OAuthModule::init() - Code Metrics - Inspection of "cleanup OAuth a bit" - fkooman/php-remote-storage - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( edfa43...30ed41 )

by François

created 2017-01-16 09:25 UTC

OAuthModule::init() B

↳ Parent: OAuthModule

Complexity

Conditions	4
Paths	1

Size

Total Lines	69
Code Lines	40

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	69
rs	8.7653
c	0
b	0
f	0
cc	4
eloc	40
nc	1
nop	1

How to fix Long Method

<?php
/**
 *  Copyright (C) 2016 SURFnet.
 *
 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU Affero General Public License as
 *  published by the Free Software Foundation, either version 3 of the
 *  License, or (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU Affero General Public License for more details.
 *
 *  You should have received a copy of the GNU Affero General Public License
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

namespace fkooman\RemoteStorage\OAuth;

use fkooman\RemoteStorage\Http\Exception\HttpException;
use fkooman\RemoteStorage\Http\HtmlResponse;
use fkooman\RemoteStorage\Http\RedirectResponse;
use fkooman\RemoteStorage\Http\Request;
use fkooman\RemoteStorage\Http\Service;
use fkooman\RemoteStorage\Http\ServiceModuleInterface;
use fkooman\RemoteStorage\RandomInterface;
use fkooman\RemoteStorage\TplInterface;

class OAuthModule implements ServiceModuleInterface
{
    /** @var \fkooman\RemoteStorage\TplInterface */
    private $tpl;

    /** @var \fkooman\RemoteStorage\RandomInterface */
    private $random;

    /** @var TokenStorage */
    private $tokenStorage;

    public function __construct(TplInterface $tpl, RandomInterface $random, TokenStorage $tokenStorage)
    {
        $this->tpl = $tpl;
        $this->random = $random;
        $this->tokenStorage = $tokenStorage;
    }

    public function init(Service $service)
    {
        $service->get(
            '/_oauth/authorize',
            function (Request $request) {
                $this->validateRequest($request);
                $this->validateClient($request);

                // ask for approving this client/scope
                return new HtmlResponse(
                    $this->tpl->render(
                        'authorizeOAuthClient',
                        [
                            'client_id' => $request->getQueryParameter('client_id'),
                            'scope' => $request->getQueryParameter('scope'),
                            'redirect_uri' => $request->getQueryParameter('redirect_uri'),
                        ]
                    )
                );
            }
        );

        $service->post(
            '/_oauth/authorize',
            function (Request $request, array $hookData) {
                $userId = $hookData['auth'];

                $this->validateRequest($request);
                $this->validateClient($request);

                // state is OPTIONAL in remoteStorage specification
                $state = $request->getQueryParameter('state', false, null);
                $returnUriPattern = '%s#%s';

                if ('no' === $request->getPostParameter('approve')) {
                    $redirectParameters = [
                        'error' => 'access_denied',
                        'error_description' => 'user refused authorization',
                    ];
                    if (!is_null($state)) {
                        $redirectParameters['state'] = $state;
                    }
                    $redirectQuery = http_build_query($redirectParameters);

                    $redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery);

                    return new RedirectResponse($redirectUri, 302);
                }

                $accessToken = $this->getAccessToken(
                    $userId,
                    $request->getQueryParameter('client_id'),
                    $request->getQueryParameter('scope')
                );

                // add access_token (and optionally state) to redirect_uri
                $redirectParameters = [
                    'access_token' => $accessToken,
                ];
                if (!is_null($state)) {
                    $redirectParameters['state'] = $state;
                }
                $redirectQuery = http_build_query($redirectParameters);
                $redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery);

                return new RedirectResponse($redirectUri, 302);
            }
        );
    }

    private function getAccessToken($userId, $clientId, $scope)
    {
        $existingToken = $this->tokenStorage->getExistingToken(
            $userId,
            $clientId,
            $scope
        );

        if (false !== $existingToken) {
            // if the user already has an access_token for this client and
            // scope, reuse it
            $accessTokenKey = $existingToken['access_token_key'];
            $accessToken = $existingToken['access_token'];
        } else {
            // generate a new one
            $accessTokenKey = $this->random->get(8);
            $accessToken = $this->random->get(16);
            // store it
            $this->tokenStorage->store(
                $userId,
                $accessTokenKey,
                $accessToken,
                $clientId,
                $scope
            );
        }

        return sprintf('%s.%s', $accessTokenKey, $accessToken);
    }

    private function validateRequest(Request $request)
    {
        // we enforce that all parameter are set, nothing is "OPTIONAL"
        $clientId = $request->getQueryParameter('client_id');
        if (1 !== preg_match('/^[\x20-\x7E]+$/', $clientId)) {
            throw new HttpException('invalid client_id', 400);
        }

