cs\modules\OAuth2\OAuth2

Complexity

Total Complexity

56

Size/Duplication

Total Lines	554
Duplicated Lines	0 %

Importance

Changes

0

15 Methods

Rating	Name	Duplication	Size	Complexity
A	del_client()	0	14	1
C	get_token()	0	51	7
A	del_token()	0	23	3
C	add_code()	0	75	7
A	clients_list()	0	3	1
A	construct()	0	5	1
A	add_access()	0	19	3
B	add_client()	0	45	5
C	refresh_token()	0	43	7
A	get_client()	0	13	2
B	del_access()	0	29	4
A	cdb()	0	2	1
A	get_access()	0	17	4
B	get_code()	0	41	5
B	set_client()	0	25	5

<?php
/**
 * @package  OAuth2
 * @category modules
 * @author   Nazar Mokrynskyi <nazar@mokrynskyi.com>
 * @license  0BSD
 */
namespace cs\modules\OAuth2;
use
	cs\Cache\Prefix,
	cs\Config,
	cs\Request,
	cs\Session,
	cs\User,
	cs\DB\Accessor,
	cs\Singleton;

/**
 * @todo Use CRUD trait
 *
 * @method static $this instance($check = false)
 */
class OAuth2 {
	use
		Accessor,
		Singleton;
	/**
	 * @var bool
	 */
	protected $automatic_prolongation;
	/**
	 * @var int
	 */
	protected $expiration;
	/**
	 * @var Prefix
	 */
	protected $cache;
	public function construct () {
		$this->cache                  = new Prefix('OAuth2');
		$module_data                  = Config::instance()->module('OAuth2');
		$this->automatic_prolongation = $module_data->automatic_prolongation;

The property automatic_prolongation does not exist on cs\Config\Module_Properties. Since you implemented __get, consider adding a @property annotation.

		$this->expiration             = $module_data->expiration;

The property expiration does not exist on cs\Config\Module_Properties. Since you implemented __get, consider adding a @property annotation.

It seems like $module_data->expiration can also be of type false. However, the property $expiration is declared as type integer. Maybe add an additional type check?

	}
	/**
	 * Returns database index
	 *
	 * @return int
	 */
	protected function cdb () {
		return Config::instance()->module('OAuth2')->db('oauth2');
	}
	/**
	 * Add new client
	 *
	 * @param string $name
	 * @param string $domain
	 * @param int    $active
	 *
	 * @return false|string            <i>false</i> on failure, id of created client otherwise
	 */
	public function add_client ($name, $domain, $active) {
		if (
			!$domain ||
			strpos($domain, '/') !== false
		) {
			return false;
		}
		/**
		 * Generate hash in cycle, to obtain unique value
		 */
		/** @noinspection LoopWhichDoesNotLoopInspection */
		while (true) {
			$id = md5(random_bytes(1000));
			if ($this->db_prime()->qf(
				"SELECT `id`

'SELECT `id` FROM `[prefix]oauth2_clients` WHERE `id` = ''.$id.'' LIMIT 1' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qf().

				FROM `[prefix]oauth2_clients`
				WHERE `id` = '$id'
				LIMIT 1"
			)
			) {
				continue;
			}
			$this->db_prime()->q(
				"INSERT INTO `[prefix]oauth2_clients`
					(
						`id`,
						`secret`,
						`name`,
						`domain`,
						`active`
					) VALUES (
						'%s',
						'%s',
						'%s',
						'%s',
						'%s'
					)",
				$id,

$id of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

				md5(random_bytes(1000)),
				xap($name),
				xap($domain),
				(int)(bool)$active

(int)(bool)$active of type integer is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

			);
			unset($this->cache->$id);
			return $id;
		}
	}
	/**
	 * Get client data
	 *
	 * @param string $id
	 *
	 * @return array|false
	 */
	public function get_client ($id) {
		if (!is_md5($id)) {
			return false;
		}
		return $this->cache->get(
			$id,
			function () use ($id) {
				return $this->db()->qf(
					"SELECT *

'SELECT * FROM `[prefix]oauth2_clients` WHERE `id` = '%s' LIMIT 1' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qf().

