TokenController::handleTokenRequest() - Code Metrics - Inspection of "Merge pull request #816 from thongredweb/fix-trans..." - redCOMPONENT-COM/redCORE - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( a2c65d...283ac2 )

by Kristijan

created 2018-02-09 14:23 UTC

TokenController::handleTokenRequest() A

↳ Parent: TokenController

Complexity

Conditions	2
Paths	2

Size

Total Lines	8
Code Lines	4

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	8
rs	9.4285
c	0
b	0
f	0
cc	2
eloc	4
nc	2
nop	2

<?php

namespace OAuth2\Controller;

use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\ClientAssertionType\ClientAssertionTypeInterface;
use OAuth2\GrantType\GrantTypeInterface;
use OAuth2\ScopeInterface;
use OAuth2\Scope;
use OAuth2\Storage\ClientInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;

/**
 * @see OAuth2\Controller\TokenControllerInterface
 */
class TokenController implements TokenControllerInterface
{
    protected $accessToken;
    protected $grantTypes;
    protected $clientAssertionType;
    protected $scopeUtil;
    protected $clientStorage;

    public function __construct(AccessTokenInterface $accessToken, ClientInterface $clientStorage, array $grantTypes = array(), ClientAssertionTypeInterface $clientAssertionType = null, ScopeInterface $scopeUtil = null)
    {
        if (is_null($clientAssertionType)) {
            foreach ($grantTypes as $grantType) {
                if (!$grantType instanceof ClientAssertionTypeInterface) {
                    throw new \InvalidArgumentException('You must supply an instance of OAuth2\ClientAssertionType\ClientAssertionTypeInterface or only use grant types which implement OAuth2\ClientAssertionType\ClientAssertionTypeInterface');
                }
            }
        }
        $this->clientAssertionType = $clientAssertionType;
        $this->accessToken = $accessToken;
        $this->clientStorage = $clientStorage;
        foreach ($grantTypes as $grantType) {
            $this->addGrantType($grantType);
        }

        if (is_null($scopeUtil)) {
            $scopeUtil = new Scope();
        }
        $this->scopeUtil = $scopeUtil;
    }

    public function handleTokenRequest(RequestInterface $request, ResponseInterface $response)
    {
        if ($token = $this->grantAccessToken($request, $response)) {
            // @see http://tools.ietf.org/html/rfc6749#section-5.1
            // server MUST disable caching in headers when tokens are involved
            $response->setStatusCode(200);
            $response->addParameters($token);
            $response->addHttpHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache'));
        }
    }

    /**
     * Grant or deny a requested access token.
     * This would be called from the "/token" endpoint as defined in the spec.
     * You can call your endpoint whatever you want.
     *
     * @param $request - RequestInterface
     * Request object to grant access token
     *
     * @throws InvalidArgumentException
     * @throws LogicException
     *
     * @see http://tools.ietf.org/html/rfc6749#section-4
     * @see http://tools.ietf.org/html/rfc6749#section-10.6
     * @see http://tools.ietf.org/html/rfc6749#section-4.1.3
     *
     * @ingroup oauth2_section_4
     */

    public function grantAccessToken(RequestInterface $request, ResponseInterface $response)
    {
        if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
            $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
            $response->addHttpHeaders(array('Allow' => 'POST'));

            return null;
        }

        /**
         * Determine grant type from request
         * and validate the request for that grant type
         */
        if (!$grantTypeIdentifier = $request->request('grant_type')) {
            $response->setError(400, 'invalid_request', 'The grant type was not specified in the request');

            return null;
        }

        if (!isset($this->grantTypes[$grantTypeIdentifier])) {
            /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */
            $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier));

            return null;
        }

        $grantType = $this->grantTypes[$grantTypeIdentifier];

        /**
         * Retrieve the client information from the request
         * ClientAssertionTypes allow for grant types which also assert the client data
         * in which case ClientAssertion is handled in the validateRequest method
         *
         * @see OAuth2\GrantType\JWTBearer
         * @see OAuth2\GrantType\ClientCredentials
         */
        if (!$grantType instanceof ClientAssertionTypeInterface) {
            if (!$this->clientAssertionType->validateRequest($request, $response)) {
                return null;
            }
            $clientId = $this->clientAssertionType->getClientId();
        }

