AbstractProvider::checkNonce() - Code Metrics - SocialConnect/auth - Measure and Improve Code Quality continuously with Scrutinizer

AbstractProvider::checkNonce() A
last analyzed 2020-01-29 13:21 UTC

↳ Parent: AbstractProvider

Complexity

Conditions	3
Paths	3

Size

Total Lines	13
Code Lines	7

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	6
CRAP Score	3.1406

Importance

Changes

Metric	Value
cc	3
eloc	7
nc	3
nop	1
dl	0
loc	13
ccs	6
cts	8
cp	0.75
crap	3.1406
rs	10
c	0
b	0
f	0

<?php
/**
 * SocialConnect project
 * @author: Patsura Dmitry https://github.com/ovr <[email protected]>
 */
declare(strict_types=1);

namespace SocialConnect\OpenID;

use SocialConnect\Common\Exception\Unsupported;
use SocialConnect\OpenID\Exception\Unauthorized;
use SocialConnect\Provider\AbstractBaseProvider;
use SocialConnect\Provider\Consumer;
use SocialConnect\Provider\Exception\InvalidAccessToken;
use SocialConnect\Provider\Exception\InvalidResponse;

abstract class AbstractProvider extends AbstractBaseProvider
{
    /**
     * @return string
     */
    abstract public function getOpenIdUrl();

    /**
     * @var int
     */
    protected $version;

    /**
     * @var string
     */
    protected $loginEntrypoint;

    /**
     * @param bool $immediate
     * @return string
     */
    protected function makeAuthUrlV2($immediate)
    {
        $params = [
            'openid.ns' => 'http://specs.openid.net/auth/2.0',
            'openid.mode' => $immediate ? 'checkid_immediate' : 'checkid_setup',
            'openid.return_to' => $this->getRedirectUrl(),
            'openid.realm' => $this->getRedirectUrl()
        ];

        $params['openid.ns.sreg'] = 'http://openid.net/extensions/sreg/1.1';
        $params['openid.identity'] = $params['openid.claimed_id'] = 'http://specs.openid.net/auth/2.0/identifier_select';

        return $this->loginEntrypoint . '?' . http_build_query($params, '', '&');
    }

    /**
     * @param string $url
     * @return string
     * @throws InvalidResponse
     * @throws \Psr\Http\Client\ClientExceptionInterface
     */
    protected function discover(string $url)
    {
        $response = $this->executeRequest(
            $this->httpStack->createRequest('GET', $url)
        );

        $contentType = $response->getHeaderLine('Content-Type');
        if (strpos($contentType, 'application/xrds+xml;charset=utf-8') === false) {
            throw new InvalidResponse(
                'Unexpected Content-Type',
                $response
            );
        }

        $xml = new \SimpleXMLElement($response->getBody()->getContents());

        $this->version = 2;
        $this->loginEntrypoint = $xml->XRD->Service->URI;

        return $this->getOpenIdUrl();
    }

    /**
     * {@inheritdoc}
     */
    public function makeAuthUrl(): string
    {
        $this->discover($this->getOpenIdUrl());

        return $this->makeAuthUrlV2(false);
    }

    /**
     * @param string $identity
     * @return string
     */
    abstract protected function parseUserIdFromIdentity($identity): string;

    protected function getRequiredRequestParameter(array $requestParameters, string $key)
    {
        if (isset($requestParameters[$key])) {
            return $requestParameters[$key];
        }

        throw new Unauthorized("There is no required parameter called: '${key}'");
    }

    /**
     * @param string $nonce
     * @return int
     * @throws Unauthorized
     */
    protected function splitNonce(string $nonce): int
    {
        $result = preg_match('/(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z(.*)/', $nonce, $matches);
        if ($result !== 1 || count($matches) !== 8) {
            throw new Unauthorized('Unexpected nonce format');
        }

        list(,$year, $month, $day, $hour, $min, $sec) = $matches;

        try {
            $timestamp = new \DateTime();
            $timestamp->setDate((int) $year, (int) $month, (int) $day);
            $timestamp->setTime((int) $hour, (int) $min, (int) $sec);
        } catch (\Throwable $e) {
            throw new Unauthorized('Timestamp from nonce is not valid', $e->getCode(), $e);
        }

        return $timestamp->getTimestamp();
    }

    /**
     * @param string $nonce
     * @return void
     * @throws Unauthorized
     */
    protected function checkNonce(string $nonce): void
    {
        $stamp = $this->splitNonce($nonce);

        $skew = 60;
        $now = time();

        if ($stamp <= $now - $skew) {
            throw new Unauthorized("Timestamp from nonce is earlier then time() - {$skew}s");
        }

        if ($stamp >= $now + $skew) {
            throw new Unauthorized("Timestamp from nonce is older then time() + {$skew}s");
        }
    }

    /**
     * @link http://openid.net/specs/openid-authentication-2_0.html#verification
     *
     * @param array $requestParameters
     * @return AccessToken
     * @throws InvalidAccessToken
     * @throws InvalidResponse
     * @throws Unauthorized
     * @throws \Psr\Http\Client\ClientExceptionInterface
     */
    public function getAccessTokenByRequestParameters(array $requestParameters)
    {
        $nonce = $this->getRequiredRequestParameter($requestParameters, 'openid_response_nonce');
        $this->checkNonce($nonce);

        $params = [
            'openid.assoc_handle' => $this->getRequiredRequestParameter($requestParameters, 'openid_assoc_handle'),
            'openid.signed' => $this->getRequiredRequestParameter($requestParameters, 'openid_signed'),
            'openid.sig' => $this->getRequiredRequestParameter($requestParameters, 'openid_sig'),
            'openid.ns' => $this->getRequiredRequestParameter($requestParameters, 'openid_ns'),
            'openid.op_endpoint' => $requestParameters['openid_op_endpoint'],
            'openid.claimed_id' => $requestParameters['openid_claimed_id'],
            'openid.identity' => $requestParameters['openid_identity'],
            'openid.return_to' => $this->getRedirectUrl(),
            'openid.response_nonce' => $nonce,
            'openid.mode' => 'check_authentication'
        ];

        if (isset($requestParameters['openid_claimed_id'])) {
            $claimedId = $requestParameters['openid_claimed_id'];
        } else {
            $claimedId = $requestParameters['openid_identity'];
        }

        $this->discover($claimedId);

        $response = $this->executeRequest(
            $this->httpStack->createRequest('POST', $this->loginEntrypoint)
                ->withHeader('Content-Type', 'application/x-www-form-urlencoded')
                ->withBody($this->httpStack->createStream(http_build_query($params, '', '&')))
        );

        $content = $response->getBody()->getContents();
        if (preg_match('/is_valid\s*:\s*true/i', $content)) {
            return new AccessToken(
                $requestParameters['openid_identity'],
                $this->parseUserIdFromIdentity(
                    $requestParameters['openid_identity']
                )
            );
        }

        throw new InvalidAccessToken;
    }

    /**
     * {@inheritDoc}
     */
    protected function createConsumer(array $parameters): Consumer
    {
        return new Consumer(
            $this->getRequiredStringParameter('applicationId', $parameters),
            ''
        );
    }

    /**
     * {@inheritDoc}
     */
    public function createAccessToken(array $information)
    {
        throw new Unsupported('It\'s usefull to use this method for OpenID, are you sure?');
    }
}


1		<?php
2		/**
3		* SocialConnect project
4		* @author: Patsura Dmitry https://github.com/ovr <[email protected]>
5		*/
6		declare(strict_types=1);
7
8		namespace SocialConnect\OpenID;
9
10		use SocialConnect\Common\Exception\Unsupported;
11		use SocialConnect\OpenID\Exception\Unauthorized;
12		use SocialConnect\Provider\AbstractBaseProvider;
13		use SocialConnect\Provider\Consumer;
14		use SocialConnect\Provider\Exception\InvalidAccessToken;
15		use SocialConnect\Provider\Exception\InvalidResponse;
16
17		abstract class AbstractProvider extends AbstractBaseProvider
18		{
19		/**
20		* @return string
21		*/
22		abstract public function getOpenIdUrl();
23
24		/**
25		* @var int
26		*/
27		protected $version;
28
29		/**
30		* @var string
31		*/
32		protected $loginEntrypoint;
33
34		/**
35		* @param bool $immediate
36		* @return string
37		*/
38	1	protected function makeAuthUrlV2($immediate)
39		{
40		$params = [
41	1	'openid.ns' => 'http://specs.openid.net/auth/2.0',
42	1	'openid.mode' => $immediate ? 'checkid_immediate' : 'checkid_setup',
43	1	'openid.return_to' => $this->getRedirectUrl(),
44	1	'openid.realm' => $this->getRedirectUrl()
45		];
46
47	1	$params['openid.ns.sreg'] = 'http://openid.net/extensions/sreg/1.1';
48	1	$params['openid.identity'] = $params['openid.claimed_id'] = 'http://specs.openid.net/auth/2.0/identifier_select';
49
50	1	return $this->loginEntrypoint . '?' . http_build_query($params, '', '&');
51		}
52
53		/**
54		* @param string $url
55		* @return string
56		* @throws InvalidResponse
57		* @throws \Psr\Http\Client\ClientExceptionInterface
58		*/
59	2	protected function discover(string $url)
60		{
61	2	$response = $this->executeRequest(
62	2	$this->httpStack->createRequest('GET', $url)
63		);
64
65	2	$contentType = $response->getHeaderLine('Content-Type');
66	2	if (strpos($contentType, 'application/xrds+xml;charset=utf-8') === false) {
67		throw new InvalidResponse(
68		'Unexpected Content-Type',
69		$response
70		);
71		}
72
73	2	$xml = new \SimpleXMLElement($response->getBody()->getContents());
74
75	2	$this->version = 2;
76	2	$this->loginEntrypoint = $xml->XRD->Service->URI;
77
78	2	return $this->getOpenIdUrl();
79		}
80
81		/**
82		* {@inheritdoc}
83		*/
84	1	public function makeAuthUrl(): string
85		{
86	1	$this->discover($this->getOpenIdUrl());
87
88	1	return $this->makeAuthUrlV2(false);
89		}
90
91		/**
92		* @param string $identity
93		* @return string
94		*/
95		abstract protected function parseUserIdFromIdentity($identity): string;
96
97	1	protected function getRequiredRequestParameter(array $requestParameters, string $key)
98		{
99	1	if (isset($requestParameters[$key])) {
100	1	return $requestParameters[$key];
101		}
102
103		throw new Unauthorized("There is no required parameter called: '${key}'");
104		}
105
106		/**
107		* @param string $nonce
108		* @return int
109		* @throws Unauthorized
110		*/
111	1	protected function splitNonce(string $nonce): int
112		{
113	1	$result = preg_match('/(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z(.*)/', $nonce, $matches);
114	1	if ($result !== 1 \|\| count($matches) !== 8) {
115		throw new Unauthorized('Unexpected nonce format');
116		}
117
118	1	list(,$year, $month, $day, $hour, $min, $sec) = $matches;
119
120		try {
121	1	$timestamp = new \DateTime();
122	1	$timestamp->setDate((int) $year, (int) $month, (int) $day);
123	1	$timestamp->setTime((int) $hour, (int) $min, (int) $sec);
124		} catch (\Throwable $e) {
