Issues in AbstractProvider.php - New Issues - Inspection of "[OAuth2] Provider: improve generateState #32" - SocialConnect/auth - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 4778d8...c5c7c0 )

by Дмитрий

created 2017-08-26 17:37 UTC

src/OAuth2/AbstractProvider.php (1 issue)

Showing only issues like (Show All)

Check for loose comparison of booleans.

Best Practice Bug Major

Dmitry Patsura 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * SocialConnect project
 * @author: Patsura Dmitry https://github.com/ovr <[email protected]>
 */

namespace SocialConnect\OAuth2;

use InvalidArgumentException;
use SocialConnect\OAuth2\Exception\InvalidState;
use SocialConnect\OAuth2\Exception\Unauthorized;
use SocialConnect\OAuth2\Exception\UnknownAuthorization;
use SocialConnect\OAuth2\Exception\UnknownState;
use SocialConnect\Provider\AbstractBaseProvider;
use SocialConnect\Provider\Exception\InvalidAccessToken;
use SocialConnect\Provider\Exception\InvalidResponse;
use SocialConnect\Common\Http\Client\Client;

abstract class AbstractProvider extends AbstractBaseProvider
{
    /**
     * HTTP method for access token request
     *
     * @var string
     */
    protected $requestHttpMethod = Client::POST;

    /**
     * @return string
     */
    abstract public function getAuthorizeUri();

    /**
     * @return string
     */
    abstract public function getRequestTokenUri();

    /**
     * Default parameters for auth url, can be redeclared inside implementation of the Provider
     *
     * @return array
     */
    public function getAuthUrlParameters()
    {
        return [
            'client_id' => $this->consumer->getKey(),
            'redirect_uri' => $this->getRedirectUrl(),
            'response_type' => 'code',
        ];
    }

    /**
     * 16 bytes / 128 bit / 16 symbols / 32 symbols in hex
     */
    const STATE_BYTES = 16;

    /**
     * @return string
     */
    protected function generateState()
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(self::STATE_BYTES));
        }

        if (function_exists('openssl_random_pseudo_bytes')) {
            $bytes = openssl_random_pseudo_bytes(self::STATE_BYTES, $strongSource);
            if (!$strongSource) {
$a = canBeFalseAndNull();

// Instead of
if ( ! $a) { }

// Better use one of the explicit versions:
if ($a !== null) { }
if ($a !== false) { }
if ($a !== null && $a !== false) { }
                trigger_error(
                    'openssl was unable to use a strong source of entropy. ' .
                    'Consider updating your system libraries, or ensuring ' .
                    'you have more available entropy.',
                    E_USER_WARNING
                );
            }

            return bin2hex($bytes);
        }

        trigger_error(
            'You do not have a safe source of random data available. ' .
            'Install either the openssl extension, or paragonie/random_compat. ' .
            'Falling back to an insecure random source.',
            E_USER_WARNING
        );

        return md5(
            time() . mt_rand()
        );
    }

    /**
     * @return string
     */
    public function makeAuthUrl()
    {
        $urlParameters = $this->getAuthUrlParameters();

        $this->session->set(
            'oauth2_state',
            $urlParameters['state'] = $this->generateState()
        );

        if (count($this->scope) > 0) {
            $urlParameters['scope'] = $this->getScopeInline();
        }

        if (count($this->fields) > 0) {
            $urlParameters['fields'] = $this->getFieldsInline();
        }

        return $this->getAuthorizeUri() . '?' . http_build_query($urlParameters);
    }

    /**
     * Parse access token from response's $body
     *
     * @param string|bool $body
     * @return AccessToken
     * @throws InvalidAccessToken
     */
    public function parseToken($body)
    {
        if (empty($body)) {
            throw new InvalidAccessToken('Provider response with empty body');
        }

        parse_str($body, $token);

        if (!is_array($token) || !isset($token['access_token'])) {
            throw new InvalidAccessToken('Provider API returned an unexpected response');
        }

        return new AccessToken($token);
    }

    /**
     * @param string $code
     * @return \SocialConnect\Common\Http\Request
     */
    protected function makeAccessTokenRequest($code)
    {
        $parameters = [
            'client_id' => $this->consumer->getKey(),
            'client_secret' => $this->consumer->getSecret(),
            'code' => $code,
            'grant_type' => 'authorization_code',
            'redirect_uri' => $this->getRedirectUrl()
        ];

        return new \SocialConnect\Common\Http\Request(
            $this->getRequestTokenUri(),
            $parameters,
            $this->requestHttpMethod,
            [
                'Content-Type' => 'application/x-www-form-urlencoded'
            ]
        );
    }

