Upgrade to league/oauth2-server 8.0

matt-allan · matt-allan · commit 97e3026790d9 · 2019-07-17T15:36:44.000-04:00
diff --git a/composer.json b/composer.json
@@ -26,7 +26,7 @@
         "illuminate/encryption": "~5.8.0|~5.9.0",
         "illuminate/http": "~5.8.0|~5.9.0",
         "illuminate/support": "~5.8.0|~5.9.0",
-        "league/oauth2-server": "^7.0",
+        "league/oauth2-server": "^8.0",
         "phpseclib/phpseclib": "^2.0",
         "symfony/psr-http-message-bridge": "^1.0",
         "zendframework/zend-diactoros": "^2.0"
diff --git a/src/Bridge/AccessToken.php b/src/Bridge/AccessToken.php
@@ -3,6 +3,7 @@
 namespace Laravel\Passport\Bridge;
 
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
 use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
@@ -16,14 +17,17 @@ class AccessToken implements AccessTokenEntityInterface
      *
      * @param  string  $userIdentifier
      * @param  array  $scopes
+     * @param  ClientEntityInterface $client
      * @return void
      */
-    public function __construct($userIdentifier, array $scopes = [])
+    public function __construct($userIdentifier, array $scopes, ClientEntityInterface $client)
     {
         $this->setUserIdentifier($userIdentifier);
 
         foreach ($scopes as $scope) {
             $this->addScope($scope);
         }
+
+        $this->setClient($client);
     }
 }
diff --git a/src/Bridge/AccessTokenRepository.php b/src/Bridge/AccessTokenRepository.php
@@ -45,7 +45,7 @@ public function __construct(TokenRepository $tokenRepository, Dispatcher $events
      */
     public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
     {
-        return new AccessToken($userIdentifier, $scopes);
+        return new AccessToken($userIdentifier, $scopes, $clientEntity);
     }
 
     /**
diff --git a/src/Bridge/Client.php b/src/Bridge/Client.php
@@ -16,13 +16,15 @@ class Client implements ClientEntityInterface
      * @param  string  $identifier
      * @param  string  $name
      * @param  string  $redirectUri
+     * @param  bool    $isConfidential
      * @return void
      */
-    public function __construct($identifier, $name, $redirectUri)
+    public function __construct($identifier, $name, $redirectUri, $isConfidential = false)
     {
         $this->setIdentifier((string) $identifier);
 
         $this->name = $name;
         $this->redirectUri = explode(',', $redirectUri);
+        $this->isConfidential = $isConfidential;
     }
 }
diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php
@@ -28,31 +28,32 @@ public function __construct(ClientModelRepository $clients)
     /**
      * {@inheritdoc}
      */
-    public function getClientEntity($clientIdentifier, $grantType = null,
-                                    $clientSecret = null, $mustValidateSecret = true)
+    public function getClientEntity($clientIdentifier)
     {
-        // First, we will verify that the client exists and is authorized to create personal
-        // access tokens. Generally personal access tokens are only generated by the user
-        // from the main interface. We'll only let certain clients generate the tokens.
         $record = $this->clients->findActive($clientIdentifier);
 
-        if (! $record || ! $this->handlesGrant($record, $grantType)) {
+        if (! $record) {
             return;
         }
 
-        // Once we have an existing client record we will create this actual client instance
-        // and verify the secret if necessary. If the secret is valid we will be ready to
-        // return this client instance back out to the consuming methods and finish up.
-        $client = new Client(
-            $clientIdentifier, $record->name, $record->redirect
+        return new Client(
+            $clientIdentifier, $record->name, $record->redirect, ! is_null($record->secret)
         );
+    }
 
-        if ($mustValidateSecret &&
-            ! hash_equals($record->secret, (string) $clientSecret)) {
-            return;
+    public function validateClient($clientIdentifier, $clientSecret, $grantType)
+    {
+        // First, we will verify that the client exists and is authorized to create personal
+        // access tokens. Generally personal access tokens are only generated by the user
+        // from the main interface. We'll only let certain clients generate the tokens.
+        $record = $this->clients->findActive($clientIdentifier);
+
+        if (! $record || ! $this->handlesGrant($record, $grantType)) {
+            return false;
         }
 
-        return $client;
+        // Once we have an existing client record we will verify the secret.
+        return hash_equals($record->secret, (string) $clientSecret);
     }
 