        /**
         * Retrieve the grant type information from the request
         * The GrantTypeInterface object handles all validation
         * If the object is an instance of ClientAssertionTypeInterface,
         * That logic is handled here as well
         */
        if (!$grantType->validateRequest($request, $response)) {
            return null;
        }

        if ($grantType instanceof ClientAssertionTypeInterface) {
            $clientId = $grantType->getClientId();
        } else {
            // validate the Client ID (if applicable)
            if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) {

                $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier));

                return null;
            }
        }

        /**
         * Validate the client can use the requested grant type
         */
        if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) {
            $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');

            return false;
        }

        /**
         * Validate the scope of the token
         *
         * requestedScope - the scope specified in the token request
         * availableScope - the scope associated with the grant type
         *  ex: in the case of the "Authorization Code" grant type,
         *  the scope is specified in the authorize request
         *
         * @see http://tools.ietf.org/html/rfc6749#section-3.3
         */

        $requestedScope = $this->scopeUtil->getScopeFromRequest($request);
        $availableScope = $grantType->getScope();

        if ($requestedScope) {
            // validate the requested scope
            if ($availableScope) {
                if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) {
                    $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request');

                    return null;
                }
            } else {
                // validate the client has access to this scope
                if ($clientScope = $this->clientStorage->getClientScope($clientId)) {
                    if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
                        $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client');

                        return false;
                    }
                } elseif (!$this->scopeUtil->scopeExists($requestedScope)) {
                    $response->setError(400, 'invalid_scope', 'An unsupported scope was requested');

                    return null;
                }
            }
        } elseif ($availableScope) {
            // use the scope associated with this grant type
            $requestedScope = $availableScope;
        } else {
            // use a globally-defined default scope
            $defaultScope = $this->scopeUtil->getDefaultScope($clientId);

            // "false" means default scopes are not allowed
            if (false === $defaultScope) {
                $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter');

                return null;
            }

            $requestedScope = $defaultScope;
        }

        return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope);
    }

    /**
     * addGrantType
     *
     * @param grantType - OAuth2\GrantTypeInterface
     * the grant type to add for the specified identifier
     * @param identifier - string
     * a string passed in as "grant_type" in the response that will call this grantType
     */

    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
    {
        if (is_null($identifier) || is_numeric($identifier)) {
            $identifier = $grantType->getQuerystringIdentifier();
        }

        $this->grantTypes[$identifier] = $grantType;
    }

    public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response)
    {
        if ($this->revokeToken($request, $response)) {
            $response->setStatusCode(200);
            $response->addParameters(array('revoked' => true));
        }
    }

    /**
     * Revoke a refresh or access token. Returns true on success and when tokens are invalid
     *
     * Note: invalid tokens do not cause an error response since the client
     * cannot handle such an error in a reasonable way.  Moreover, the
     * purpose of the revocation request, invalidating the particular token,
     * is already achieved.
     *
     * @param RequestInterface $request
     * @param ResponseInterface $response
     * @return bool|null
     */
    public function revokeToken(RequestInterface $request, ResponseInterface $response)
    {
        if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
            $response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2');
            $response->addHttpHeaders(array('Allow' => 'POST'));

            return null;
        }

        $token_type_hint = $request->request('token_type_hint');
        if (!in_array($token_type_hint, array(null, 'access_token', 'refresh_token'), true)) {
            $response->setError(400, 'invalid_request', 'Token type hint must be either \'access_token\' or \'refresh_token\'');

            return null;
        }

        $token = $request->request('token');
        if ($token === null) {
            $response->setError(400, 'invalid_request', 'Missing token parameter to revoke');

            return null;
        }

        // @todo remove this check for v2.0
        if (!method_exists($this->accessToken, 'revokeToken')) {
            $class = get_class($this->accessToken);
            throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method");
        }

        $this->accessToken->revokeToken($token, $token_type_hint);

