AuthCodeGrant::getIdentifier() - Code Metrics - Inspection of "Code Tidyup" - thephpleague/oauth2-server - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#953)

by Andrew

created 2018-10-13 14:28 UTC

AuthCodeGrant::getIdentifier() A

↳ Parent: AuthCodeGrant

Complexity

Conditions	1
Paths	1

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	2
CRAP Score	1

Importance

Changes

Metric	Value
c	0
b	0
f	0
dl	0
loc	4
ccs	2
cts	2
cp	1
rs	10
cc	1
nc	1
nop	0
crap	1

<?php
/**
 * @author      Alex Bilbie <[email protected]>
 * @copyright   Copyright (c) Alex Bilbie
 * @license     http://mit-license.org/
 *
 * @link        https://github.com/thephpleague/oauth2-server
 */

namespace League\OAuth2\Server\Grant;

use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\UserEntityInterface;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
use League\OAuth2\Server\RequestEvent;
use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
use League\OAuth2\Server\ResponseTypes\RedirectResponse;
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
use Psr\Http\Message\ServerRequestInterface;

class AuthCodeGrant extends AbstractAuthorizeGrant
{
    /**
     * @var \DateInterval
     */
    private $authCodeTTL;

    /**
     * @var bool
     */
    private $enableCodeExchangeProof = false;

    /**
     * @param AuthCodeRepositoryInterface     $authCodeRepository
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
     * @param \DateInterval                   $authCodeTTL
     *
     * @throws \Exception
     */
    public function __construct(
        AuthCodeRepositoryInterface $authCodeRepository,
        RefreshTokenRepositoryInterface $refreshTokenRepository,
        \DateInterval $authCodeTTL
    ) {
        $this->setAuthCodeRepository($authCodeRepository);
        $this->setRefreshTokenRepository($refreshTokenRepository);
        $this->authCodeTTL = $authCodeTTL;
        $this->refreshTokenTTL = new \DateInterval('P1M');
    }

    public function enableCodeExchangeProof()
    {
        $this->enableCodeExchangeProof = true;
    }

    /**
     * Respond to an access token request.
     *
     * @param ServerRequestInterface $request
     * @param ResponseTypeInterface  $responseType
     * @param \DateInterval          $accessTokenTTL
     *
     * @throws OAuthServerException
     *
     * @return ResponseTypeInterface
     */
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
        \DateInterval $accessTokenTTL
    ) {
        // Validate request
        $client = $this->validateClient($request);
        $encryptedAuthCode = $this->getRequestParameter('code', $request, null);

        if ($encryptedAuthCode === null) {
            throw OAuthServerException::invalidRequest('code');
        }

        try {
            $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));

            $this->validateAuthorizationCode($authCodePayload, $client, $request);

            $scopes = $this->scopeRepository->finalizeScopes(
                $this->getScopes($authCodePayload),
                $this->getIdentifier(),
                $client,
                $authCodePayload->user_id
            );
        } catch (\LogicException  $e) {
            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
        }

        // Validate code challenge
        if ($this->enableCodeExchangeProof === true) {
            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);

            if ($codeVerifier === null) {
                throw OAuthServerException::invalidRequest('code_verifier');
            }

            // Validate code_verifier according to RFC-7636
            // @see: https://tools.ietf.org/html/rfc7636#section-4.1
            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) {
                throw OAuthServerException::invalidRequest(
                    'code_verifier',
                    'Code Verifier must follow the specifications of RFC-7636.'
                );
            }

            switch ($authCodePayload->code_challenge_method) {
                case 'plain':
                    if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
                    }

                    break;
                case 'S256':
                    if (
                        hash_equals(
                            strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
                            $authCodePayload->code_challenge
                        ) === false
                    ) {
                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
                    }
                    // @codeCoverageIgnoreStart
                    break;
                default:
                    throw OAuthServerException::serverError(
                        sprintf(
                            'Unsupported code challenge method `%s`',
                            $authCodePayload->code_challenge_method
                        )
                    );
                // @codeCoverageIgnoreEnd
            }
        }

