Differential D15593 Diff 37613 src/applications/oauthserver/PhabricatorOAuthServer.php

Changeset View

Standalone View

src/applications/oauthserver/PhabricatorOAuthServer.php

Show All 23 Lines
* generating @{class:PhabricatorOAuthServerAuthorizationCode}s		* generating @{class:PhabricatorOAuthServerAuthorizationCode}s
* @task token Validating @{class:PhabricatorOAuthServerAuthorizationCode}s		* @task token Validating @{class:PhabricatorOAuthServerAuthorizationCode}s
* and generating @{class:PhabricatorOAuthServerAccessToken}s		* and generating @{class:PhabricatorOAuthServerAccessToken}s
* @task internal Internals		* @task internal Internals
*/		*/
final class PhabricatorOAuthServer extends Phobject {		final class PhabricatorOAuthServer extends Phobject {

const AUTHORIZATION_CODE_TIMEOUT = 300;		const AUTHORIZATION_CODE_TIMEOUT = 300;
const ACCESS_TOKEN_TIMEOUT = 3600;

private $user;		private $user;
private $client;		private $client;

private function getUser() {		private function getUser() {
if (!$this->user) {		if (!$this->user) {
throw new PhutilInvalidStateException('setUser');		throw new PhutilInvalidStateException('setUser');
}		}
▲ Show 20 Lines • Show All 112 Lines • ▼ Show 20 Lines	public function validateAuthorizationCode(
$created_time = $test_code->getDateCreated();		$created_time = $test_code->getDateCreated();
$must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT;		$must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT;
return (time() < $must_be_used_by);		return (time() < $must_be_used_by);
}		}

/**		/**
* @task token		* @task token
*/		*/
public function validateAccessToken(		public function authorizeToken(
PhabricatorOAuthServerAccessToken $token,		PhabricatorOAuthServerAccessToken $token) {
$required_scope) {
		$user_phid = $token->getUserPHID();
$created_time = $token->getDateCreated();		$client_phid = $token->getClientPHID();
$must_be_used_by = $created_time + self::ACCESS_TOKEN_TIMEOUT;
$expired = time() > $must_be_used_by;
$authorization = id(new PhabricatorOAuthClientAuthorization())
->loadOneWhere(
'userPHID = %s AND clientPHID = %s',
$token->getUserPHID(),
$token->getClientPHID());

		$authorization = id(new PhabricatorOAuthClientAuthorizationQuery())
		->setViewer(PhabricatorUser::getOmnipotentUser())
		->withUserPHIDs(array($user_phid))
		->withClientPHIDs(array($client_phid))
		->executeOne();
if (!$authorization) {		if (!$authorization) {
return false;		return null;
}
$token_scope = $authorization->getScope();
if (!isset($token_scope[$required_scope])) {
return false;
}		}

$valid = true;		// TODO: This should probably be reworked; expiration should be an
if ($expired) {		// exclusive property of the token. For now, this logic reads: tokens for
$valid = false;		// authorizations with "offline_access" never expire.
// check if the scope includes "offline_access", which makes the
// token valid despite being expired		$is_expired = $token->isExpired();
if (isset(		if ($is_expired) {
$token_scope[PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS])) {		$offline_access = PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS;
$valid = true;		$authorization_scope = $authorization->getScope();
		if (empty($authorization_scope[$offline_access])) {
		return null;
}		}
}		}

return $valid;		return $authorization;
}		}

/**		/**
* See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2		* See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2
* for details on what makes a given redirect URI "valid".		* for details on what makes a given redirect URI "valid".
*/		*/
public function validateRedirectURI(PhutilURI $uri) {		public function validateRedirectURI(PhutilURI $uri) {
if (!PhabricatorEnv::isValidRemoteURIForLink($uri)) {		if (!PhabricatorEnv::isValidRemoteURIForLink($uri)) {
▲ Show 20 Lines • Show All 71 Lines • Show Last 20 Lines