PATCH 2/2] Include redirect_uri check on authorization endpoint on implicit grant

---
 src/Grant/ImplicitGrant.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php
index 976acefb..634a79cd 100644
--- a/src/Grant/ImplicitGrant.php
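Review bot: `testValidateAuthorizationRequestWithMissingRedirectUri` passes vacuously if no exception is thrown, because its only assertions sit inside the `catch` block; add `$this->fail('Expected OAuthServerException was not thrown');` directly after `$server->validateAuthorizationRequest($request);` inside the `try`, or use the `@expectedException` annotation that the neighbouring tests in this file already rely on. The new branch has two arms but the test only covers a client with no registered URI; a sibling case whose `setRedirectUri` receives two URIs would pin the ambiguous-registration arm, assuming `ClientEntity::setRedirectUri` accepts an array as the `is_array` check implies. The two `assertEquals` calls compare a string and an int and would be tighter as `assertSame`.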
+++ b/src/Grant/ImplicitGrant.php
@@ -142,6 +142,11 @@ class ImplicitGrant extends AbstractAuthorizeGrant
 $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
 throw OAuthServerException::invalidClient();
 }
+ } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
+ || empty($client->getRedirectUri())
+ ) {
+ $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+ throw OAuthServerException::invalidClient();
 }
 
 $scopes = $this->validateScopes(
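Review bot: This `elseif` is a verbatim copy of the one the first patch added to `AuthCodeGrant`, and both classes extend `AbstractAuthorizeGrant`, so the check belongs in one protected helper on the base class that both `validateAuthorizationRequest` implementations call; a sketch is below, with the mixed `&&`/`||` parenthesised and the registered value read once. Unlike the first patch, no test covers the implicit-grant branch, which matters more here because an implicit-flow error that did redirect would place the token-bearing fragment on an unverified URI — a counterpart to `testValidateAuthorizationRequestWithMissingRedirectUri` built on `ImplicitGrant` would close that gap. The enclosing method starts and ends outside the hunk.

```php
// AbstractAuthorizeGrant.php — shared by AuthCodeGrant and ImplicitGrant
/**
 * A request without redirect_uri is only acceptable when the client has
 * exactly one registered redirect URI; anything else is rejected rather
 * than redirected (RFC 6749 §3.1.2.4).
 */
protected function validateRegisteredRedirectUri($client, $request)
{
    $registered = $client->getRedirectUri();
    if (empty($registered) || (is_array($registered) && count($registered) !== 1)) {
        $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
        throw OAuthServerException::invalidClient();
    }
}

// ImplicitGrant.php — replaces the added elseif
} else {
    $this->validateRegisteredRedirectUri($client, $request);
}
// … unchanged: scope validation …
```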