diff --git a/lib/REST/Microsub/Auth.php b/lib/REST/Microsub/Auth.php index b1139f59..770af6a0 100644 --- a/lib/REST/Microsub/Auth.php +++ b/lib/REST/Microsub/Auth.php @@ -21,7 +21,7 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler { const FUNCTIONS = [ 'discovery' => ['GET' => "opDiscovery"], 'login' => ['GET' => "opLogin", 'POST' => "opCodeVerification"], - 'issue' => ['POST' => "opIssue"], + 'issue' => ['GET' => "opTokenVerification", 'POST' => "opIssueAccessToken"], ]; public function __construct() { @@ -176,12 +176,14 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler { // check that the token exists $token = Arsse::$db->tokenLookup("microsub.auth", $code); if (!$token) { - throw new ExceptionAuth("unsupported_grant_type"); + throw new ExceptionAuth("invalid_grant"); } $data = @json_decode($token['data'], true); // validate the token - if ($token['user'] !== $user || !is_array($data) || $data['id'] !== $id || $data['url'] !== $url) { - throw new ExceptionAuth("unsupported_grant_type"); + if ($token['user'] !== $user || !is_array($data)) { + throw new ExceptionAuth("invalid_grant"); + } elseif ($data['id'] !== $id || $data['url'] !== $url) { + throw new ExceptionAuth("invalid_client"); } else { $out = ['me' => $this->buildIdentifier($req)]; if ($data['type'] === "code") { @@ -191,7 +193,31 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler { } } - protected function opIssue(string $user, ServerRequestInterface $req): ResponseInterface { + protected function opIssueAccessToken(string $user, ServerRequestInterface $req): ResponseInterface { $post = $req->getParsedBody(); + $type = $post['grant_type'] ?? ""; + $me = $post['me'] ?? ""; + if ($type !== "authorization_code") { + throw new ExceptionAuth("unsupported_grant_type"); + } elseif ($this->buildIdentifier($req) !== $me) { + throw new ExceptionAuth("invalid_grant"); + } else { + $out = $this->opCodeVerification($user, $req)->getPayload(); + if (!isset($out['scope'])) { + throw new ExceptionAuth("invalid_scope"); + } + // issue an access token + $tr = Arsse::$db->begin(); + $token = Arsse::$db->tokenCreate($user, "microsub.access"); + Arsse::$db->tokenRevoke($user, "microsub.auth", $post['code']); + $tr->commit(); + $out['access_token'] = $token; + $out['token_type'] = "Bearer"; + return new JsonResponse($out); + } + } + + protected function opTokenVerification(string $user, ServerRequestInterface $req): ResponseInterface { + } }