TokenEndpoint - Code Metrics - Inspection of "Security checks after build" - OAuth2-Framework/oauth2-framework - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — ng ( 280307...a36945 )

by Florent

created 2018-02-25 10:21 UTC

TokenEndpoint A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	217
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	14

Importance

Changes

Metric	Value
wmc	17
lcom	1
cbo	14
dl	0
loc	217
rs	10
c	0
b	0
f	0

7 Methods

Rating	Name	Size	Complexity
A	__construct()	10	1
B	process()	49	5
A	createResponse()	8	1
A	issueAccessToken()	23	1
A	getResourceOwner()	13	3
A	updateWithTokenTypeParameters()	16	3
A	isGrantTypeAllowedForTheClient()	9	3

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace OAuth2Framework\Component\TokenEndpoint;

use Http\Message\ResponseFactory;
use OAuth2Framework\Component\Core\AccessToken\AccessTokenIdGenerator;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Http\Server\MiddlewareInterface;
use OAuth2Framework\Component\Core\AccessToken\AccessToken;
use OAuth2Framework\Component\Core\AccessToken\AccessTokenRepository;
use OAuth2Framework\Component\Core\Client\Client;
use OAuth2Framework\Component\Core\Client\ClientId;
use OAuth2Framework\Component\Core\Client\ClientRepository;
use OAuth2Framework\Component\Core\ResourceOwner\ResourceOwnerId;
use OAuth2Framework\Component\Core\ResourceOwner\ResourceOwner;
use OAuth2Framework\Component\Core\UserAccount\UserAccountId;
use OAuth2Framework\Component\Core\UserAccount\UserAccountRepository;
use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
use OAuth2Framework\Component\TokenEndpoint\Extension\TokenEndpointExtensionManager;
use OAuth2Framework\Component\TokenType\TokenType;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

class TokenEndpoint implements MiddlewareInterface
{
    /**
     * @var TokenEndpointExtensionManager
     */
    private $tokenEndpointExtensionManager;

    /**
     * @var ClientRepository
     */
    private $clientRepository;

    /**
     * @var UserAccountRepository
     */
    private $userAccountRepository;

    /**
     * @var ResponseFactory
     */
    private $responseFactory;

    /**
     * @var AccessTokenIdGenerator
     */
    private $accessTokenIdGenerator;

    /**
     * @var AccessTokenRepository
     */
    private $accessTokenRepository;

    /**
     * @var int
     */
    private $accessTokenLifetime;

    /**
     * TokenEndpoint constructor.
     *
     * @param ClientRepository              $clientRepository
     * @param UserAccountRepository         $userAccountRepository
     * @param TokenEndpointExtensionManager $tokenEndpointExtensionManager
     * @param ResponseFactory               $responseFactory
     * @param AccessTokenRepository         $accessTokenRepository
     * @param AccessTokenIdGenerator        $accessTokenIdGenerator
     * @param int                           $accessLifetime
     */
    public function __construct(ClientRepository $clientRepository, UserAccountRepository $userAccountRepository, TokenEndpointExtensionManager $tokenEndpointExtensionManager, ResponseFactory $responseFactory, AccessTokenRepository $accessTokenRepository, AccessTokenIdGenerator $accessTokenIdGenerator, int $accessLifetime)
    {
        $this->clientRepository = $clientRepository;
        $this->userAccountRepository = $userAccountRepository;
        $this->tokenEndpointExtensionManager = $tokenEndpointExtensionManager;
        $this->responseFactory = $responseFactory;
        $this->accessTokenIdGenerator = $accessTokenIdGenerator;
        $this->accessTokenRepository = $accessTokenRepository;
        $this->accessTokenLifetime = $accessLifetime;
    }

    /**
     * {@inheritdoc}
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // We prepare the Grant Type Data.
        // The client may be null (authenticated by other means).
        $grantTypeData = GrantTypeData::create($request->getAttribute('client'));

        // We retrieve the Grant Type.
        // This middleware must be behind the GrantTypeMiddleware
        $grantType = $request->getAttribute('grant_type');
        if (!$grantType instanceof GrantType) {
            throw new OAuth2Exception(500, OAuth2Exception::ERROR_INTERNAL, null);
        }

        // We check that the request has all parameters needed for the selected grant type
        $grantType->checkRequest($request);

        // The grant type prepare the token response
        // The grant type data should be updated accordingly
        $grantTypeData = $grantType->prepareResponse($request, $grantTypeData);

        // At this stage, the client should be authenticated
        // If not, we stop the authorization grant
        if (null === $grantTypeData->getClient() || $grantTypeData->getClient()->isDeleted()) {
            throw new OAuth2Exception(401, OAuth2Exception::ERROR_INVALID_CLIENT, 'Client authentication failed.');
        }

        // We check the client is allowed to use the selected grant type
        if (!$grantTypeData->getClient()->isGrantTypeAllowed($grantType->name())) {
            throw new OAuth2Exception(400, OAuth2Exception::ERROR_UNAUTHORIZED_CLIENT, sprintf('The grant type "%s" is unauthorized for this client.', $grantType->name()));
        }

        // We populate the token type parameters
        $grantTypeData = $this->updateWithTokenTypeParameters($request, $grantTypeData);

        // We call for extensions prior to the Access Token issuance
        $grantTypeData = $this->tokenEndpointExtensionManager->handleBeforeAccessTokenIssuance($request, $grantTypeData, $grantType);

        // We grant the client
        $grantTypeData = $grantType->grant($request, $grantTypeData);

        // Everything is fine so we can issue the access token
        $accessToken = $this->issueAccessToken($grantTypeData);
        $resourceOwner = $this->getResourceOwner($grantTypeData->getResourceOwnerId());

        // We call for extensions after to the Access Token issuance
        $data = $this->tokenEndpointExtensionManager->handleAfterAccessTokenIssuance($grantTypeData->getClient(), $resourceOwner, $accessToken);

        return $this->createResponse($data);
    }

    /**
     * @param array $data
     *
     * @return ResponseInterface
     */
    private function createResponse(array $data): ResponseInterface
    {
        $headers = ['Content-Type' => 'application/json; charset=UTF-8', 'Cache-Control' => 'no-cache, no-store, max-age=0, must-revalidate, private', 'Pragma' => 'no-cache'];
        $response = $this->responseFactory->createResponse(200, null, $headers);
        $response->getBody()->write(json_encode($data, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES));

        return $response;
    }

    /**
     * @param GrantTypeData $grantTypeData
     *
     * @return AccessToken
     */
    private function issueAccessToken(GrantTypeData $grantTypeData): AccessToken
    {
        $accessTokenId = $this->accessTokenIdGenerator->create(
            $grantTypeData->getResourceOwnerId(),
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}
            $grantTypeData->getClient()->getPublicId(),
            $grantTypeData->getParameters(),
            $grantTypeData->getMetadatas(),
            null
        );
        $accessToken = AccessToken::createEmpty();
        $accessToken = $accessToken->create(
            $accessTokenId,
            $grantTypeData->getResourceOwnerId(),
            $grantTypeData->getClient()->getPublicId(),
            $grantTypeData->getParameters(),
            $grantTypeData->getMetadatas(),
            new \DateTimeImmutable(sprintf('now +%d seconds', $this->accessTokenLifetime)),
            null
        );
        $this->accessTokenRepository->save($accessToken);

        return $accessToken;
    }

    /**
     * @param ResourceOwnerId $resourceOwnerId
     *
     * @throws OAuth2Exception
     *
     * @return ResourceOwner
     */
    private function getResourceOwner(ResourceOwnerId $resourceOwnerId): ResourceOwner
    {
        $resourceOwner = $this->clientRepository->find(ClientId::create($resourceOwnerId->getValue()));
        if (null === $resourceOwner) {
            $resourceOwner = $this->userAccountRepository->find(UserAccountId::create($resourceOwnerId->getValue()));
        }

