From d755a8c01ddc5214f4c5964c4181aeafce60b7a8 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 17 Jan 2016 13:57:07 +0000 Subject: [PATCH] Updated the validation to BearerTokenResponse --- src/ResponseTypes/BearerTokenResponse.php | 25 +++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/src/ResponseTypes/BearerTokenResponse.php b/src/ResponseTypes/BearerTokenResponse.php index 2397286e..d714b5b3 100644 --- a/src/ResponseTypes/BearerTokenResponse.php +++ b/src/ResponseTypes/BearerTokenResponse.php @@ -12,6 +12,7 @@ namespace League\OAuth2\Server\ResponseTypes; use Lcobucci\JWT\Builder; +use Lcobucci\JWT\Parser; use Lcobucci\JWT\Signer\Key; use Lcobucci\JWT\Signer\Rsa\Sha256; use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface; @@ -78,8 +79,28 @@ class BearerTokenResponse extends AbstractResponseType public function determineAccessTokenInHeader(ServerRequestInterface $request) { $header = $request->getHeader('authorization'); - $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header)); + $jwt = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header)); - return ($accessToken === 'Bearer') ? '' : $accessToken; + try { + // Attempt to parse and validate the JWT + $token = (new Parser())->parse($jwt); + if ($token->verify(new Sha256(), $this->pathToPublicKey) === false) { + return $request; + } + + // Check if token has been revoked + if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jwt'))) { + return $request; + } + + // Return the request with additional attributes + return $request->withAttribute('oauth_access_token', $token->getClaim('jti')) + ->withAttribute('oauth_client_id', $token->getClaim('aud')) + ->withAttribute('oauth_user_id', $token->getClaim('sub')) + ->withAttribute('oauth_scopes', $token->getClaim('scopes')); + } catch (\InvalidArgumentException $e) { + // JWT couldn't be parsed so return the request as is + return $request; + } } }