|
1
|
|
|
<?php namespace Nord\Lumen\OAuth2; |
|
2
|
|
|
|
|
3
|
|
|
use League\OAuth2\Server\Grant\AuthCodeGrant; |
|
4
|
|
|
use Nord\Lumen\OAuth2\Contracts\OAuth2Service as OAuth2ServiceContract; |
|
5
|
|
|
use League\OAuth2\Server\AuthorizationServer; |
|
6
|
|
|
use League\OAuth2\Server\ResourceServer; |
|
7
|
|
|
|
|
8
|
|
|
class OAuth2Service implements OAuth2ServiceContract |
|
9
|
|
|
{ |
|
10
|
|
|
|
|
11
|
|
|
/** |
|
12
|
|
|
* @var AuthorizationServer |
|
13
|
|
|
*/ |
|
14
|
|
|
private $authorizationServer; |
|
15
|
|
|
|
|
16
|
|
|
/** |
|
17
|
|
|
* @var ResourceServer |
|
18
|
|
|
*/ |
|
19
|
|
|
private $resourceServer; |
|
20
|
|
|
|
|
21
|
|
|
|
|
22
|
|
|
/** |
|
23
|
|
|
* OAuth2Server constructor. |
|
24
|
|
|
* |
|
25
|
|
|
* @param AuthorizationServer $authorizationServer |
|
26
|
|
|
* @param ResourceServer $resourceServer |
|
27
|
|
|
*/ |
|
28
|
|
|
public function __construct(AuthorizationServer $authorizationServer, ResourceServer $resourceServer) |
|
29
|
|
|
{ |
|
30
|
|
|
$this->authorizationServer = $authorizationServer; |
|
31
|
|
|
$this->resourceServer = $resourceServer; |
|
32
|
|
|
} |
|
33
|
|
|
|
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* @return array |
|
37
|
|
|
* @throws \League\OAuth2\Server\Exception\InvalidRequestException |
|
38
|
|
|
* @throws \League\OAuth2\Server\Exception\UnsupportedGrantTypeException |
|
39
|
|
|
*/ |
|
40
|
|
|
public function issueAccessToken() |
|
41
|
|
|
{ |
|
42
|
|
|
return $this->authorizationServer->issueAccessToken(); |
|
43
|
|
|
} |
|
44
|
|
|
|
|
45
|
|
|
|
|
46
|
|
|
/** |
|
47
|
|
|
* @param bool $headersOnly |
|
48
|
|
|
* @param null|string $accessToken |
|
49
|
|
|
* |
|
50
|
|
|
* @return bool |
|
51
|
|
|
* @throws \League\OAuth2\Server\Exception\AccessDeniedException |
|
52
|
|
|
*/ |
|
53
|
|
|
public function validateAccessToken($headersOnly = true, $accessToken = null) |
|
54
|
|
|
{ |
|
55
|
|
|
return $this->resourceServer->isValidRequest($headersOnly, $accessToken); |
|
|
|
|
|
|
56
|
|
|
} |
|
57
|
|
|
|
|
58
|
|
|
|
|
59
|
|
|
/** |
|
60
|
|
|
* @return string |
|
61
|
|
|
*/ |
|
62
|
|
|
public function getResourceOwnerId() |
|
63
|
|
|
{ |
|
64
|
|
|
// TODO: Calling validateAccessToken is kind of a hack, but it is necessary in order to load the access token. |
|
65
|
|
|
$this->validateAccessToken(); |
|
66
|
|
|
|
|
67
|
|
|
return $this->resourceServer->getAccessToken()->getSession()->getOwnerId(); |
|
68
|
|
|
} |
|
69
|
|
|
|
|
70
|
|
|
|
|
71
|
|
|
/** |
|
72
|
|
|
* @return string |
|
73
|
|
|
*/ |
|
74
|
|
|
public function getResourceOwnerType() |
|
75
|
|
|
{ |
|
76
|
|
|
// TODO: Calling validateAccessToken is kind of a hack, but it is necessary in order to load the access token. |
|
77
|
|
|
$this->validateAccessToken(); |
|
78
|
|
|
|
|
79
|
|
|
return $this->resourceServer->getAccessToken()->getSession()->getOwnerType(); |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
|
|
83
|
|
|
/** |
|
84
|
|
|
* @return string |
|
85
|
|
|
*/ |
|
86
|
|
|
public function getClientId() |
|
87
|
|
|
{ |
|
88
|
|
|
// TODO: Calling validateAccessToken is kind of a hack, but it is necessary in order to load the access token. |
|
89
|
|
|
$this->validateAccessToken(); |
|
90
|
|
|
|
|
91
|
|
|
return $this->resourceServer->getAccessToken()->getSession()->getClient()->getId(); |
|
92
|
|
|
} |
|
93
|
|
|
|
|
94
|
|
|
/** |
|
95
|
|
|
* Check authorize parameters |
|
96
|
|
|
* |
|
97
|
|
|
* @return array Authorize request parameters |
|
98
|
|
|
* @throws \League\OAuth2\Server\Exception\InvalidRequestException |
|
99
|
|
|
* @throws \League\OAuth2\Server\Exception\InvalidClientException |
|
100
|
|
|
* @throws \League\OAuth2\Server\Exception\UnsupportedResponseTypeException |
|
101
|
|
|
*/ |
|
102
|
|
|
public function checkAuthorizeParams() |
|
103
|
|
|
{ |
|
104
|
|
|
if ($this->authorizationServer->hasGrantType('authorization_code')) { |
|
105
|
|
|
/** @var AuthCodeGrant $authGrant */ |
|
106
|
|
|
$authGrant = $this->authorizationServer->getGrantType('authorization_code'); |
|
107
|
|
|
return $authGrant->checkAuthorizeParams(); |
|
108
|
|
|
} |
|
109
|
|
|
|
|
110
|
|
|
return []; |
|
111
|
|
|
} |
|
112
|
|
|
|
|
113
|
|
|
/** |
|
114
|
|
|
* Parse a new authorize request |
|
115
|
|
|
* |
|
116
|
|
|
* @param string $type The session owner's type |
|
117
|
|
|
* @param string $typeId The session owner's ID |
|
118
|
|
|
* @param array $authParams The authorize request $_GET parameters |
|
119
|
|
|
* |
|
120
|
|
|
* @return string |
|
121
|
|
|
*/ |
|
122
|
|
|
public function newAuthorizeRequest($type, $typeId, $authParams = []) |
|
123
|
|
|
{ |
|
124
|
|
|
if ($this->authorizationServer->hasGrantType('authorization_code')) { |
|
125
|
|
|
/** @var AuthCodeGrant $authGrant */ |
|
126
|
|
|
$authGrant = $this->authorizationServer->getGrantType('authorization_code'); |
|
127
|
|
|
return $authGrant->newAuthorizeRequest($type, $typeId, $authParams); |
|
128
|
|
|
} |
|
129
|
|
|
|
|
130
|
|
|
return ''; |
|
131
|
|
|
} |
|
132
|
|
|
} |
|
133
|
|
|
|
nordsoftware /
lumen-oauth2
This check looks at variables that have been passed in as parameters and are passed out again to other methods.
If the outgoing method call has stricter type requirements than the method itself, an issue is raised.
An additional type check may prevent trouble.