Issues in RefreshTokenGrant.php - All Issues - Inspection of "Merge pull request #1055 from Sephster/fix-client-..." - thephpleague/oauth2-server - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 661e1f...1f20a4 )

by Andrew

created 2019-09-26 21:38 UTC

src/Grant/RefreshTokenGrant.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * OAuth 2.0 Refresh token grant.
 *
 * @author      Alex Bilbie <[email protected]>
 * @copyright   Copyright (c) Alex Bilbie
 * @license     http://mit-license.org/
 *
 * @link        https://github.com/thephpleague/oauth2-server
 */

namespace League\OAuth2\Server\Grant;

use DateInterval;
use Exception;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
use League\OAuth2\Server\RequestEvent;
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
use Psr\Http\Message\ServerRequestInterface;

/**
 * Refresh token grant.
 */
class RefreshTokenGrant extends AbstractGrant
{
    /**
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
     */
    public function __construct(RefreshTokenRepositoryInterface $refreshTokenRepository)
    {
        $this->setRefreshTokenRepository($refreshTokenRepository);

        $this->refreshTokenTTL = new DateInterval('P1M');
    }

    /**
     * {@inheritdoc}
     */
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
        DateInterval $accessTokenTTL
    ) {
        // Validate request
        $client = $this->validateClient($request);
        $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
        $scopes = $this->validateScopes($this->getRequestParameter(
            'scope',
            $request,
            implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
        );

        // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
        // the request doesn't include any new scopes
        foreach ($scopes as $scope) {
            if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes'], true) === false) {
                throw OAuthServerException::invalidScope($scope->getIdentifier());
            }
        }

        // Expire old tokens
        $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
        $this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);

        // Issue and persist new access token
        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
        $responseType->setAccessToken($accessToken);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}

        // Issue and persist new refresh token if given
        $refreshToken = $this->issueRefreshToken($accessToken);

        if ($refreshToken !== null) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
            $responseType->setRefreshToken($refreshToken);
        }

        return $responseType;
    }

    /**
     * @param ServerRequestInterface $request
     * @param string                 $clientId
     *
     * @throws OAuthServerException
     *
     * @return array
     */
    protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)
    {
        $encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
        if (is_null($encryptedRefreshToken)) {
            throw OAuthServerException::invalidRequest('refresh_token');
        }

        // Validate refresh token
        try {
            $refreshToken = $this->decrypt($encryptedRefreshToken);
        } catch (Exception $e) {
            throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token', $e);
        }

        $refreshTokenData = json_decode($refreshToken, true);
        if ($refreshTokenData['client_id'] !== $clientId) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
            throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
        }

        if ($refreshTokenData['expire_time'] < time()) {
            throw OAuthServerException::invalidRefreshToken('Token has expired');
        }

        if ($this->refreshTokenRepository->isRefreshTokenRevoked($refreshTokenData['refresh_token_id']) === true) {
            throw OAuthServerException::invalidRefreshToken('Token has been revoked');
        }

        return $refreshTokenData;
    }

    /**
     * {@inheritdoc}
     */
    public function getIdentifier()
    {
        return 'refresh_token';
    }
}


1		<?php
2		/**
3		* OAuth 2.0 Refresh token grant.
4		*
5		* @author Alex Bilbie <[email protected]>
6		* @copyright Copyright (c) Alex Bilbie
7		* @license http://mit-license.org/
8		*
9		* @link https://github.com/thephpleague/oauth2-server
10		*/
11
12		namespace League\OAuth2\Server\Grant;
13
14		use DateInterval;
15		use Exception;
16		use League\OAuth2\Server\Exception\OAuthServerException;
17		use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
18		use League\OAuth2\Server\RequestEvent;
19		use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
20		use Psr\Http\Message\ServerRequestInterface;
21
22		/**
23		* Refresh token grant.
24		*/
25		class RefreshTokenGrant extends AbstractGrant
26		{
27		/**
28		* @param RefreshTokenRepositoryInterface $refreshTokenRepository
29		*/
30	10	public function __construct(RefreshTokenRepositoryInterface $refreshTokenRepository)
31		{
32	10	$this->setRefreshTokenRepository($refreshTokenRepository);
33
34	10	$this->refreshTokenTTL = new DateInterval('P1M');
35	10	}
36
37		/**
38		* {@inheritdoc}
39		*/
40	9	public function respondToAccessTokenRequest(
41		ServerRequestInterface $request,
42		ResponseTypeInterface $responseType,
43		DateInterval $accessTokenTTL
44		) {
45		// Validate request
46	9	$client = $this->validateClient($request);
47	9	$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
48	4	$scopes = $this->validateScopes($this->getRequestParameter(
49	4	'scope',
50	4	$request,
51	4	implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
52		);
53
54		// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
55		// the request doesn't include any new scopes
56	4	foreach ($scopes as $scope) {
57	4	if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes'], true) === false) {
58	4	throw OAuthServerException::invalidScope($scope->getIdentifier());
59		}
60		}
61
62		// Expire old tokens
63	3	$this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
64	3	$this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);
65
66		// Issue and persist new access token
67	3	$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
68	3	$this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
69	3	$responseType->setAccessToken($accessToken);
		0 ignored issues – show Bug introduced 2016-06-17 09:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$accessToken` defined by `$this->issueAccessToken(...en['user_id'], $scopes)` on line `67` can be `null`; however, `League\OAuth2\Server\Res...rface::setAccessToken()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
70
71		// Issue and persist new refresh token if given
72	3	$refreshToken = $this->issueRefreshToken($accessToken);
73
74	3	if ($refreshToken !== null) {
75	2	$this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
76	2	$responseType->setRefreshToken($refreshToken);
77		}
78
79	3	return $responseType;
80		}
81
82		/**
83		* @param ServerRequestInterface $request
84		* @param string $clientId
85		*
86		* @throws OAuthServerException
87		*
88		* @return array
89		*/
90	9	protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)
91		{
92	9	$encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
93	9	if (is_null($encryptedRefreshToken)) {
94	1	throw OAuthServerException::invalidRequest('refresh_token');
95		}
96
97		// Validate refresh token
98		try {
99	8	$refreshToken = $this->decrypt($encryptedRefreshToken);
100	1	} catch (Exception $e) {
101	1	throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token', $e);
102		}
103
104	7	$refreshTokenData = json_decode($refreshToken, true);
105	7	if ($refreshTokenData['client_id'] !== $clientId) {
106	1	$this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
107	1	throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
108		}
109
110	6	if ($refreshTokenData['expire_time'] < time()) {
111	1	throw OAuthServerException::invalidRefreshToken('Token has expired');
112		}
113
114	5	if ($this->refreshTokenRepository->isRefreshTokenRevoked($refreshTokenData['refresh_token_id']) === true) {
115	1	throw OAuthServerException::invalidRefreshToken('Token has been revoked');
116		}
117
118	4	return $refreshTokenData;
119		}
120
121		/**
122		* {@inheritdoc}
123		*/
124	10	public function getIdentifier()
125		{
126	10	return 'refresh_token';
127		}
128		}
129

thephpleague / oauth2-server

Push — master ( 661e1f...1f20a4 )

src/Grant/RefreshTokenGrant.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like