|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
declare(strict_types=1); |
|
4
|
|
|
|
|
5
|
|
|
/* |
|
6
|
|
|
* The MIT License (MIT) |
|
7
|
|
|
* |
|
8
|
|
|
* Copyright (c) 2014-2018 Spomky-Labs |
|
9
|
|
|
* |
|
10
|
|
|
* This software may be modified and distributed under the terms |
|
11
|
|
|
* of the MIT license. See the LICENSE file for details. |
|
12
|
|
|
*/ |
|
13
|
|
|
|
|
14
|
|
|
namespace OAuth2Framework\Component\AuthorizationEndpoint; |
|
15
|
|
|
|
|
16
|
|
|
use Http\Message\MessageFactory; |
|
17
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\AuthorizationRequest\AuthorizationRequest; |
|
18
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\AuthorizationRequest\AuthorizationRequestLoader; |
|
19
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\Extension\ExtensionManager; |
|
20
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\ParameterChecker\ParameterCheckerManager; |
|
21
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\UserAccount\UserAccountCheckerManager; |
|
22
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\UserAccount\UserAccountDiscovery; |
|
23
|
|
|
use OAuth2Framework\Component\Core\Message\OAuth2Error; |
|
24
|
|
|
use Psr\Http\Message\ResponseInterface; |
|
25
|
|
|
use Psr\Http\Message\ServerRequestInterface; |
|
26
|
|
|
use Psr\Http\Server\MiddlewareInterface; |
|
27
|
|
|
use Psr\Http\Server\RequestHandlerInterface; |
|
28
|
|
|
|
|
29
|
|
|
abstract class AuthorizationEndpoint implements MiddlewareInterface |
|
30
|
|
|
{ |
|
31
|
|
|
protected $messageFactory; |
|
32
|
|
|
|
|
33
|
|
|
protected $authorizationRequestLoader; |
|
34
|
|
|
|
|
35
|
|
|
protected $parameterCheckerManager; |
|
36
|
|
|
|
|
37
|
|
|
protected $userAccountDiscovery; |
|
38
|
|
|
|
|
39
|
|
|
protected $userAccountCheckerManager; |
|
40
|
|
|
|
|
41
|
|
|
protected $extensionManager; |
|
42
|
|
|
|
|
43
|
|
|
public function __construct(MessageFactory $messageFactory, AuthorizationRequestLoader $authorizationRequestLoader, ParameterCheckerManager $parameterCheckerManager, UserAccountDiscovery $userAccountDiscovery, UserAccountCheckerManager $userAccountCheckerManager, ExtensionManager $extensionManager) |
|
44
|
|
|
{ |
|
45
|
|
|
$this->messageFactory = $messageFactory; |
|
46
|
|
|
$this->authorizationRequestLoader = $authorizationRequestLoader; |
|
47
|
|
|
$this->parameterCheckerManager = $parameterCheckerManager; |
|
48
|
|
|
$this->userAccountDiscovery = $userAccountDiscovery; |
|
49
|
|
|
$this->userAccountCheckerManager = $userAccountCheckerManager; |
|
50
|
|
|
$this->extensionManager = $extensionManager; |
|
51
|
|
|
} |
|
52
|
|
|
|
|
53
|
|
|
abstract protected function redirectToLoginPage(ServerRequestInterface $request, AuthorizationRequest $authorization): ResponseInterface; |
|
54
|
|
|
|
|
55
|
|
|
abstract protected function processConsentScreen(ServerRequestInterface $request, AuthorizationRequest $authorization): ResponseInterface; |
|
56
|
|
|
|
|
57
|
|
|
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface |
|
58
|
|
|
{ |
|
59
|
|
|
try { |
|
60
|
|
|
// Loads the request and check the parameters |
|
61
|
|
|
$authorization = $this->authorizationRequestLoader->load($request); |
|
62
|
|
|
$authorization = $this->parameterCheckerManager->process($authorization); |
|
63
|
|
|
|
|
64
|
|
|
//Retrieve the end user account |
|
65
|
|
|
$userAccount = $this->userAccountDiscovery->find(); |
|
66
|
|
|
if (null !== $userAccount) { |
|
67
|
|
|
// Process with authenticated user |
|
68
|
|
|
$isFullyAuthenticated = $this->userAccountDiscovery->isFullyAuthenticated(); |
|
69
|
|
|
$authorization->setUserAccount($userAccount, $isFullyAuthenticated); |
|
70
|
|
|
|
|
71
|
|
|
//Check the user against the available rules e.g.: |
|
72
|
|
|
// * prompt login => redirect to login page |
|
73
|
|
|
// * max_age/default_max_age => redirect to login page |
|
74
|
|
|
if (!$isFullyAuthenticated) { |
|
75
|
|
|
$this->userAccountCheckerManager->check($authorization); |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
if ($authorization->hasPrompt('none')) { |
|
79
|
|
|
//TODO: No interaction. Should verified if the authorization has previously been given |
|
80
|
|
|
$this->throwOAuth2Error($authorization, OAuth2Error::ERROR_INTERACTION_REQUIRED, 'The resource owner consent is required.'); |
|
81
|
|
|
} else { |
|
82
|
|
|
//Ask for consent |
|
83
|
|
|
$authorization = $this->extensionManager->processBefore($request, $authorization); |
|
84
|
|
|
} |
|
85
|
|
|
|
|
86
|
|
|
return $this->processConsentScreen($request, $authorization); |
|
87
|
|
|
} else { |
|
88
|
|
|
// Process with unauthenticated user |
|
89
|
|
|
|
|
90
|
|
|
// If prompt = none => no interaction |
|
91
|
|
|
if ($authorization->hasPrompt('none')) { |
|
92
|
|
|
//throw error login required |
|
93
|
|
|
$this->throwOAuth2Error($authorization, OAuth2Error::ERROR_LOGIN_REQUIRED, 'The resource owner is not logged in.'); |
|
94
|
|
|
} |
|
95
|
|
|
|
|
96
|
|
|
// Else => user authentication required |
|
97
|
|
|
return $this->redirectToLoginPage($request, $authorization); |
|
98
|
|
|
} |
|
99
|
|
|
} catch (OAuth2Error $e) { |
|
100
|
|
|
throw $e; |
|
101
|
|
|
} catch (\Exception $e) { |
|
102
|
|
|
throw $e; |
|
103
|
|
|
}/* catch (Exception\ProcessAuthorizationException $e) { |
|
|
|
|
|
|
104
|
|
|
$authorization = $e->getAuthorization(); |
|
105
|
|
|
$authorization = $this->extensionManager->processAfter($request, $authorization); |
|
106
|
|
|
if (false === $authorization->isAuthorized()) { |
|
107
|
|
|
$this->throwOAuth2Error($authorization, OAuth2Message::ERROR_ACCESS_DENIED, 'The resource owner denied access to your client.'); |
|
108
|
|
|
} |
|
109
|
|
|
|
|
110
|
|
|
$responseType = $authorization->getResponseType(); |
|
111
|
|
|
|
|
112
|
|
|
try { |
|
113
|
|
|
$authorization = $responseType->preProcess($authorization); |
|
114
|
|
|
$authorization = $responseType->process($authorization); |
|
115
|
|
|
} catch (OAuth2Message $e) { |
|
116
|
|
|
$this->throwOAuth2Error($authorization, $e->getMessage(), $e->getErrorDescription()); |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
|
return $this->buildResponse($authorization); |
|
120
|
|
|
} catch (Exception\CreateRedirectionException $e) { |
|
121
|
|
|
$this->throwOAuth2Error($e->getAuthorization(), $e->getMessage(), $e->getDescription()); |
|
122
|
|
|
} catch (Exception\ShowConsentScreenException $e) { |
|
123
|
|
|
return $this->processConsentScreen($request, $e->getAuthorization()); |
|
124
|
|
|
} catch (Exception\RedirectToLoginPageException $e) { |
|
125
|
|
|
return $this->redirectToLoginPage($request, $e->getAuthorization()); |
|
126
|
|
|
}*/ |
|
127
|
|
|
} |
|
128
|
|
|
|
|
129
|
|
|
protected function buildResponse(AuthorizationRequest $authorization): ResponseInterface |
|
130
|
|
|
{ |
|
131
|
|
|
$response = $authorization->getResponseMode()->buildResponse( |
|
132
|
|
|
$this->messageFactory->createResponse(), |
|
133
|
|
|
$authorization->getRedirectUri(), |
|
134
|
|
|
$authorization->getResponseParameters() |
|
135
|
|
|
); |
|
136
|
|
|
foreach ($authorization->getResponseHeaders() as $k => $v) { |
|
137
|
|
|
$response = $response->withHeader($k, $v); |
|
138
|
|
|
} |
|
139
|
|
|
|
|
140
|
|
|
return $response; |
|
141
|
|
|
} |
|
142
|
|
|
|
|
143
|
|
|
protected function throwOAuth2Error(AuthorizationRequest $authorization, string $error, string $errorDescription) |
|
144
|
|
|
{ |
|
145
|
|
|
$params = $authorization->getResponseParameters(); |
|
146
|
|
|
if (null === $authorization->getResponseMode() || null === $authorization->getRedirectUri()) { |
|
147
|
|
|
throw new OAuth2Error(400, $error, $errorDescription); |
|
148
|
|
|
} |
|
149
|
|
|
$params += [ |
|
150
|
|
|
'response_mode' => $authorization->getResponseMode(), |
|
151
|
|
|
'redirect_uri' => $authorization->getRedirectUri(), |
|
152
|
|
|
]; |
|
153
|
|
|
|
|
154
|
|
|
throw new OAuth2Error(303, $error, $errorDescription, $params); |
|
155
|
|
|
} |
|
156
|
|
|
} |
|
157
|
|
|
|
OAuth2-Framework /
oauth2-framework
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.