Complex classes like AuthCodeGrant often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use AuthCodeGrant, and based on these observations, apply Extract Interface, too.
1 | <?php |
||
23 | class AuthCodeGrant extends AbstractAuthorizeGrant |
||
24 | { |
||
25 | /** |
||
26 | * @var \DateInterval |
||
27 | */ |
||
28 | private $authCodeTTL; |
||
29 | |||
30 | /** |
||
31 | * @var bool |
||
32 | */ |
||
33 | private $enableCodeExchangeProof = false; |
||
34 | |||
35 | /** |
||
36 | * @param AuthCodeRepositoryInterface $authCodeRepository |
||
37 | * @param RefreshTokenRepositoryInterface $refreshTokenRepository |
||
38 | * @param \DateInterval $authCodeTTL |
||
39 | * |
||
40 | * @throws \Exception |
||
41 | */ |
||
42 | 41 | public function __construct( |
|
43 | AuthCodeRepositoryInterface $authCodeRepository, |
||
44 | RefreshTokenRepositoryInterface $refreshTokenRepository, |
||
45 | \DateInterval $authCodeTTL |
||
46 | ) { |
||
47 | 41 | $this->setAuthCodeRepository($authCodeRepository); |
|
48 | 41 | $this->setRefreshTokenRepository($refreshTokenRepository); |
|
49 | 41 | $this->authCodeTTL = $authCodeTTL; |
|
50 | 41 | $this->refreshTokenTTL = new \DateInterval('P1M'); |
|
51 | 41 | } |
|
52 | |||
53 | 13 | public function enableCodeExchangeProof() |
|
54 | { |
||
55 | 13 | $this->enableCodeExchangeProof = true; |
|
56 | 13 | } |
|
57 | |||
58 | /** |
||
59 | * Respond to an access token request. |
||
60 | * |
||
61 | * @param ServerRequestInterface $request |
||
62 | * @param ResponseTypeInterface $responseType |
||
63 | * @param \DateInterval $accessTokenTTL |
||
64 | * |
||
65 | * @throws OAuthServerException |
||
66 | * |
||
67 | * @return ResponseTypeInterface |
||
68 | */ |
||
69 | 18 | public function respondToAccessTokenRequest( |
|
70 | ServerRequestInterface $request, |
||
71 | ResponseTypeInterface $responseType, |
||
72 | \DateInterval $accessTokenTTL |
||
73 | ) { |
||
74 | // Validate request |
||
75 | 18 | $client = $this->validateClient($request); |
|
76 | 18 | $encryptedAuthCode = $this->getRequestParameter('code', $request, null); |
|
77 | |||
78 | 18 | if ($encryptedAuthCode === null) { |
|
79 | 1 | throw OAuthServerException::invalidRequest('code'); |
|
80 | } |
||
81 | |||
82 | try { |
||
83 | 17 | $authCodePayload = json_decode($this->decrypt($encryptedAuthCode)); |
|
84 | |||
85 | 16 | $this->validateAuthorizationCode($authCodePayload, $client, $request); |
|
86 | |||
87 | 11 | $scopes = $this->scopeRepository->finalizeScopes( |
|
88 | 11 | $this->validateScopes($authCodePayload->scopes), |
|
89 | 11 | $this->getIdentifier(), |
|
90 | 11 | $client, |
|
91 | 11 | $authCodePayload->user_id |
|
92 | ); |
||
93 | 6 | } catch (\LogicException $e) { |
|
94 | 1 | throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code'); |
|
95 | } |
||
96 | |||
97 | // Validate code challenge |
||
98 | 11 | if ($this->enableCodeExchangeProof === true) { |
|
99 | 7 | $codeVerifier = $this->getRequestParameter('code_verifier', $request, null); |
|
100 | |||
101 | 7 | if ($codeVerifier === null) { |
|
102 | 1 | throw OAuthServerException::invalidRequest('code_verifier'); |
|
103 | } |
||
104 | |||
105 | // Validate code_verifier according to RFC-7636 |
||
106 | // @see: https://tools.ietf.org/html/rfc7636#section-4.1 |
||
107 | 6 | if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) { |
|
108 | 3 | throw OAuthServerException::invalidRequest( |
|
109 | 3 | 'code_verifier', |
|
110 | 3 | 'Code Verifier must follow the specifications of RFC-7636.' |
|
111 | ); |
||
112 | } |
||
113 | |||
114 | 3 | switch ($authCodePayload->code_challenge_method) { |
|
115 | 3 | case 'plain': |
|
116 | 2 | if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) { |
|
117 | 1 | throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.'); |
|
118 | } |
||
119 | |||
120 | 1 | break; |
|
121 | 1 | case 'S256': |
|
122 | if ( |
||
123 | 1 | hash_equals( |
|
124 | 1 | strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'), |
|
125 | 1 | $authCodePayload->code_challenge |
|
126 | 1 | ) === false |
|
127 | ) { |
||
128 | throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.'); |
||
129 | } |
||
130 | // @codeCoverageIgnoreStart |
||
131 | break; |
||
132 | default: |
||
133 | throw OAuthServerException::serverError( |
||
134 | sprintf( |
||
135 | 'Unsupported code challenge method `%s`', |
||
136 | $authCodePayload->code_challenge_method |
||
137 | ) |
||
138 | ); |
||
139 | // @codeCoverageIgnoreEnd |
||
140 | } |
||
141 | } |
||
142 | |||
143 | // Issue and persist access + refresh tokens |
||
144 | 6 | $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes); |
|
145 | 6 | $refreshToken = $this->issueRefreshToken($accessToken); |
|
146 | |||
147 | // Send events to emitter |
||
148 | 4 | $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request)); |
|
149 | 4 | $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request)); |
|
150 | |||
151 | // Inject tokens into response type |
||
152 | 4 | $responseType->setAccessToken($accessToken); |
|
|
|||
153 | 4 | $responseType->setRefreshToken($refreshToken); |
|
154 | |||
155 | // Revoke used auth code |
||
156 | 4 | $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id); |
|
157 | |||
158 | 4 | return $responseType; |
|
159 | } |
||
160 | |||
161 | /** |
||
162 | * Validate the authorization code. |
||
163 | * |
||
164 | * @param \stdClass $authCodePayload |
||
165 | * @param ClientEntityInterface $client |
||
166 | * @param ServerRequestInterface $request |
||
167 | */ |
||
168 | 16 | private function validateAuthorizationCode( |
|
169 | $authCodePayload, |
||
170 | ClientEntityInterface $client, |
||
171 | ServerRequestInterface $request |
||
172 | ) { |
||
173 | 16 | if (time() > $authCodePayload->expire_time) { |
|
174 | 1 | throw OAuthServerException::invalidRequest('code', 'Authorization code has expired'); |
|
175 | } |
||
176 | |||
177 | 15 | if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) { |
|
178 | 1 | throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked'); |
|
179 | } |
||
180 | |||
181 | 14 | if ($authCodePayload->client_id !== $client->getIdentifier()) { |
|
182 | 1 | throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client'); |
|
183 | } |
||
184 | |||
185 | // The redirect URI is required in this request |
||
186 | 13 | $redirectUri = $this->getRequestParameter('redirect_uri', $request, null); |
|
187 | 13 | if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) { |
|
188 | 1 | throw OAuthServerException::invalidRequest('redirect_uri'); |
|
189 | } |
||
190 | |||
191 | 12 | if ($authCodePayload->redirect_uri !== $redirectUri) { |
|
192 | 1 | throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI'); |
|
193 | } |
||
194 | 11 | } |
|
195 | |||
196 | /** |
||
197 | * Return the grant identifier that can be used in matching up requests. |
||
198 | * |
||
199 | * @return string |
||
200 | */ |
||
201 | 33 | public function getIdentifier() |
|
205 | |||
206 | /** |
||
207 | * {@inheritdoc} |
||
208 | */ |
||
209 | 3 | public function canRespondToAuthorizationRequest(ServerRequestInterface $request) |
|
217 | |||
218 | /** |
||
219 | * {@inheritdoc} |
||
220 | */ |
||
221 | 14 | public function validateAuthorizationRequest(ServerRequestInterface $request) |
|
307 | |||
308 | /** |
||
309 | * {@inheritdoc} |
||
310 | */ |
||
311 | 7 | public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest) |
|
370 | |||
371 | /** |
||
372 | * Get the client redirect URI if not set in the request. |
||
373 | * |
||
374 | * @param AuthorizationRequest $authorizationRequest |
||
375 | * |
||
376 | * @return string |
||
377 | */ |
||
378 | 6 | private function getClientRedirectUri(AuthorizationRequest $authorizationRequest) |
|
384 | } |
||
385 |
Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: