mirror of
https://code.mensbeam.com/MensBeam/Arsse.git
synced 2025-01-24 20:10:34 +00:00
Basic token issuance
The auth code verification should be refactored out for efficiency and accuracy so that a client ID may be easily associated with a token.
This commit is contained in:
parent
c814ce1791
commit
a81f2897c8
1 changed files with 31 additions and 5 deletions
|
@ -21,7 +21,7 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
const FUNCTIONS = [
|
const FUNCTIONS = [
|
||||||
'discovery' => ['GET' => "opDiscovery"],
|
'discovery' => ['GET' => "opDiscovery"],
|
||||||
'login' => ['GET' => "opLogin", 'POST' => "opCodeVerification"],
|
'login' => ['GET' => "opLogin", 'POST' => "opCodeVerification"],
|
||||||
'issue' => ['POST' => "opIssue"],
|
'issue' => ['GET' => "opTokenVerification", 'POST' => "opIssueAccessToken"],
|
||||||
];
|
];
|
||||||
|
|
||||||
public function __construct() {
|
public function __construct() {
|
||||||
|
@ -176,12 +176,14 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
// check that the token exists
|
// check that the token exists
|
||||||
$token = Arsse::$db->tokenLookup("microsub.auth", $code);
|
$token = Arsse::$db->tokenLookup("microsub.auth", $code);
|
||||||
if (!$token) {
|
if (!$token) {
|
||||||
throw new ExceptionAuth("unsupported_grant_type");
|
throw new ExceptionAuth("invalid_grant");
|
||||||
}
|
}
|
||||||
$data = @json_decode($token['data'], true);
|
$data = @json_decode($token['data'], true);
|
||||||
// validate the token
|
// validate the token
|
||||||
if ($token['user'] !== $user || !is_array($data) || $data['id'] !== $id || $data['url'] !== $url) {
|
if ($token['user'] !== $user || !is_array($data)) {
|
||||||
throw new ExceptionAuth("unsupported_grant_type");
|
throw new ExceptionAuth("invalid_grant");
|
||||||
|
} elseif ($data['id'] !== $id || $data['url'] !== $url) {
|
||||||
|
throw new ExceptionAuth("invalid_client");
|
||||||
} else {
|
} else {
|
||||||
$out = ['me' => $this->buildIdentifier($req)];
|
$out = ['me' => $this->buildIdentifier($req)];
|
||||||
if ($data['type'] === "code") {
|
if ($data['type'] === "code") {
|
||||||
|
@ -191,7 +193,31 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function opIssue(string $user, ServerRequestInterface $req): ResponseInterface {
|
protected function opIssueAccessToken(string $user, ServerRequestInterface $req): ResponseInterface {
|
||||||
$post = $req->getParsedBody();
|
$post = $req->getParsedBody();
|
||||||
|
$type = $post['grant_type'] ?? "";
|
||||||
|
$me = $post['me'] ?? "";
|
||||||
|
if ($type !== "authorization_code") {
|
||||||
|
throw new ExceptionAuth("unsupported_grant_type");
|
||||||
|
} elseif ($this->buildIdentifier($req) !== $me) {
|
||||||
|
throw new ExceptionAuth("invalid_grant");
|
||||||
|
} else {
|
||||||
|
$out = $this->opCodeVerification($user, $req)->getPayload();
|
||||||
|
if (!isset($out['scope'])) {
|
||||||
|
throw new ExceptionAuth("invalid_scope");
|
||||||
|
}
|
||||||
|
// issue an access token
|
||||||
|
$tr = Arsse::$db->begin();
|
||||||
|
$token = Arsse::$db->tokenCreate($user, "microsub.access");
|
||||||
|
Arsse::$db->tokenRevoke($user, "microsub.auth", $post['code']);
|
||||||
|
$tr->commit();
|
||||||
|
$out['access_token'] = $token;
|
||||||
|
$out['token_type'] = "Bearer";
|
||||||
|
return new JsonResponse($out);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function opTokenVerification(string $user, ServerRequestInterface $req): ResponseInterface {
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue