mirror of
https://github.com/elyby/oauth2-server.git
synced 2025-05-31 14:12:07 +05:30
Compare commits
89 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
3bec591393 | ||
|
084b779cc6 | ||
|
491f3f0e95 | ||
|
c5db707e69 | ||
|
ed7f78179a | ||
|
6e92239dd7 | ||
|
f5d731def9 | ||
|
03815cec6d | ||
|
c71dc47459 | ||
|
3bcd8fc3f8 | ||
|
db6d4e0dc6 | ||
|
f19189a999 | ||
|
ec9c91cc11 | ||
|
c3457107ee | ||
|
a9f61fd3ed | ||
|
b78d8ca1d8 | ||
|
8f82e8ef86 | ||
|
d88e01c7dd | ||
|
d21374fb0b | ||
|
31e5f4d33c | ||
|
a773405adf | ||
|
ccc845b195 | ||
|
21cd917892 | ||
|
a2c418ee07 | ||
|
b220368583 | ||
|
2d26c38d6c | ||
|
eeaa68400f | ||
|
56c73d2427 | ||
|
f632fcc997 | ||
|
618d84ddcf | ||
|
ace42e89e0 | ||
|
c496df98e4 | ||
|
2496653968 | ||
|
abf66ef9c8 | ||
|
4b9ec488f4 | ||
|
726d879607 | ||
|
b256195421 | ||
|
c84ea1ea62 | ||
|
16685ccde4 | ||
|
7934c7bb53 | ||
|
c174b6fc65 | ||
|
75ced70248 | ||
|
5b7fdaeece | ||
|
430a752315 | ||
|
810544ec0a | ||
|
34a6b66b8c | ||
|
61738a7fe2 | ||
|
51184259d1 | ||
|
b21de11429 | ||
|
cf6e86c9d4 | ||
|
f6fdbc7142 | ||
|
7f7f45662a | ||
|
f92a68cc72 | ||
|
295d8ffa24 | ||
|
3d08140651 | ||
|
ec8a8393ee | ||
|
3869b8f406 | ||
|
7da7484008 | ||
|
b42ba4af17 | ||
|
dd795a82f4 | ||
|
166362d3cd | ||
|
d43391564c | ||
|
ea6edf572a | ||
|
19b64c2e65 | ||
|
612775466c | ||
|
740ea24e08 | ||
|
e1c14abf6c | ||
|
d1aae27359 | ||
|
80aeaf9200 | ||
|
282bb20cc8 | ||
|
b727be55a2 | ||
|
cf80a2d6ce | ||
|
72a5c1794a | ||
|
707c85b0d6 | ||
|
c56562b0b8 | ||
|
d0b2498b43 | ||
|
17be6f4549 | ||
|
b50fbff1e3 | ||
|
7375a348c6 | ||
|
ae5dd9ce65 | ||
|
f9e56ff62a | ||
|
1bcf7ee20f | ||
|
bee9c6a51d | ||
|
851c7c0eb1 | ||
|
7fff4a8fe8 | ||
|
44ac01ee0e | ||
|
60bd334b46 | ||
|
2653a174bb | ||
|
676fb4c06a |
3
.gitignore
vendored
3
.gitignore
vendored
@@ -11,4 +11,5 @@
|
||||
/tests/codecept/tests/_log
|
||||
oauth2-server.paw
|
||||
/output_*/
|
||||
/_site
|
||||
/_site
|
||||
.idea
|
@@ -21,8 +21,7 @@ checks:
|
||||
fix_doc_comments: true
|
||||
tools:
|
||||
external_code_coverage:
|
||||
timeout: 600
|
||||
runs: 3
|
||||
timeout: 1800
|
||||
php_code_coverage: false
|
||||
php_code_sniffer:
|
||||
config:
|
||||
@@ -34,4 +33,4 @@ tools:
|
||||
excluded_dirs: [vendor, tests, examples]
|
||||
php_cpd:
|
||||
enabled: true
|
||||
excluded_dirs: [vendor, tests, examples]
|
||||
excluded_dirs: [vendor, tests, examples]
|
||||
|
26
.travis.yml
26
.travis.yml
@@ -1,10 +1,22 @@
|
||||
language: php
|
||||
|
||||
sudo: false
|
||||
|
||||
cache:
|
||||
directories:
|
||||
- vendor
|
||||
|
||||
php:
|
||||
- 5.4
|
||||
- 5.5
|
||||
- 5.6
|
||||
- 7.0
|
||||
- hhvm
|
||||
|
||||
matrix:
|
||||
allow_failures:
|
||||
- php: 7.0
|
||||
fast_finish: true
|
||||
|
||||
install:
|
||||
- travis_retry composer install --no-interaction --prefer-source
|
||||
@@ -14,8 +26,8 @@ script:
|
||||
- phpunit --coverage-text --verbose --coverage-clover=coverage.clover --coverage-html coverage
|
||||
|
||||
after_script:
|
||||
- wget https://scrutinizer-ci.com/ocular.phar
|
||||
- php ocular.phar code-coverage:upload --format=php-clover coverage.clover
|
||||
- bash -c 'if [ "$TRAVIS_PHP_VERSION" == "5.6" ]; then wget https://scrutinizer-ci.com/ocular.phar; fi;
|
||||
- bash -c 'if [ "$TRAVIS_PHP_VERSION" == "5.6" ]; then php ocular.phar code-coverage:upload --format=php-clover coverage.clover; fi;
|
||||
- git config --global user.email "travis@travis-ci.org"
|
||||
- git config --global user.name "TravisCI"
|
||||
- cp -R coverage ${HOME}/coverage
|
||||
@@ -33,4 +45,12 @@ branches:
|
||||
- master
|
||||
env:
|
||||
global:
|
||||
secure: "C4wD/BQefKSu9W594iyLp+IBCjlM8kKlmp+nXKXnZGi0L8IkV3m4mmNOb8PExxGMhZ3mlev5DnU4Uoh4oJaUxnkR1FpX4dSEpyzU3VknUzSE2yZOlL+bdCw3o85TGoCcp/+ReJCOw5sncxTskJKHlW1YMa33FznaXwLNoImpjTg="
|
||||
secure: "C4wD/BQefKSu9W594iyLp+IBCjlM8kKlmp+nXKXnZGi0L8IkV3m4mmNOb8PExxGMhZ3mlev5DnU4Uoh4oJaUxnkR1FpX4dSEpyzU3VknUzSE2yZOlL+bdCw3o85TGoCcp/+ReJCOw5sncxTskJKHlW1YMa33FznaXwLNoImpjTg="
|
||||
|
||||
notifications:
|
||||
webhooks:
|
||||
urls:
|
||||
- https://webhooks.gitter.im/e/7de0ca12596cd5268f30
|
||||
on_success: always # options: [always|never|change] default: always
|
||||
on_failure: always # options: [always|never|change] default: always
|
||||
on_start: false # default: false
|
||||
|
50
CHANGELOG.md
50
CHANGELOG.md
@@ -1,5 +1,55 @@
|
||||
# Changelog
|
||||
|
||||
## 4.1.6 (released 2016-09-13)
|
||||
|
||||
* Less restrictive on Authorization header check (Issue #652)
|
||||
|
||||
## 4.1.5 (released 2016-01-04)
|
||||
|
||||
* Enable Symfony 3.0 support (#412)
|
||||
|
||||
## 4.1.4 (released 2015-11-13)
|
||||
|
||||
* Fix for determining access token in header (Issue #328)
|
||||
* Refresh tokens are now returned for MAC responses (Issue #356)
|
||||
* Added integration list to readme (Issue #341)
|
||||
* Expose parameter passed to exceptions (Issue #345)
|
||||
* Removed duplicate routing setup code (Issue #346)
|
||||
* Docs fix (Issues #347, #360, #380)
|
||||
* Examples fix (Issues #348, #358)
|
||||
* Fix typo in docblock (Issue #352)
|
||||
* Improved timeouts for MAC tokens (Issue #364)
|
||||
* `hash_hmac()` should output raw binary data, not hexits (Issue #370)
|
||||
* Improved regex for matching all Base64 characters (Issue #371)
|
||||
* Fix incorrect signature parameter (Issue #372)
|
||||
* AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
|
||||
* Added priority argument to event listener (Issue #388)
|
||||
|
||||
## 4.1.3 (released 2015-03-22)
|
||||
|
||||
* Docblock, namespace and inconsistency fixes (Issue #303)
|
||||
* Docblock type fix (Issue #310)
|
||||
* Example bug fix (Issue #300)
|
||||
* Updated league/event to ~2.1 (Issue #311)
|
||||
* Fixed missing session scope (Issue #319)
|
||||
* Updated interface docs (Issue #323)
|
||||
* `.travis.yml` updates
|
||||
|
||||
## 4.1.2 (released 2015-01-01)
|
||||
|
||||
* Remove side-effects in hash_equals() implementation (Issue #290)
|
||||
|
||||
## 4.1.1 (released 2014-12-31)
|
||||
|
||||
* Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
|
||||
|
||||
## 4.1.0 (released 2014-12-27)
|
||||
|
||||
* Added MAC token support (Issue #158)
|
||||
* Fixed example init code (Issue #280)
|
||||
* Toggle refresh token rotation (Issue #286)
|
||||
* Docblock fixes
|
||||
|
||||
## 4.0.5 (released 2014-12-15)
|
||||
|
||||
* Prevent duplicate session in auth code grant (Issue #282)
|
||||
|
15
README.md
15
README.md
@@ -5,7 +5,7 @@
|
||||
[](https://travis-ci.org/thephpleague/oauth2-server)
|
||||
[](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
|
||||
[](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
|
||||
[](https://packagist.org/packages/league/oauth2-server)
|
||||
[](https://packagist.org/packages/league/oauth2-server) [](https://gitter.im/thephpleague/oauth2-server?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
|
||||
|
||||
|
||||
A standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
|
||||
@@ -22,9 +22,11 @@ You can also define your own grants.
|
||||
In addition it supports the following token types:
|
||||
|
||||
* Bearer tokens
|
||||
* MAC tokens (coming soon)
|
||||
* MAC tokens
|
||||
* JSON web tokens (coming soon)
|
||||
|
||||
You can also create you own tokens.
|
||||
|
||||
|
||||
## Requirements
|
||||
|
||||
@@ -49,10 +51,19 @@ Contribute to this documentation in the [gh-pages branch](https://github.com/the
|
||||
|
||||
Please see [CONTRIBUTING](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) for details.
|
||||
|
||||
## Integration
|
||||
|
||||
- [CakePHP 3](https://github.com/uafrica/oauth-server)
|
||||
- [Laravel](https://github.com/lucadegasperi/oauth2-server-laravel)
|
||||
|
||||
## Support
|
||||
|
||||
Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague/oauth2-server/issues)
|
||||
|
||||
## Security
|
||||
|
||||
If you discover any security related issues, please email hello@alexbilbie.com instead of using the issue tracker.
|
||||
|
||||
## License
|
||||
|
||||
This package is released under the MIT License. See the bundled [LICENSE](https://github.com/thephpleague/oauth2-server/blob/master/LICENSE) file for details.
|
||||
|
@@ -5,8 +5,8 @@
|
||||
"license": "MIT",
|
||||
"require": {
|
||||
"php": ">=5.4.0",
|
||||
"symfony/http-foundation": "~2.5",
|
||||
"league/event": "1.0.*"
|
||||
"symfony/http-foundation": "~2.4|~3.0",
|
||||
"league/event": "~2.1"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "4.3.*",
|
||||
|
@@ -86,7 +86,7 @@ class AccessTokenStorage extends AbstractStorage implements AccessTokenInterface
|
||||
*/
|
||||
public function delete(AccessTokenEntity $token)
|
||||
{
|
||||
Capsule::table('oauth_access_token_scopes')
|
||||
Capsule::table('oauth_access_tokens')
|
||||
->where('access_token', $token->getId())
|
||||
->delete();
|
||||
}
|
||||
|
@@ -9,11 +9,6 @@ use RelationalExample\Storage;
|
||||
|
||||
include __DIR__.'/vendor/autoload.php';
|
||||
|
||||
// Routing setup
|
||||
$request = (new Request())->createFromGlobals();
|
||||
$router = new \Orno\Route\RouteCollection();
|
||||
$router->setStrategy(\Orno\Route\RouteStrategyInterface::RESTFUL_STRATEGY);
|
||||
|
||||
// Set up the OAuth 2.0 resource server
|
||||
$sessionStorage = new Storage\SessionStorage();
|
||||
$accessTokenStorage = new Storage\AccessTokenStorage();
|
||||
|
@@ -102,7 +102,7 @@ Capsule::table('oauth_scopes')->insert([
|
||||
print 'Creating sessions table'.PHP_EOL;
|
||||
|
||||
Capsule::schema()->create('oauth_sessions', function ($table) {
|
||||
$table->increments('id');
|
||||
$table->increments('id')->unsigned();
|
||||
$table->string('owner_type');
|
||||
$table->string('owner_id');
|
||||
$table->string('client_id');
|
||||
@@ -135,7 +135,7 @@ print 'Creating access tokens table'.PHP_EOL;
|
||||
|
||||
Capsule::schema()->create('oauth_access_tokens', function ($table) {
|
||||
$table->string('access_token')->primary();
|
||||
$table->integer('session_id');
|
||||
$table->integer('session_id')->unsigned();
|
||||
$table->integer('expire_time');
|
||||
|
||||
$table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
|
||||
@@ -168,7 +168,7 @@ Capsule::schema()->create('oauth_refresh_tokens', function ($table) {
|
||||
$table->integer('expire_time');
|
||||
$table->string('access_token');
|
||||
|
||||
$table->foreign('access_token')->references('id')->on('oauth_access_tokens')->onDelete('cascade');
|
||||
$table->foreign('access_token')->references('access_token')->on('oauth_access_tokens')->onDelete('cascade');
|
||||
});
|
||||
|
||||
/******************************************************************************/
|
||||
@@ -177,7 +177,7 @@ print 'Creating auth codes table'.PHP_EOL;
|
||||
|
||||
Capsule::schema()->create('oauth_auth_codes', function ($table) {
|
||||
$table->string('auth_code')->primary();
|
||||
$table->integer('session_id');
|
||||
$table->integer('session_id')->unsigned();
|
||||
$table->integer('expire_time');
|
||||
$table->string('client_redirect_uri');
|
||||
|
||||
@@ -189,7 +189,7 @@ Capsule::schema()->create('oauth_auth_codes', function ($table) {
|
||||
print 'Creating oauth access token scopes table'.PHP_EOL;
|
||||
|
||||
Capsule::schema()->create('oauth_access_token_scopes', function ($table) {
|
||||
$table->increments('id');
|
||||
$table->increments('id')->unsigned();
|
||||
$table->string('access_token');
|
||||
$table->string('scope');
|
||||
|
||||
@@ -240,8 +240,8 @@ Capsule::schema()->create('oauth_auth_code_scopes', function ($table) {
|
||||
print 'Creating oauth session scopes table'.PHP_EOL;
|
||||
|
||||
Capsule::schema()->create('oauth_session_scopes', function ($table) {
|
||||
$table->increments('id');
|
||||
$table->string('session_id');
|
||||
$table->increments('id')->unsigned();
|
||||
$table->integer('session_id')->unsigned();
|
||||
$table->string('scope');
|
||||
|
||||
$table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
|
||||
|
@@ -15,6 +15,7 @@ use League\Event\Emitter;
|
||||
use League\OAuth2\Server\Storage\AccessTokenInterface;
|
||||
use League\OAuth2\Server\Storage\AuthCodeInterface;
|
||||
use League\OAuth2\Server\Storage\ClientInterface;
|
||||
use League\OAuth2\Server\Storage\MacTokenInterface;
|
||||
use League\OAuth2\Server\Storage\RefreshTokenInterface;
|
||||
use League\OAuth2\Server\Storage\ScopeInterface;
|
||||
use League\OAuth2\Server\Storage\SessionInterface;
|
||||
@@ -75,6 +76,11 @@ abstract class AbstractServer
|
||||
*/
|
||||
protected $clientStorage;
|
||||
|
||||
/**
|
||||
* @var \League\OAuth2\Server\Storage\MacTokenInterface
|
||||
*/
|
||||
protected $macStorage;
|
||||
|
||||
/**
|
||||
* Token type
|
||||
*
|
||||
@@ -116,10 +122,11 @@ abstract class AbstractServer
|
||||
*
|
||||
* @param string $eventName Event name
|
||||
* @param callable $listener Callable function or method
|
||||
* @param int $priority Priority of event listener
|
||||
*/
|
||||
public function addEventListener($eventName, callable $listener)
|
||||
public function addEventListener($eventName, callable $listener, $priority = Emitter::P_NORMAL)
|
||||
{
|
||||
$this->eventEmitter->addListener($eventName, $listener);
|
||||
$this->eventEmitter->addListener($eventName, $listener, $priority);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -332,4 +339,20 @@ abstract class AbstractServer
|
||||
{
|
||||
return $this->tokenType;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return MacTokenInterface
|
||||
*/
|
||||
public function getMacStorage()
|
||||
{
|
||||
return $this->macStorage;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param MacTokenInterface $macStorage
|
||||
*/
|
||||
public function setMacStorage(MacTokenInterface $macStorage)
|
||||
{
|
||||
$this->macStorage = $macStorage;
|
||||
}
|
||||
}
|
||||
|
@@ -20,7 +20,7 @@ use League\OAuth2\Server\TokenType\Bearer;
|
||||
class AuthorizationServer extends AbstractServer
|
||||
{
|
||||
/**
|
||||
* The delimeter between scopes specified in the scope query string parameter
|
||||
* The delimiter between scopes specified in the scope query string parameter
|
||||
* The OAuth 2 specification states it should be a space but most use a comma
|
||||
*
|
||||
* @var string
|
||||
@@ -181,7 +181,7 @@ class AuthorizationServer extends AbstractServer
|
||||
}
|
||||
|
||||
/**
|
||||
* Require the "state" paremter in checkAuthoriseParams()
|
||||
* Require the "state" parameter in checkAuthoriseParams()
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
@@ -191,7 +191,7 @@ class AuthorizationServer extends AbstractServer
|
||||
}
|
||||
|
||||
/**
|
||||
* Require the "state" paremter in checkAuthoriseParams()
|
||||
* Require the "state" parameter in checkAuthoriseParams()
|
||||
*
|
||||
* @param boolean $require
|
||||
*
|
||||
|
@@ -12,7 +12,7 @@
|
||||
namespace League\OAuth2\Server\Entity;
|
||||
|
||||
/**
|
||||
* Access token entity class
|
||||
* Auth Code entity class
|
||||
*/
|
||||
class AuthCodeEntity extends AbstractTokenEntity
|
||||
{
|
||||
|
@@ -32,6 +32,7 @@ class InvalidGrantException extends OAuthException
|
||||
|
||||
public function __construct($parameter)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
parent::__construct(
|
||||
sprintf(
|
||||
'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
|
||||
|
@@ -32,6 +32,7 @@ class InvalidRequestException extends OAuthException
|
||||
|
||||
public function __construct($parameter, $redirectUri = null)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
parent::__construct(
|
||||
sprintf(
|
||||
'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
|
||||
|
@@ -32,6 +32,7 @@ class InvalidScopeException extends OAuthException
|
||||
|
||||
public function __construct($parameter, $redirectUri = null)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
parent::__construct(
|
||||
sprintf(
|
||||
'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
|
||||
|
@@ -36,6 +36,11 @@ class OAuthException extends \Exception
|
||||
*/
|
||||
public $errorType = '';
|
||||
|
||||
/**
|
||||
* Parameter eventually passed to Exception
|
||||
*/
|
||||
public $parameter = '';
|
||||
|
||||
/**
|
||||
* Throw a new exception
|
||||
*
|
||||
@@ -72,6 +77,16 @@ class OAuthException extends \Exception
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return parameter if set
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getParameter()
|
||||
{
|
||||
return $this->parameter;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get all headers that have to be send with the error response
|
||||
*
|
||||
|
@@ -31,7 +31,9 @@ class ServerErrorException extends OAuthException
|
||||
*/
|
||||
public function __construct($parameter = null)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
$parameter = is_null($parameter) ? 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.' : $parameter;
|
||||
parent::__construct($parameter);
|
||||
|
||||
}
|
||||
}
|
||||
|
@@ -32,6 +32,7 @@ class UnsupportedGrantTypeException extends OAuthException
|
||||
|
||||
public function __construct($parameter)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
parent::__construct(
|
||||
sprintf(
|
||||
'The authorization grant type "%s" is not supported by the authorization server.',
|
||||
|
@@ -31,6 +31,7 @@ class UnsupportedResponseTypeException extends OAuthException
|
||||
*/
|
||||
public function __construct($parameter, $redirectUri = null)
|
||||
{
|
||||
$this->parameter = $parameter;
|
||||
parent::__construct('The authorization server does not support obtaining an access token using this method.');
|
||||
$this->redirectUri = $redirectUri;
|
||||
}
|
||||
|
@@ -60,6 +60,14 @@ class AuthCodeGrant extends AbstractGrant
|
||||
*/
|
||||
protected $authTokenTTL = 600;
|
||||
|
||||
/**
|
||||
* Whether to require the client secret when
|
||||
* completing the flow.
