Merge branch 'release/2.0.4'

CHANGELOG.md

@@ -1,6 +1,22 @@
 # Changelog
 
-## 2.0.0 (released 2013-05-06)
+## 2.0.4 (released 2013-05-09)
+
+* Renamed primary key in oauth_client_endpoints table
+* Adding missing column to oauth_session_authcodes
+* SECURITY FIX: A refresh token should be bound to a client ID
+
+## 2.0.3 (released 2013-05-08)
+
+* Fixed a link to code in composer.json
+
+## 2.0.2 (released 2013-05-08)
+
+* Updated README with wiki guides
+* Removed `null` as default parameters in some methods in the storage interfaces
+* Fixed license copyright
+
+## 2.0.0 (released 2013-05-08)
 
 **If you're upgrading from v1.0.8 there are lots of breaking changes**
 

README.md

@@ -43,11 +43,13 @@ Custom grants can be created easily by implementing an interface. Check out a gu
 
 If you are using MySQL and want to very quickly implement the library then all of the storage interfaces have been implemented with PDO classes. Check out the guide here [https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes](https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes).
 
-## Tutorials
+## Tutorials and documentation
 
-A tutorial on how to use the authorization server can be found at [http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/](http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/).
+The wiki has lots of guides on how to use this library, check it out - [https://github.com/php-loep/oauth2-server/wiki](https://github.com/php-loep/oauth2-server/wiki).
 
-A tutorial on how to use the resource server to secure an API server can be found at [http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/](http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/).
+A tutorial on how to use the authorization server can be found on the wiki - (https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server)[https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server].
+
+A tutorial on how to use the resource server to secure an API server can be found at [https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0](https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0).
 
 ## Future Goals
 

composer.json

@@ -1,8 +1,8 @@
 {
 	"name": "league/oauth2-server",
 	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
-	"version": "2.0",
-	"homepage": "https://github.com/php-leop/oauth2-server",
+	"version": "2.0.4",
+	"homepage": "https://github.com/php-loep/oauth2-server",
 	"license": "MIT",
 	"require": {
 		"php": ">=5.3.0",
@@ -35,7 +35,8 @@
 		}
 	],
 	"replace": {
-		"lncd/oauth2": "*"
+		"lncd/oauth2": "*",
+		"league/oauth2server": "*"
 	},
 	"autoload": {
 		"psr-0": {

license.txt

@@ -1,20 +1,20 @@
 MIT License
 
-Copyright (C) 2012 University of Lincoln
+Copyright (C) 2013 PHP League of Extraordinary Packages
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all 
+The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

sql/mysql.sql

@@ -8,13 +8,13 @@ CREATE TABLE `oauth_clients` (
 ) ENGINE=INNODB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_client_endpoints` (
-  `endpoint_id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
-  `client_id` CHAR(40) NOT NULL,
-  `redirect_uri` VARCHAR(255) NOT NULL,
-  PRIMARY KEY (`endpoint_id`),
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`),
   KEY `i_oaclen_clid` (`client_id`),
   CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_sessions` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
@@ -41,6 +41,7 @@ CREATE TABLE `oauth_session_authcodes` (
   `session_id` int(10) unsigned NOT NULL,
   `auth_code` char(40) NOT NULL DEFAULT '',
   `auth_code_expires` int(10) unsigned NOT NULL,
+  `scope_ids` char(255) DEFAULT NULL,
   PRIMARY KEY (`session_id`),
   CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
@@ -56,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
   `session_access_token_id` int(10) unsigned NOT NULL,
   `refresh_token` char(40) NOT NULL DEFAULT '',
   `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL DEFAULT '',
   PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
   CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 

src/League/OAuth2/Server/Grant/AuthCode.php

@@ -127,7 +127,7 @@ class AuthCode implements GrantTypeInterface {
         }
 
         // Validate client ID and redirect URI
-        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri'], $this->identifier);
 
         if ($clientDetails === false) {
             throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
@@ -283,7 +283,7 @@ class AuthCode implements GrantTypeInterface {
         if ($this->authServer->hasGrantType('refresh_token')) {
             $refreshToken = SecureKey::make();
             $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
             $response['refresh_token'] = $refreshToken;
         }
 

src/League/OAuth2/Server/Grant/Password.php

@@ -214,7 +214,7 @@ class Password implements GrantTypeInterface {
         if ($this->authServer->hasGrantType('refresh_token')) {
             $refreshToken = SecureKey::make();
             $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
             $response['refresh_token'] = $refreshToken;
         }
 

src/League/OAuth2/Server/Grant/RefreshToken.php

@@ -143,7 +143,7 @@ class RefreshToken implements GrantTypeInterface {
         }
 