     /**
diff --git a/tests/BridgeAccessTokenRepositoryTest.php b/tests/BridgeAccessTokenRepositoryTest.php
@@ -3,7 +3,7 @@
 namespace Laravel\Passport\Tests;
 
 use Mockery as m;
-use Carbon\Carbon;
+use Carbon\CarbonImmutable;
 use PHPUnit\Framework\TestCase;
 use Laravel\Passport\Bridge\Scope;
 use Laravel\Passport\Bridge\Client;
@@ -21,7 +21,7 @@ public function tearDown()
 
     public function test_access_tokens_can_be_persisted()
     {
-        $expiration = Carbon::now();
+        $expiration = CarbonImmutable::now();
 
         $tokenRepository = m::mock(TokenRepository::class);
         $events = m::mock(Dispatcher::class);
@@ -39,13 +39,29 @@ public function test_access_tokens_can_be_persisted()
 
         $events->shouldReceive('dispatch')->once();
 
-        $accessToken = new AccessToken(2, [new Scope('scopes')]);
+        $accessToken = new AccessToken(2, [new Scope('scopes')], new Client('client-id', 'name', 'redirect'));
         $accessToken->setIdentifier(1);
         $accessToken->setExpiryDateTime($expiration);
-        $accessToken->setClient(new Client('client-id', 'name', 'redirect'));
 
         $repository = new AccessTokenRepository($tokenRepository, $events);
 
         $repository->persistNewAccessToken($accessToken);
     }
+
+    public function test_can_get_new_access_token()
+    {
+        $tokenRepository = m::mock(TokenRepository::class);
+        $events = m::mock(Dispatcher::class);
+        $repository = new AccessTokenRepository($tokenRepository, $events);
+        $client = new Client('client-id', 'name', 'redirect');
+        $scopes = [new Scope('place-orders'), new Scope('check-status')];
+        $userIdentifier = 123;
+
+        $token = $repository->getNewToken($client, $scopes, $userIdentifier);
+
+        $this->assertInstanceOf(AccessToken::class, $token);
+        $this->assertEquals($client, $token->getClient());
+        $this->assertEquals($scopes, $token->getScopes());
+        $this->assertEquals($userIdentifier, $token->getUserIdentifier());
+    }
 }
diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php
@@ -38,93 +38,100 @@ public function tearDown()
         unset($this->clientModelRepository, $this->repository);
     }
 
-    public function test_can_get_client_for_auth_code_grant()
+    public function test_can_get_client()
     {
-        $client = $this->repository->getClientEntity(1, 'authorization_code', 'secret', true);
+        $client = $this->repository->getClientEntity(1);
 
         $this->assertInstanceOf(Client::class, $client);
-        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'wrong-secret', true));
-        $this->assertNull($this->repository->getClientEntity(1, 'client_credentials', 'wrong-secret', true));
+        $this->assertEquals('1', $client->getIdentifier());
+        $this->assertEquals('Client', $client->getName());
+        $this->assertEquals(['http://localhost'], $client->getRedirectUri());
+        $this->assertTrue($client->isConfidential());
     }
 
-    public function test_can_get_client_for_client_credentials_grant()
+    public function test_can_validate_client_for_auth_code_grant()
+    {
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'authorization_code'));
+        $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'authorization_code'));
+        $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'client_credentials'));
+    }
+
+    public function test_can_validate_client_for_client_credentials_grant()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->personal_access_client = true;
 
-        $this->assertInstanceOf(
-            Client::class,
-            $this->repository->getClientEntity(1, 'client_credentials', 'secret', true)
-        );
-        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret', true));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));
+        $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'client_credentials'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));
     }
 
     public function test_password_grant_is_permitted()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->password_client = true;
 
-        $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'password', 'secret'));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'password'));
     }
 
     public function test_password_grant_is_prevented()
     {
-        $this->assertNull($this->repository->getClientEntity(1, 'password', 'secret'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'password'));
     }
 
     public function test_authorization_code_grant_is_permitted()
     {
-        $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'authorization_code', 'secret'));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'authorization_code'));
     }
 
     public function test_authorization_code_grant_is_prevented()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->password_client = true;
 
-        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));
     }
 
     public function test_personal_access_grant_is_permitted()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->personal_access_client = true;
 
-        $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'personal_access', 'secret'));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'personal_access'));
     }
 
     public function test_personal_access_grant_is_prevented()
     {
-        $this->assertNull($this->repository->getClientEntity(1, 'personal_access', 'secret'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'personal_access'));
     }
 
     public function test_client_credentials_grant_is_permitted()
     {
-        $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'client_credentials', 'secret'));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));
     }
 
     public function test_client_credentials_grant_is_prevented()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->secret = null;
 
