From c0683586e2fe6e03b219edb54b305e6ec05e20b2 Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Thu, 9 May 2013 07:55:10 -0700
Subject: [PATCH] A refresh token should be bound to a client ID

---
 sql/mysql.sql                                    |  3 +++
 src/League/OAuth2/Server/Grant/AuthCode.php      |  2 +-
 src/League/OAuth2/Server/Grant/Password.php      |  2 +-
 src/League/OAuth2/Server/Grant/RefreshToken.php  |  4 ++--
 src/League/OAuth2/Server/Storage/PDO/Session.php | 12 +++++++-----
 .../OAuth2/Server/Storage/SessionInterface.php   |  8 +++++---
 6 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/sql/mysql.sql b/sql/mysql.sql
index 925b202f..11b0de2a 100644
--- a/sql/mysql.sql
+++ b/sql/mysql.sql
@@ -57,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
   `session_access_token_id` int(10) unsigned NOT NULL,
   `refresh_token` char(40) NOT NULL DEFAULT '',
   `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL DEFAULT '',
   PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
   CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/src/League/OAuth2/Server/Grant/AuthCode.php b/src/League/OAuth2/Server/Grant/AuthCode.php
index 9ea1e9da..504a729a 100644
--- a/src/League/OAuth2/Server/Grant/AuthCode.php
+++ b/src/League/OAuth2/Server/Grant/AuthCode.php
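Review bot: `client_id` is declared `NOT NULL DEFAULT ''` while the new foreign key references `oauth_clients` (`id`), so the default can never satisfy the constraint unless a client with an empty id exists; an insert that omits the column fails on the FK rather than on a missing value, which makes the default misleading, and `client_id char(40) NOT NULL` states the intent. This file is the fresh-install schema; a deployment that already has rows in `oauth_session_refresh_tokens` cannot apply this column plus the FK without an `ALTER TABLE` that back-fills `client_id` (from whatever the session record holds, if it records the client) or revokes the existing refresh tokens first, so the change deserves a line in the upgrade notes. The constraint name `oauth_session_refresh_tokens_ibfk_1` is MySQL's auto-generated form and departs from the `f_…` naming the table's other constraint uses.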
@@ -283,7 +283,7 @@ class AuthCode implements GrantTypeInterface {
             if ($this->authServer->hasGrantType('refresh_token')) {
                 $refreshToken = SecureKey::make();
                 $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-                $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+                $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
                 $response['refresh_token'] = $refreshToken;
             }
diff --git a/src/League/OAuth2/Server/Grant/Password.php b/src/League/OAuth2/Server/Grant/Password.php
index 45e6c0ee..e59f5ecf 100644
--- a/src/League/OAuth2/Server/Grant/Password.php
+++ b/src/League/OAuth2/Server/Grant/Password.php
@@ -214,7 +214,7 @@ class Password implements GrantTypeInterface {
             if ($this->authServer->hasGrantType('refresh_token')) {
                 $refreshToken = SecureKey::make();
                 $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-                $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+                $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
                 $response['refresh_token'] = $refreshToken;
             }
diff --git a/src/League/OAuth2/Server/Grant/RefreshToken.php b/src/League/OAuth2/Server/Grant/RefreshToken.php
index fe62291d..cf5dfe3b 100644
--- a/src/League/OAuth2/Server/Grant/RefreshToken.php
+++ b/src/League/OAuth2/Server/Grant/RefreshToken.php
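Review bot: The refresh token is bound to `$authParams['client_id']` as received in the token request, so the binding is only as strong as the client authentication performed earlier in this method, which lies outside the hunk; a comment such as `// bind the refresh token to the client authenticated above` on the changed line would make that dependency explicit to anyone who later reorders the method. The Password grant hunk (@@ -214) makes the identical change and carries the same dependency. Both hunks also repeat the same three-line refresh-token issuance block, which had to be patched in lockstep here; extracting it into a shared helper would keep the two call sites from drifting apart again. The enclosing method starts and ends outside each hunk.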
@@ -143,7 +143,7 @@ class RefreshToken implements GrantTypeInterface {
         }
         // Validate refresh token
-        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
         if ($accessTokenId === false) {
             throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
@@ -168,7 +168,7 @@ class RefreshToken implements GrantTypeInterface {
             $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
         }
-        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
+        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
         return array(
             'access_token' => $accessToken,
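Review bot: The comment `// Validate refresh token` above the changed line no longer describes the check, which now also requires the token to have been issued to the requesting client; `// Validate the refresh token and confirm it was issued to this client` says what the storage call does. A client mismatch and an expired token both surface as the same `invalid_refresh` ClientException, which is the right shape for this response — it does not reveal that the token exists for a different client. The second hunk (@@ -168) binds the newly issued refresh token to the same `$authParams['client_id']`, which is consistent because validateRefreshToken has already matched the consumed token on that value. Whether the consumed refresh token is revoked after rotation is not visible in either hunk; the enclosing method starts and ends outside them.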
@@ -91,15 +91,16 @@ class Session implements SessionInterface
      * @param int $expireTime Unix timestamp of the refresh token expiry time
      * @return void
      */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
     {
         $db = \ezcDbInstance::get();
-        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
-            (:accessTokenId, :refreshToken, :expireTime)');
+        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
+            (:accessTokenId, :refreshToken, :expireTime, :clientId)');
         $stmt->bindValue(':accessTokenId', $accessTokenId);
         $stmt->bindValue(':refreshToken', $refreshToken);
         $stmt->bindValue(':expireTime', $expireTime);
+        $stmt->bindValue(':clientId', $clientId);
         $stmt->execute();
     }
@@ -188,13 +189,14 @@ class Session implements SessionInterface
      * @param string $refreshToken The access token
      * @return void
      */
-    public function validateRefreshToken($refreshToken)
+    public function validateRefreshToken($refreshToken, $clientId)
     {
         $db = \ezcDbInstance::get();
         $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
-            refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
+            refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
         $stmt->bindValue(':refreshToken', $refreshToken);
+        $stmt->bindValue(':clientId', $clientId);
         $stmt->execute();
         $result = $stmt->fetchObject();
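Review bot: The docblock of associateRefreshToken keeps its original parameter list, so the new `$clientId` is undocumented in this implementation although the interface hunk documents it; add ` * @param string $clientId The client ID` after the `$expireTime` line. The same omission is in validateRefreshToken in the second hunk (@@ -188), whose docblock additionally still says `@return void` although the interface declares `@return int|bool` and the grant checks the result with `=== false`, and whose `@param string $refreshToken The access token` should read `The refresh token`. associateRefreshToken is complete within its hunk; validateRefreshToken continues past the end of its hunk.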
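Review bot: The expiry bound is still spliced into the SQL as `' . time()` while the two real inputs on the same statement are bound parameters; `time()` returns an int, so this is not an injection path today, but a query that mixes concatenation and binding is the pattern a later edit extends to a non-integer value. Binding it like the others keeps the statement fully parameterised: `refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= :now` with `$stmt->bindValue(':now', time());`. validateRefreshToken continues past the end of the hunk.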
@@ -91,9 +91,10 @@ interface SessionInterface
      * @param int $accessTokenId The access token ID
      * @param string $refreshToken The refresh token
      * @param int $expireTime Unix timestamp of the refresh token expiry time
+     * @param string $clientId The client ID
      * @return void
      */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
     /**
      * Assocate an authorization code with a session
@@ -191,13 +192,14 @@ interface SessionInterface
      *
      *
      * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
-     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
      *
      *
      * @param string $refreshToken The access token
+     * @param string $clientId The client ID
      * @return int|bool The ID of the access token the refresh token is linked to (or false if invalid)
      */
-    public function validateRefreshToken($refreshToken);
+    public function validateRefreshToken($refreshToken, $clientId);
     /**
      * Get an access token by ID
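Review bot: Adding a fourth required parameter to associateRefreshToken (and a second one to validateRefreshToken in the next hunk) is a breaking change for every custom SessionInterface implementation: PHP refuses to load an implementing class whose method declares fewer parameters than the interface, so third-party storage backends fail at class load rather than silently ignoring the binding. That is the safer failure mode, but it belongs in the changelog or upgrade notes for this release. The parameter description `The client ID` could also say what the value is for, e.g. ` * @param string $clientId The client ID the refresh token is issued to; validateRefreshToken() must reject the token for any other client`.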
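Review bot: `@param string $refreshToken The access token` is wrong for this method and survives the patch unchanged; it should read ` * @param string $refreshToken The refresh token`. The docblock states the contract only through the example query; since the client binding is the security property this commit introduces, the description should say it in words, e.g. `Validate a refresh token and confirm it was issued to the given client; return false on any mismatch, not only on expiry`, so an implementer who does not copy the example SQL still enforces it.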