From b9debaab2670575a776730d09ec9bc5654b704d4 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 8 Nov 2014 16:44:39 +0000 Subject: [PATCH] Fix #231 --- .../relational/Storage/AccessTokenStorage.php | 1 - .../Storage/RefreshTokenStorage.php | 1 - src/Entity/AbstractTokenEntity.php | 9 +++ src/Grant/AuthCodeGrant.php | 5 ++ src/ResourceServer.php | 7 +++ tests/unit/Grant/AuthCodeGrantTest.php | 4 +- tests/unit/ResourceServerTest.php | 58 ++++++++++++++++++- 7 files changed, 80 insertions(+), 5 deletions(-) diff --git a/examples/relational/Storage/AccessTokenStorage.php b/examples/relational/Storage/AccessTokenStorage.php index faccb46c..55949314 100644 --- a/examples/relational/Storage/AccessTokenStorage.php +++ b/examples/relational/Storage/AccessTokenStorage.php @@ -20,7 +20,6 @@ class AccessTokenStorage extends Adapter implements AccessTokenInterface { $result = Capsule::table('oauth_access_tokens') ->where('access_token', $token) - ->where('expire_time', '>=', time()) ->get(); if (count($result) === 1) { diff --git a/examples/relational/Storage/RefreshTokenStorage.php b/examples/relational/Storage/RefreshTokenStorage.php index ab291802..92c52647 100644 --- a/examples/relational/Storage/RefreshTokenStorage.php +++ b/examples/relational/Storage/RefreshTokenStorage.php @@ -17,7 +17,6 @@ class RefreshTokenStorage extends Adapter implements RefreshTokenInterface { $result = Capsule::table('oauth_refresh_tokens') ->where('refresh_token', $token) - ->where('expire_time', '>=', time()) ->get(); if (count($result) === 1) { diff --git a/src/Entity/AbstractTokenEntity.php b/src/Entity/AbstractTokenEntity.php index 04ca81f6..5eeb775f 100644 --- a/src/Entity/AbstractTokenEntity.php +++ b/src/Entity/AbstractTokenEntity.php @@ -96,6 +96,15 @@ abstract class AbstractTokenEntity return $this->expireTime; } + /** + * Is the token expired? + * @return bool + */ + public function isExpired() + { + return ((time() - $this->expireTime) > 0); + } + /** * Set token ID * @param string $token Token ID diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php index df6c58b0..8d73560d 100644 --- a/src/Grant/AuthCodeGrant.php +++ b/src/Grant/AuthCodeGrant.php @@ -209,6 +209,11 @@ class AuthCodeGrant extends AbstractGrant throw new Exception\InvalidRequestException('code'); } + // Ensure the auth code hasn't expired + if ($code->isExpired() === true) { + throw new Exception\InvalidRequestException('code'); + } + // Check redirect URI presented matches redirect URI originally used in authorize request if ($code->getRedirectUri() !== $redirectUri) { throw new Exception\InvalidRequestException('redirect_uri'); diff --git a/src/ResourceServer.php b/src/ResourceServer.php index f9d9f6ea..6596a559 100644 --- a/src/ResourceServer.php +++ b/src/ResourceServer.php @@ -99,10 +99,17 @@ class ResourceServer extends AbstractServer // Set the access token $this->accessToken = $this->getAccessTokenStorage()->get($accessTokenString); + // Ensure the access token exists if (!$this->accessToken instanceof AccessTokenEntity) { throw new Exception\AccessDeniedException; } + // Check the access token hasn't expired + // Ensure the auth code hasn't expired + if ($this->accessToken->isExpired() === true) { + throw new Exception\AccessDeniedException; + } + return true; } diff --git a/tests/unit/Grant/AuthCodeGrantTest.php b/tests/unit/Grant/AuthCodeGrantTest.php index 1f281240..ad36a011 100644 --- a/tests/unit/Grant/AuthCodeGrantTest.php +++ b/tests/unit/Grant/AuthCodeGrantTest.php @@ -551,7 +551,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase $authCodeStorage->shouldReceive('setServer'); $authCodeStorage->shouldReceive('delete'); $authCodeStorage->shouldReceive('get')->andReturn( - (new AuthCodeEntity($server))->setId('foobar')->setRedirectUri('http://foo/bar') + (new AuthCodeEntity($server))->setId('foobar')->setRedirectUri('http://foo/bar')->setExpireTime(time() + 300) ); $authCodeStorage->shouldReceive('getScopes')->andReturn([ (new ScopeEntity($server))->hydrate(['id' => 'foo']) @@ -622,7 +622,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase $authCodeStorage->shouldReceive('setServer'); $authCodeStorage->shouldReceive('delete'); $authCodeStorage->shouldReceive('get')->andReturn( - (new AuthCodeEntity($server))->setId('foobar')->setRedirectUri('http://foo/bar') + (new AuthCodeEntity($server))->setId('foobar')->setRedirectUri('http://foo/bar')->setExpireTime(time() + 300) ); $authCodeStorage->shouldReceive('getScopes')->andReturn([ (new ScopeEntity($server))->hydrate(['id' => 'foo']) diff --git a/tests/unit/ResourceServerTest.php b/tests/unit/ResourceServerTest.php index 16d35b3f..34d61547 100644 --- a/tests/unit/ResourceServerTest.php +++ b/tests/unit/ResourceServerTest.php @@ -142,7 +142,7 @@ class ResourceServerTest extends \PHPUnit_Framework_TestCase }); $accessTokenStorage->shouldReceive('get')->andReturn( - (new AccessTokenEntity($server))->setId('abcdef') + (new AccessTokenEntity($server))->setId('abcdef')->setExpireTime(time() + 300) ); $accessTokenStorage->shouldReceive('getScopes')->andReturn([ @@ -167,4 +167,60 @@ class ResourceServerTest extends \PHPUnit_Framework_TestCase $this->assertTrue($server->isValidRequest()); $this->assertEquals('abcdef', $server->getAccessToken()); } + + /** + * @expectedException League\OAuth2\Server\Exception\AccessDeniedException + */ + public function testIsValidExpiredToken() + { + $sessionStorage = M::mock('League\OAuth2\Server\Storage\SessionInterface'); + $sessionStorage->shouldReceive('setServer'); + + $accessTokenStorage = M::mock('League\OAuth2\Server\Storage\AccessTokenInterface'); + $accessTokenStorage->shouldReceive('setServer'); + + $clientStorage = M::mock('League\OAuth2\Server\Storage\ClientInterface'); + $clientStorage->shouldReceive('setServer'); + + $scopeStorage = M::mock('League\OAuth2\Server\Storage\ScopeInterface'); + $scopeStorage->shouldReceive('setServer'); + + $server = new ResourceServer( + $sessionStorage, + $accessTokenStorage, + $clientStorage, + $scopeStorage + ); + + $server->setIdKey('at'); + + $server->addEventListener('session.owner', function($event) { + $this->assertTrue($event->getSession() instanceof \League\OAuth2\Server\Entity\SessionEntity); + }); + + $accessTokenStorage->shouldReceive('get')->andReturn( + (new AccessTokenEntity($server))->setId('abcdef')->setExpireTime(time() - 300) + ); + + $accessTokenStorage->shouldReceive('getScopes')->andReturn([ + (new ScopeEntity($server))->hydrate(['id' => 'foo']), + (new ScopeEntity($server))->hydrate(['id' => 'bar']) + ]); + + $sessionStorage->shouldReceive('getByAccessToken')->andReturn( + (new SessionEntity($server))->setId('foobar')->setOwner('user', 123) + ); + + $clientStorage->shouldReceive('getBySession')->andReturn( + (new ClientEntity($server))->hydrate(['id' => 'testapp']) + ); + + $request = new \Symfony\Component\HttpFoundation\Request(); + $request->headers = new \Symfony\Component\HttpFoundation\ParameterBag([ + 'Authorization' => 'Bearer abcdef' + ]); + $server->setRequest($request); + + $server->isValidRequest(); + } }