diogo/indieauth
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Corrected some more type issues

Browse Source
This commit is contained in:
Barnaby Walters 2021-06-15 01:03:11 +02:00
parent 896f661a7f
commit 7a64366d56
2 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/Server.php
View File

@ -108,10 +108,13 @@ class Server {
protected LoggerInterface $logger; protected LoggerInterface $logger;
/** @var callable */
protected $httpGetWithEffectiveUrl; protected $httpGetWithEffectiveUrl;
/** @var callable */
protected $handleAuthenticationRequestCallback; protected $handleAuthenticationRequestCallback;
/** @var callable */
protected $handleNonIndieAuthRequest; protected $handleNonIndieAuthRequest;
protected string $exceptionTemplatePath; protected string $exceptionTemplatePath;
@ -397,7 +400,7 @@ class Server {
return new Response(200, [ return new Response(200, [
'content-type' => 'application/json', 'content-type' => 'application/json',
'cache-control' => 'no-store', 'cache-control' => 'no-store',
], json_encode(array_filter($tokenData, function ($k) { ], json_encode(array_filter($tokenData, function (string $k) {
// Prevent codes exchanged at the authorization endpoint from returning any information other than // Prevent codes exchanged at the authorization endpoint from returning any information other than
// me and profile. // me and profile.
return in_array($k, ['me', 'profile']); return in_array($k, ['me', 'profile']);
@ -438,7 +441,8 @@ class Server {
// How most errors are handled depends on whether or not the request has a valid redirect_uri. In // How most errors are handled depends on whether or not the request has a valid redirect_uri. In
// order to know that, we need to also validate, fetch and parse the client_id. // order to know that, we need to also validate, fetch and parse the client_id.
// If the request lacks a hash, or if the provided hash was invalid, perform the validation. // If the request lacks a hash, or if the provided hash was invalid, perform the validation.
if (!array_key_exists(self::HASH_QUERY_STRING_KEY, $queryParams) || !hash_equals(hashAuthorizationRequestParameters($request, $this->secret), $queryParams[self::HASH_QUERY_STRING_KEY])) { $currentRequestHash = hashAuthorizationRequestParameters($request, $this->secret);
if (is_null($currentRequestHash) or !hash_equals($currentRequestHash, $queryParams[self::HASH_QUERY_STRING_KEY])) {
// All we need to know at this stage is whether the redirect_uri is valid. If it // All we need to know at this stage is whether the redirect_uri is valid. If it
// sufficiently matches the client_id, we dont (yet) need to fetch the client_id. // sufficiently matches the client_id, we dont (yet) need to fetch the client_id.
if (!urlComponentsMatch($queryParams['client_id'], $queryParams['redirect_uri'], [PHP_URL_SCHEME, PHP_URL_HOST, PHP_URL_PORT])) { if (!urlComponentsMatch($queryParams['client_id'], $queryParams['redirect_uri'], [PHP_URL_SCHEME, PHP_URL_HOST, PHP_URL_PORT])) {
@ -557,7 +561,7 @@ class Server {
} }
$expectedHash = hashAuthorizationRequestParameters($request, $this->secret); $expectedHash = hashAuthorizationRequestParameters($request, $this->secret);
if (!hash_equals($expectedHash, $queryParams[self::HASH_QUERY_STRING_KEY])) { if (is_null($expectedHash) or !hash_equals($expectedHash, $queryParams[self::HASH_QUERY_STRING_KEY])) {
$this->logger->warning("The hash provided in the URL was invalid!", [ $this->logger->warning("The hash provided in the URL was invalid!", [
'expected' => $expectedHash, 'expected' => $expectedHash,
'actual' => $queryParams[self::HASH_QUERY_STRING_KEY] 'actual' => $queryParams[self::HASH_QUERY_STRING_KEY]
@ -754,7 +758,7 @@ class Server {
], json_encode(array_merge([ ], json_encode(array_merge([
// Ensure that the token_type key is present, if tokenStorage doesnt include it. // Ensure that the token_type key is present, if tokenStorage doesnt include it.
'token_type' => 'Bearer' 'token_type' => 'Bearer'
], array_filter($tokenData, function ($k) { ], array_filter($tokenData, function (string $k) {
// We should be able to trust the return data from tokenStorage, but theres no harm in // We should be able to trust the return data from tokenStorage, but theres no harm in
// preventing code_challenges from leaking, per OAuth2. // preventing code_challenges from leaking, per OAuth2.
return !in_array($k, ['code_challenge', 'code_challenge_method']); return !in_array($k, ['code_challenge', 'code_challenge_method']);