    /**
     * @param string $code
     * @return AccessToken
     * @throws InvalidResponse
     */
    public function getAccessToken($code)
    {
        if (!is_string($code)) {
            throw new InvalidArgumentException('Parameter $code must be a string');
        }

        $response = $this->httpClient->fromRequest(
            $this->makeAccessTokenRequest($code)
        );

        if (!$response->isSuccess()) {
            throw new InvalidResponse(
                'API response with error code',
                $response
            );
        }

        $body = $response->getBody();
        return $this->parseToken($body);
    }

    /**
     * @param array $parameters
     * @return AccessToken
     * @throws \SocialConnect\OAuth2\Exception\InvalidState
     * @throws \SocialConnect\OAuth2\Exception\UnknownState
     * @throws \SocialConnect\OAuth2\Exception\UnknownAuthorization
     */
    public function getAccessTokenByRequestParameters(array $parameters)
    {
        $state = $this->session->get('oauth2_state');
        if (!$state) {
            throw new UnknownAuthorization();
        }

        if (isset($parameters['error']) && $parameters['error'] === 'access_denied') {
            throw new Unauthorized();
        }

        if (!isset($parameters['state'])) {
            throw new UnknownState();
        }

        if ($state !== $parameters['state']) {
            throw new InvalidState();
        }

        if (!isset($parameters['code'])) {
            throw new Unauthorized('Unknown code');
        }

