Compare commits
2 commits
f6346e3f25
...
31c54b966a
Author | SHA1 | Date | |
---|---|---|---|
31c54b966a | |||
1149341cc9 |
1 changed files with 74 additions and 13 deletions
|
@ -378,8 +378,20 @@ final class OAuth2Routes extends RouteHandler {
|
|||
return $info;
|
||||
}
|
||||
|
||||
#[HttpPost('/oauth2/authorise-device')]
|
||||
public function postAuthoriseDevice($response, $request) {
|
||||
#[HttpGet('/oauth2/device/verify')]
|
||||
public function getDeviceVerify() {
|
||||
return 'TODO: make this page';
|
||||
}
|
||||
|
||||
#[HttpPost('/oauth2/device/verify')]
|
||||
public function postDeviceVerify() {
|
||||
return [
|
||||
'TODO' => 'make this endpoint',
|
||||
];
|
||||
}
|
||||
|
||||
#[HttpPost('/oauth2/device/authorise')]
|
||||
public function postDeviceAuthorise($response, $request) {
|
||||
$response->setHeader('Cache-Control', 'no-store');
|
||||
|
||||
if(!$request->isFormContent()) {
|
||||
|
@ -396,9 +408,8 @@ final class OAuth2Routes extends RouteHandler {
|
|||
$clientSecret = $authzHeader[1] ?? '';
|
||||
} elseif($authzHeader[0] !== '') {
|
||||
$response->setStatusCode(401);
|
||||
$message = 'You must use the Basic method for Authorization parameters.';
|
||||
$response->setHeader('WWW-Authenticate', "Basic realm=\"{$message}\"");
|
||||
return self::error('invalid_client', $message);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
return self::error('invalid_client', 'You must use the Basic method for Authorization parameters.');
|
||||
} else {
|
||||
$clientId = (string)$content->getParam('client_id');
|
||||
$clientSecret = '';
|
||||
|
@ -408,15 +419,22 @@ final class OAuth2Routes extends RouteHandler {
|
|||
try {
|
||||
$appInfo = $appsData->getAppInfo(clientId: $clientId, deleted: false);
|
||||
} catch(RuntimeException $ex) {
|
||||
$response->setStatusCode(400);
|
||||
return self::error('invalid_client', 'No application has been registered with this client id.');
|
||||
if($authzHeader[0] === '') {
|
||||
$response->setStatusCode(400);
|
||||
} else {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
}
|
||||
|
||||
return self::error('invalid_client', 'No application has been registered with this client ID.');
|
||||
}
|
||||
|
||||
$appAuthenticated = false;
|
||||
if($clientSecret !== '') {
|
||||
// TODO: rate limiting
|
||||
if(!$appInfo->verifyClientSecret($clientSecret)) {
|
||||
$response->setStatusCode(400);
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
return self::error('invalid_client', 'Provided client secret is not correct for this application.');
|
||||
}
|
||||
}
|
||||
|
@ -492,9 +510,8 @@ final class OAuth2Routes extends RouteHandler {
|
|||
$clientSecret = $authzHeader[1] ?? '';
|
||||
} elseif($authzHeader[0] !== '') {
|
||||
$response->setStatusCode(401);
|
||||
$message = 'You must either use the Basic method for Authorization or use the client_id and client_secret parameters.';
|
||||
$response->setHeader('WWW-Authenticate', "Basic realm=\"{$message}\"");
|
||||
return self::error('invalid_client', $message);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
return self::error('invalid_client', 'You must either use the Basic method for Authorization or use the client_id and client_secret parameters.');
|
||||
} else {
|
||||
$clientId = (string)$content->getParam('client_id');
|
||||
$clientSecret = (string)$content->getParam('client_secret');
|
||||
|
@ -504,7 +521,13 @@ final class OAuth2Routes extends RouteHandler {
|
|||
try {
|
||||
$appInfo = $appsData->getAppInfo(clientId: $clientId, deleted: false);
|
||||
} catch(RuntimeException $ex) {
|
||||
$response->setStatusCode(400);
|
||||
if($authzHeader[0] === '') {
|
||||
$response->setStatusCode(400);
|
||||
} else {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
}
|
||||
|
||||
return self::error('invalid_client', 'No application has been registered with this client id.');
|
||||
}
|
||||
|
||||
|
@ -513,7 +536,13 @@ final class OAuth2Routes extends RouteHandler {
|
|||
// TODO: rate limiting
|
||||
$appAuthenticated = $appInfo->verifyClientSecret($clientSecret);
|
||||
if(!$appAuthenticated) {
|
||||
$response->setStatusCode(400);
|
||||
if($authzHeader[0] === '') {
|
||||
$response->setStatusCode(400);
|
||||
} else {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Basic');
|
||||
}
|
||||
|
||||
return self::error('invalid_client', 'Provided client secret is not correct for this application.');
|
||||
}
|
||||
}
|
||||
|
@ -724,4 +753,36 @@ final class OAuth2Routes extends RouteHandler {
|
|||
|
||||
return $result;
|
||||
}
|
||||
|
||||
// this is a temporary endpoint so i can actually use access tokens for something already
|
||||
#[HttpGet('/oauth2/check_token_do_not_rely_on_this_existing_in_a_year')]
|
||||
public function postIntrospect($response, $request) {
|
||||
$authzHeader = explode(' ', (string)$request->getHeaderLine('Authorization'));
|
||||
if($authzHeader[0] !== 'Bearer' || count($authzHeader) < 2) {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Bearer');
|
||||
return ['success' => false];
|
||||
}
|
||||
|
||||
try {
|
||||
$tokenInfo = $this->oauth2Ctx->getTokensData()->getAccessInfo($authzHeader[1], OAuth2TokensData::ACCESS_BY_TOKEN);
|
||||
} catch(RuntimeException $ex) {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Bearer');
|
||||
return ['success' => false];
|
||||
}
|
||||
|
||||
if($tokenInfo->hasExpired()) {
|
||||
$response->setStatusCode(401);
|
||||
$response->setHeader('WWW-Authenticate', 'Bearer');
|
||||
return ['success' => false];
|
||||
}
|
||||
|
||||
return [
|
||||
'success' => true,
|
||||
'user_id' => $tokenInfo->getUserId(),
|
||||
'scope' => $tokenInfo->getScopes(),
|
||||
'expires_in' => $tokenInfo->getRemainingLifetime(),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
|
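Review bot: The three 401 responses in postIntrospect all set 'WWW-Authenticate' to the bare value 'Bearer', so a caller cannot tell a missing header from an unknown or expired token; RFC 6750 §3.1 reserves the bare `Bearer` challenge for requests that carry no token and expects `error="invalid_token"` once a token was presented and rejected. In the catch block and in the hasExpired() branch use `$response->setHeader('WWW-Authenticate', 'Bearer error="invalid_token"');` and keep the bare form only for the first check. Separately, `$authzHeader[0] !== 'Bearer'` is a case-sensitive comparison while the authentication scheme token is case-insensitive per RFC 7235 §2.1, so `strcasecmp($authzHeader[0], 'Bearer') !== 0` would be the more tolerant check. The method is named postIntrospect but routed with #[HttpGet], which is likely to mislead readers of the route table. The hunk at @ -408 changes the not-found message to 'client ID.' while the parallel catch at @ -504 keeps 'client id.'; the two endpoints should agree.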