         // Validate refresh token
-        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
 
         if ($accessTokenId === false) {
             throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
@@ -168,7 +168,7 @@ class RefreshToken implements GrantTypeInterface {
             $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
         }
 
-        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
+        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
 
         return array(
             'access_token'  =>  $accessToken,

src/League/OAuth2/Server/Storage/ClientInterface.php

@@ -53,5 +53,5 @@ interface ClientInterface
      * @param  string     $grantType    The grant type used in the request
      * @return bool|array               Returns false if the validation fails, array on success
      */
-    public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null);
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType);
 }

src/League/OAuth2/Server/Storage/PDO/Client.php

@@ -6,7 +6,7 @@ use League\OAuth2\Server\Storage\ClientInterface;
 
 class Client implements ClientInterface
 {
-    public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null)
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType)
     {
         $db = \ezcDbInstance::get();
 

src/League/OAuth2/Server/Storage/PDO/Session.php

@@ -6,13 +6,6 @@ use League\OAuth2\Server\Storage\SessionInterface;
 
 class Session implements SessionInterface
 {
-    /**
-     * Create a new session
-     * @param  string $clientId  The client ID
-     * @param  string $ownerType The type of the session owner (e.g. "user")
-     * @param  string $ownerId   The ID of the session owner (e.g. "123")
-     * @return int               The session ID
-     */
     public function createSession($clientId, $ownerType, $ownerId)
     {
         $db = \ezcDbInstance::get();
@@ -27,13 +20,6 @@ class Session implements SessionInterface
         return $db->lastInsertId();
     }
 
-    /**
-     * Delete a session
-     * @param  string $clientId  The client ID
-     * @param  string $ownerType The type of the session owner (e.g. "user")
-     * @param  string $ownerId   The ID of the session owner (e.g. "123")
-     * @return void
-     */
     public function deleteSession($clientId, $ownerType, $ownerId)
     {
         $db = \ezcDbInstance::get();
@@ -46,12 +32,6 @@ class Session implements SessionInterface
         $stmt->execute();
     }
 
-    /**
-     * Associate a redirect URI with a session
-     * @param  int    $sessionId   The session ID
-     * @param  string $redirectUri The redirect URI
-     * @return void
-     */
     public function associateRedirectUri($sessionId, $redirectUri)
     {
         $db = \ezcDbInstance::get();
@@ -63,13 +43,6 @@ class Session implements SessionInterface
         $stmt->execute();
     }
 
-    /**
-     * Associate an access token with a session
-     * @param  int    $sessionId   The session ID
-     * @param  string $accessToken The access token
-     * @param  int    $expireTime  Unix timestamp of the access token expiry time
-     * @return void
-     */
     public function associateAccessToken($sessionId, $accessToken, $expireTime)
     {
         $db = \ezcDbInstance::get();
@@ -84,33 +57,19 @@ class Session implements SessionInterface
         return $db->lastInsertId();
     }
 
-    /**
-     * Associate a refresh token with a session
-     * @param  int    $accessTokenId The access token ID
-     * @param  string $refreshToken  The refresh token
-     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
-     * @return void
-     */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
     {
         $db = \ezcDbInstance::get();
 
-        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
-         (:accessTokenId, :refreshToken, :expireTime)');
+        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
+         (:accessTokenId, :refreshToken, :expireTime, :clientId)');
         $stmt->bindValue(':accessTokenId', $accessTokenId);
         $stmt->bindValue(':refreshToken', $refreshToken);
         $stmt->bindValue(':expireTime', $expireTime);
+        $stmt->bindValue(':clientId', $clientId);
         $stmt->execute();
     }
 