        return $this->getAccessToken($parameters['code']);
    }
}


1		<?php
2		/**
3		* SocialConnect project
4		* @author: Patsura Dmitry https://github.com/ovr <[email protected]>
5		*/
6
7		namespace SocialConnect\OAuth2;
8
9		use InvalidArgumentException;
10		use SocialConnect\OAuth2\Exception\InvalidState;
11		use SocialConnect\OAuth2\Exception\Unauthorized;
12		use SocialConnect\OAuth2\Exception\UnknownAuthorization;
13		use SocialConnect\OAuth2\Exception\UnknownState;
14		use SocialConnect\Provider\AbstractBaseProvider;
15		use SocialConnect\Provider\Exception\InvalidAccessToken;
16		use SocialConnect\Provider\Exception\InvalidResponse;
17		use SocialConnect\Common\Http\Client\Client;
18
19		abstract class AbstractProvider extends AbstractBaseProvider
20		{
21		/**
22		* HTTP method for access token request
23		*
24		* @var string
25		*/
26		protected $requestHttpMethod = Client::POST;
27
28		/**
29		* @return string
30		*/
31		abstract public function getAuthorizeUri();
32
33		/**
34		* @return string
35		*/
36		abstract public function getRequestTokenUri();
37
38		/**
39		* Default parameters for auth url, can be redeclared inside implementation of the Provider
40		*
41		* @return array
42		*/
43	18	public function getAuthUrlParameters()
44		{
45		return [
46	18	'client_id' => $this->consumer->getKey(),
47	18	'redirect_uri' => $this->getRedirectUrl(),
48	18	'response_type' => 'code',
49	18	];
50		}
51
52		/**
53		* 16 bytes / 128 bit / 16 symbols / 32 symbols in hex
54		*/
55		const STATE_BYTES = 16;
56
57		/**
58		* @return string
59		*/
60	36	protected function generateState()
61		{
62	36	if (function_exists('random_bytes')) {
63		return bin2hex(random_bytes(self::STATE_BYTES));
64		}
65
66	36	if (function_exists('openssl_random_pseudo_bytes')) {
67	36	$bytes = openssl_random_pseudo_bytes(self::STATE_BYTES, $strongSource);
68	36	if (!$strongSource) {
		0 ignored issues – show Bug Best Practice introduced 2017-08-26 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$strongSource` of type `boolean\|null` is loosely compared to `false`; this is ambiguous if the boolean can be false. You might want to explicitly use `!== null` instead. If an expression can have both `false`, and `null` as possible values. It is generally a good practice to always use strict comparison to clearly distinguish between those two values. $a = canBeFalseAndNull(); // Instead of if ( ! $a) { } // Better use one of the explicit versions: if ($a !== null) { } if ($a !== false) { } if ($a !== null && $a !== false) { } Loading history...
69		trigger_error(
70		'openssl was unable to use a strong source of entropy. ' .
71		'Consider updating your system libraries, or ensuring ' .
72		'you have more available entropy.',
73		E_USER_WARNING
74		);
75		}
76
77	36	return bin2hex($bytes);
78		}
79
80		trigger_error(
81		'You do not have a safe source of random data available. ' .
82		'Install either the openssl extension, or paragonie/random_compat. ' .
83		'Falling back to an insecure random source.',
84		E_USER_WARNING
85		);
86
87		return md5(
88		time() . mt_rand()
89		);
90		}
91
92		/**
93		* @return string
94		*/
95	18	public function makeAuthUrl()
96		{
97	18	$urlParameters = $this->getAuthUrlParameters();
98
99	18	$this->session->set(
100	18	'oauth2_state',
101	18	$urlParameters['state'] = $this->generateState()
102	18	);
103
104	18	if (count($this->scope) > 0) {
105		$urlParameters['scope'] = $this->getScopeInline();
106		}
107
108	18	if (count($this->fields) > 0) {
109		$urlParameters['fields'] = $this->getFieldsInline();
110		}
111
112	18	return $this->getAuthorizeUri() . '?' . http_build_query($urlParameters);
113		}
114
115		/**
116		* Parse access token from response's $body
117		*
118		* @param string\|bool $body
119		* @return AccessToken
120		* @throws InvalidAccessToken
121		*/
122	3	public function parseToken($body)
123		{
124	3	if (empty($body)) {
125		throw new InvalidAccessToken('Provider response with empty body');
126		}
127
128	3	parse_str($body, $token);
129
130	3	if (!is_array($token) \|\| !isset($token['access_token'])) {
131	2	throw new InvalidAccessToken('Provider API returned an unexpected response');
132		}
133
134	1	return new AccessToken($token);
135		}
136
137		/**
138		* @param string $code
139		* @return \SocialConnect\Common\Http\Request
140		*/
141	19	protected function makeAccessTokenRequest($code)
142		{
143		$parameters = [
144	19	'client_id' => $this->consumer->getKey(),
145	19	'client_secret' => $this->consumer->getSecret(),
146	19	'code' => $code,
147	19	'grant_type' => 'authorization_code',
148	19	'redirect_uri' => $this->getRedirectUrl()
149	19	];
150
151	19	return new \SocialConnect\Common\Http\Request(
152	19	$this->getRequestTokenUri(),
153	19	$parameters,
154	19	$this->requestHttpMethod,
155		[
156		'Content-Type' => 'application/x-www-form-urlencoded'
157	19	]
158	19	);
159		}
160
161		/**
162		* @param string $code
163		* @return AccessToken
164		* @throws InvalidResponse
165		*/
166	36	public function getAccessToken($code)
167		{
168	36	if (!is_string($code)) {
169	18	throw new InvalidArgumentException('Parameter $code must be a string');
170		}
171
172	18	$response = $this->httpClient->fromRequest(
173	18	$this->makeAccessTokenRequest($code)
174	18	);
175
176	18	if (!$response->isSuccess()) {
177	18	throw new InvalidResponse(
178	18	'API response with error code',
179		$response
180	18	);
181		}
182
183		$body = $response->getBody();
184		return $this->parseToken($body);
185		}
186
187		/**
188		* @param array $parameters
189		* @return AccessToken
190		* @throws \SocialConnect\OAuth2\Exception\InvalidState
191		* @throws \SocialConnect\OAuth2\Exception\UnknownState
192		* @throws \SocialConnect\OAuth2\Exception\UnknownAuthorization
193		*/
194	18	public function getAccessTokenByRequestParameters(array $parameters)
195		{
196	18	$state = $this->session->get('oauth2_state');
197	18	if (!$state) {
198		throw new UnknownAuthorization();
199		}
200
201	18	if (isset($parameters['error']) && $parameters['error'] === 'access_denied') {
202	18	throw new Unauthorized();
203		}
204
205		if (!isset($parameters['state'])) {
206		throw new UnknownState();
207		}
208
209		if ($state !== $parameters['state']) {
210		throw new InvalidState();
211		}
212
213		if (!isset($parameters['code'])) {
214		throw new Unauthorized('Unknown code');
215		}
216
217		return $this->getAccessToken($parameters['code']);
218		}
219		}
220

SocialConnect / auth

Push — master ( 4778d8...c5c7c0 )

src/OAuth2/AbstractProvider.php (1 issue)

Showing only issues like (Show All)

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like