        if (null === $resourceOwner) {
            throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, 'Unable to find the associated resource owner.');
        }

        return $resourceOwner;
    }

    /**
     * @param ServerRequestInterface $request
     * @param GrantTypeData          $grantTypeData
     *
     * @return GrantTypeData
     *
     * @throws OAuth2Exception
     */
    private function updateWithTokenTypeParameters(ServerRequestInterface $request, GrantTypeData $grantTypeData): GrantTypeData
    {
        /** @var TokenType $tokenType */
        $tokenType = $request->getAttribute('token_type');
        if (!$grantTypeData->getClient()->isTokenTypeAllowed($tokenType->name())) {
            throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, sprintf('The token type "%s" is not allowed for the client.', $tokenType->name()));
        }

        $info = $tokenType->getAdditionalInformation();
        $info['token_type'] = $tokenType->name();
        foreach ($info as $k => $v) {
            $grantTypeData = $grantTypeData->withParameter($k, $v);
        }

        return $grantTypeData;
    }

    /**
     * @param Client $client
     * @param string $grant_type
     *
     * @return bool
     */
    private function isGrantTypeAllowedForTheClient(Client $client, string $grant_type): bool

    {
        $grant_types = $client->has('grant_types') ? $client->get('grant_types') : [];
        if (!is_array($grant_types)) {
            throw new \InvalidArgumentException('The metadata "grant_types" must be an array.');
        }

        return in_array($grant_type, $grant_types);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace OAuth2Framework\Component\TokenEndpoint;
15
16			use Http\Message\ResponseFactory;
17			use OAuth2Framework\Component\Core\AccessToken\AccessTokenIdGenerator;
18			use Psr\Http\Server\RequestHandlerInterface;
19			use Psr\Http\Server\MiddlewareInterface;
20			use OAuth2Framework\Component\Core\AccessToken\AccessToken;
21			use OAuth2Framework\Component\Core\AccessToken\AccessTokenRepository;
22			use OAuth2Framework\Component\Core\Client\Client;
23			use OAuth2Framework\Component\Core\Client\ClientId;
24			use OAuth2Framework\Component\Core\Client\ClientRepository;
25			use OAuth2Framework\Component\Core\ResourceOwner\ResourceOwnerId;
26			use OAuth2Framework\Component\Core\ResourceOwner\ResourceOwner;
27			use OAuth2Framework\Component\Core\UserAccount\UserAccountId;
28			use OAuth2Framework\Component\Core\UserAccount\UserAccountRepository;
29			use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
30			use OAuth2Framework\Component\TokenEndpoint\Extension\TokenEndpointExtensionManager;
31			use OAuth2Framework\Component\TokenType\TokenType;
32			use Psr\Http\Message\ResponseInterface;
33			use Psr\Http\Message\ServerRequestInterface;
34
35			class TokenEndpoint implements MiddlewareInterface
36			{
37			/**
38			* @var TokenEndpointExtensionManager
39			*/
40			private $tokenEndpointExtensionManager;
41
42			/**
43			* @var ClientRepository
44			*/
45			private $clientRepository;
46
47			/**
48			* @var UserAccountRepository
49			*/
50			private $userAccountRepository;
51
52			/**
53			* @var ResponseFactory
54			*/
55			private $responseFactory;
56
57			/**
58			* @var AccessTokenIdGenerator
59			*/
60			private $accessTokenIdGenerator;
61
62			/**
63			* @var AccessTokenRepository
64			*/
65			private $accessTokenRepository;
66
67			/**
68			* @var int
69			*/
70			private $accessTokenLifetime;
71
72			/**
73			* TokenEndpoint constructor.
74			*
75			* @param ClientRepository $clientRepository
76			* @param UserAccountRepository $userAccountRepository
77			* @param TokenEndpointExtensionManager $tokenEndpointExtensionManager
78			* @param ResponseFactory $responseFactory
79			* @param AccessTokenRepository $accessTokenRepository
80			* @param AccessTokenIdGenerator $accessTokenIdGenerator
81			* @param int $accessLifetime
82			*/
83			public function __construct(ClientRepository $clientRepository, UserAccountRepository $userAccountRepository, TokenEndpointExtensionManager $tokenEndpointExtensionManager, ResponseFactory $responseFactory, AccessTokenRepository $accessTokenRepository, AccessTokenIdGenerator $accessTokenIdGenerator, int $accessLifetime)
84			{
85			$this->clientRepository = $clientRepository;
86			$this->userAccountRepository = $userAccountRepository;
87			$this->tokenEndpointExtensionManager = $tokenEndpointExtensionManager;
88			$this->responseFactory = $responseFactory;
89			$this->accessTokenIdGenerator = $accessTokenIdGenerator;
90			$this->accessTokenRepository = $accessTokenRepository;
91			$this->accessTokenLifetime = $accessLifetime;
92			}
93
94			/**
95			* {@inheritdoc}
96			*/
97			public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
98			{
99			// We prepare the Grant Type Data.
100			// The client may be null (authenticated by other means).
101			$grantTypeData = GrantTypeData::create($request->getAttribute('client'));
102
103			// We retrieve the Grant Type.
104			// This middleware must be behind the GrantTypeMiddleware
105			$grantType = $request->getAttribute('grant_type');
106			if (!$grantType instanceof GrantType) {
107			throw new OAuth2Exception(500, OAuth2Exception::ERROR_INTERNAL, null);
108			}
109
110			// We check that the request has all parameters needed for the selected grant type
111			$grantType->checkRequest($request);
112
113			// The grant type prepare the token response
114			// The grant type data should be updated accordingly
115			$grantTypeData = $grantType->prepareResponse($request, $grantTypeData);
116
117			// At this stage, the client should be authenticated
118			// If not, we stop the authorization grant
119			if (null === $grantTypeData->getClient() \|\| $grantTypeData->getClient()->isDeleted()) {
120			throw new OAuth2Exception(401, OAuth2Exception::ERROR_INVALID_CLIENT, 'Client authentication failed.');
121			}
122
123			// We check the client is allowed to use the selected grant type
124			if (!$grantTypeData->getClient()->isGrantTypeAllowed($grantType->name())) {
125			throw new OAuth2Exception(400, OAuth2Exception::ERROR_UNAUTHORIZED_CLIENT, sprintf('The grant type "%s" is unauthorized for this client.', $grantType->name()));
126			}
127
128			// We populate the token type parameters
129			$grantTypeData = $this->updateWithTokenTypeParameters($request, $grantTypeData);
130
131			// We call for extensions prior to the Access Token issuance