        // Issue and persist access + refresh tokens
        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
        $refreshToken = $this->issueRefreshToken($accessToken);

        // Send events to emitter
        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
        $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));

        // Inject tokens into response type
        $responseType->setAccessToken($accessToken);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}
        $responseType->setRefreshToken($refreshToken);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}

        // Revoke used auth code
        $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);

        return $responseType;
    }

    /**
     * Validate the authorization code.
     *
     * @param \stdClass              $authCodePayload
     * @param ClientEntityInterface  $client
     * @param ServerRequestInterface $request
     */
    private function validateAuthorizationCode(
        $authCodePayload,
        ClientEntityInterface $client,
        ServerRequestInterface $request
    ) {
        if (time() > $authCodePayload->expire_time) {
            throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
        }

        if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
            throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
        }

        if ($authCodePayload->client_id !== $client->getIdentifier()) {
            throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
        }

        // The redirect URI is required in this request
        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
        if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
            throw OAuthServerException::invalidRequest('redirect_uri');
        }

        if ($authCodePayload->redirect_uri !== $redirectUri) {
            throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
        }
    }

    /**
     * Get scopes from the auth code payload.
     *
     * @param \stdClass $authCodePayload
     *
     * @return array
     */
    private function getScopes($authCodePayload)
    {
        $scopes = [];

        foreach ($authCodePayload->scopes as $scopeId) {
            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);

            if ($scope instanceof ScopeEntityInterface === false) {
                // @codeCoverageIgnoreStart
                throw OAuthServerException::invalidScope($scopeId);
                // @codeCoverageIgnoreEnd
            }

            $scopes[] = $scope;
        }

        return $scopes;
    }

    /**
     * Return the grant identifier that can be used in matching up requests.
     *
     * @return string
     */
    public function getIdentifier()
    {
        return 'authorization_code';
    }

    /**
     * {@inheritdoc}
     */
    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
    {
        return (
            array_key_exists('response_type', $request->getQueryParams())
            && $request->getQueryParams()['response_type'] === 'code'
            && isset($request->getQueryParams()['client_id'])
        );
    }

    /**
     * {@inheritdoc}
     */
    public function validateAuthorizationRequest(ServerRequestInterface $request)
    {
        $clientId = $this->getQueryStringParameter(
            'client_id',
            $request,
            $this->getServerParameter('PHP_AUTH_USER', $request)
        );

        if ($clientId === null) {
            throw OAuthServerException::invalidRequest('client_id');
        }

        $client = $this->clientRepository->getClientEntity(
            $clientId,
            $this->getIdentifier(),
            null,
            false
        );

        if ($client instanceof ClientEntityInterface === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient();
        }

        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);

        if ($redirectUri !== null) {
            $this->validateRedirectUri($redirectUri, $client, $request);
        } elseif (empty($client->getRedirectUri()) ||
            (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient();
        } else {
            $redirectUri = \is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri();
        }

        $scopes = $this->validateScopes(
            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
            $redirectUri
        );

        $stateParameter = $this->getQueryStringParameter('state', $request);

        $authorizationRequest = new AuthorizationRequest();
        $authorizationRequest->setGrantTypeId($this->getIdentifier());
        $authorizationRequest->setClient($client);
        $authorizationRequest->setRedirectUri($redirectUri);

        if ($stateParameter !== null) {
            $authorizationRequest->setState($stateParameter);
        }

        $authorizationRequest->setScopes($scopes);

        if ($this->enableCodeExchangeProof === true) {
            $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
            if ($codeChallenge === null) {
                throw OAuthServerException::invalidRequest('code_challenge');
            }

            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');

            if (\in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
                throw OAuthServerException::invalidRequest(
                    'code_challenge_method',
                    'Code challenge method must be `plain` or `S256`'
                );
            }