					FROM `[prefix]oauth2_clients`
					WHERE `id`	= '%s'
					LIMIT 1",
					$id
				);
			}
		);
	}
	/**
	 * Set client data
	 *
	 * @param string $id
	 * @param string $secret
	 * @param string $name
	 * @param string $domain
	 * @param int    $active
	 *
	 * @return bool
	 */
	public function set_client ($id, $secret, $name, $domain, $active) {
		if (
			!is_md5($id) ||
			!is_md5($secret) ||
			!$domain ||
			strpos($domain, '/') !== false
		) {
			return false;
		}
		$result = $this->db_prime()->q(
			"UPDATE `[prefix]oauth2_clients`
			SET
				`secret`		= '%s',
				`name`			= '%s',
				`domain`		= '%s',
				`active`		= '%s'
			WHERE `id` = '%s'",
			$secret,

$secret of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

			xap($name),
			xap($domain),
			(int)(bool)$active,

(int)(bool)$active of type integer is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

			$id
		);
		unset($this->cache->$id);
		return !!$result;
	}
	/**
	 * Delete client
	 *
	 * @param string $id
	 *
	 * @return bool
	 */
	public function del_client ($id) {
		$result = $this->db_prime()->q(
			[
				"DELETE FROM `[prefix]oauth2_clients`
				WHERE `id` = '%s'",
				"DELETE FROM `[prefix]oauth2_clients_grant_access`
				WHERE `id`	= '%s'",
				"DELETE FROM `[prefix]oauth2_clients_sessions`
				WHERE `id`	= '%s'"
			],
			$id

$id of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

		);
		unset($this->cache->{'/'});
		return !!$result;
	}
	/**
	 * Get clients list in form of associative array
	 *
	 * @return array|false
	 */
	public function clients_list () {
		return $this->db()->qfa(
			'SELECT *

'SELECT * FROM `[prefix]oauth2_clients`' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qfa().

			FROM `[prefix]oauth2_clients`'
		);
	}
	/**
	 * Grant access for specified client
	 *
	 * @param string $client
	 *
	 * @return bool
	 */
	public function add_access ($client) {
		$User = User::instance();
		if (!$User->user() || !$this->get_client($client)) {
			return false;
		}
		$result = $this->db_prime()->q(
			"INSERT IGNORE INTO `[prefix]oauth2_clients_grant_access`
				(
					`id`,
					`user`
				) VALUES (
					'%s',
					'%s'
				)",
			$client,

$client of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

			$User->id

$User->id of type integer is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

		);
		unset($this->cache->{"grant_access/$User->id"});
		return $result;
	}
	/**
	 * Check granted access for specified client
	 *
	 * @param string   $client
	 * @param bool|int $user If not specified - current user assumed
	 *
	 * @return bool
	 */
	public function get_access ($client, $user = false) {
		$user = (int)$user ?: User::instance()->id;
		if ($user == User::GUEST_ID) {
			return false;
		}
		$clients = $this->cache->get(
			"grant_access/$user",
			function () use ($user) {
				return $this->db()->qfas(
					"SELECT `id`

'SELECT `id` FROM `[prefix]oauth2_clients_grant_access` WHERE `user` = '%s'' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qfas().

					FROM `[prefix]oauth2_clients_grant_access`
					WHERE `user`	= '%s'",
					$user

$user of type integer is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qfas().

				);
			}
		);
		return $clients ? in_array($client, $clients) : false;
	}
	/**
	 * Deny access for specified client/
	 *
	 * @param string   $client If '' - access for all clients will be denied
	 * @param bool|int $user   If not specified - current user assumed
	 *
	 * @return bool
	 */
	public function del_access ($client = '', $user = false) {
		$user = (int)$user ?: User::instance()->id;
		if ($user == User::GUEST_ID) {
			return false;
		}
		$result = $client ? $this->db_prime()->q(
			[
				"DELETE FROM `[prefix]oauth2_clients_grant_access`
				WHERE
					`user`	= $user AND
					`id`	= '%s'",
				"DELETE FROM `[prefix]oauth2_clients_sessions`
				WHERE
					`user`	= $user AND
					`id`	= '%s'"
			],
			$client

$client of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

		) : $this->db_prime()->q(
			[
				"DELETE FROM `[prefix]oauth2_clients_grant_access`
				WHERE
					`user`	= $user",
				"DELETE FROM `[prefix]oauth2_clients_sessions`
				WHERE
					`user`	= $user"
			]
		);
		unset($this->cache->{"grant_access/$user"});
		return $result;
	}
	/**
	 * Adds new code for specified client, code is used to obtain token
	 *
	 * @param string $client
	 * @param string $response_type 'code' or 'token'
	 * @param string $redirect_uri
	 *
	 * @return false|string                    <i>false</i> on failure or code for token access otherwise
	 */
	public function add_code ($client, $response_type, $redirect_uri = '') {
		$Session = Session::instance();
		$client  = $this->get_client($client);
		if (
			!$client ||

The condition $client is always false.

			!$Session->user() ||
			!$this->get_access($client['id'])
		) {
			return false;
		}
		$Request                        = Request::instance();
		$user_agent                     = $Request->header('user-agent');
		$current_session                = $Session->get_id();
		$Request->headers['user-agent'] = "OAuth2-$client[name]-$client[id]";
		$Session->add($Session->get_user(), false);
		$new_session                    = $Session->get_id();
		$Request->headers['user-agent'] = $user_agent;
		$Session->load($current_session);
		unset($user_agent, $current_session);
		/** @noinspection LoopWhichDoesNotLoopInspection */
		while (true) {
			$access_token  = md5(random_bytes(1000));
			$refresh_token = md5($access_token.random_bytes(1000));
			$code          = md5($refresh_token.random_bytes(1000));
			if ($this->db_prime()->qf(
				"SELECT `id`
				FROM `[prefix]oauth2_clients_sessions`
				WHERE
					`access_token`	= '$access_token' OR
					`refresh_token`	= '$refresh_token' OR
					`code`			= '$code'
				LIMIT 1"
			)
			) {
				continue;
			}
			$result = $this->db_prime()->q(
				"INSERT INTO `[prefix]oauth2_clients_sessions`
					(
						`id`,
						`user`,
						`session`,
						`created`,
						`expire`,
						`access_token`,
						`refresh_token`,
						`code`,
						`type`,
						`redirect_uri`
					) VALUES (
						'%s',
						'%s',
						'%s',
						'%s',
						'%s',
						'%s',
						'%s',
						'%s',
						'%s',
						'%s'
					)",
				$client['id'],
				$Session->get_user(),
				$new_session,
				time(),
				time() + $this->expiration,
				$access_token,
				$refresh_token,
				$code,
				$response_type,
				md5($redirect_uri)
			);
			return $result ? $code : false;
		}
		return false;
	}
	/**
	 * Get code data (tokens)
	 *
	 * @param string $code
	 * @param string $client Client id
	 * @param string $secret Client secret
	 * @param string $redirect_uri
	 *
	 * @return array|false                    <i>false</i> on failure, otherwise array
	 *                                        ['access_token' => md5, 'refresh_token' => md5, 'expires_in' => seconds, 'token_type' => 'bearer']<br>
	 *                                        <i>expires_in</i> may be negative
	 */
	public function get_code ($code, $client, $secret, $redirect_uri = '') {
		$client = $this->get_client($client);
		if (!is_md5($code) || !$client || $client['secret'] != $secret) {

The condition $client is always false.

			return false;
		}
		$data = $this->db_prime()->qf(
			"SELECT
				`access_token`,
				`refresh_token`,
				`expire`,
				`user`
			FROM `[prefix]oauth2_clients_sessions`
			WHERE
				`id`			= '%s' AND
				`code`			= '%s' AND
				`redirect_uri`	= '%s'
			LIMIT 1",
			$client['id'],
			$code,
			md5($redirect_uri)
		);
		if (!$data) {
			return false;
		}
		$this->db_prime()->q(
			"UPDATE `[prefix]oauth2_clients_sessions`
			SET `code` = ''
			WHERE
				`id`			= '%s' AND
				`code`			= '%s' AND
				`redirect_uri`	= '%s'",
			$client['id'],
			$code,
			md5($redirect_uri)
		);
		return [
			'access_token'  => $data['access_token'],
			'refresh_token' => $data['refresh_token'],
			'expires_in'    => $data['expire'] - time(),
			'token_type'    => 'bearer',
			'user_id'       => $data['user']
		];
	}
	/**
	 * Get token data
	 *
	 * @param string $access_token
	 *
	 * @return array|false                    <i>false</i> on failure, array ['user' => id, 'session' => id, 'expire' => unix time, 'type' => 'code'|'token']
	 */
	public function get_token ($access_token) {
		if (!is_md5($access_token)) {
			return false;
		}
		$Cache = $this->cache;
		$data  = $Cache->get(
			"tokens/$access_token",
			function () use ($access_token) {
				return $this->db()->qf(
					"SELECT

'SELECT `id` AS `client_id`, `user`, `session`, `expire`, `type` FROM `[prefix]oauth2_clients_sessions` WHERE `access_token` = '%s' LIMIT 1' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qf().