132			$grantTypeData = $this->tokenEndpointExtensionManager->handleBeforeAccessTokenIssuance($request, $grantTypeData, $grantType);
133
134			// We grant the client
135			$grantTypeData = $grantType->grant($request, $grantTypeData);
136
137			// Everything is fine so we can issue the access token
138			$accessToken = $this->issueAccessToken($grantTypeData);
139			$resourceOwner = $this->getResourceOwner($grantTypeData->getResourceOwnerId());
140
141			// We call for extensions after to the Access Token issuance
142			$data = $this->tokenEndpointExtensionManager->handleAfterAccessTokenIssuance($grantTypeData->getClient(), $resourceOwner, $accessToken);
143
144			return $this->createResponse($data);
145			}
146
147			/**
148			* @param array $data
149			*
150			* @return ResponseInterface
151			*/
152			private function createResponse(array $data): ResponseInterface
153			{
154			$headers = ['Content-Type' => 'application/json; charset=UTF-8', 'Cache-Control' => 'no-cache, no-store, max-age=0, must-revalidate, private', 'Pragma' => 'no-cache'];
155			$response = $this->responseFactory->createResponse(200, null, $headers);
156			$response->getBody()->write(json_encode($data, JSON_UNESCAPED_UNICODE \| JSON_UNESCAPED_SLASHES));
157
158			return $response;
159			}
160
161			/**
162			* @param GrantTypeData $grantTypeData
163			*
164			* @return AccessToken
165			*/
166			private function issueAccessToken(GrantTypeData $grantTypeData): AccessToken
167			{
168			$accessTokenId = $this->accessTokenIdGenerator->create(
169			$grantTypeData->getResourceOwnerId(),
			0 ignored issues – show Bug introduced 2018-01-20 13:12 UTC by Report Bug Copy Issue Report It seems like `$grantTypeData->getResourceOwnerId()` can be `null`; however, `create()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
170			$grantTypeData->getClient()->getPublicId(),
171			$grantTypeData->getParameters(),
172			$grantTypeData->getMetadatas(),
173			null
174			);
175			$accessToken = AccessToken::createEmpty();
176			$accessToken = $accessToken->create(
177			$accessTokenId,
178			$grantTypeData->getResourceOwnerId(),
179			$grantTypeData->getClient()->getPublicId(),
180			$grantTypeData->getParameters(),
181			$grantTypeData->getMetadatas(),
182			new \DateTimeImmutable(sprintf('now +%d seconds', $this->accessTokenLifetime)),
183			null
184			);
185			$this->accessTokenRepository->save($accessToken);
186
187			return $accessToken;
188			}
189
190			/**
191			* @param ResourceOwnerId $resourceOwnerId
192			*
193			* @throws OAuth2Exception
194			*
195			* @return ResourceOwner
196			*/
197			private function getResourceOwner(ResourceOwnerId $resourceOwnerId): ResourceOwner
198			{
199			$resourceOwner = $this->clientRepository->find(ClientId::create($resourceOwnerId->getValue()));
200			if (null === $resourceOwner) {
201			$resourceOwner = $this->userAccountRepository->find(UserAccountId::create($resourceOwnerId->getValue()));
202			}
203
204			if (null === $resourceOwner) {
205			throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, 'Unable to find the associated resource owner.');
206			}
207
208			return $resourceOwner;
209			}
210
211			/**
212			* @param ServerRequestInterface $request
213			* @param GrantTypeData $grantTypeData
214			*
215			* @return GrantTypeData
216			*
217			* @throws OAuth2Exception
218			*/
219			private function updateWithTokenTypeParameters(ServerRequestInterface $request, GrantTypeData $grantTypeData): GrantTypeData
220			{
221			/** @var TokenType $tokenType */
222			$tokenType = $request->getAttribute('token_type');
223			if (!$grantTypeData->getClient()->isTokenTypeAllowed($tokenType->name())) {
224			throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, sprintf('The token type "%s" is not allowed for the client.', $tokenType->name()));
225			}
226
227			$info = $tokenType->getAdditionalInformation();
228			$info['token_type'] = $tokenType->name();
229			foreach ($info as $k => $v) {
230			$grantTypeData = $grantTypeData->withParameter($k, $v);
231			}
232
233			return $grantTypeData;
234			}
235
236			/**
237			* @param Client $client
238			* @param string $grant_type
239			*
240			* @return bool
241			*/
242			private function isGrantTypeAllowedForTheClient(Client $client, string $grant_type): bool
			0 ignored issues – show Unused Code introduced 2018-02-09 21:55 UTC by Report Bug Copy Issue Report This method is not used, and could be removed. Loading history...
243			{
244			$grant_types = $client->has('grant_types') ? $client->get('grant_types') : [];
245			if (!is_array($grant_types)) {
246			throw new \InvalidArgumentException('The metadata "grant_types" must be an array.');
247			}
248
249			return in_array($grant_type, $grant_types);
250			}
251			}
252

OAuth2-Framework / oauth2-framework

Push — ng ( 280307...a36945 )

TokenEndpoint A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

7 Methods

Duplication Side-by-Side

Filter issues like