-        $this->assertNull($this->repository->getClientEntity(1, 'client_credentials', 'secret'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'client_credentials'));
     }
 
     public function test_grant_types_allows_request()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->grant_types = ['client_credentials'];
 
-        $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'client_credentials', 'secret'));
+        $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));
     }
 
     public function test_grant_types_disallows_request()
     {
         $client = $this->clientModelRepository->findActive(1);
         $client->grant_types = ['client_credentials'];
 
-        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret'));
+        $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`namespace Laravel\Passport\Bridge;`
`4`	`4`
`5`	`5`	`use League\OAuth2\Server\Entities\Traits\EntityTrait;`
	`6`	`+use League\OAuth2\Server\Entities\ClientEntityInterface;`
`6`	`7`	`use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;`
`7`	`8`	`use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;`
`8`	`9`	`use League\OAuth2\Server\Entities\AccessTokenEntityInterface;`
`@@ -16,14 +17,17 @@ class AccessToken implements AccessTokenEntityInterface`
`16`	`17`	`*`
`17`	`18`	`* @param string $userIdentifier`
`18`	`19`	`* @param array $scopes`
	`20`	`+ * @param ClientEntityInterface $client`
`19`	`21`	`* @return void`
`20`	`22`	`*/`
`21`		`- public function __construct($userIdentifier, array $scopes = [])`
	`23`	`+ public function __construct($userIdentifier, array $scopes, ClientEntityInterface $client)`
`22`	`24`	`{`
`23`	`25`	`$this->setUserIdentifier($userIdentifier);`
`24`	`26`
`25`	`27`	`foreach ($scopes as $scope) {`
`26`	`28`	`$this->addScope($scope);`
`27`	`29`	`}`
	`30`	`+`
	`31`	`+ $this->setClient($client);`
`28`	`32`	`}`
`29`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ public function __construct(TokenRepository $tokenRepository, Dispatcher $events`
`45`	`45`	`*/`
`46`	`46`	`public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)`
`47`	`47`	`{`
`48`		`- return new AccessToken($userIdentifier, $scopes);`
	`48`	`+ return new AccessToken($userIdentifier, $scopes, $clientEntity);`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -16,13 +16,15 @@ class Client implements ClientEntityInterface`
`16`	`16`	`* @param string $identifier`
`17`	`17`	`* @param string $name`
`18`	`18`	`* @param string $redirectUri`
	`19`	`+ * @param bool $isConfidential`
`19`	`20`	`* @return void`
`20`	`21`	`*/`
`21`		`- public function __construct($identifier, $name, $redirectUri)`
	`22`	`+ public function __construct($identifier, $name, $redirectUri, $isConfidential = false)`
`22`	`23`	`{`
`23`	`24`	`$this->setIdentifier((string) $identifier);`
`24`	`25`
`25`	`26`	`$this->name = $name;`
`26`	`27`	`$this->redirectUri = explode(',', $redirectUri);`
	`28`	`+ $this->isConfidential = $isConfidential;`
`27`	`29`	`}`
`28`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,93 +38,100 @@ public function tearDown()`
`38`	`38`	`unset($this->clientModelRepository, $this->repository);`
`39`	`39`	`}`
`40`	`40`
`41`		`- public function test_can_get_client_for_auth_code_grant()`
	`41`	`+ public function test_can_get_client()`
`42`	`42`	`{`
`43`		`- $client = $this->repository->getClientEntity(1, 'authorization_code', 'secret', true);`
	`43`	`+ $client = $this->repository->getClientEntity(1);`
`44`	`44`
`45`	`45`	`$this->assertInstanceOf(Client::class, $client);`
`46`		`- $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'wrong-secret', true));`
`47`		`- $this->assertNull($this->repository->getClientEntity(1, 'client_credentials', 'wrong-secret', true));`
	`46`	`+ $this->assertEquals('1', $client->getIdentifier());`
	`47`	`+ $this->assertEquals('Client', $client->getName());`
	`48`	`+ $this->assertEquals(['http://localhost'], $client->getRedirectUri());`
	`49`	`+ $this->assertTrue($client->isConfidential());`
`48`	`50`	`}`
`49`	`51`
`50`		`- public function test_can_get_client_for_client_credentials_grant()`
	`52`	`+ public function test_can_validate_client_for_auth_code_grant()`
	`53`	`+ {`
	`54`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'authorization_code'));`
	`55`	`+ $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'authorization_code'));`
	`56`	`+ $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'client_credentials'));`
