AuthorizationEndpoint - Code Metrics - Inspection of "open ID" - php-guard/oauth-server - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( aebd05...0c0a9d )

by Alexandre

created 2018-01-26 16:42 UTC

AuthorizationEndpoint B

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	277
Duplicated Lines	0 %

Test Coverage

Coverage

59.38%

Importance

Changes

Metric	Value
dl	0
loc	277
ccs	76
cts	128
cp	0.5938
rs	8.3673
c	0
b	0
f	0
wmc	45

3 Methods

Rating	Name	Size	Complexity
C	checkClientRedirectUri()	52	15
B	handle()	62	7
D	verify()	118	23

How to fix Complexity

<?php
/**
 * Created by PhpStorm.
 * User: Alexandre
 * Date: 07/01/2018
 * Time: 13:57
 */

namespace OAuth2\Endpoints;


use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use OAuth2\Config;
use OAuth2\EndpointMessages\Authorization\AuthorizationRequest;
use OAuth2\EndpointMessages\Authorization\AuthorizationResponse;
use OAuth2\EndpointMessages\Authorization\ErrorResponse;
use OAuth2\Exceptions\OAuthException;
use OAuth2\ResponseTypes\ResponseTypeInterface;
use OAuth2\Roles\ClientInterface;
use OAuth2\Roles\Clients\RegisteredClient;
use OAuth2\Roles\ResourceOwnerInterface;
use OAuth2\Storages\ClientStorageInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\UriInterface;

class AuthorizationEndpoint extends AbstractEndpoint
{
    /**
     * https://github.com/authbucket/oauth2-php/blob/master/src/GrantType/AuthorizationCodeGrantTypeHandler.php
     *
     *
     * @param ServerRequestInterface $request
     * @param ResourceOwnerInterface $resourceOwner
     * @return ResponseInterface
     * @internal param bool|null $authorizationDecision
     * @internal param array|null $scopeRestrictedByResourceOwner
     */
    function handle(ServerRequestInterface $request, ResourceOwnerInterface $resourceOwner): ResponseInterface

    {
        /**
         * @var RegisteredClient $client
         */
        $result = $this->verify($request);
        if ($result instanceof Response) {
            return $result;
        }

        /**
         * @var RegisteredClient $client
         * @var array $responseTypes
         * @var Uri $redirectUri
         * @var array|null $scope
         * @var string|null $responseMode
         * @var bool $isInsecure
         */
        extract($result);

        $authorizationRequest = AuthorizationRequest::createFromServerRequest($request);

        try {
/*

            if (!$authorizationDecision) {
                throw new OAuthException('access_denied',
                    'The resource owner server denied the request',
                    'https://tools.ietf.org/html/rfc6749#section-4.1.1');
            }
*/
//            $scope = $scopeRestrictedByResourceOwner ? $scopeRestrictedByResourceOwner : $scope;

            $data = [];

            /**
             * @var ResponseTypeInterface $responseType
             * @var Uri $redirectUri
             */
            foreach ($responseTypes as $responseType) {
                $result = $responseType->handle($request, $resourceOwner, $client, $scope);

                $data = array_merge($data, $result);
            }
        } catch (OAuthException $e) {
            return new ErrorResponse($redirectUri, $e->getError(),
                $e->getErrorDescription(),
                $e->getErrorUri(),
                $authorizationRequest->getState());
        }

        if ($authorizationRequest->getState()) {
            $data['state'] = $authorizationRequest->getState();
        }

        if ($responseMode == ResponseTypeInterface::RESPONSE_MODE_QUERY) {
            foreach ($data as $k => $v) {
                $redirectUri = Uri::withQueryValue($redirectUri, $k, $v);
            }
        } else {
            $redirectUri = $redirectUri->withFragment(http_build_query($data));
        }

        return new AuthorizationResponse($redirectUri);
    }

    /**
     * Renvoie une réponse si une erreur survient, null sinon,  le client et la redirect_uri sont des parametres int/out
     * @param ServerRequestInterface $request
     * @return Response|array
     * @throws \Exception
     */
    protected function verify(ServerRequestInterface $request)
    {
        $authorizationRequest = AuthorizationRequest::createFromServerRequest($request);

        if (!$authorizationRequest->getClientId()) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Missing a required parameter : client_id',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        /**
         * @var ClientStorageInterface $clientStorage
         */
        $clientStorage = $this->server->getStorageRepository()->getStorage('client');

        $client = $clientStorage->get($authorizationRequest->getClientId());
        if (!$client) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Invalid parameter : client_id',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }
        if (!$client instanceof RegisteredClient) {

            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Client type is not supported',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        try {
            $redirectUri = $this->checkClientRedirectUri($client, $authorizationRequest->getRedirectUri());
        } catch (\Exception $e) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => $e->getMessage(),
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        try {
            if (!$authorizationRequest->getResponseType()) {
                throw new OAuthException('invalid_request',
                    'Missing a required parameter : response_type',
                    'https://tools.ietf.org/html/rfc6749#section-4.1'
                );
            }

            if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_STATE) &&
                !$authorizationRequest->getState()) {
                throw new OAuthException('invalid_request',
                    'Missing a required parameter : state',
                    'https://tools.ietf.org/html/rfc6749#section-4.1'
                );
            }

            $enforceTls = $this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_TLS);
            $responseMode = ResponseTypeInterface::RESPONSE_MODE_QUERY;
            $isImplicit = false;
            $isInsecure = false;
            $responseTypes = [];
            foreach (explode(' ', $authorizationRequest->getResponseType()) as $responseTypeName) {
                $responseType = $this->server->getResponseTypeRepository()->getResponseType($responseTypeName);
                if (!$responseType) {
                    throw new OAuthException('unsupported_response_type',
                        'Invalid response_type parameter',
                        'https://tools.ietf.org/html/rfc6749#section-3.1.1');
                }

                if (($enforceTls == true && !$redirectUri->getScheme() != 'https') ||
                    (is_null($enforceTls) && $responseType->requireTLS() && !$redirectUri->getScheme() != 'https')) {
                    if (is_null($enforceTls) && !$client->isTLSSupported()) {
                        $isInsecure = true;
                    } else {
                        throw new OAuthException('access_denied',
                            'Require the use of TLS for the redirect URI',
                            'https://tools.ietf.org/html/rfc6749#section-3.1.2.1');
                    }
                }

                $responseType->verifyRequest($request);
                $responseTypes[] = $responseType;

                if ($responseType->getDefaultResponseMode() == ResponseTypeInterface::RESPONSE_MODE_FRAGMENT) {
                    $responseMode = $responseType->getDefaultResponseMode();
                }

                if ($responseType->isImplicit()) {
                    $isImplicit = true;
                }
            }

            if ($isImplicit && !$client->isImplicitAllowed()) {
                throw new OAuthException('unauthorized_client',
                    'Client is not allowed to use implicit grant',
                    'https://tools.ietf.org/html/rfc6749#section-3.1.1');
            }

            $scopePolicyManager = $this->server->getScopePolicyManager();

            $scope = $scopePolicyManager->getScopeArray($client, $authorizationRequest->getScope());
            if (!$scopePolicyManager->checkScope($client, $scope)) {
                $supportedScopes = implode(', ', $scopePolicyManager->getSupportedScopes($client));
                throw new OAuthException('invalid_scope',
                    'Some of requested scopes are not supported. Scope supported : ' . $supportedScopes,
                    'https://tools.ietf.org/html/rfc6749#section-4.1');
            }

        } catch (OAuthException $e) {
            return new ErrorResponse($redirectUri,
                $e->getError(), $e->getErrorDescription(), $e->getErrorUri(),
                $authorizationRequest->getState());
        }

        return compact('client', 'responseTypes', 'redirectUri', 'scope', 'responseMode', 'isInsecure');
    }

    /**
     * @see https://tools.ietf.org/html/rfc6749#section-3.1.2.3
     *
     * Dynamic Configuration
     *
     *     If multiple redirection URIs have been registered, if only part of
     * the redirection URI has been registered, or if no redirection URI has
     * been registered, the client MUST include a redirection URI with the
     * authorization request using the "redirect_uri" request parameter.
     *
     * When a redirection URI is included in an authorization request, the
     * authorization server MUST compare and match the value received
     * against at least one of the registered redirection URIs (or URI
     * components) as defined in [RFC3986] Section 6, if any redirection
     * URIs were registered.  If the client registration included the full
     * redirection URI, the authorization server MUST compare the two URIs
     * using simple string comparison as defined in [RFC3986] Section 6.2.1
     *
     * @param ClientInterface|RegisteredClient $client
     * @param null|string $redirectUri
     * @return UriInterface
     * @throws \Exception
     */
    private function checkClientRedirectUri(ClientInterface $client, ?string $redirectUri) : UriInterface
    {
        if (!$redirectUri) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_REDIRECT_URI)) {
                throw new \Exception('A redirect URI must be supplied');
            }
            if (empty($client->getRedirectUris())) {
                throw new \Exception('No redirect URI was supplied or stored');
            }
            if (count($client->getRedirectUris()) > 1) {
                throw new \Exception('A redirect URI must be supplied when multiple redirect URIs are registered');
            }
            $redirectUri = new Uri($client->getRedirectUris()[0]);
        } else {
            $redirectUri = new Uri($redirectUri);
            if ($redirectUri->getFragment()) {
                throw new \Exception('The redirect URI must not contain a fragment');
            }
            if (empty($client->getRedirectUris())) {
                if ($client->requireRedirectUri()) {
                    throw new \Exception('A redirect URI must be stored');
                } else {
                    return $redirectUri;
                }
            }
            $redirectUriWithoutQuery = Uri::composeComponents(
                $redirectUri->getScheme(), $redirectUri->getAuthority(), $redirectUri->getPath(), '', '');
            $match = false;
            foreach ($client->getRedirectUris() as $registeredUri) {
                $registeredUri = new Uri($registeredUri);
                if ($registeredUri->getQuery()) {
                    if ($registeredUri->__toString() === $redirectUri->__toString()) {
                        $match = true;
                        break;
                    }
                } else {
                    if ($this->server->getConfigurationRepository()->getConfig(Config::STRICT_REDIRECT_URI_COMPARISON)) {
                        if ($registeredUri->__toString() === $redirectUri->__toString()) {
                            $match = true;
                            break;
                        }
                    } else if ($registeredUri->__toString() === $redirectUriWithoutQuery) {
                        $match = true;
                        break;
                    }
                }
            }
            if (!$match) {
                throw new \Exception('The redirect URI provided is missing or does not match');
            }
        }
        return $redirectUri;
    }
}