            // Validate code_challenge according to RFC-7636
            // @see: https://tools.ietf.org/html/rfc7636#section-4.2
            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) {
                throw OAuthServerException::invalidRequest(
                    'code_challenged',
                    'Code challenge must follow the specifications of RFC-7636.'
                );
            }

            $authorizationRequest->setCodeChallenge($codeChallenge);
            $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
        }

        return $authorizationRequest;
    }

    /**
     * {@inheritdoc}
     */
    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
    {
        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
            throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
        }

        $finalRedirectUri = $authorizationRequest->getRedirectUri()
                          ?? $this->getClientRedirectUri($authorizationRequest);

        // The user approved the client, redirect them back with an auth code
        if ($authorizationRequest->isAuthorizationApproved() === true) {
            $authCode = $this->issueAuthCode(
                $this->authCodeTTL,
                $authorizationRequest->getClient(),
                $authorizationRequest->getUser()->getIdentifier(),
                $authorizationRequest->getRedirectUri(),
                $authorizationRequest->getScopes()
            );

            $payload = [
                'client_id'             => $authCode->getClient()->getIdentifier(),
                'redirect_uri'          => $authCode->getRedirectUri(),
                'auth_code_id'          => $authCode->getIdentifier(),
                'scopes'                => $authCode->getScopes(),
                'user_id'               => $authCode->getUserIdentifier(),
                'expire_time'           => (new \DateTime())->add($this->authCodeTTL)->format('U'),
                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
            ];

            $response = new RedirectResponse();
            $response->setRedirectUri(
                $this->makeRedirectUri(
                    $finalRedirectUri,
                    [
                        'code'  => $this->encrypt(
                            json_encode(
                                $payload
                            )
                        ),
                        'state' => $authorizationRequest->getState(),
                    ]
                )
            );

            return $response;
        }

        // The user denied the client, redirect them back with an error
        throw OAuthServerException::accessDenied(
            'The user denied the request',
            $this->makeRedirectUri(
                $finalRedirectUri,
                [
                    'state' => $authorizationRequest->getState(),
                ]
            )
        );
    }

    /**
     * Get the client redirect URI if not set in the request.
     *
     * @param AuthorizationRequest $authorizationRequest
     *
     * @return string
     */
    private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
    {
        return \is_array($authorizationRequest->getClient()->getRedirectUri())
                ? $authorizationRequest->getClient()->getRedirectUri()[0]
                : $authorizationRequest->getClient()->getRedirectUri();
    }
}


