From d4f2eb4cba0858c4ef53803fef91b2ce371bef62 Mon Sep 17 00:00:00 2001
From: Fred Cox
Date: Wed, 9 Aug 2017 16:29:07 +0300
Subject: [PATCH 1/2] Delete codes so they can only be used once
---
 src/GrantType/AuthorizationCodeGrantTypeHandler.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/GrantType/AuthorizationCodeGrantTypeHandler.php b/src/GrantType/AuthorizationCodeGrantTypeHandler.php
index ae464e48..65ca207f 100644
--- a/src/GrantType/AuthorizationCodeGrantTypeHandler.php
+++ b/src/GrantType/AuthorizationCodeGrantTypeHandler.php
@@ -91,6 +91,9 @@ private function checkCode(
 ]);
 }
+ // Delete this code so it can only be used once
+ $codeManager->deleteModel($result);
+
 return [$result->getUsername(), $result->getScope()];
 }
From b599876547883bd8cfdbc8c90e74b69f05db8d60 Mon Sep 17 00:00:00 2001
From: Fred Cox
Date: Wed, 9 Aug 2017 16:29:24 +0300
Subject: [PATCH 2/2] Delete refresh tokens when used - New refresh token is issued
---
 .../AuthorizationCodeGrantTypeHandler.php | 6 +--
 .../RefreshTokenGrantTypeHandler.php | 15 +++---
 .../AuthorizationCodeGrantTypeHandlerTest.php | 11 +++--
 .../RefreshTokenGrantTypeHandlerTest.php | 5 +-
 .../DataFixtures/ORM/CodeFixture.php | 47 +++++++++++++++++++
 .../DataFixtures/ORM/RefreshTokenFixture.php | 12 +++++
 6 files changed, 82 insertions(+), 14 deletions(-)
diff --git a/src/GrantType/AuthorizationCodeGrantTypeHandler.php b/src/GrantType/AuthorizationCodeGrantTypeHandler.php
index 65ca207f..907a99b1 100644
--- a/src/GrantType/AuthorizationCodeGrantTypeHandler.php
+++ b/src/GrantType/AuthorizationCodeGrantTypeHandler.php
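Review bot: The delete at `$codeManager->deleteModel($result)` happens after the code was read and validated, so two token requests presenting the same code at the same time can both pass the checks before either delete lands; single use is only guaranteed if the storage layer makes lookup-and-delete atomic (a transaction, or a delete that reports whether a row was actually removed and fails the request when it was not). That assumption deserves a why-comment on the added line, e.g. `// Consume the code; the delete must be atomic with the lookup above or a concurrent request could replay it.` checkCode starts outside the hunk, so where `$result` and `$codeManager` are obtained is not visible here.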
@@ -28,12 +28,12 @@ public function handle(Request $request)
 // Fetch client_id from authenticated token.
 $clientId = $this->checkClientId();
- // Fetch username and scope from stored code.
- list($username, $scope) = $this->checkCode($request, $clientId);
-
 // Check and set redirect_uri.
 $redirectUri = $this->checkRedirectUri($request, $clientId);
+ // Fetch username and scope from stored code.
+ list($username, $scope) = $this->checkCode($request, $clientId);
+
 // Generate access_token, store to backend and set token response.
 $parameters = $this->tokenTypeHandlerFactory
 ->getTokenTypeHandler()
diff --git a/src/GrantType/RefreshTokenGrantTypeHandler.php b/src/GrantType/RefreshTokenGrantTypeHandler.php
index e2d8dc9b..7770ff96 100644
--- a/src/GrantType/RefreshTokenGrantTypeHandler.php
+++ b/src/GrantType/RefreshTokenGrantTypeHandler.php
@@ -129,9 +129,9 @@ private function checkRefreshToken(
 // Compare if given scope within all supported scopes.
 $scopeSupported = [];
 $scopeManager = $this->modelManagerFactory->getModelManager('scope');
- $result = $scopeManager->readModelAll();
- if ($result !== null) {
- foreach ($result as $row) {
+ $scopeResult = $scopeManager->readModelAll();
+ if ($scopeResult !== null) {
+ foreach ($scopeResult as $row) {
 $scopeSupported[] = $row->getScope();
 }
 }
@@ -144,12 +144,12 @@ private function checkRefreshToken(
 // Compare if given scope within all authorized scopes.
 $scopeAuthorized = [];
 $authorizeManager = $this->modelManagerFactory->getModelManager('authorize');
- $result = $authorizeManager->readModelOneBy([
+ $authorizeResult = $authorizeManager->readModelOneBy([
 'clientId' => $clientId,
 'username' => $username,
 ]);
- if ($result !== null) {
- $scopeAuthorized = $result->getScope();
+ if ($authorizeResult !== null) {
+ $scopeAuthorized = $authorizeResult->getScope();
 }
 if (array_intersect($scope, $scopeAuthorized) !== $scope) {
 throw new InvalidScopeException([
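Review bot: The reason for moving `checkCode()` below `checkRedirectUri()` is not recorded in the code: checkCode() now consumes the code, so it has to remain the last validation in handle(), and a later edit that moves it back up would silently reintroduce codes being burned on rejected requests. A why-comment on the moved line would pin the ordering, e.g. `// checkCode() deletes the code; keep it after every other validation so a rejected request does not consume it.` The body of handle() continues outside the hunk.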
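Review bot: Renaming the scope and authorize lookups to `$scopeResult` and `$authorizeResult` in hunks @@ -129,9 and @@ -144,12 is needed only because the refresh-token lookup itself, read outside this hunk, still lives in the generic `$result` and must survive to the delete further down; the fragile name is the one that was kept. Giving that variable a descriptive name such as `$refreshToken` and using it in the `deleteModel` call would make the dependency visible and stop the next `$result = ...` in this method from clobbering the token again. The enclosing checkRefreshToken() starts before the first of these hunks.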
@@ -158,6 +158,9 @@ private function checkRefreshToken(
 }
 }
+ // Delete this refresh token and new one will be issued
+ $refreshTokenManager->deleteModel($result);
+
 return [$username, $scope];
 }
 }
diff --git a/tests/GrantType/AuthorizationCodeGrantTypeHandlerTest.php b/tests/GrantType/AuthorizationCodeGrantTypeHandlerTest.php
index 7c4cb8f0..3fd1140a 100644
--- a/tests/GrantType/AuthorizationCodeGrantTypeHandlerTest.php
+++ b/tests/GrantType/AuthorizationCodeGrantTypeHandlerTest.php
@@ -133,7 +133,7 @@ public function testGoodAuthCode()
 {
 $parameters = [
 'grant_type' => 'authorization_code',
- 'code' => 'f0c68d250bcc729eb780a235371a9a55',
+ 'code' => 'f0c68d250bcc729eb780a235371a9a56',
 'redirect_uri' => 'http://democlient2.com/redirect_uri',
 'state' => 'f0c68d250bcc729eb780a235371a9a55',
 ];
@@ -144,10 +144,13 @@ public function testGoodAuthCode()
 $client = $this->createClient();
 $crawler = $client->request('POST', '/api/oauth2/token', $parameters, [], $server);
 $this->assertNotNull(json_decode($client->getResponse()->getContent()));
+ }
+ public function testGoodAuthCodeClientPost()
+ {
 $parameters = [
 'grant_type' => 'authorization_code',
- 'code' => 'f0c68d250bcc729eb780a235371a9a55',
+ 'code' => 'f0c68d250bcc729eb780a235371a9a57',
 'redirect_uri' => 'http://democlient2.com/redirect_uri',
 'client_id' => 'http://democlient2.com/',
 'client_secret' => 'demosecret2',
@@ -164,7 +167,7 @@ public function testGoodAuthCodeNoPassedRedirectUri()
 {
 $parameters = [
 'grant_type' => 'authorization_code',
- 'code' => 'f0c68d250bcc729eb780a235371a9a55',
+ 'code' => 'f0c68d250bcc729eb780a235371a9a58',
 'client_id' => 'http://democlient2.com/',
 'client_secret' => 'demosecret2',
 'state' => 'f0c68d250bcc729eb780a235371a9a55',
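Review bot: `$refreshTokenManager->deleteModel($result)` removes the presented refresh token before the caller has generated the replacement, so any failure later in the flow leaves the client with no valid refresh token and forces a fresh authorization; that is a safe failure mode but it should be stated, and the comment `new one will be issued` describes the caller rather than this method. A hard delete also makes a replay of an already-rotated token indistinguishable from a random invalid token, so reuse cannot be detected and the whole grant revoked, which is what OAuth refresh-token rotation guidance recommends; recording the token as consumed for a short window instead of deleting it is the usual way to keep that signal. Both `$result` and `$refreshTokenManager` are assigned outside the hunk, so the comment should be verified against the lookup that produced `$result`.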
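Review bot: Splitting testGoodAuthCode into testGoodAuthCodeClientPost (hunk @@ -144,10) only gives each request its own fixture code; no test asserts the behaviour the commit introduces, namely that a second POST with a code that was just consumed is rejected. A test that posts `'code' => 'f0c68d250bcc729eb780a235371a9a56'` twice in one method and asserts a non-200 status on the second response would pin it; the same gap applies to the refresh-token rotation in testGoodRefreshToken in RefreshTokenGrantTypeHandlerTest.php. The rest of testGoodAuthCodeClientPost lies outside the hunk.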
@@ -180,7 +183,7 @@ public function testGoodAuthCodeNoStoredRedirectUri()
 {
 $parameters = [
 'grant_type' => 'authorization_code',
- 'code' => '08fb55e26c84f8cb060b7803bc177af8',
+ 'code' => '08fb55e26c84f8cb060b7803bc177af9',
 'redirect_uri' => 'http://democlient4.com/redirect_uri',
 'client_id' => 'http://democlient4.com/',
 'client_secret' => 'demosecret4',
diff --git a/tests/GrantType/RefreshTokenGrantTypeHandlerTest.php b/tests/GrantType/RefreshTokenGrantTypeHandlerTest.php
index 5085591e..6f90a759 100644
--- a/tests/GrantType/RefreshTokenGrantTypeHandlerTest.php
+++ b/tests/GrantType/RefreshTokenGrantTypeHandlerTest.php
@@ -163,10 +163,13 @@ public function testGoodRefreshToken()
 $crawler = $client->request('POST', '/api/oauth2/token', $parameters, [], $server);
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 $this->assertNotNull(json_decode($client->getResponse()->getContent()));
+ }
+ public function testGoodRefreshTokenDefaultScope()
+ {
 $parameters = [
 'grant_type' => 'refresh_token',
- 'refresh_token' => '288b5ea8e75d2b24368a79ed5ed9593b',
+ 'refresh_token' => '288b5ea8e75d2b24368a79ed5ed9593c',
 ];
 $server = [
 'PHP_AUTH_USER' => 'http://democlient3.com/',
diff --git a/tests/TestBundle/DataFixtures/ORM/CodeFixture.php b/tests/TestBundle/DataFixtures/ORM/CodeFixture.php
index c658e9d0..d2f4a02d 100644
--- a/tests/TestBundle/DataFixtures/ORM/CodeFixture.php
+++ b/tests/TestBundle/DataFixtures/ORM/CodeFixture.php
@@ -31,6 +31,42 @@ public function load(ObjectManager $manager)
 ]);
 $manager->persist($model);
+ $model = new Code();
+ $model->setCode('f0c68d250bcc729eb780a235371a9a56')
+ ->setClientId('http://democlient2.com/')
+ ->setUsername('demousername2')
+ ->setRedirectUri('http://democlient2.com/redirect_uri')
+ ->setExpires(new \DateTime('+10 minutes'))
+ ->setScope([
+ 'demoscope1',
+ 'demoscope2',
+ ]);
+ $manager->persist($model);
+
+ $model = new Code();
+ $model->setCode('f0c68d250bcc729eb780a235371a9a57')
+ ->setClientId('http://democlient2.com/')
+ ->setUsername('demousername2')
+ ->setRedirectUri('http://democlient2.com/redirect_uri')
+ ->setExpires(new \DateTime('+10 minutes'))
+ ->setScope([
+ 'demoscope1',
+ 'demoscope2',
+ ]);
+ $manager->persist($model);
+
+ $model = new Code();
+ $model->setCode('f0c68d250bcc729eb780a235371a9a58')
+ ->setClientId('http://democlient2.com/')
+ ->setUsername('demousername2')
+ ->setRedirectUri('http://democlient2.com/redirect_uri')
+ ->setExpires(new \DateTime('+10 minutes'))
+ ->setScope([
+ 'demoscope1',
+ 'demoscope2',
+ ]);
+ $manager->persist($model);
+
 $model = new Code();
 $model->setCode('1e5aa97ddaf4b0228dfb4223010d4417')
 ->setClientId('http://democlient1.com/')
@@ -53,6 +89,17 @@ public function load(ObjectManager $manager)
 ]);
 $manager->persist($model);
+ $model = new Code();
+ $model->setCode('08fb55e26c84f8cb060b7803bc177af9')
+ ->setClientId('http://democlient4.com/')
+ ->setUsername('demousername4')
+ ->setRedirectUri('http://democlient4.com/redirect_uri')
+ ->setExpires(new \DateTime('+10 minutes'))
+ ->setScope([
+ 'demoscope1',
+ ]);
+ $manager->persist($model);
+
 $manager->flush();
 }
 }
diff --git a/tests/TestBundle/DataFixtures/ORM/RefreshTokenFixture.php b/tests/TestBundle/DataFixtures/ORM/RefreshTokenFixture.php
index 03ceb790..f1c52c0a 100644
--- a/tests/TestBundle/DataFixtures/ORM/RefreshTokenFixture.php
+++ b/tests/TestBundle/DataFixtures/ORM/RefreshTokenFixture.php
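Review bot: The three Code blocks added in hunk @@ -31,6 are identical except for the value passed to `setCode()`, and now that every single-use test needs its own code this list will keep growing; a `foreach` over the code strings that builds one `Code` per value would keep the fixture readable and make the one-code-per-test rule visible. A one-line comment above the loop, `// One code per test: codes are deleted on first use, so tests must not share them`, would also explain why the fixtures multiplied. This is style only; the mutable `\DateTime('+10 minutes')` expiry matches the existing fixture convention.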
@@ -52,6 +52,18 @@ public function load(ObjectManager $manager)
 ]);
 $manager->persist($model);
+ $model = new RefreshToken();
+ $model->setRefreshToken('288b5ea8e75d2b24368a79ed5ed9593c')
+ ->setClientId('http://democlient3.com/')
+ ->setUsername('demousername3')
+ ->setExpires(new \DateTime('+1 days'))
+ ->setScope([
+ 'demoscope1',
+ 'demoscope2',
+ 'demoscope3',
+ ]);
+ $manager->persist($model);
+
 $manager->flush();
 }
 }