1		<?php
2		/**
3		* Created by PhpStorm.
4		* User: Alexandre
5		* Date: 07/01/2018
6		* Time: 13:57
7		*/
8
9		namespace OAuth2\Endpoints;
10
11
12		use GuzzleHttp\Psr7\Response;
13		use GuzzleHttp\Psr7\Uri;
14		use OAuth2\Config;
15		use OAuth2\EndpointMessages\Authorization\AuthorizationRequest;
16		use OAuth2\EndpointMessages\Authorization\AuthorizationResponse;
17		use OAuth2\EndpointMessages\Authorization\ErrorResponse;
18		use OAuth2\Exceptions\OAuthException;
19		use OAuth2\ResponseTypes\ResponseTypeInterface;
20		use OAuth2\Roles\ClientInterface;
21		use OAuth2\Roles\Clients\RegisteredClient;
22		use OAuth2\Roles\ResourceOwnerInterface;
23		use OAuth2\Storages\ClientStorageInterface;
24		use Psr\Http\Message\ResponseInterface;
25		use Psr\Http\Message\ServerRequestInterface;
26		use Psr\Http\Message\UriInterface;
27
28		class AuthorizationEndpoint extends AbstractEndpoint
29		{
30		/**
31		* https://github.com/authbucket/oauth2-php/blob/master/src/GrantType/AuthorizationCodeGrantTypeHandler.php
32		*
33		*
34		* @param ServerRequestInterface $request
35		* @param ResourceOwnerInterface $resourceOwner
36		* @return ResponseInterface
37		* @internal param bool\|null $authorizationDecision
38		* @internal param array\|null $scopeRestrictedByResourceOwner
39		*/
40		function handle(ServerRequestInterface $request, ResourceOwnerInterface $resourceOwner): ResponseInterface
		0 ignored issues – show Best Practice introduced 2018-01-26 16:44 UTC by Report Bug Copy Issue Report It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
41	4	{
42		/**
43		* @var RegisteredClient $client
44		*/
45		$result = $this->verify($request);
46		if ($result instanceof Response) {
47	4	return $result;
48	4	}
49	1
50		/**
51		* @var RegisteredClient $client
52		* @var array $responseTypes
53		* @var Uri $redirectUri
54		* @var array\|null $scope
55		* @var string\|null $responseMode
56		* @var bool $isInsecure
57		*/
58		extract($result);
59
60	3	$authorizationRequest = AuthorizationRequest::createFromServerRequest($request);
61
62	3	try {
63		/*
		0 ignored issues – show Unused Code Comprehensibility introduced 2018-01-26 16:44 UTC by Report Bug Copy Issue Report `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
64		if (!$authorizationDecision) {
65		throw new OAuthException('access_denied',
66	3	'The resource owner server denied the request',
67		'https://tools.ietf.org/html/rfc6749#section-4.1.1');
68		}
69		*/
70		// $scope = $scopeRestrictedByResourceOwner ? $scopeRestrictedByResourceOwner : $scope;
		0 ignored issues – show Unused Code Comprehensibility introduced 2018-01-26 16:44 UTC by Report Bug Copy Issue Report `47%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
71		$data = [];
72	3
73	3	/**
74		* @var ResponseTypeInterface $responseType
75		* @var Uri $redirectUri
76		*/
77		foreach ($responseTypes as $responseType) {
78		$result = $responseType->handle($request, $resourceOwner, $client, $scope);
79	3
80	3	$data = array_merge($data, $result);
81		}
82	3	} catch (OAuthException $e) {
83		return new ErrorResponse($redirectUri, $e->getError(),
84		$e->getErrorDescription(),
85		$e->getErrorUri(),
86		$authorizationRequest->getState());
87		}
88
89		if ($authorizationRequest->getState()) {
90		$data['state'] = $authorizationRequest->getState();
91	3	}
92
93		if ($responseMode == ResponseTypeInterface::RESPONSE_MODE_QUERY) {
94		foreach ($data as $k => $v) {
95	3	$redirectUri = Uri::withQueryValue($redirectUri, $k, $v);
96	2	}
97	2	} else {
98		$redirectUri = $redirectUri->withFragment(http_build_query($data));
99		}
100	1
101		return new AuthorizationResponse($redirectUri);
102		}
103	3
104		/**
105		* Renvoie une réponse si une erreur survient, null sinon, le client et la redirect_uri sont des parametres int/out
106		* @param ServerRequestInterface $request
107		* @return Response\|array
108		* @throws \Exception
109		*/
110		protected function verify(ServerRequestInterface $request)
111		{
112	4	$authorizationRequest = AuthorizationRequest::createFromServerRequest($request);
113
114	4	if (!$authorizationRequest->getClientId()) {
