1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
<?php
namespace OAuth2\GrantType;
use OAuth2\Storage\AuthorizationCodeInterface;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
use Exception;
/**
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class AuthorizationCode implements GrantTypeInterface
{
/**
* @var AuthorizationCodeInterface
*/
protected $storage;
/**
* @var array
*/
protected $authCode;
/**
* @param AuthorizationCodeInterface $storage - REQUIRED Storage class for retrieving authorization code information
*/
public function __construct(AuthorizationCodeInterface $storage)
{
$this->storage = $storage;
}
/**
* @return string
*/
public function getQueryStringIdentifier()
{
return 'authorization_code';
}
/**
* Validate the OAuth request
*
* @param RequestInterface $request
* @param ResponseInterface $response
* @return bool
* @throws Exception
*/
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
if (!$request->request('code')) {
$response->setError(400, 'invalid_request', 'Missing parameter: "code" is required');
return false;
}
$code = $request->request('code');
if (!$authCode = $this->storage->getAuthorizationCode($code)) {
$response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client');
return false;
}
/*
* 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request
* @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3
*/
if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) {
if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != urldecode($authCode['redirect_uri'])) {
$response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3");
return false;
}
}
if (!isset($authCode['expires'])) {
throw new \Exception('Storage must return authcode with a value for "expires"');
}
if ($authCode["expires"] < time()) {
$response->setError(400, 'invalid_grant', "The authorization code has expired");
return false;
}
if (!isset($authCode['code'])) {
$authCode['code'] = $code; // used to expire the code after the access token is granted
}
$this->authCode = $authCode;
return true;
}
/**
* Get the client id
*
* @return mixed
*/
public function getClientId()
{
return $this->authCode['client_id'];
}
/**
* Get the scope
*
* @return string
*/
public function getScope()
{
return isset($this->authCode['scope']) ? $this->authCode['scope'] : null;
}
/**
* Get the user id
*
* @return mixed
*/
public function getUserId()
{
return isset($this->authCode['user_id']) ? $this->authCode['user_id'] : null;
}
/**
* Create access token
*
* @param AccessTokenInterface $accessToken
* @param mixed $client_id - client identifier related to the access token.
* @param mixed $user_id - user id associated with the access token
* @param string $scope - scopes to be stored in space-separated string.
* @return array
*/
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
{
$token = $accessToken->createAccessToken($client_id, $user_id, $scope);
$this->storage->expireAuthorizationCode($this->authCode['code']);
return $token;
}
}
|