1		<?php
2		/**
3		* @author Alex Bilbie <[email protected]>
4		* @copyright Copyright (c) Alex Bilbie
5		* @license http://mit-license.org/
6		*
7		* @link https://github.com/thephpleague/oauth2-server
8		*/
9
10		namespace League\OAuth2\Server\Grant;
11
12		use League\OAuth2\Server\Entities\ClientEntityInterface;
13		use League\OAuth2\Server\Entities\ScopeEntityInterface;
14		use League\OAuth2\Server\Entities\UserEntityInterface;
15		use League\OAuth2\Server\Exception\OAuthServerException;
16		use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
17		use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
18		use League\OAuth2\Server\RequestEvent;
19		use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
20		use League\OAuth2\Server\ResponseTypes\RedirectResponse;
21		use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
22		use Psr\Http\Message\ServerRequestInterface;
23
24		class AuthCodeGrant extends AbstractAuthorizeGrant
25		{
26		/**
27		* @var \DateInterval
28		*/
29		private $authCodeTTL;
30
31		/**
32		* @var bool
33		*/
34		private $enableCodeExchangeProof = false;
35
36		/**
37		* @param AuthCodeRepositoryInterface $authCodeRepository
38		* @param RefreshTokenRepositoryInterface $refreshTokenRepository
39		* @param \DateInterval $authCodeTTL
40		*
41		* @throws \Exception
42		*/
43	41	public function __construct(
44		AuthCodeRepositoryInterface $authCodeRepository,
45		RefreshTokenRepositoryInterface $refreshTokenRepository,
46		\DateInterval $authCodeTTL
47		) {
48	41	$this->setAuthCodeRepository($authCodeRepository);
49	41	$this->setRefreshTokenRepository($refreshTokenRepository);
50	41	$this->authCodeTTL = $authCodeTTL;
51	41	$this->refreshTokenTTL = new \DateInterval('P1M');
52	41	}
53
54	13	public function enableCodeExchangeProof()
55		{
56	13	$this->enableCodeExchangeProof = true;
57	13	}
58
59		/**
60		* Respond to an access token request.
61		*
62		* @param ServerRequestInterface $request
63		* @param ResponseTypeInterface $responseType
64		* @param \DateInterval $accessTokenTTL
65		*
66		* @throws OAuthServerException
67		*
68		* @return ResponseTypeInterface
69		*/
70	18	public function respondToAccessTokenRequest(
71		ServerRequestInterface $request,
72		ResponseTypeInterface $responseType,
73		\DateInterval $accessTokenTTL
74		) {
75		// Validate request
76	18	$client = $this->validateClient($request);
77	18	$encryptedAuthCode = $this->getRequestParameter('code', $request, null);
78
79	18	if ($encryptedAuthCode === null) {
80	1	throw OAuthServerException::invalidRequest('code');
81		}
82
83		try {
84	17	$authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
85
86	16	$this->validateAuthorizationCode($authCodePayload, $client, $request);
87
88	11	$scopes = $this->scopeRepository->finalizeScopes(
89	11	$this->getScopes($authCodePayload),
90	11	$this->getIdentifier(),
91	11	$client,
92	11	$authCodePayload->user_id
93		);
94	6	} catch (\LogicException $e) {
95	1	throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
96		}
97
98		// Validate code challenge
99	11	if ($this->enableCodeExchangeProof === true) {
100	7	$codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
101
102	7	if ($codeVerifier === null) {
103	1	throw OAuthServerException::invalidRequest('code_verifier');
104		}
105
106		// Validate code_verifier according to RFC-7636
107		// @see: https://tools.ietf.org/html/rfc7636#section-4.1
108	6	if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) {
109	3	throw OAuthServerException::invalidRequest(
110	3	'code_verifier',
111	3	'Code Verifier must follow the specifications of RFC-7636.'
112		);
113		}
114
115	3	switch ($authCodePayload->code_challenge_method) {
116	3	case 'plain':
117	2	if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
118	1	throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
119		}
120
121	1	break;
122	1	case 'S256':
123		if (
124	1	hash_equals(
125	1	strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
126	1	$authCodePayload->code_challenge
127	1	) === false
128		) {
129		throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
130		}
131		// @codeCoverageIgnoreStart
132		break;
133		default:
134		throw OAuthServerException::serverError(
135		sprintf(
136		'Unsupported code challenge method `%s`',
137		$authCodePayload->code_challenge_method
138		)
139		);
140		// @codeCoverageIgnoreEnd
141		}
142		}
143
144		// Issue and persist access + refresh tokens
145	6	$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