        // XXX we also should enforce HTTPS
        $redirectUri = $request->getQueryParameter('redirect_uri');
        // XXX MUST not have "?"
        if (false === filter_var($redirectUri, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) {

            throw new HttpException('invalid redirect_uri', 400);
        }
        $responseType = $request->getQueryParameter('response_type');
        if ('token' !== $responseType) {
            throw new HttpException('invalid response_type', 400);
        }
        $scope = $request->getQueryParameter('scope');
        $scopeTokens = explode(' ', $scope);
        foreach ($scopeTokens as $scopeToken) {
            if (1 !== preg_match('/^\x21|[\x23-\x5B]|[\x5D-\x7E]+$/', $scopeToken)) {
                throw new HttpException('invalid scope', 400);
            }
        }

        $state = $request->getQueryParameter('state', false, null);
        if (!is_null($state)) {
            if (1 !== preg_match('/^[\x20-\x7E]+$/', $state)) {
                throw new HttpException('invalid state', 400);
            }
        }
    }

    private function validateClient(Request $request)
    {
        $clientId = $request->getQueryParameter('client_id');
        $redirectUri = $request->getQueryParameter('redirect_uri');

        // redirectUri has to start with clientId (or be equal)
        if (0 !== strpos($redirectUri, $clientId)) {
            throw new HttpException('"redirect_uri" does not match "client_id"', 400);
        }
    }
}


1		<?php
2		/**
3		* Copyright (C) 2016 SURFnet.
4		*
5		* This program is free software: you can redistribute it and/or modify
6		* it under the terms of the GNU Affero General Public License as
7		* published by the Free Software Foundation, either version 3 of the
8		* License, or (at your option) any later version.
9		*
10		* This program is distributed in the hope that it will be useful,
11		* but WITHOUT ANY WARRANTY; without even the implied warranty of
12		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		* GNU Affero General Public License for more details.
14		*
15		* You should have received a copy of the GNU Affero General Public License
16		* along with this program. If not, see <http://www.gnu.org/licenses/>.
17		*/
18
19		namespace fkooman\RemoteStorage\OAuth;
20
21		use fkooman\RemoteStorage\Http\Exception\HttpException;
22		use fkooman\RemoteStorage\Http\HtmlResponse;
23		use fkooman\RemoteStorage\Http\RedirectResponse;
24		use fkooman\RemoteStorage\Http\Request;
25		use fkooman\RemoteStorage\Http\Service;
26		use fkooman\RemoteStorage\Http\ServiceModuleInterface;
27		use fkooman\RemoteStorage\RandomInterface;
28		use fkooman\RemoteStorage\TplInterface;
29
30		class OAuthModule implements ServiceModuleInterface
31		{
32		/** @var \fkooman\RemoteStorage\TplInterface */
33		private $tpl;
34
35		/** @var \fkooman\RemoteStorage\RandomInterface */
36		private $random;
37
38		/** @var TokenStorage */
39		private $tokenStorage;
40
41		public function __construct(TplInterface $tpl, RandomInterface $random, TokenStorage $tokenStorage)
42		{
43		$this->tpl = $tpl;
44		$this->random = $random;
45		$this->tokenStorage = $tokenStorage;
46		}
47
48		public function init(Service $service)
49		{
50		$service->get(
51		'/_oauth/authorize',
52		function (Request $request) {
53		$this->validateRequest($request);
54		$this->validateClient($request);
55
56		// ask for approving this client/scope
57		return new HtmlResponse(
58		$this->tpl->render(
59		'authorizeOAuthClient',
60		[
61		'client_id' => $request->getQueryParameter('client_id'),
62		'scope' => $request->getQueryParameter('scope'),
63		'redirect_uri' => $request->getQueryParameter('redirect_uri'),
64		]
65		)
66		);
67		}
68		);
69
70		$service->post(
71		'/_oauth/authorize',
72		function (Request $request, array $hookData) {
73		$userId = $hookData['auth'];
74
75		$this->validateRequest($request);
76		$this->validateClient($request);
77
78		// state is OPTIONAL in remoteStorage specification
79		$state = $request->getQueryParameter('state', false, null);
80		$returnUriPattern = '%s#%s';
81
82		if ('no' === $request->getPostParameter('approve')) {
83		$redirectParameters = [
84		'error' => 'access_denied',
85		'error_description' => 'user refused authorization',
86		];
87		if (!is_null($state)) {
88		$redirectParameters['state'] = $state;
89		}
90		$redirectQuery = http_build_query($redirectParameters);
91
92		$redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery);
93
94		return new RedirectResponse($redirectUri, 302);
95		}
96
97		$accessToken = $this->getAccessToken(
98		$userId,
99		$request->getQueryParameter('client_id'),
100		$request->getQueryParameter('scope')
101		);
102
103		// add access_token (and optionally state) to redirect_uri
104		$redirectParameters = [
105		'access_token' => $accessToken,
106		];
107		if (!is_null($state)) {
108		$redirectParameters['state'] = $state;
109		}
110		$redirectQuery = http_build_query($redirectParameters);
111		$redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery);
112
113		return new RedirectResponse($redirectUri, 302);
114		}
115		);
116		}
117
118		private function getAccessToken($userId, $clientId, $scope)
119		{
120		$existingToken = $this->tokenStorage->getExistingToken(
121		$userId,
122		$clientId,
123		$scope
124		);
125
126		if (false !== $existingToken) {
127		// if the user already has an access_token for this client and
128		// scope, reuse it
129		$accessTokenKey = $existingToken['access_token_key'];
130		$accessToken = $existingToken['access_token'];
131		} else {
132		// generate a new one
133		$accessTokenKey = $this->random->get(8);
134		$accessToken = $this->random->get(16);
135		// store it
136		$this->tokenStorage->store(
137		$userId,
138		$accessTokenKey,
139		$accessToken,
140		$clientId,
141		$scope
142		);
143		}
144
145		return sprintf('%s.%s', $accessTokenKey, $accessToken);
146		}
147
148		private function validateRequest(Request $request)
149		{
150		// we enforce that all parameter are set, nothing is "OPTIONAL"
151		$clientId = $request->getQueryParameter('client_id');
152		if (1 !== preg_match('/^[\x20-\x7E]+$/', $clientId)) {
153		throw new HttpException('invalid client_id', 400);
154		}
155
156		// XXX we also should enforce HTTPS
157		$redirectUri = $request->getQueryParameter('redirect_uri');
158		// XXX MUST not have "?"
159	View Code Duplication	if (false === filter_var($redirectUri, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED \| FILTER_FLAG_HOST_REQUIRED \| FILTER_FLAG_PATH_REQUIRED)) {
		0 ignored issues – show Duplication introduced 2017-01-13 10:38 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
160		throw new HttpException('invalid redirect_uri', 400);
161		}
162		$responseType = $request->getQueryParameter('response_type');
163		if ('token' !== $responseType) {
164		throw new HttpException('invalid response_type', 400);
165		}
166		$scope = $request->getQueryParameter('scope');
167		$scopeTokens = explode(' ', $scope);
168		foreach ($scopeTokens as $scopeToken) {
169		if (1 !== preg_match('/^\x21\|[\x23-\x5B]\|[\x5D-\x7E]+$/', $scopeToken)) {
170		throw new HttpException('invalid scope', 400);
171		}
172		}
173
174		$state = $request->getQueryParameter('state', false, null);
175		if (!is_null($state)) {
176		if (1 !== preg_match('/^[\x20-\x7E]+$/', $state)) {
177		throw new HttpException('invalid state', 400);
178		}
179		}
180		}
181
182		private function validateClient(Request $request)
183		{
184		$clientId = $request->getQueryParameter('client_id');
185		$redirectUri = $request->getQueryParameter('redirect_uri');
186
187		// redirectUri has to start with clientId (or be equal)
188		if (0 !== strpos($redirectUri, $clientId)) {
189		throw new HttpException('"redirect_uri" does not match "client_id"', 400);
190		}
191		}
192		}
193

fkooman / php-remote-storage

GitHub Access Token became invalid

Push — master ( edfa43...30ed41 )

OAuthModule::init() B

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like