* @copyright Copyright (c) Alex Bilbie * @license http://mit-license.org/ * @link https://github.com/thephpleague/oauth2-server */ namespace League\OAuth2\Server; use League\OAuth2\Server\Entity\AccessTokenEntity; use League\OAuth2\Server\Storage\AccessTokenInterface; use League\OAuth2\Server\Storage\ClientInterface; use League\OAuth2\Server\Storage\ScopeInterface; use League\OAuth2\Server\Storage\SessionInterface; use League\OAuth2\Server\TokenType\Bearer; /** * OAuth 2.0 Resource Server */ class ResourceServer extends AbstractServer { /** * The access token * @var \League\OAuth2\Server\Entity\AccessTokenEntity */ protected $accessToken; /** * The query string key which is used by clients to present the access token (default: access_token) * @var string */ protected $tokenKey = 'access_token'; /** * Initialise the resource server * @param SessionInterface $sessionStorage * @param AccessTokenInterface $accessTokenStorage * @param ClientInterface $clientStorage * @param ScopeInterface $scopeStorage * @return self */ public function __construct( SessionInterface $sessionStorage, AccessTokenInterface $accessTokenStorage, ClientInterface $clientStorage, ScopeInterface $scopeStorage ) { $this->setSessionStorage($sessionStorage); $this->setAccessTokenStorage($accessTokenStorage); $this->setClientStorage($clientStorage); $this->setScopeStorage($scopeStorage); // Set Bearer as the default token type $this->setTokenType(new Bearer()); parent::__construct(); return $this; } /** * Sets the query string key for the access token. * @param string $key The new query string key * @return self */ public function setIdKey($key) { $this->tokenKey = $key; return $this; } /** * Gets the access token * @return \League\OAuth2\Server\Entity\AccessTokenEntity */ public function getAccessToken() { return $this->accessToken; } /** * Checks if the access token is valid or not * @param bool $headersOnly Limit Access Token to Authorization header only * @param AccessTokenEntity|null $accessToken Access Token * * @return bool * * @throws */ public function isValidRequest($headersOnly = true, $accessToken = null) { $accessTokenString = ($accessToken !== null) ? $accessToken : $this->determineAccessToken($headersOnly); // Set the access token $this->accessToken = $this->getAccessTokenStorage()->get($accessTokenString); // Ensure the access token exists if (!$this->accessToken instanceof AccessTokenEntity) { throw new Exception\AccessDeniedException(); } // Check the access token hasn't expired // Ensure the auth code hasn't expired if ($this->accessToken->isExpired() === true) { throw new Exception\AccessDeniedException(); } return true; } /** * Reads in the access token from the headers * @param bool $headersOnly Limit Access Token to Authorization header only * @throws Exception\InvalidRequestException Thrown if there is no access token presented * @return string */ public function determineAccessToken($headersOnly = false) { if ($this->getRequest()->headers->get('Authorization') !== null) { $accessToken = $this->getTokenType()->determineAccessTokenInHeader($this->getRequest()); } elseif ($headersOnly === false) { $accessToken = ($this->getRequest()->server->get('REQUEST_METHOD') === 'GET') ? $this->getRequest()->query->get($this->tokenKey) : $this->getRequest()->request->get($this->tokenKey); } if (empty($accessToken)) { throw new Exception\InvalidRequestException('access token'); } return $accessToken; } }