	`57`	`+ }`
	`58`	`+`
	`59`	`+ public function test_can_validate_client_for_client_credentials_grant()`
`51`	`60`	`{`
`52`	`61`	`$client = $this->clientModelRepository->findActive(1);`
`53`	`62`	`$client->personal_access_client = true;`
`54`	`63`
`55`		`- $this->assertInstanceOf(`
`56`		`- Client::class,`
`57`		`- $this->repository->getClientEntity(1, 'client_credentials', 'secret', true)`
`58`		`- );`
`59`		`- $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret', true));`
	`64`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));`
	`65`	`+ $this->assertFalse($this->repository->validateClient(1, 'wrong-secret', 'client_credentials'));`
	`66`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));`
`60`	`67`	`}`
`61`	`68`
`62`	`69`	`public function test_password_grant_is_permitted()`
`63`	`70`	`{`
`64`	`71`	`$client = $this->clientModelRepository->findActive(1);`
`65`	`72`	`$client->password_client = true;`
`66`	`73`
`67`		`- $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'password', 'secret'));`
	`74`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'password'));`
`68`	`75`	`}`
`69`	`76`
`70`	`77`	`public function test_password_grant_is_prevented()`
`71`	`78`	`{`
`72`		`- $this->assertNull($this->repository->getClientEntity(1, 'password', 'secret'));`
	`79`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'password'));`
`73`	`80`	`}`
`74`	`81`
`75`	`82`	`public function test_authorization_code_grant_is_permitted()`
`76`	`83`	`{`
`77`		`- $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'authorization_code', 'secret'));`
	`84`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'authorization_code'));`
`78`	`85`	`}`
`79`	`86`
`80`	`87`	`public function test_authorization_code_grant_is_prevented()`
`81`	`88`	`{`
`82`	`89`	`$client = $this->clientModelRepository->findActive(1);`
`83`	`90`	`$client->password_client = true;`
`84`	`91`
`85`		`- $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret'));`
	`92`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));`
`86`	`93`	`}`
`87`	`94`
`88`	`95`	`public function test_personal_access_grant_is_permitted()`
`89`	`96`	`{`
`90`	`97`	`$client = $this->clientModelRepository->findActive(1);`
`91`	`98`	`$client->personal_access_client = true;`
`92`	`99`
`93`		`- $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'personal_access', 'secret'));`
	`100`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'personal_access'));`
`94`	`101`	`}`
`95`	`102`
`96`	`103`	`public function test_personal_access_grant_is_prevented()`
`97`	`104`	`{`
`98`		`- $this->assertNull($this->repository->getClientEntity(1, 'personal_access', 'secret'));`
	`105`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'personal_access'));`
`99`	`106`	`}`
`100`	`107`
`101`	`108`	`public function test_client_credentials_grant_is_permitted()`
`102`	`109`	`{`
`103`		`- $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'client_credentials', 'secret'));`
	`110`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));`
`104`	`111`	`}`
`105`	`112`
`106`	`113`	`public function test_client_credentials_grant_is_prevented()`
`107`	`114`	`{`
`108`	`115`	`$client = $this->clientModelRepository->findActive(1);`
`109`	`116`	`$client->secret = null;`
`110`	`117`
`111`		`- $this->assertNull($this->repository->getClientEntity(1, 'client_credentials', 'secret'));`
	`118`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'client_credentials'));`
`112`	`119`	`}`
`113`	`120`
`114`	`121`	`public function test_grant_types_allows_request()`
`115`	`122`	`{`
`116`	`123`	`$client = $this->clientModelRepository->findActive(1);`
`117`	`124`	`$client->grant_types = ['client_credentials'];`
`118`	`125`
`119`		`- $this->assertInstanceOf(Client::class, $this->repository->getClientEntity(1, 'client_credentials', 'secret'));`
	`126`	`+ $this->assertTrue($this->repository->validateClient(1, 'secret', 'client_credentials'));`
`120`	`127`	`}`
`121`	`128`
`122`	`129`	`public function test_grant_types_disallows_request()`
`123`	`130`	`{`
`124`	`131`	`$client = $this->clientModelRepository->findActive(1);`
`125`	`132`	`$client->grant_types = ['client_credentials'];`
`126`	`133`
`127`		`- $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret'));`
	`134`	`+ $this->assertFalse($this->repository->validateClient(1, 'secret', 'authorization_code'));`
`128`	`135`	`}`
`129`	`136`	`}`
`130`	`137`