Started implementing token exchange, tests

This commit is contained in:
Barnaby Walters 2021-06-10 18:23:21 +02:00
parent 9fc7299232
commit c3b4e5ec5b
3 changed files with 41 additions and 2 deletions

View File

@ -196,6 +196,14 @@ class Server {
} }
// Check that the supplied code_verifier hashes to the stored code_challenge // Check that the supplied code_verifier hashes to the stored code_challenge
// TODO: support method = plain as well as S256.
if (!hash_equals($token->getData()['code_challenge'], generatePKCECodeChallenge($bodyParams['code_verifier']))) {
$this->logger->error("The provided code_verifier did not hash to the stored code_challenge");
return new Response(400, ['content-type' => 'application/json'], json_encode([
'error' => 'invalid_grant',
'error_description' => 'The provided credentials were not valid.'
]));
}
// If everything checked out, return {"me": "https://example.com"} response // If everything checked out, return {"me": "https://example.com"} response
// (a response containing any additional information must contain a valid scope value, and // (a response containing any additional information must contain a valid scope value, and
@ -444,6 +452,37 @@ class Server {
'error_description' => 'The following required parameters were missing or empty: ' . join(', ', $missingRequiredParameters) 'error_description' => 'The following required parameters were missing or empty: ' . join(', ', $missingRequiredParameters)
])); ]));
} }
// Attempt to internally exchange the provided auth code for an access token.
$token = $this->tokenStorage->exchangeAuthCodeForAccessToken($bodyParams['code']);
if (is_null($token)) {
$this->logger->error('Attempting to exchange an auth code for a token resulted in null.', $bodyParams);
return new Response(400, ['content-type' => 'application/json'], json_encode([
'error' => 'invalid_grant',
'error_description' => 'The provided credentials were not valid.'
]));
}
// Verify that it was issued for the same client_id and redirect_uri
if ($token->getData()['client_id'] !== $bodyParams['client_id']
|| $token->getData()['redirect_uri'] !== $bodyParams['redirect_uri']) {
$this->logger->error("The provided client_id and/or redirect_uri did not match those stored in the token.");
return new Response(400, ['content-type' => 'application/json'], json_encode([
'error' => 'invalid_grant',
'error_description' => 'The provided credentials were not valid.'
]));
}
// Check that the supplied code_verifier hashes to the stored code_challenge
// TODO: support method = plain as well as S256.
if (!hash_equals($token->getData()['code_challenge'], generatePKCECodeChallenge($bodyParams['code_verifier']))) {
$this->logger->error("The provided code_verifier did not hash to the stored code_challenge");
return new Response(400, ['content-type' => 'application/json'], json_encode([
'error' => 'invalid_grant',
'error_description' => 'The provided credentials were not valid.'
]));
}
} }
return new Response(400, ['content-type' => 'application/json'], json_encode([ return new Response(400, ['content-type' => 'application/json'], json_encode([

View File

@ -86,7 +86,7 @@ class FilesystemJsonStorage implements TokenStorageInterface, LoggerAwareInterfa
if ($data['exchanged_at'] ?? false) { return null; } if ($data['exchanged_at'] ?? false) { return null; }
// Make sure the auth code isnt expired. // Make sure the auth code isnt expired.
if (($data['valid_until'] ?? 0) < time()) { return null; }echo 'h'; if (($data['valid_until'] ?? 0) < time()) { return null; }
// If the access token is valid, mark it as redeemed and set a new expiry time. // If the access token is valid, mark it as redeemed and set a new expiry time.
$data['exchanged_at'] = time(); $data['exchanged_at'] = time();

View File

@ -560,7 +560,7 @@ EOT
$authEndpointJson = json_decode((string) $authEndpointResponse->getBody(), true); $authEndpointJson = json_decode((string) $authEndpointResponse->getBody(), true);
$this->assertEquals('invalid_grant', $authEndpointJson['error']); $this->assertEquals('invalid_grant', $authEndpointJson['error']);
$tokenEndpointResponse = $s->handleAuthorizationEndpointRequest($req); $tokenEndpointResponse = $s->handleTokenEndpointRequest($req);
$this->assertEquals(400, $tokenEndpointResponse->getStatusCode()); $this->assertEquals(400, $tokenEndpointResponse->getStatusCode());
$tokenEndpointJson = json_decode((string) $tokenEndpointResponse->getBody(), true); $tokenEndpointJson = json_decode((string) $tokenEndpointResponse->getBody(), true);
$this->assertEquals('invalid_grant', $tokenEndpointJson['error']); $this->assertEquals('invalid_grant', $tokenEndpointJson['error']);