115		return new Response(400, [], json_encode([
116	4	'error' => 'invalid_request',
117		'error_description' => 'Missing a required parameter : client_id',
118		'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
119		]));
120		}
121
122		/**
123		* @var ClientStorageInterface $clientStorage
124	4	*/
125		$clientStorage = $this->server->getStorageRepository()->getStorage('client');
126
127		$client = $clientStorage->get($authorizationRequest->getClientId());
128		if (!$client) {
129		return new Response(400, [], json_encode([
130		'error' => 'invalid_request',
131		'error_description' => 'Invalid parameter : client_id',
132		'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
133		]));
134		}
135	4	if (!$client instanceof RegisteredClient) {
		0 ignored issues – show introduced 2018-01-26 16:44 UTC by Report Bug Copy Issue Report The condition `! $client instanceof OAu...lients\RegisteredClient` can never be `true`. Loading history...
136		return new Response(400, [], json_encode([
137	4	'error' => 'invalid_request',
138	4	'error_description' => 'Client type is not supported',
139		'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
140		]));
141		}
142
143		try {
144		$redirectUri = $this->checkClientRedirectUri($client, $authorizationRequest->getRedirectUri());
145	4	} catch (\Exception $e) {
146		return new Response(400, [], json_encode([
147		'error' => 'invalid_request',
148		'error_description' => $e->getMessage(),
149		'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
150		]));
151		}
152
153		try {
154	4	if (!$authorizationRequest->getResponseType()) {
155		throw new OAuthException('invalid_request',
156		'Missing a required parameter : response_type',
157		'https://tools.ietf.org/html/rfc6749#section-4.1'
158		);
159		}
160
161		if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_STATE) &&
162		!$authorizationRequest->getState()) {
163		throw new OAuthException('invalid_request',
164	4	'Missing a required parameter : state',
165		'https://tools.ietf.org/html/rfc6749#section-4.1'
166		);
167		}
168
169		$enforceTls = $this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_TLS);
170		$responseMode = ResponseTypeInterface::RESPONSE_MODE_QUERY;
171	4	$isImplicit = false;
172	4	$isInsecure = false;
173		$responseTypes = [];
174		foreach (explode(' ', $authorizationRequest->getResponseType()) as $responseTypeName) {
175		$responseType = $this->server->getResponseTypeRepository()->getResponseType($responseTypeName);
176		if (!$responseType) {
177		throw new OAuthException('unsupported_response_type',
178		'Invalid response_type parameter',
179	4	'https://tools.ietf.org/html/rfc6749#section-3.1.1');
180	4	}
181	4
182	4	if (($enforceTls == true && !$redirectUri->getScheme() != 'https') \|\|
183	4	(is_null($enforceTls) && $responseType->requireTLS() && !$redirectUri->getScheme() != 'https')) {
184	4	if (is_null($enforceTls) && !$client->isTLSSupported()) {
185	4	$isInsecure = true;
186	4	} else {
187	1	throw new OAuthException('access_denied',
188	1	'Require the use of TLS for the redirect URI',
189	1	'https://tools.ietf.org/html/rfc6749#section-3.1.2.1');
190		}
191		}
192	3
193	3	$responseType->verifyRequest($request);
194	3	$responseTypes[] = $responseType;
195	3
196		if ($responseType->getDefaultResponseMode() == ResponseTypeInterface::RESPONSE_MODE_FRAGMENT) {
197		$responseMode = $responseType->getDefaultResponseMode();
198		}
199
200		if ($responseType->isImplicit()) {
201		$isImplicit = true;
202		}
203	3	}
204	3
205		if ($isImplicit && !$client->isImplicitAllowed()) {
206	3	throw new OAuthException('unauthorized_client',
207	1	'Client is not allowed to use implicit grant',
208		'https://tools.ietf.org/html/rfc6749#section-3.1.1');
209		}
210	3
211	3	$scopePolicyManager = $this->server->getScopePolicyManager();
212
213		$scope = $scopePolicyManager->getScopeArray($client, $authorizationRequest->getScope());
214		if (!$scopePolicyManager->checkScope($client, $scope)) {
215	3	$supportedScopes = implode(', ', $scopePolicyManager->getSupportedScopes($client));
216		throw new OAuthException('invalid_scope',
217		'Some of requested scopes are not supported. Scope supported : ' . $supportedScopes,
218		'https://tools.ietf.org/html/rfc6749#section-4.1');
219		}
220
221	3	} catch (OAuthException $e) {
222		return new ErrorResponse($redirectUri,
223	3	$e->getError(), $e->getErrorDescription(), $e->getErrorUri(),
224	3	$authorizationRequest->getState());
225		}
226
227		return compact('client', 'responseTypes', 'redirectUri', 'scope', 'responseMode', 'isInsecure');
228	3	}
229
230		/**
231	1	* @see https://tools.ietf.org/html/rfc6749#section-3.1.2.3
232	1	*
233	1	* Dynamic Configuration
234	1	*
235		* If multiple redirection URIs have been registered, if only part of
236		* the redirection URI has been registered, or if no redirection URI has
237	3	* been registered, the client MUST include a redirection URI with the
238		* authorization request using the "redirect_uri" request parameter.
239		*
240		* When a redirection URI is included in an authorization request, the
241		* authorization server MUST compare and match the value received
242		* against at least one of the registered redirection URIs (or URI
243		* components) as defined in [RFC3986] Section 6, if any redirection
244		* URIs were registered. If the client registration included the full
245		* redirection URI, the authorization server MUST compare the two URIs
246		* using simple string comparison as defined in [RFC3986] Section 6.2.1
247		*
248		* @param ClientInterface\|RegisteredClient $client
249		* @param null\|string $redirectUri
250		* @return UriInterface
251		* @throws \Exception
252		*/
253		private function checkClientRedirectUri(ClientInterface $client, ?string $redirectUri) : UriInterface
254		{
255		if (!$redirectUri) {
		0 ignored issues – show Bug Best Practice introduced 2018-01-23 09:18 UTC by Report Bug Copy Issue Report The expression `$redirectUri` of type `null\|string` is loosely compared to `false`; this is ambiguous if the string can be empty. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
256		if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_REDIRECT_URI)) {
257		throw new \Exception('A redirect URI must be supplied');
258		}
259		if (empty($client->getRedirectUris())) {
260		throw new \Exception('No redirect URI was supplied or stored');
261		}
262		if (count($client->getRedirectUris()) > 1) {
263	4	throw new \Exception('A redirect URI must be supplied when multiple redirect URIs are registered');
264		}
265	4	$redirectUri = new Uri($client->getRedirectUris()[0]);
266		} else {
267		$redirectUri = new Uri($redirectUri);
268		if ($redirectUri->getFragment()) {
269		throw new \Exception('The redirect URI must not contain a fragment');
270		}
271		if (empty($client->getRedirectUris())) {
272		if ($client->requireRedirectUri()) {
273		throw new \Exception('A redirect URI must be stored');
274		} else {
275		return $redirectUri;
276		}
277	4	}
278	4	$redirectUriWithoutQuery = Uri::composeComponents(
279		$redirectUri->getScheme(), $redirectUri->getAuthority(), $redirectUri->getPath(), '', '');
280		$match = false;
281	4	foreach ($client->getRedirectUris() as $registeredUri) {
282		$registeredUri = new Uri($registeredUri);
283		if ($registeredUri->getQuery()) {
284		if ($registeredUri->__toString() === $redirectUri->__toString()) {
285		$match = true;
286		break;
287		}
288	4	} else {
289	4	if ($this->server->getConfigurationRepository()->getConfig(Config::STRICT_REDIRECT_URI_COMPARISON)) {
290	4	if ($registeredUri->__toString() === $redirectUri->__toString()) {
291	4	$match = true;
292	4	break;
293	4	}
294		} else if ($registeredUri->__toString() === $redirectUriWithoutQuery) {
295		$match = true;
296		break;
297		}
298		}
299	4	}
300	4	if (!$match) {
301	4	throw new \Exception('The redirect URI provided is missing or does not match');
302	4	}
303		}
304		return $redirectUri;
305		}
306		}

php-guard / oauth-server

Push — master ( aebd05...0c0a9d )

AuthorizationEndpoint B

Complexity

Size/Duplication

Test Coverage

Importance

3 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like