From a81f2897c8c27033709121082ae4f4dc19b0939b Mon Sep 17 00:00:00 2001
From: "J. King" <jking@jkingweb.ca>
Date: Sat, 14 Sep 2019 23:05:30 -0400
Subject: [PATCH] Basic token issuance

The auth code verification should be refactored out for efficiency and
accuracy so that a client ID may be easily associated with a token.
---
 lib/REST/Microsub/Auth.php | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/lib/REST/Microsub/Auth.php b/lib/REST/Microsub/Auth.php
index b1139f59..770af6a0 100644
--- a/lib/REST/Microsub/Auth.php
+++ b/lib/REST/Microsub/Auth.php
@@ -21,7 +21,7 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
     const FUNCTIONS = [
         'discovery' => ['GET' => "opDiscovery"],
         'login'     => ['GET' => "opLogin", 'POST' => "opCodeVerification"],
-        'issue'     => ['POST' => "opIssue"],
+        'issue'     => ['GET' => "opTokenVerification", 'POST' => "opIssueAccessToken"],
     ];
 
     public function __construct() {
@@ -176,12 +176,14 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
         // check that the token exists
         $token = Arsse::$db->tokenLookup("microsub.auth", $code);
         if (!$token) {
-            throw new ExceptionAuth("unsupported_grant_type");
+            throw new ExceptionAuth("invalid_grant");
         }
         $data = @json_decode($token['data'], true);
         // validate the token
-        if ($token['user'] !== $user || !is_array($data) || $data['id'] !== $id || $data['url'] !== $url) {
-            throw new ExceptionAuth("unsupported_grant_type");
+        if ($token['user'] !== $user || !is_array($data)) {
+            throw new ExceptionAuth("invalid_grant");
+        } elseif ($data['id'] !== $id || $data['url'] !== $url) {
+            throw new ExceptionAuth("invalid_client");
         } else {
             $out = ['me' => $this->buildIdentifier($req)];
             if ($data['type'] === "code") {
@@ -191,7 +193,31 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
         }
     }
 
-    protected function opIssue(string $user, ServerRequestInterface $req): ResponseInterface {
+    protected function opIssueAccessToken(string $user, ServerRequestInterface $req): ResponseInterface {
         $post = $req->getParsedBody();
+        $type = $post['grant_type'] ?? "";
+        $me = $post['me'] ?? "";
+        if ($type !== "authorization_code") {
+            throw new ExceptionAuth("unsupported_grant_type");
+        } elseif ($this->buildIdentifier($req) !== $me) {
+            throw new ExceptionAuth("invalid_grant");
+        } else {
+            $out = $this->opCodeVerification($user, $req)->getPayload();
+            if (!isset($out['scope'])) {
+                throw new ExceptionAuth("invalid_scope");
+            }
+            // issue an access token
+            $tr = Arsse::$db->begin();
+            $token = Arsse::$db->tokenCreate($user, "microsub.access");
+            Arsse::$db->tokenRevoke($user, "microsub.auth", $post['code']);
+            $tr->commit();
+            $out['access_token'] = $token;
+            $out['token_type'] = "Bearer";
+            return new JsonResponse($out);
+        }
+    }
+
+    protected function opTokenVerification(string $user, ServerRequestInterface $req): ResponseInterface {
+        
     }
 }