125		throw new Unauthorized('Timestamp from nonce is not valid', $e->getCode(), $e);
126		}
127
128	1	return $timestamp->getTimestamp();
129		}
130
131		/**
132		* @param string $nonce
133		* @return void
134		* @throws Unauthorized
135		*/
136	1	protected function checkNonce(string $nonce): void
137		{
138	1	$stamp = $this->splitNonce($nonce);
139
140	1	$skew = 60;
141	1	$now = time();
142
143	1	if ($stamp <= $now - $skew) {
144		throw new Unauthorized("Timestamp from nonce is earlier then time() - {$skew}s");
145		}
146
147	1	if ($stamp >= $now + $skew) {
148		throw new Unauthorized("Timestamp from nonce is older then time() + {$skew}s");
149		}
150	1	}
151
152		/**
153		* @link http://openid.net/specs/openid-authentication-2_0.html#verification
154		*
155		* @param array $requestParameters
156		* @return AccessToken
157		* @throws InvalidAccessToken
158		* @throws InvalidResponse
159		* @throws Unauthorized
160		* @throws \Psr\Http\Client\ClientExceptionInterface
161		*/
162	1	public function getAccessTokenByRequestParameters(array $requestParameters)
163		{
164	1	$nonce = $this->getRequiredRequestParameter($requestParameters, 'openid_response_nonce');
165	1	$this->checkNonce($nonce);
166
167		$params = [
168	1	'openid.assoc_handle' => $this->getRequiredRequestParameter($requestParameters, 'openid_assoc_handle'),
169	1	'openid.signed' => $this->getRequiredRequestParameter($requestParameters, 'openid_signed'),
170	1	'openid.sig' => $this->getRequiredRequestParameter($requestParameters, 'openid_sig'),
171	1	'openid.ns' => $this->getRequiredRequestParameter($requestParameters, 'openid_ns'),
172	1	'openid.op_endpoint' => $requestParameters['openid_op_endpoint'],
173	1	'openid.claimed_id' => $requestParameters['openid_claimed_id'],
174	1	'openid.identity' => $requestParameters['openid_identity'],
175	1	'openid.return_to' => $this->getRedirectUrl(),
176	1	'openid.response_nonce' => $nonce,
177	1	'openid.mode' => 'check_authentication'
178		];
179
180	1	if (isset($requestParameters['openid_claimed_id'])) {
181	1	$claimedId = $requestParameters['openid_claimed_id'];
182		} else {
183		$claimedId = $requestParameters['openid_identity'];
184		}
185
186	1	$this->discover($claimedId);
187
188	1	$response = $this->executeRequest(
189	1	$this->httpStack->createRequest('POST', $this->loginEntrypoint)
190	1	->withHeader('Content-Type', 'application/x-www-form-urlencoded')
191	1	->withBody($this->httpStack->createStream(http_build_query($params, '', '&')))
192		);
193
194	1	$content = $response->getBody()->getContents();
195	1	if (preg_match('/is_valid\s:\strue/i', $content)) {
196	1	return new AccessToken(
197	1	$requestParameters['openid_identity'],
198	1	$this->parseUserIdFromIdentity(
199	1	$requestParameters['openid_identity']
200		)
201		);
202		}
203
204		throw new InvalidAccessToken;
205		}
206
207		/**
208		* {@inheritDoc}
209		*/
210	7	protected function createConsumer(array $parameters): Consumer
211		{
212	7	return new Consumer(
213	7	$this->getRequiredStringParameter('applicationId', $parameters),
214	7	''
215		);
216		}
217
218		/**
219		* {@inheritDoc}
220		*/
221		public function createAccessToken(array $information)
222		{
223		throw new Unsupported('It\'s usefull to use this method for OpenID, are you sure?');
224		}
225		}
226

SocialConnect / auth

AbstractProvider::checkNonce() A last analyzed 2020-01-29 13:21 UTC

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like

AbstractProvider::checkNonce() A
last analyzed 2020-01-29 13:21 UTC