|
||||
*
|
||||
* @var boolean
|
||||
*/
|
||||
protected $requireClientSecret = true;
|
||||
|
||||
/**
|
||||
* Override the default access token expire time
|
||||
*
|
||||
@@ -72,6 +80,27 @@ class AuthCodeGrant extends AbstractGrant
|
||||
$this->authTokenTTL = $authTokenTTL;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param bool $required True to require client secret during access
|
||||
* token request. False if not. Default = true
|
||||
*/
|
||||
public function setRequireClientSecret($required)
|
||||
{
|
||||
$this->requireClientSecret = $required;
|
||||
}
|
||||
|
||||
/**
|
||||
* True if client secret is required during
|
||||
* access token request. False if it isn't.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function shouldRequireClientSecret()
|
||||
{
|
||||
return $this->requireClientSecret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorize parameters
|
||||
*
|
||||
@@ -148,7 +177,6 @@ class AuthCodeGrant extends AbstractGrant
|
||||
$session = new SessionEntity($this->server);
|
||||
$session->setOwner($type, $typeId);
|
||||
$session->associateClient($authParams['client']);
|
||||
$session->save();
|
||||
|
||||
// Create a new auth code
|
||||
$authCode = new AuthCodeEntity($this->server);
|
||||
@@ -158,8 +186,10 @@ class AuthCodeGrant extends AbstractGrant
|
||||
|
||||
foreach ($authParams['scopes'] as $scope) {
|
||||
$authCode->associateScope($scope);
|
||||
$session->associateScope($scope);
|
||||
}
|
||||
|
||||
$session->save();
|
||||
$authCode->setSession($session);
|
||||
$authCode->save();
|
||||
|
||||
@@ -183,7 +213,7 @@ class AuthCodeGrant extends AbstractGrant
|
||||
|
||||
$clientSecret = $this->server->getRequest()->request->get('client_secret',
|
||||
$this->server->getRequest()->getPassword());
|
||||
if (is_null($clientSecret)) {
|
||||
if ($this->shouldRequireClientSecret() && is_null($clientSecret)) {
|
||||
throw new Exception\InvalidRequestException('client_secret');
|
||||
}
|
||||
|
||||
@@ -270,4 +300,4 @@ class AuthCodeGrant extends AbstractGrant
|
||||
|
||||
return $this->server->getTokenType()->generateResponse();
|
||||
}
|
||||
}
|
||||
}
|
@@ -19,7 +19,7 @@ use League\OAuth2\Server\Exception;
|
||||
use League\OAuth2\Server\Util\SecureKey;
|
||||
|
||||
/**
|
||||
* Referesh token grant
|
||||
* Refresh token grant
|
||||
*/
|
||||
class RefreshTokenGrant extends AbstractGrant
|
||||
{
|
||||
@@ -35,6 +35,21 @@ class RefreshTokenGrant extends AbstractGrant
|
||||
*/
|
||||
protected $refreshTokenTTL = 604800;
|
||||
|
||||
/**
|
||||
* Rotate token (default = true)
|
||||
*
|
||||
* @var integer
|
||||
*/
|
||||
protected $refreshTokenRotate = true;
|
||||
|
||||
/**
|
||||
* Whether to require the client secret when
|
||||
* completing the flow.
|
||||
*
|
||||
* @var boolean
|
||||
*/
|
||||
protected $requireClientSecret = true;
|
||||
|
||||
/**
|
||||
* Set the TTL of the refresh token
|
||||
*
|
||||
@@ -57,6 +72,47 @@ class RefreshTokenGrant extends AbstractGrant
|
||||
return $this->refreshTokenTTL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the rotation boolean of the refresh token
|
||||
* @param bool $refreshTokenRotate
|
||||
*/
|
||||
public function setRefreshTokenRotation($refreshTokenRotate = true)
|
||||
{
|
||||
$this->refreshTokenRotate = $refreshTokenRotate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get rotation boolean of the refresh token
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function shouldRotateRefreshTokens()
|
||||
{
|
||||
return $this->refreshTokenRotate;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param bool $required True to require client secret during access
|
||||
* token request. False if not. Default = true
|
||||
*/
|
||||
public function setRequireClientSecret($required)
|
||||
{
|
||||
$this->requireClientSecret = $required;
|
||||
}
|
||||
|
||||
/**
|
||||
* True if client secret is required during
|
||||
* access token request. False if it isn't.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function shouldRequireClientSecret()
|
||||
{
|
||||
return $this->requireClientSecret;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
@@ -69,7 +125,7 @@ class RefreshTokenGrant extends AbstractGrant
|
||||
|
||||
$clientSecret = $this->server->getRequest()->request->get('client_secret',
|
||||
$this->server->getRequest()->getPassword());
|
||||
if (is_null($clientSecret)) {
|
||||
if ($this->shouldRequireClientSecret() && is_null($clientSecret)) {
|
||||
throw new Exception\InvalidRequestException('client_secret');
|
||||
}
|
||||
|
||||
@@ -146,18 +202,22 @@ class RefreshTokenGrant extends AbstractGrant
|
||||
$this->server->getTokenType()->setParam('access_token', $newAccessToken->getId());
|
||||
$this->server->getTokenType()->setParam('expires_in', $this->getAccessTokenTTL());
|
||||
|
||||
// Expire the old refresh token
|
||||
$oldRefreshToken->expire();
|
||||
if ($this->shouldRotateRefreshTokens()) {
|
||||
// Expire the old refresh token
|
||||
$oldRefreshToken->expire();
|
||||
|
||||
// Generate a new refresh token
|
||||
$newRefreshToken = new RefreshTokenEntity($this->server);
|
||||
$newRefreshToken->setId(SecureKey::generate());
|
||||
$newRefreshToken->setExpireTime($this->getRefreshTokenTTL() + time());
|
||||
$newRefreshToken->setAccessToken($newAccessToken);
|
||||
$newRefreshToken->save();
|
||||
// Generate a new refresh token
|
||||
$newRefreshToken = new RefreshTokenEntity($this->server);
|
||||
$newRefreshToken->setId(SecureKey::generate());
|
||||
$newRefreshToken->setExpireTime($this->getRefreshTokenTTL() + time());
|
||||
$newRefreshToken->setAccessToken($newAccessToken);
|
||||
$newRefreshToken->save();
|
||||
|
||||
$this->server->getTokenType()->setParam('refresh_token', $newRefreshToken->getId());
|
||||
$this->server->getTokenType()->setParam('refresh_token', $newRefreshToken->getId());
|
||||
} else {
|
||||
$this->server->getTokenType()->setParam('refresh_token', $oldRefreshToken->getId());
|
||||
}
|
||||
|
||||
return $this->server->getTokenType()->generateResponse();
|
||||
}
|
||||
}
|
||||
}
|
@@ -12,11 +12,14 @@
|
||||
namespace League\OAuth2\Server;
|
||||
|
||||
use League\OAuth2\Server\Entity\AccessTokenEntity;
|
||||
use League\OAuth2\Server\Exception\AccessDeniedException;
|
||||
use League\OAuth2\Server\Exception\InvalidRequestException;
|
||||
use League\OAuth2\Server\Storage\AccessTokenInterface;
|
||||
use League\OAuth2\Server\Storage\ClientInterface;
|
||||
use League\OAuth2\Server\Storage\ScopeInterface;
|
||||
use League\OAuth2\Server\Storage\SessionInterface;
|
||||
use League\OAuth2\Server\TokenType\Bearer;
|
||||
use League\OAuth2\Server\TokenType\MAC;
|
||||
|
||||
/**
|
||||
* OAuth 2.0 Resource Server
|
||||
@@ -40,10 +43,10 @@ class ResourceServer extends AbstractServer
|
||||
/**
|
||||
* Initialise the resource server
|
||||
*
|
||||
* @param SessionInterface $sessionStorage
|
||||
* @param AccessTokenInterface $accessTokenStorage
|
||||
* @param ClientInterface $clientStorage
|
||||
* @param ScopeInterface $scopeStorage
|
||||
* @param \League\OAuth2\Server\Storage\SessionInterface $sessionStorage
|
||||
* @param \League\OAuth2\Server\Storage\AccessTokenInterface $accessTokenStorage
|
||||
* @param \League\OAuth2\Server\Storage\ClientInterface $clientStorage
|
||||
* @param \League\OAuth2\Server\Storage\ScopeInterface $scopeStorage
|
||||
*
|
||||
* @return self
|
||||
*/
|
||||
@@ -93,31 +96,32 @@ class ResourceServer extends AbstractServer
|
||||
/**
|
||||
* Checks if the access token is valid or not
|
||||
*
|
||||
* @param bool $headersOnly Limit Access Token to Authorization header only
|
||||
* @param AccessTokenEntity|null $accessToken Access Token
|
||||
* @param bool $headerOnly Limit Access Token to Authorization header
|
||||
* @param \League\OAuth2\Server\Entity\AccessTokenEntity|null $accessToken Access Token
|
||||
*
|
||||
* @throws \League\OAuth2\Server\Exception\AccessDeniedException
|
||||
* @throws \League\OAuth2\Server\Exception\InvalidRequestException
|
||||
*
|
||||
* @return bool
|
||||
*
|
||||
* @throws
|
||||
*/
|
||||
public function isValidRequest($headersOnly = true, $accessToken = null)
|
||||
public function isValidRequest($headerOnly = true, $accessToken = null)
|
||||
{
|
||||
$accessTokenString = ($accessToken !== null)
|
||||
? $accessToken
|
||||
: $this->determineAccessToken($headersOnly);
|
||||
: $this->determineAccessToken($headerOnly);
|
||||
|
||||
// Set the access token
|
||||
$this->accessToken = $this->getAccessTokenStorage()->get($accessTokenString);
|
||||
|
||||
// Ensure the access token exists
|
||||
if (!$this->accessToken instanceof AccessTokenEntity) {
|
||||
throw new Exception\AccessDeniedException();
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
// Check the access token hasn't expired
|
||||
// Ensure the auth code hasn't expired
|
||||
if ($this->accessToken->isExpired() === true) {
|
||||
throw new Exception\AccessDeniedException();
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
return true;
|
||||
@@ -126,24 +130,24 @@ class ResourceServer extends AbstractServer
|
||||
/**
|
||||
* Reads in the access token from the headers
|
||||
*
|
||||
* @param bool $headersOnly Limit Access Token to Authorization header only
|
||||
* @param bool $headerOnly Limit Access Token to Authorization header
|
||||
*
|
||||
* @throws Exception\InvalidRequestException Thrown if there is no access token presented
|
||||
* @throws \League\OAuth2\Server\Exception\InvalidRequestException Thrown if there is no access token presented
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function determineAccessToken($headersOnly = false)
|
||||
public function determineAccessToken($headerOnly = false)
|
||||
{
|
||||
if ($this->getRequest()->headers->get('Authorization') !== null) {
|
||||
if (!empty($this->getRequest()->headers->get('Authorization'))) {
|
||||
$accessToken = $this->getTokenType()->determineAccessTokenInHeader($this->getRequest());
|
||||
} elseif ($headersOnly === false) {
|
||||
} elseif ($headerOnly === false && (! $this->getTokenType() instanceof MAC)) {
|
||||
$accessToken = ($this->getRequest()->server->get('REQUEST_METHOD') === 'GET')
|
||||
? $this->getRequest()->query->get($this->tokenKey)
|
||||
: $this->getRequest()->request->get($this->tokenKey);
|
||||
}
|
||||
|
||||
if (empty($accessToken)) {
|
||||
throw new Exception\InvalidRequestException('access token');
|
||||
throw new InvalidRequestException('access token');
|
||||
}
|
||||
|
||||
return $accessToken;
|
||||
|
@@ -24,7 +24,7 @@ interface AccessTokenInterface extends StorageInterface
|
||||
*
|
||||
* @param string $token The access token
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\AccessTokenEntity
|
||||
* @return \League\OAuth2\Server\Entity\AccessTokenEntity | null
|
||||
*/
|
||||
public function get($token);
|
||||
|
||||
@@ -33,7 +33,7 @@ interface AccessTokenInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token
|
||||
*
|
||||
* @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
* @return \League\OAuth2\Server\Entity\ScopeEntity[] Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
*/
|
||||
public function getScopes(AccessTokenEntity $token);
|
||||
|
||||
|
@@ -24,7 +24,7 @@ interface AuthCodeInterface extends StorageInterface
|
||||
*
|
||||
* @param string $code
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\AuthCodeEntity
|
||||
* @return \League\OAuth2\Server\Entity\AuthCodeEntity | null
|
||||
*/
|
||||
public function get($code);
|
||||
|
||||
@@ -45,7 +45,7 @@ interface AuthCodeInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\AuthCodeEntity $token The auth code
|
||||
*
|
||||
* @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
* @return \League\OAuth2\Server\Entity\ScopeEntity[] Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
*/
|
||||
public function getScopes(AuthCodeEntity $token);
|
||||
|
||||
|
@@ -26,7 +26,7 @@ interface ClientInterface extends StorageInterface
|
||||
* @param string $redirectUri The client's redirect URI (default = "null")
|
||||
* @param string $grantType The grant type used (default = "null")
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\ClientEntity
|
||||
* @return \League\OAuth2\Server\Entity\ClientEntity | null
|
||||
*/
|
||||
public function get($clientId, $clientSecret = null, $redirectUri = null, $grantType = null);
|
||||
|
||||
@@ -35,7 +35,7 @@ interface ClientInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\SessionEntity $session The session
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\ClientEntity
|
||||
* @return \League\OAuth2\Server\Entity\ClientEntity | null
|
||||
*/
|
||||
public function getBySession(SessionEntity $session);
|
||||
}
|
||||
|
34
src/Storage/MacTokenInterface.php
Normal file
34
src/Storage/MacTokenInterface.php
Normal file
@@ -0,0 +1,34 @@
|
||||
<?php
|
||||
/**
|
||||
* OAuth 2.0 MAC Token Interface
|
||||
*
|
||||
* @package league/oauth2-server
|
||||
* @author Alex Bilbie <hello@alexbilbie.com>
|
||||
* @copyright Copyright (c) Alex Bilbie
|
||||
* @license http://mit-license.org/
|
||||
* @link https://github.com/thephpleague/oauth2-server
|
||||
*/
|
||||
|
||||
namespace League\OAuth2\Server\Storage;
|
||||
|
||||
|
||||
/**
|
||||
* MacTokenInterface
|
||||
*/
|
||||
interface MacTokenInterface extends StorageInterface
|
||||
{
|
||||
/**
|
||||
* Create a MAC key linked to an access token
|
||||
* @param string $macKey
|
||||
* @param string $accessToken
|
||||
* @return void
|
||||
*/
|
||||
public function create($macKey, $accessToken);
|
||||
|
||||
/**
|
||||
* Get a MAC key by access token
|
||||
* @param string $accessToken
|
||||
* @return string
|
||||
*/
|
||||
public function getByAccessToken($accessToken);
|
||||
}
|
@@ -23,7 +23,7 @@ interface RefreshTokenInterface extends StorageInterface
|
||||
*
|
||||
* @param string $token
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\RefreshTokenEntity
|
||||
* @return \League\OAuth2\Server\Entity\RefreshTokenEntity | null
|
||||
*/
|
||||
public function get($token);
|
||||
|
||||
|
@@ -23,7 +23,7 @@ interface ScopeInterface extends StorageInterface
|
||||
* @param string $grantType The grant type used in the request (default = "null")
|
||||
* @param string $clientId The client sending the request (default = "null")
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\ScopeEntity
|
||||
* @return \League\OAuth2\Server\Entity\ScopeEntity | null
|
||||
*/
|
||||
public function get($scope, $grantType = null, $clientId = null);
|
||||
}
|
||||
|
@@ -26,7 +26,7 @@ interface SessionInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken The access token
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\SessionEntity
|
||||
* @return \League\OAuth2\Server\Entity\SessionEntity | null
|
||||
*/
|
||||
public function getByAccessToken(AccessTokenEntity $accessToken);
|
||||
|
||||
@@ -35,7 +35,7 @@ interface SessionInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\AuthCodeEntity $authCode The auth code
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entity\SessionEntity
|
||||
* @return \League\OAuth2\Server\Entity\SessionEntity | null
|
||||
*/
|
||||
public function getByAuthCode(AuthCodeEntity $authCode);
|
||||
|
||||
@@ -44,7 +44,7 @@ interface SessionInterface extends StorageInterface
|
||||
*
|
||||
* @param \League\OAuth2\Server\Entity\SessionEntity
|
||||
*
|
||||
* @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
* @return \League\OAuth2\Server\Entity\ScopeEntity[] Array of \League\OAuth2\Server\Entity\ScopeEntity
|
||||
*/
|
||||
public function getScopes(SessionEntity $session);
|
||||
|
||||
|
@@ -38,9 +38,16 @@ class Bearer extends AbstractTokenType implements TokenTypeInterface
|
||||
*/
|
||||
public function determineAccessTokenInHeader(Request $request)
|
||||
{
|
||||
$header = $request->headers->get('Authorization');
|
||||
$accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header));
|
||||
if ($request->headers->has('Authorization') === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
return ($accessToken === 'Bearer') ? '' : $accessToken;
|
||||
$header = $request->headers->get('Authorization');
|
||||
|
||||
if (substr($header, 0, 7) !== 'Bearer ') {
|
||||
return;
|
||||
}
|
||||
|
||||
return trim(substr($header, 7));
|
||||
}
|
||||
}
|
||||
|
156
src/TokenType/MAC.php
Normal file
156
src/TokenType/MAC.php
Normal file
@@ -0,0 +1,156 @@
|
||||
<?php
|
||||
/**
|
||||
* OAuth 2.0 MAC Token Type
|
||||
*
|
||||
* @package league/oauth2-server
|
||||
* @author Alex Bilbie <hello@alexbilbie.com>
|
||||
* @copyright Copyright (c) Alex Bilbie
|
||||
* @license http://mit-license.org/
|
||||
* @link https://github.com/thephpleague/oauth2-server
|
||||
*/
|
||||
|
||||
namespace League\OAuth2\Server\TokenType;
|
||||
|
||||
use League\OAuth2\Server\Util\SecureKey;
|
||||
use Symfony\Component\HttpFoundation\ParameterBag;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
/**
|
||||
* MAC Token Type
|
||||
*/
|
||||
class MAC extends AbstractTokenType implements TokenTypeInterface
|
||||
{
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function generateResponse()
|
||||
{
|
||||
$macKey = SecureKey::generate();
|
||||
$this->server->getMacStorage()->create($macKey, $this->getParam('access_token'));
|
||||
|
||||
$response = [
|
||||
'access_token' => $this->getParam('access_token'),
|
||||
'token_type' => 'mac',
|
||||
'expires_in' => $this->getParam('expires_in'),
|
||||
'mac_key' => $macKey,
|
||||
'mac_algorithm' => 'hmac-sha-256',
|
||||
];
|
||||
|
||||
if (!is_null($this->getParam('refresh_token'))) {
|
||||
$response['refresh_token'] = $this->getParam('refresh_token');
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function determineAccessTokenInHeader(Request $request)
|
||||
{
|
||||
if ($request->headers->has('Authorization') === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
$header = $request->headers->get('Authorization');
|
||||
|
||||
if (substr($header, 0, 4) !== 'MAC ') {
|
||||
return;
|
||||
}
|
||||
|
||||
// Find all the parameters expressed in the header
|
||||
$paramsRaw = explode(',', substr($header, 4));
|
||||
$params = new ParameterBag();
|
||||
|
||||
array_map(function ($param) use (&$params) {
|
||||
$param = trim($param);
|
||||
|
||||
preg_match_all('/([a-zA-Z]*)="([\w=\/+]*)"/', $param, $matches);
|
||||
|
||||
// @codeCoverageIgnoreStart
|
||||
if (count($matches) !== 3) {
|
||||
return;
|
||||
}
|
||||
// @codeCoverageIgnoreEnd
|
||||
|
||||
$key = reset($matches[1]);
|
||||
$value = trim(reset($matches[2]));
|
||||
|
||||
if (empty($value)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$params->set($key, $value);
|
||||
}, $paramsRaw);
|
||||
|
||||
// Validate parameters
|
||||
if ($params->has('id') === false || $params->has('ts') === false || $params->has('nonce') === false || $params->has('mac') === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (abs($params->get('ts') - time()) > 300) {
|
||||
return;
|
||||
}
|
||||
|
||||
$accessToken = $params->get('id');
|
||||
$timestamp = (int) $params->get('ts');
|
||||
$nonce = $params->get('nonce');
|
||||
$signature = $params->get('mac');
|
||||
|
||||
// Try to find the MAC key for the access token
|
||||
$macKey = $this->server->getMacStorage()->getByAccessToken($accessToken);
|
||||
|
||||
if ($macKey === null) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Calculate and compare the signature
|
||||
$calculatedSignatureParts = [
|
||||
$timestamp,
|
||||
$nonce,
|
||||
strtoupper($request->getMethod()),
|
||||
$request->getRequestUri(),
|
||||
$request->getHost(),
|
||||
$request->getPort(),
|
||||
];
|
||||
|
||||
if ($params->has('ext')) {
|
||||
$calculatedSignatureParts[] = $params->get('ext');
|
||||
}
|
||||
|
||||
$calculatedSignature = base64_encode(
|
||||
hash_hmac(
|
||||
'sha256',
|
||||
implode("\n", $calculatedSignatureParts),
|
||||
$macKey,
|
||||
true // raw_output: outputs raw binary data
|
||||
)
|
||||
);
|
||||
|
||||
// Return the access token if the signature matches
|
||||
return ($this->hash_equals($calculatedSignature, $signature)) ? $accessToken : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Prevent timing attack
|
||||
* @param string $knownString
|
||||
* @param string $userString
|
||||
* @return bool
|
||||
*/
|
||||
private function hash_equals($knownString, $userString)
|
||||
{
|
||||
if (function_exists('\hash_equals')) {
|
||||
return \hash_equals($knownString, $userString);
|
||||
}
|
||||
if (strlen($knownString) !== strlen($userString)) {
|
||||
return false;
|
||||
}
|
||||
$len = strlen($knownString);
|
||||
$result = 0;
|
||||
for ($i = 0; $i < $len; $i++) {
|
||||
$result |= (ord($knownString[$i]) ^ ord($userString[$i]));
|
||||
}
|
||||
// They are only identical strings if $result is exactly 0...
|
||||
return 0 === $result;
|
||||
}
|
||||
}
|
@@ -421,4 +421,150 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
|
||||
|
||||
$server->issueAccessToken();
|
||||
}
|
||||
|
||||
public function testCompleteFlowRotateRefreshToken()
|
||||
{
|
||||
$_POST = [
|
||||
'grant_type' => 'refresh_token',
|
||||
'client_id' => 'testapp',
|
||||
'client_secret' => 'foobar',
|
||||
'refresh_token' => 'refresh_token',
|
||||
];
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$grant = new RefreshTokenGrant();
|
||||
|
||||
$clientStorage = M::mock('League\OAuth2\Server\Storage\ClientInterface');
|
||||
$clientStorage->shouldReceive('setServer');
|
||||
$clientStorage->shouldReceive('get')->andReturn(
|
||||
(new ClientEntity($server))->hydrate(['id' => 'testapp'])
|
||||
);
|
||||
|
||||
$sessionStorage = M::mock('League\OAuth2\Server\Storage\SessionInterface');
|
||||
$sessionStorage->shouldReceive('setServer');
|
||||
$sessionStorage->shouldReceive('getScopes')->shouldReceive('getScopes')->andReturn([]);
|
||||
$sessionStorage->shouldReceive('associateScope');
|
||||
$sessionStorage->shouldReceive('getByAccessToken')->andReturn(
|
||||
(new SessionEntity($server))
|
||||
);
|
||||
|
||||
$accessTokenStorage = M::mock('League\OAuth2\Server\Storage\AccessTokenInterface');
|
||||
$accessTokenStorage->shouldReceive('setServer');
|
||||
$accessTokenStorage->shouldReceive('get')->andReturn(
|
||||
(new AccessTokenEntity($server))
|
||||
);
|
||||
$accessTokenStorage->shouldReceive('delete');
|
||||
$accessTokenStorage->shouldReceive('create');
|
||||
$accessTokenStorage->shouldReceive('getScopes')->andReturn([
|
||||
(new ScopeEntity($server))->hydrate(['id' => 'foo']),
|
||||
]);
|
||||
$accessTokenStorage->shouldReceive('associateScope');
|
||||
|
||||
$refreshTokenStorage = M::mock('League\OAuth2\Server\Storage\RefreshTokenInterface');
|
||||
$refreshTokenStorage->shouldReceive('setServer');
|
||||
$refreshTokenStorage->shouldReceive('associateScope');
|
||||
$refreshTokenStorage->shouldReceive('delete');
|
||||
$refreshTokenStorage->shouldReceive('create');
|
||||
$refreshTokenStorage->shouldReceive('get')->andReturn(
|
||||
(new RefreshTokenEntity($server))->setId('refresh_token')->setExpireTime(time() + 86400)
|
||||
);
|
||||
|
||||
$scopeStorage = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
|
||||
$scopeStorage->shouldReceive('setServer');
|
||||
$scopeStorage->shouldReceive('get')->andReturn(
|
||||
(new ScopeEntity($server))->hydrate(['id' => 'foo'])
|
||||
);
|
||||
|
||||
$server->setClientStorage($clientStorage);
|
||||
$server->setScopeStorage($scopeStorage);
|
||||
$server->setSessionStorage($sessionStorage);
|
||||
$server->setAccessTokenStorage($accessTokenStorage);
|
||||
$server->setRefreshTokenStorage($refreshTokenStorage);
|
||||
|
||||
$server->addGrantType($grant);
|
||||
|
||||
$response = $server->issueAccessToken();
|
||||
$this->assertTrue(array_key_exists('access_token', $response));
|
||||
$this->assertTrue(array_key_exists('refresh_token', $response));
|
||||
$this->assertTrue(array_key_exists('token_type', $response));
|
||||
$this->assertTrue(array_key_exists('expires_in', $response));
|
||||
$this->assertNotEquals($response['refresh_token'], $_POST['refresh_token']);
|
||||
|
||||
$grant->setRefreshTokenRotation(false);
|
||||
$response = $server->issueAccessToken();
|
||||
$this->assertTrue(array_key_exists('access_token', $response));
|
||||
$this->assertTrue(array_key_exists('refresh_token', $response));
|
||||
$this->assertTrue(array_key_exists('token_type', $response));
|
||||
$this->assertTrue(array_key_exists('expires_in', $response));
|
||||
$this->assertEquals($response['refresh_token'], $_POST['refresh_token']);
|
||||
}
|
||||
|
||||
public function testCompleteFlowShouldRequireClientSecret()
|
||||
{
|
||||
$_POST = [
|
||||
'grant_type' => 'refresh_token',
|
||||
'client_id' => 'testapp',
|
||||
'refresh_token' => 'refresh_token',
|
||||
];
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$grant = new RefreshTokenGrant();
|
||||
$grant->setRequireClientSecret(false);
|
||||
|
||||
$clientStorage = M::mock('League\OAuth2\Server\Storage\ClientInterface');
|
||||
$clientStorage->shouldReceive('setServer');
|
||||
$clientStorage->shouldReceive('get')->andReturn(
|
||||
(new ClientEntity($server))->hydrate(['id' => 'testapp'])
|
||||
);
|
||||
|
||||
$sessionStorage = M::mock('League\OAuth2\Server\Storage\SessionInterface');
|
||||
$sessionStorage->shouldReceive('setServer');
|
||||
$sessionStorage->shouldReceive('getScopes')->shouldReceive('getScopes')->andReturn([]);
|
||||
$sessionStorage->shouldReceive('associateScope');
|
||||
$sessionStorage->shouldReceive('getByAccessToken')->andReturn(
|
||||
(new SessionEntity($server))
|
||||
);
|
||||
|
||||
$accessTokenStorage = M::mock('League\OAuth2\Server\Storage\AccessTokenInterface');
|
||||
$accessTokenStorage->shouldReceive('setServer');
|
||||
$accessTokenStorage->shouldReceive('get')->andReturn(
|
||||
(new AccessTokenEntity($server))
|
||||
);
|
||||
$accessTokenStorage->shouldReceive('delete');
|
||||
$accessTokenStorage->shouldReceive('create');
|
||||
$accessTokenStorage->shouldReceive('getScopes')->andReturn([
|
||||
(new ScopeEntity($server))->hydrate(['id' => 'foo']),
|
||||
]);
|
||||
$accessTokenStorage->shouldReceive('associateScope');
|
||||
|
||||
$refreshTokenStorage = M::mock('League\OAuth2\Server\Storage\RefreshTokenInterface');
|
||||
$refreshTokenStorage->shouldReceive('setServer');
|
||||
$refreshTokenStorage->shouldReceive('associateScope');
|
||||
$refreshTokenStorage->shouldReceive('delete');
|
||||
$refreshTokenStorage->shouldReceive('create');
|
||||
$refreshTokenStorage->shouldReceive('get')->andReturn(
|
||||
(new RefreshTokenEntity($server))->setId('refresh_token')->setExpireTime(time() + 86400)
|
||||
);
|
||||
|
||||
$scopeStorage = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
|
||||
$scopeStorage->shouldReceive('setServer');
|
||||
$scopeStorage->shouldReceive('get')->andReturn(
|
||||
(new ScopeEntity($server))->hydrate(['id' => 'foo'])
|
||||
);
|
||||
|
||||
$server->setClientStorage($clientStorage);
|
||||
$server->setScopeStorage($scopeStorage);
|
||||
$server->setSessionStorage($sessionStorage);
|
||||
$server->setAccessTokenStorage($accessTokenStorage);
|
||||
$server->setRefreshTokenStorage($refreshTokenStorage);
|
||||
|
||||
$server->addGrantType($grant);
|
||||
|
||||
$response = $server->issueAccessToken();
|
||||
$this->assertTrue(array_key_exists('access_token', $response));
|
||||
$this->assertTrue(array_key_exists('refresh_token', $response));
|
||||
$this->assertTrue(array_key_exists('token_type', $response));
|
||||
$this->assertTrue(array_key_exists('expires_in', $response));
|
||||
|
||||
}
|
||||
}
|
||||
|
165
tests/unit/TokenType/MacTest.php
Normal file
165
tests/unit/TokenType/MacTest.php
Normal file
@@ -0,0 +1,165 @@
|
||||
<?php
|
||||
|
||||
namespace LeagueTests\TokenType;
|
||||
|
||||
use League\OAuth2\Server\AuthorizationServer;
|
||||
use League\OAuth2\Server\Entity\AccessTokenEntity;
|
||||
use League\OAuth2\Server\TokenType\MAC;
|
||||
use Mockery as M;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
class MacTest extends \PHPUnit_Framework_TestCase
|
||||
{
|
||||
public function testGenerateResponse()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('create');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$accessToken = new AccessTokenEntity($server);
|
||||
$accessToken->setId(uniqid());
|
||||
$accessToken->setExpireTime(time());
|
||||
|
||||
$tokenType->setParam('access_token', $accessToken->getId());
|
||||
$tokenType->setParam('expires_in', 3600);
|
||||
|
||||
$response = $tokenType->generateResponse();
|
||||
|
||||
$this->assertEquals($accessToken->getId(), $response['access_token']);
|
||||
$this->assertEquals('mac', $response['token_type']);
|
||||
$this->assertEquals(3600, $response['expires_in']);
|
||||
$this->assertEquals('hmac-sha-256', $response['mac_algorithm']);
|
||||
$this->assertArrayHasKey('mac_key', $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderValid()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$ts = time();
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$calculatedSignatureParts = [
|
||||
$ts,
|
||||
'foo',
|
||||
strtoupper($request->getMethod()),
|
||||
$request->getRequestUri(),
|
||||
$request->getHost(),
|
||||
$request->getPort(),
|
||||
'ext'
|
||||
];
|
||||
$calculatedSignature = base64_encode(hash_hmac('sha256', implode("\n", $calculatedSignatureParts), 'abcdef', true));
|
||||
|
||||
$request->headers->set('Authorization', sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, $calculatedSignature));
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
$this->assertEquals('foo', $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderMissingHeader()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
|
||||
$this->assertEquals(null, $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderMissingAuthMac()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$request->headers->set('Authorization', '');
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
|
||||
$this->assertEquals(null, $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderInvalidParam()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$request->headers->set('Authorization', 'MAC ');
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
|
||||
$this->assertEquals(null, $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderMismatchTimestamp()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$ts = time() - 100;
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$request->headers->set('Authorization', sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, 'foo'));
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
$this->assertEquals(null, $response);
|
||||
}
|
||||
|
||||
public function testDetermineAccessTokenInHeaderMissingMacKey()
|
||||
{
|
||||
$macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
|
||||
$macStorage->shouldReceive('getByAccessToken')->andReturn(null);
|
||||
|
||||
$server = new AuthorizationServer();
|
||||
$server->setMacStorage($macStorage);
|
||||
|
||||
$ts = time();
|
||||
|
||||
$request = Request::createFromGlobals();
|
||||
$request->headers->set('Authorization', sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, 'foo'));
|
||||
|
||||
$tokenType = new MAC();
|
||||
$tokenType->setServer($server);
|
||||
|
||||
$response = $tokenType->determineAccessTokenInHeader($request);
|
||||
$this->assertEquals(null, $response);
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user