From 618d84ddcfceecaffeaf03641f91d8a3f29dd215 Mon Sep 17 00:00:00 2001
From: ApolloPY
Date: Sat, 22 Aug 2015 01:47:59 +0800
Subject: [PATCH 1/5] Mac token only get to header

---
 src/ResourceServer.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ResourceServer.php b/src/ResourceServer.php
index ab9ebec4..245cb4e2 100644
--- a/src/ResourceServer.php
+++ b/src/ResourceServer.php
@@ -19,6 +19,7 @@ use League\OAuth2\Server\Storage\ClientInterface;
 use League\OAuth2\Server\Storage\ScopeInterface;
 use League\OAuth2\Server\Storage\SessionInterface;
 use League\OAuth2\Server\TokenType\Bearer;
+use League\OAuth2\Server\TokenType\MAC;
 /**
 * OAuth 2.0 Resource Server
@@ -139,7 +140,7 @@ class ResourceServer extends AbstractServer
 {
 if ($this->getRequest()->headers->get('Authorization') !== null) {
 $accessToken = $this->getTokenType()->determineAccessTokenInHeader($this->getRequest());
- } elseif ($headerOnly === false) {
+ } elseif ($headerOnly === false && (! $this->getTokenType() instanceof MAC)) {
 $accessToken = ($this->getRequest()->server->get('REQUEST_METHOD') === 'GET')
 ? $this->getRequest()->query->get($this->tokenKey)
 : $this->getRequest()->request->get($this->tokenKey);
From f632fcc997ce885b71f79e34323ca5c30c32c5b3 Mon Sep 17 00:00:00 2001
From: joao
Date: Fri, 28 Aug 2015 10:38:45 +0000
Subject: [PATCH 2/5] ISSUE #356: added the refresh token to the mac token type response

---
 src/TokenType/MAC.php | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/src/TokenType/MAC.php b/src/TokenType/MAC.php
index 1eb3b930..6d5e86e1 100644
--- a/src/TokenType/MAC.php
+++ b/src/TokenType/MAC.php
@@ -1,14 +1,14 @@
 * @copyright Copyright (c) Alex Bilbie
 * @license http://mit-license.org/
+ *
 * @link https://github.com/thephpleague/oauth2-server
 */
-
 namespace League\OAuth2\Server\TokenType;
 use League\OAuth2\Server\Util\SecureKey;
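Review bot: With the new condition, a request whose configured token type is MAC and which carries no Authorization header matches neither branch, so `$accessToken` is never assigned and the remainder of the method (its signature and tail are outside this hunk) has to cope with an undefined variable; I cannot see from here whether it does. The intent — MAC credentials are accepted from the header only, as the commit subject says — deserves an explicit branch rather than a fall-through, e.g. `} elseif ($this->getTokenType() instanceof MAC) {` that raises the same exception the method already uses when no token is found. Testing a concrete class with `instanceof` also ties the generic resource server to one token type; a predicate on the token type (constructed name: `headerOnly()`) would let Bearer and MAC each declare where they may be carried. A one-line comment on the new condition, `// MAC credentials are signed and parsed from the Authorization header only, never from query or body`, would record why the restriction exists.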
@@ -16,7 +16,7 @@ use Symfony\Component\HttpFoundation\ParameterBag;
 use Symfony\Component\HttpFoundation\Request;
 /**
- * MAC Token Type
+ * MAC Token Type.
 */
 class MAC extends AbstractTokenType implements TokenTypeInterface
 {
@@ -29,13 +29,17 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 $this->server->getMacStorage()->create($macKey, $this->getParam('access_token'));
 $response = [
- 'access_token' => $this->getParam('access_token'),
- 'token_type' => 'mac',
- 'expires_in' => $this->getParam('expires_in'),
- 'mac_key' => $macKey,
- 'mac_algorithm' => 'hmac-sha-256',
+ 'access_token' => $this->getParam('access_token'),
+ 'token_type' => 'mac',
+ 'expires_in' => $this->getParam('expires_in'),
+ 'mac_key' => $macKey,
+ 'mac_algorithm' => 'hmac-sha-256',
 ];
+ if (!is_null($this->getParam('refresh_token'))) {
+ $response['refresh_token'] = $this->getParam('refresh_token');
+ }
+
 return $response;
 }
@@ -121,9 +125,11 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 }
 /**
- * Prevent timing attack
- * @param string $knownString
- * @param string $userString
+ * Prevent timing attack.
+ *
+ * @param string $knownString
+ * @param string $userString
+ *
 * @return bool
 */
 private function hash_equals($knownString, $userString)
@@ -136,7 +142,7 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 }
 $len = strlen($knownString);
 $result = 0;
- for ($i = 0; $i < $len; $i++) {
+ for ($i = 0; $i < $len; ++$i) {
 $result |= (ord($knownString[$i]) ^ ord($userString[$i]));
 }
 // They are only identical strings if $result is exactly 0...
From 56c73d2427503d0697867b6af54f5813f4c99063 Mon Sep 17 00:00:00 2001
From: joao
Date: Fri, 28 Aug 2015 10:40:13 +0000
Subject: [PATCH 3/5] ISSUE #356: added the refresh token to the mac token type response

---
 src/TokenType/MAC.php | 28 +++++++++++++--------------
 1 file changed, 13 insertions(+), 15 deletions(-)
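Review bot: In the `@@ -29,13 +29,17 @@` hunk the refresh token is only emitted when the parameter is set, which is right, but `!is_null(...)` is the long way to write `!== null` and `getParam` is called twice for the same key; `$refreshToken = $this->getParam('refresh_token'); if ($refreshToken !== null) { $response['refresh_token'] = $refreshToken; }` reads as one step. The five re-aligned array lines are whitespace churn that PATCH 3/5 reverts again, so the three-line `if` block is the only functional change to look at. The enclosing method starts above the hunk; its docblock (not shown) should say that `refresh_token` is present in the response only when that parameter was set.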
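Review bot: The loop in the `@@ -136,7 +142,7 @@` hunk (and the docblock hunk `@@ -121,9 +125,11 @@` above it) is a userland constant-time comparison, but PHP 5.6 ships a native `hash_equals()`, which is the implementation to trust where it exists; the private method should delegate first, `if (function_exists('hash_equals')) { return hash_equals($knownString, $userString); }`, and keep the XOR fold only as the fallback for older runtimes. The `$i++` to `++$i` change is cosmetic and PATCH 3/5 reverts it. What looks like a length guard precedes this loop above the hunk, so I cannot confirm that unequal lengths return before `$userString[$i]` is indexed; the docblock should state that precondition, e.g. `Constant-time byte comparison; callers get false on a length mismatch without any byte being compared`.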
diff --git a/src/TokenType/MAC.php b/src/TokenType/MAC.php
index 6d5e86e1..c1c28ab1 100644
--- a/src/TokenType/MAC.php
+++ b/src/TokenType/MAC.php
@@ -1,14 +1,14 @@
 * @copyright Copyright (c) Alex Bilbie
 * @license http://mit-license.org/
- *
 * @link https://github.com/thephpleague/oauth2-server
 */
+
 namespace League\OAuth2\Server\TokenType;
 use League\OAuth2\Server\Util\SecureKey;
@@ -16,7 +16,7 @@ use Symfony\Component\HttpFoundation\ParameterBag;
 use Symfony\Component\HttpFoundation\Request;
 /**
- * MAC Token Type.
+ * MAC Token Type
 */
 class MAC extends AbstractTokenType implements TokenTypeInterface
 {
@@ -29,11 +29,11 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 $this->server->getMacStorage()->create($macKey, $this->getParam('access_token'));
 $response = [
- 'access_token' => $this->getParam('access_token'),
- 'token_type' => 'mac',
- 'expires_in' => $this->getParam('expires_in'),
- 'mac_key' => $macKey,
- 'mac_algorithm' => 'hmac-sha-256',
+ 'access_token' => $this->getParam('access_token'),
+ 'token_type' => 'mac',
+ 'expires_in' => $this->getParam('expires_in'),
+ 'mac_key' => $macKey,
+ 'mac_algorithm' => 'hmac-sha-256',
 ];
 if (!is_null($this->getParam('refresh_token'))) {
@@ -125,11 +125,9 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 }
 /**
- * Prevent timing attack.
- *
- * @param string $knownString
- * @param string $userString
- *
+ * Prevent timing attack
+ * @param string $knownString
+ * @param string $userString
 * @return bool
 */
 private function hash_equals($knownString, $userString)
@@ -142,7 +140,7 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 }
 $len = strlen($knownString);
 $result = 0;
- for ($i = 0; $i < $len; ++$i) {
+ for ($i = 0; $i < $len; $i++) {
 $result |= (ord($knownString[$i]) ^ ord($userString[$i]));
 }
 // They are only identical strings if $result is exactly 0...
From b2203685835472ef157de51dc1236e4e44cdefc0 Mon Sep 17 00:00:00 2001
From: Michael Hogg
Date: Fri, 28 Aug 2015 14:01:22 +0100
Subject: [PATCH 4/5] Fix bug: regex doesn't match all Base64 characters

---
 src/TokenType/MAC.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/TokenType/MAC.php b/src/TokenType/MAC.php
index 1eb3b930..e4b97a66 100644
--- a/src/TokenType/MAC.php
+++ b/src/TokenType/MAC.php
@@ -61,7 +61,7 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 array_map(function ($param) use (&$params) {
 $param = trim($param);
- preg_match_all('/([a-zA-Z]*)="([\w=]*)"/', $param, $matches);
+ preg_match_all('/([a-zA-Z]*)="([\w=\/+]*)"/', $param, $matches);
 // @codeCoverageIgnoreStart
 if (count($matches) !== 3) {
From a2c418ee074a99bfdad76d58dc09b1a6040dd68a Mon Sep 17 00:00:00 2001
From: Michael Hogg
Date: Fri, 28 Aug 2015 16:41:12 +0100
Subject: [PATCH 5/5] Fix bug: incorrect signature parameter

---
 src/TokenType/MAC.php | 2 +-
 tests/unit/TokenType/MacTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/TokenType/MAC.php b/src/TokenType/MAC.php
index 1eb3b930..54a40ef2 100644
--- a/src/TokenType/MAC.php
+++ b/src/TokenType/MAC.php
@@ -105,7 +105,7 @@ class MAC extends AbstractTokenType implements TokenTypeInterface
 $timestamp,
 $nonce,
 strtoupper($request->getMethod()),
- $request->getUri(),
+ $request->getRequestUri(),
 $request->getHost(),
 $request->getPort(),
 ];
diff --git a/tests/unit/TokenType/MacTest.php b/tests/unit/TokenType/MacTest.php
index fce568fa..f0fc2fc2 100644
--- a/tests/unit/TokenType/MacTest.php
+++ b/tests/unit/TokenType/MacTest.php
@@ -52,7 +52,7 @@ class MacTest extends \PHPUnit_Framework_TestCase
 $ts,
 'foo',
 strtoupper($request->getMethod()),
- $request->getUri(),
+ $request->getRequestUri(),
 $request->getHost(),
 $request->getPort(),
 'ext'
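Review bot: The `if (count($matches) !== 3)` guard right after the changed `preg_match_all` line cannot detect a parameter the regex rejected: for a pattern with two capture groups `preg_match_all` fills three entries even on no match (`[[], [], []]`), so the count is still 3 and only a PCRE failure (return value `false`) could trip it. Testing the call itself, `if (!preg_match_all('/([a-zA-Z]*)="([\w=\/+]*)"/', $param, $matches)) {`, is false for both zero matches and a PCRE error, so a malformed `key="value"` pair is reported instead of silently dropped. The widened class `[\w=\/+]` covers the standard Base64 alphabet but not the URL-safe variant's `-`; whether that matters depends on how clients encode the header values, which this hunk does not show. The closure runs inside an `array_map` used only for its side effect on `$params`; a `foreach` would say that more plainly. The enclosing method begins and ends outside the hunk.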
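Review bot: In the `@@ -105,7 +105,7 @@` hunk of `src/TokenType/MAC.php`, switching the signed element from `getUri()` to `getRequestUri()` changes what every client must sign, and the only test touched (the `MacTest.php` hunk below) is updated to the same call, so nothing documents the expected layout or pins it against regression; a comment on the array would, e.g. `// Normalized request string (OAuth MAC draft): ts, nonce, METHOD, request-target (path + query as received), host, port`. Symfony's `getRequestUri()` is the raw request target, while `getHost()` and `getPort()` can reflect forwarded headers when trusted proxies are configured — as far as I can tell, a client behind a reverse proxy that signs the external host and port may still compute a different string than the server, so that deployment assumption should be stated next to this code. The enclosing method begins and ends outside the hunk.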