						`id` AS `client_id`,
						`user`,
						`session`,
						`expire`,
						`type`
					FROM `[prefix]oauth2_clients_sessions`
					WHERE
						`access_token`	= '%s'
					LIMIT 1",
					$access_token
				);
			}
		);
		if ($data) {
			if ($data['expire'] < time()) {
				return false;
			}
			if (!$this->get_access($data['client_id'], $data['user'])) {
				$this->db_prime()->q(
					"DELETE FROM `[prefix]oauth2_clients_sessions`
					WHERE `access_token` = '%s'",
					$access_token

$access_token of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

				);
				unset($Cache->{"tokens/$access_token"});
				$data = false;
				/**
				 * Automatic prolongation of tokens' expiration time if configured
				 */
			} elseif ($this->automatic_prolongation && $data['expire'] < time() - $this->expiration * Config::instance()->core['update_ratio'] / 100) {
				$data['expire'] = time() + $this->expiration;
				$this->db_prime()->q(
					"UPDATE `[prefix]oauth2_clients_sessions`
					SET `expire` = '%s'
					WHERE `access_token`	= '%s'",
					$data['expire'],
					$access_token
				);
				$Cache->{"tokens/$access_token"} = $data;
			}
		}
		return $data;
	}
	/**
	 * Del token data (invalidate token)
	 *
	 * @param string $access_token
	 *
	 * @return bool
	 */
	public function del_token ($access_token) {
		if (!is_md5($access_token)) {
			return false;
		}
		$session = $this->db_prime()->qfs(
			"SELECT `session`

'SELECT `session` FROM `[prefix]oauth2_clients_sessions` WHERE `access_token` = '%s' LIMIT 1' of type string is incompatible with the type string[] expected by parameter $query of cs\DB\_Abstract::qfs().

			FROM `[prefix]oauth2_clients_sessions`
			WHERE
				`access_token`	= '%s'
			LIMIT 1",
			$access_token
		);
		if ($this->db_prime()->q(
			"DELETE FROM `[prefix]oauth2_clients_sessions`
			WHERE `access_token`	= '%s'",
			$access_token

$access_token of type string is incompatible with the type array expected by parameter $parameters of cs\DB\_Abstract::q().

		)
		) {
			unset($this->cache->{"tokens/$access_token"});
			Session::instance()->del($session);

It seems like $session can also be of type false; however, parameter $session_id of cs\Session::del() does only seem to accept null|string, maybe add an additional type check?

			return true;
		}
		return false;
	}
	/**
	 * Get new access_token with refresh_token
	 *
	 * @param string $refresh_token
	 * @param string $client Client id
	 * @param string $secret Client secret
	 *
	 * @return array|false <i>false</i> on failure, otherwise array ['access_token' => md5, 'refresh_token' => md5, 'expires_in' => seconds, 'token_type' =>
	 *                     'bearer']
	 */
	public function refresh_token ($refresh_token, $client, $secret) {
		$client = $this->get_client($client);
		if (!is_md5($refresh_token) || !$client || $client['secret'] != $secret) {

The condition $client is always false.

			return false;
		}
		$data = $this->db_prime()->qf(
			"SELECT
				`user`,
				`access_token`,
				`session`
			FROM `[prefix]oauth2_clients_sessions`
			WHERE
				`id`			= '%s' AND
				`refresh_token`	= '%s'
			LIMIT 1",
			$client['id'],
			$refresh_token
		);
		if (!$data) {
			return false;
		}
		$this->db_prime()->q(
			"DELETE FROM `[prefix]oauth2_clients_sessions`
			WHERE
				`id`			= '%s' AND
				`refresh_token`	= '%s'",
			$client['id'],
			$refresh_token
		);
		unset($this->cache->{"tokens/$data[access_token]"});
		$Session = Session::instance();
		$id      = $Session->load($data['session']);
		if ($id != $data['user']) {
			return false;
		}
		$Session->add($id);
		$code = $this->add_code($client['id'], 'code');
		if (!$code) {
			return false;
		}
		$result = $this->get_code($code, $client['id'], $client['secret']);
		$Session->del();
		return $result;
	}
}