-    /**
-     * Assocate an authorization code with a session
-     * @param  int    $sessionId  The session ID
-     * @param  string $authCode   The authorization code
-     * @param  int    $expireTime Unix timestamp of the access token expiry time
-     * @param  string $scopeIds   Comma seperated list of scope IDs to be later associated (default = null)
-     * @return void
-     */
     public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null)
     {
         $db = \ezcDbInstance::get();
@@ -124,11 +83,6 @@ class Session implements SessionInterface
         $stmt->execute();
     }
 
-    /**
-     * Remove an associated authorization token from a session
-     * @param  int    $sessionId   The session ID
-     * @return void
-     */
     public function removeAuthCode($sessionId)
     {
         $db = \ezcDbInstance::get();
@@ -138,13 +92,6 @@ class Session implements SessionInterface
         $stmt->execute();
     }
 
-    /**
-     * Validate an authorization code
-     * @param  string $clientId    The client ID
-     * @param  string $redirectUri The redirect URI
-     * @param  string $authCode    The authorization code
-     * @return void
-     */
     public function validateAuthCode($clientId, $redirectUri, $authCode)
     {
         $db = \ezcDbInstance::get();
@@ -166,11 +113,6 @@ class Session implements SessionInterface
         return ($result === false) ? false : (array) $result;
     }
 
-    /**
-     * Validate an access token
-     * @param  string $accessToken The access token to be validated
-     * @return void
-     */
     public function validateAccessToken($accessToken)
     {
         $db = \ezcDbInstance::get();
@@ -183,29 +125,20 @@ class Session implements SessionInterface
         return ($result === false) ? false : (array) $result;
     }
 
-    /**
-     * Validate a refresh token
-     * @param  string $refreshToken The access token
-     * @return void
-     */
-    public function validateRefreshToken($refreshToken)
+    public function validateRefreshToken($refreshToken, $clientId)
     {
         $db = \ezcDbInstance::get();
 
         $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
-         refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
+         refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
         $stmt->bindValue(':refreshToken', $refreshToken);
+        $stmt->bindValue(':clientId', $clientId);
         $stmt->execute();
 
         $result = $stmt->fetchObject();
         return ($result === false) ? false : $result->session_access_token_id;
     }
 
-    /**
-     * Get an access token by ID
-     * @param  int    $accessTokenId The access token ID
-     * @return array
-     */
     public function getAccessToken($accessTokenId)
     {
         $db = \ezcDbInstance::get();
@@ -218,12 +151,6 @@ class Session implements SessionInterface
         return ($result === false) ? false : (array) $result;
     }
 
-    /**
-     * Associate a scope with an access token
-     * @param  int    $accessTokenId The ID of the access token
-     * @param  int    $scopeId       The ID of the scope
-     * @return void
-     */
     public function associateScope($accessTokenId, $scopeId)
     {
         $db = \ezcDbInstance::get();
@@ -235,11 +162,6 @@ class Session implements SessionInterface
         $stmt->execute();
     }
 
-    /**
-     * Get all associated access tokens for an access token
-     * @param  string $accessToken The access token
-     * @return array
-     */
     public function getScopes($accessToken)
     {
         $db = \ezcDbInstance::get();

src/League/OAuth2/Server/Storage/SessionInterface.php

@@ -91,9 +91,10 @@ interface SessionInterface
      * @param  int    $accessTokenId The access token ID
      * @param  string $refreshToken  The refresh token
      * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
+     * @param  string $clientId      The client ID
      * @return void
      */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
 
     /**
      * Assocate an authorization code with a session
@@ -191,13 +192,14 @@ interface SessionInterface
      *
      * <code>
      * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
-     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
      * </code>
      *
      * @param  string   $refreshToken The access token
+     * @param  string   $clientId     The client ID
      * @return int|bool               The ID of the access token the refresh token is linked to (or false if invalid)
      */
-    public function validateRefreshToken($refreshToken);
+    public function validateRefreshToken($refreshToken, $clientId);
 
     /**
      * Get an access token by ID