mirror of
https://github.com/elyby/oauth2-server.git
synced 2025-02-21 09:49:27 +05:30
27d5c5ed8d
In many cases, we validate client info before pulling from client itself from the repository, in which case it's safe to assume that you can grab the client once validation passes. However on implicit/auth code grants we don't have this guarantee due to non-confidential clients that just reference the client ID. In those cases the client may supply a client ID that doesn't exist, and we don't do a validation step before pulling it from the repo. The issue with that is that ClientRepository doesn't actually enforce returning a ClientInterface via typehint, nor does it even suggest an exception to throw if the client doesn't exist. So in most places we do an instanceof check after the repository returns and throw/emit an error event if the client doesn't exist. This approach ends up being a bit error-prone; we missed one case where we should've been doing this check: in the access token request on an auth code grant. We don't do enough validation beforehand to assume that the incoming request has an accurate client ID, so L96 could absolutely be a method call on a non-object. This commit centralizes the return-check-emit-throw logic so it's a one-liner for wherever we need it, including the access token request processor for auth code grants.