        return true;
    }
}


1			<?php
2
3			namespace OAuth2\Controller;
4
5			use OAuth2\ResponseType\AccessTokenInterface;
6			use OAuth2\ClientAssertionType\ClientAssertionTypeInterface;
7			use OAuth2\GrantType\GrantTypeInterface;
8			use OAuth2\ScopeInterface;
9			use OAuth2\Scope;
10			use OAuth2\Storage\ClientInterface;
11			use OAuth2\RequestInterface;
12			use OAuth2\ResponseInterface;
13
14			/**
15			* @see OAuth2\Controller\TokenControllerInterface
16			*/
17			class TokenController implements TokenControllerInterface
18			{
19			protected $accessToken;
20			protected $grantTypes;
21			protected $clientAssertionType;
22			protected $scopeUtil;
23			protected $clientStorage;
24
25			public function __construct(AccessTokenInterface $accessToken, ClientInterface $clientStorage, array $grantTypes = array(), ClientAssertionTypeInterface $clientAssertionType = null, ScopeInterface $scopeUtil = null)
26			{
27			if (is_null($clientAssertionType)) {
28			foreach ($grantTypes as $grantType) {
29			if (!$grantType instanceof ClientAssertionTypeInterface) {
30			throw new \InvalidArgumentException('You must supply an instance of OAuth2\ClientAssertionType\ClientAssertionTypeInterface or only use grant types which implement OAuth2\ClientAssertionType\ClientAssertionTypeInterface');
31			}
32			}
33			}
34			$this->clientAssertionType = $clientAssertionType;
35			$this->accessToken = $accessToken;
36			$this->clientStorage = $clientStorage;
37			foreach ($grantTypes as $grantType) {
38			$this->addGrantType($grantType);
39			}
40
41			if (is_null($scopeUtil)) {
42			$scopeUtil = new Scope();
43			}
44			$this->scopeUtil = $scopeUtil;
45			}
46
47			public function handleTokenRequest(RequestInterface $request, ResponseInterface $response)
48			{
49			if ($token = $this->grantAccessToken($request, $response)) {
50			// @see http://tools.ietf.org/html/rfc6749#section-5.1
51			// server MUST disable caching in headers when tokens are involved
52			$response->setStatusCode(200);
53			$response->addParameters($token);
54			$response->addHttpHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache'));
55			}
56			}
57
58			/**
59			* Grant or deny a requested access token.
60			* This would be called from the "/token" endpoint as defined in the spec.
61			* You can call your endpoint whatever you want.
62			*
63			* @param $request - RequestInterface
64			* Request object to grant access token
65			*
66			* @throws InvalidArgumentException
67			* @throws LogicException
68			*
69			* @see http://tools.ietf.org/html/rfc6749#section-4
70			* @see http://tools.ietf.org/html/rfc6749#section-10.6
71			* @see http://tools.ietf.org/html/rfc6749#section-4.1.3
72			*
73			* @ingroup oauth2_section_4
74			*/
			0 ignored issues – show Documentation Bug introduced 2017-11-28 16:06 UTC by Report Bug Copy Issue Report The doc comment `-` at position `0` could not be parsed: Unknown type name '-' at position 0 in -. Loading history...
75			public function grantAccessToken(RequestInterface $request, ResponseInterface $response)
76			{
77			if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
78			$response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
79			$response->addHttpHeaders(array('Allow' => 'POST'));
80
81			return null;
82			}
83
84			/**
85			* Determine grant type from request
86			* and validate the request for that grant type
87			*/
88			if (!$grantTypeIdentifier = $request->request('grant_type')) {
89			$response->setError(400, 'invalid_request', 'The grant type was not specified in the request');
90
91			return null;
92			}
93
94			if (!isset($this->grantTypes[$grantTypeIdentifier])) {
95			/* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */
96			$response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier));
97
98			return null;
99			}
100
101			$grantType = $this->grantTypes[$grantTypeIdentifier];
102
103			/**
104			* Retrieve the client information from the request
105			* ClientAssertionTypes allow for grant types which also assert the client data
106			* in which case ClientAssertion is handled in the validateRequest method
107			*
108			* @see OAuth2\GrantType\JWTBearer
109			* @see OAuth2\GrantType\ClientCredentials
110			*/
111			if (!$grantType instanceof ClientAssertionTypeInterface) {
112			if (!$this->clientAssertionType->validateRequest($request, $response)) {
113			return null;
114			}
115			$clientId = $this->clientAssertionType->getClientId();
116			}
117
118			/**
119			* Retrieve the grant type information from the request
120			* The GrantTypeInterface object handles all validation
121			* If the object is an instance of ClientAssertionTypeInterface,
122			* That logic is handled here as well
123			*/
124			if (!$grantType->validateRequest($request, $response)) {
125			return null;
126			}
127
128			if ($grantType instanceof ClientAssertionTypeInterface) {
129			$clientId = $grantType->getClientId();
130			} else {
131			// validate the Client ID (if applicable)
132			if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) {
			0 ignored issues – show Comprehensibility Best Practice introduced 2017-11-09 09:31 UTC by Report Bug Copy Issue Report The variable `$clientId` does not seem to be defined for all execution paths leading up to this point. Loading history...