146	6	$refreshToken = $this->issueRefreshToken($accessToken);
147
148		// Send events to emitter
149	4	$this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
150	4	$this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
151
152		// Inject tokens into response type
153	4	$responseType->setAccessToken($accessToken);
		0 ignored issues – show Bug introduced 2016-06-17 09:35 UTC by Report Bug Copy Issue Report It seems like `$accessToken` defined by `$this->issueAccessToken(...load->user_id, $scopes)` on line `145` can be `null`; however, `League\OAuth2\Server\Res...rface::setAccessToken()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
154	4	$responseType->setRefreshToken($refreshToken);
		0 ignored issues – show Bug introduced 2016-06-19 22:10 UTC by Report Bug Copy Issue Report It seems like `$refreshToken` defined by `$this->issueRefreshToken($accessToken)` on line `146` can be `null`; however, `League\OAuth2\Server\Res...face::setRefreshToken()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
155
156		// Revoke used auth code
157	4	$this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
158
159	4	return $responseType;
160		}
161
162		/**
163		* Validate the authorization code.
164		*
165		* @param \stdClass $authCodePayload
166		* @param ClientEntityInterface $client
167		* @param ServerRequestInterface $request
168		*/
169	16	private function validateAuthorizationCode(
170		$authCodePayload,
171		ClientEntityInterface $client,
172		ServerRequestInterface $request
173		) {
174	16	if (time() > $authCodePayload->expire_time) {
175	1	throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
176		}
177
178	15	if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
179	1	throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
180		}
181
182	14	if ($authCodePayload->client_id !== $client->getIdentifier()) {
183	1	throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
184		}
185
186		// The redirect URI is required in this request
187	13	$redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
188	13	if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
189	1	throw OAuthServerException::invalidRequest('redirect_uri');
190		}
191
192	12	if ($authCodePayload->redirect_uri !== $redirectUri) {
193	1	throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
194		}
195	11	}
196
197		/**
198		* Get scopes from the auth code payload.
199		*
200		* @param \stdClass $authCodePayload
201		*
202		* @return array
203		*/
204	11	private function getScopes($authCodePayload)
205		{
206	11	$scopes = [];
207
208	11	foreach ($authCodePayload->scopes as $scopeId) {
209	11	$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
210
211	11	if ($scope instanceof ScopeEntityInterface === false) {
212		// @codeCoverageIgnoreStart
213		throw OAuthServerException::invalidScope($scopeId);
214		// @codeCoverageIgnoreEnd
215		}
216
217	11	$scopes[] = $scope;
218		}
219
220	11	return $scopes;
221		}
222
223		/**
224		* Return the grant identifier that can be used in matching up requests.
225		*
226		* @return string
227		*/
228	33	public function getIdentifier()
229		{
230	33	return 'authorization_code';
231		}
232
233		/**
234		* {@inheritdoc}
235		*/
236	3	public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
237		{
238		return (
239	3	array_key_exists('response_type', $request->getQueryParams())
240	3	&& $request->getQueryParams()['response_type'] === 'code'
241	3	&& isset($request->getQueryParams()['client_id'])
242		);
243		}
244
245		/**
246		* {@inheritdoc}
247		*/
248	14	public function validateAuthorizationRequest(ServerRequestInterface $request)
249		{
250	14	$clientId = $this->getQueryStringParameter(
251	14	'client_id',
252	14	$request,
253	14	$this->getServerParameter('PHP_AUTH_USER', $request)
254		);
255
256	14	if ($clientId === null) {
257	1	throw OAuthServerException::invalidRequest('client_id');
258		}
259
260	13	$client = $this->clientRepository->getClientEntity(
261	13	$clientId,
262	13	$this->getIdentifier(),
263	13	null,
264	13	false
265		);
266
267	13	if ($client instanceof ClientEntityInterface === false) {
268	1	$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
269	1	throw OAuthServerException::invalidClient();
270		}
271
272	12	$redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
273
274	12	if ($redirectUri !== null) {
275	10	$this->validateRedirectUri($redirectUri, $client, $request);
276	2	} elseif (empty($client->getRedirectUri()) \|\|
277	2	(\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