12
src/functions.php
View File

@ -46,7 +46,7 @@ function hashAuthorizationRequestParameters(ServerRequestInterface $request, str
$hashedParameters = $hashedParameters ?? ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method']; $hashedParameters = $hashedParameters ?? ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method'];
$algo = $algo ?? 'sha256'; $algo = $algo ?? 'sha256';
$queryParams = $request->getQueryParams() ?? []; $queryParams = $request->getQueryParams();
$data = ''; $data = '';
foreach ($hashedParameters as $key) { foreach ($hashedParameters as $key) {
if (!array_key_exists($key, $queryParams)) { if (!array_key_exists($key, $queryParams)) {
@ -57,25 +57,25 @@ function hashAuthorizationRequestParameters(ServerRequestInterface $request, str
return hash_hmac($algo, $data, $secret); return hash_hmac($algo, $data, $secret);
} }
function isIndieAuthAuthorizationCodeRedeemingRequest(ServerRequestInterface $request) { function isIndieAuthAuthorizationCodeRedeemingRequest(ServerRequestInterface $request): bool {
return strtolower($request->getMethod()) == 'post' return strtolower($request->getMethod()) == 'post'
&& array_key_exists('grant_type', $request->getParsedBody() ?? []) && array_key_exists('grant_type', $request->getParsedBody() ?? [])
&& $request->getParsedBody()['grant_type'] == 'authorization_code'; && $request->getParsedBody()['grant_type'] == 'authorization_code';
} }
function isIndieAuthAuthorizationRequest(ServerRequestInterface $request, $permittedMethods=['get']) { function isIndieAuthAuthorizationRequest(ServerRequestInterface $request, array $permittedMethods=['get']): bool {
return in_array(strtolower($request->getMethod()), array_map('strtolower', $permittedMethods)) return in_array(strtolower($request->getMethod()), array_map('strtolower', $permittedMethods))
&& array_key_exists('response_type', $request->getQueryParams() ?? []) && array_key_exists('response_type', $request->getQueryParams() ?? [])
&& $request->getQueryParams()['response_type'] == 'code'; && $request->getQueryParams()['response_type'] == 'code';
} }
function isAuthorizationApprovalRequest(ServerRequestInterface $request) { function isAuthorizationApprovalRequest(ServerRequestInterface $request): bool {
return strtolower($request->getMethod()) == 'post' return strtolower($request->getMethod()) == 'post'
&& array_key_exists('taproot_indieauth_action', $request->getParsedBody() ?? []) && array_key_exists('taproot_indieauth_action', $request->getParsedBody() ?? [])
&& $request->getParsedBody()[Server::APPROVE_ACTION_KEY] == Server::APPROVE_ACTION_VALUE; && $request->getParsedBody()[Server::APPROVE_ACTION_KEY] == Server::APPROVE_ACTION_VALUE;
} }
function buildQueryString(array $parameters) { function buildQueryString(array $parameters): string {
$qs = []; $qs = [];
foreach ($parameters as $k => $v) { foreach ($parameters as $k => $v) {
$qs[] = urlencode($k) . '=' . urlencode($v); $qs[] = urlencode($k) . '=' . urlencode($v);
@ -83,7 +83,7 @@ function buildQueryString(array $parameters) {
return join('&', $qs); return join('&', $qs);
} }
function urlComponentsMatch($url1, $url2, ?array $components=null): bool { function urlComponentsMatch(string $url1, string $url2, ?array $components=null): bool {
$validComponents = [PHP_URL_HOST, PHP_URL_PASS, PHP_URL_PATH, PHP_URL_PORT, PHP_URL_USER, PHP_URL_QUERY, PHP_URL_SCHEME, PHP_URL_FRAGMENT]; $validComponents = [PHP_URL_HOST, PHP_URL_PASS, PHP_URL_PATH, PHP_URL_PORT, PHP_URL_USER, PHP_URL_QUERY, PHP_URL_SCHEME, PHP_URL_FRAGMENT];
$components = $components ?? $validComponents; $components = $components ?? $validComponents;