133			$response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier));
134
135			return null;
136			}
137			}
138
139			/**
140			* Validate the client can use the requested grant type
141			*/
142			if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) {
143			$response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');
144
145			return false;
146			}
147
148			/**
149			* Validate the scope of the token
150			*
151			* requestedScope - the scope specified in the token request
152			* availableScope - the scope associated with the grant type
153			* ex: in the case of the "Authorization Code" grant type,
154			* the scope is specified in the authorize request
155			*
156			* @see http://tools.ietf.org/html/rfc6749#section-3.3
157			*/
158
159			$requestedScope = $this->scopeUtil->getScopeFromRequest($request);
160			$availableScope = $grantType->getScope();
161
162			if ($requestedScope) {
163			// validate the requested scope
164			if ($availableScope) {
165			if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) {
166			$response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request');
167
168			return null;
169			}
170			} else {
171			// validate the client has access to this scope
172			if ($clientScope = $this->clientStorage->getClientScope($clientId)) {
173			if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
174			$response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client');
175
176			return false;
177			}
178			} elseif (!$this->scopeUtil->scopeExists($requestedScope)) {
179			$response->setError(400, 'invalid_scope', 'An unsupported scope was requested');
180
181			return null;
182			}
183			}
184			} elseif ($availableScope) {
185			// use the scope associated with this grant type
186			$requestedScope = $availableScope;
187			} else {
188			// use a globally-defined default scope
189			$defaultScope = $this->scopeUtil->getDefaultScope($clientId);
190
191			// "false" means default scopes are not allowed
192			if (false === $defaultScope) {
193			$response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter');
194
195			return null;
196			}
197
198			$requestedScope = $defaultScope;
199			}
200
201			return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope);
202			}
203
204			/**
205			* addGrantType
206			*
207			* @param grantType - OAuth2\GrantTypeInterface
208			* the grant type to add for the specified identifier
209			* @param identifier - string
210			* a string passed in as "grant_type" in the response that will call this grantType
211			*/
			0 ignored issues – show Documentation Bug introduced 2017-11-28 16:06 UTC by Report Bug Copy Issue Report The doc comment `-` at position `0` could not be parsed: Unknown type name '-' at position 0 in -. Loading history...
212			public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
213			{
214			if (is_null($identifier) \|\| is_numeric($identifier)) {
215			$identifier = $grantType->getQuerystringIdentifier();
216			}
217
218			$this->grantTypes[$identifier] = $grantType;
219			}
220
221			public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response)
222			{
223			if ($this->revokeToken($request, $response)) {
224			$response->setStatusCode(200);
225			$response->addParameters(array('revoked' => true));
226			}
227			}
228
229			/**
230			* Revoke a refresh or access token. Returns true on success and when tokens are invalid
231			*
232			* Note: invalid tokens do not cause an error response since the client
233			* cannot handle such an error in a reasonable way. Moreover, the
234			* purpose of the revocation request, invalidating the particular token,
235			* is already achieved.
236			*
237			* @param RequestInterface $request
238			* @param ResponseInterface $response
239			* @return bool\|null
240			*/
241			public function revokeToken(RequestInterface $request, ResponseInterface $response)
242			{
243			if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
244			$response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2');
245			$response->addHttpHeaders(array('Allow' => 'POST'));
246
247			return null;
248			}
249
250			$token_type_hint = $request->request('token_type_hint');
251			if (!in_array($token_type_hint, array(null, 'access_token', 'refresh_token'), true)) {
252			$response->setError(400, 'invalid_request', 'Token type hint must be either \'access_token\' or \'refresh_token\'');
253
254			return null;
255			}
256
257			$token = $request->request('token');
258			if ($token === null) {
259			$response->setError(400, 'invalid_request', 'Missing token parameter to revoke');
260
261			return null;
262			}
263
264			// @todo remove this check for v2.0
265			if (!method_exists($this->accessToken, 'revokeToken')) {
266			$class = get_class($this->accessToken);
267			throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method");
268			}
269
270			$this->accessToken->revokeToken($token, $token_type_hint);
271
272			return true;
273			}
274			}
275

redCOMPONENT-COM / redCORE

Push — develop ( a2c65d...283ac2 )

TokenController::handleTokenRequest() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like