278	1	$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
279	1	throw OAuthServerException::invalidClient();
280		} else {
281	1	$redirectUri = \is_array($client->getRedirectUri())
282		? $client->getRedirectUri()[0]
283	1	: $client->getRedirectUri();
284		}
285
286	9	$scopes = $this->validateScopes(
287	9	$this->getQueryStringParameter('scope', $request, $this->defaultScope),
288	9	$redirectUri
289		);
290
291	9	$stateParameter = $this->getQueryStringParameter('state', $request);
292
293	9	$authorizationRequest = new AuthorizationRequest();
294	9	$authorizationRequest->setGrantTypeId($this->getIdentifier());
295	9	$authorizationRequest->setClient($client);
296	9	$authorizationRequest->setRedirectUri($redirectUri);
297
298	9	if ($stateParameter !== null) {
299		$authorizationRequest->setState($stateParameter);
300		}
301
302	9	$authorizationRequest->setScopes($scopes);
303
304	9	if ($this->enableCodeExchangeProof === true) {
305	6	$codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
306	6	if ($codeChallenge === null) {
307	1	throw OAuthServerException::invalidRequest('code_challenge');
308		}
309
310	5	$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
311
312	5	if (\in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
313	1	throw OAuthServerException::invalidRequest(
314	1	'code_challenge_method',
315	1	'Code challenge method must be `plain` or `S256`'
316		);
317		}
318
319		// Validate code_challenge according to RFC-7636
320		// @see: https://tools.ietf.org/html/rfc7636#section-4.2
321	4	if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) {
322	3	throw OAuthServerException::invalidRequest(
323	3	'code_challenged',
324	3	'Code challenge must follow the specifications of RFC-7636.'
325		);
326		}
327
328	1	$authorizationRequest->setCodeChallenge($codeChallenge);
329	1	$authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
330		}
331
332	4	return $authorizationRequest;
333		}
334
335		/**
336		* {@inheritdoc}
337		*/
338	7	public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
339		{
340	7	if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
341	1	throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
342		}
343
344	6	$finalRedirectUri = $authorizationRequest->getRedirectUri()
345	6	?? $this->getClientRedirectUri($authorizationRequest);
346
347		// The user approved the client, redirect them back with an auth code
348	6	if ($authorizationRequest->isAuthorizationApproved() === true) {
349	5	$authCode = $this->issueAuthCode(
350	5	$this->authCodeTTL,
351	5	$authorizationRequest->getClient(),
352	5	$authorizationRequest->getUser()->getIdentifier(),
353	5	$authorizationRequest->getRedirectUri(),
354	5	$authorizationRequest->getScopes()
355		);
356
357		$payload = [
358	3	'client_id' => $authCode->getClient()->getIdentifier(),
359	3	'redirect_uri' => $authCode->getRedirectUri(),
360	3	'auth_code_id' => $authCode->getIdentifier(),
361	3	'scopes' => $authCode->getScopes(),
362	3	'user_id' => $authCode->getUserIdentifier(),
363	3	'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'),
364	3	'code_challenge' => $authorizationRequest->getCodeChallenge(),
365	3	'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
366		];
367
368	3	$response = new RedirectResponse();
369	3	$response->setRedirectUri(
370	3	$this->makeRedirectUri(
371	3	$finalRedirectUri,
372		[
373	3	'code' => $this->encrypt(
374	3	json_encode(
375	3	$payload
376		)
377		),
378	3	'state' => $authorizationRequest->getState(),
379		]
380		)
381		);
382
383	3	return $response;
384		}
385
386		// The user denied the client, redirect them back with an error
387	1	throw OAuthServerException::accessDenied(
388	1	'The user denied the request',
389	1	$this->makeRedirectUri(
390	1	$finalRedirectUri,
391		[
392	1	'state' => $authorizationRequest->getState(),
393		]
394		)
395		);
396		}
397
398		/**
399		* Get the client redirect URI if not set in the request.
400		*
401		* @param AuthorizationRequest $authorizationRequest
402		*
403		* @return string
404		*/
405	6	private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
406		{
407	6	return \is_array($authorizationRequest->getClient()->getRedirectUri())
408		? $authorizationRequest->getClient()->getRedirectUri()[0]
409	6	: $authorizationRequest->getClient()->getRedirectUri();
410		}
411		}
412

thephpleague / oauth2-server

Pull Request — master (#953)

AuthCodeGrant::getIdentifier() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like