src/applications/oauthserver/PhabricatorOAuthServer.php
* generating @{class:PhabricatorOAuthServerAuthorizationCode}s | * generating @{class:PhabricatorOAuthServerAuthorizationCode}s | ||||
* @task token Validating @{class:PhabricatorOAuthServerAuthorizationCode}s | * @task token Validating @{class:PhabricatorOAuthServerAuthorizationCode}s | ||||
* and generating @{class:PhabricatorOAuthServerAccessToken}s | * and generating @{class:PhabricatorOAuthServerAccessToken}s | ||||
* @task internal Internals | * @task internal Internals | ||||
*/ | */ | ||||
final class PhabricatorOAuthServer extends Phobject { | final class PhabricatorOAuthServer extends Phobject { | ||||
const AUTHORIZATION_CODE_TIMEOUT = 300; | const AUTHORIZATION_CODE_TIMEOUT = 300; | ||||
const ACCESS_TOKEN_TIMEOUT = 3600; | |||||
private $user; | private $user; | ||||
private $client; | private $client; | ||||
private function getUser() { | private function getUser() { | ||||
if (!$this->user) { | if (!$this->user) { | ||||
throw new PhutilInvalidStateException('setUser'); | throw new PhutilInvalidStateException('setUser'); | ||||
} | } | ||||
public function validateAuthorizationCode(
$created_time = $test_code->getDateCreated(); | $created_time = $test_code->getDateCreated(); | ||||
$must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT; | $must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT; | ||||
return (time() < $must_be_used_by); | return (time() < $must_be_used_by); | ||||
} | } | ||||
/** | /** | ||||
* @task token | * @task token | ||||
*/ | */ | ||||
public function validateAccessToken( | public function authorizeToken( | ||||
PhabricatorOAuthServerAccessToken $token, | PhabricatorOAuthServerAccessToken $token) { | ||||
$required_scope) { | |||||
$user_phid = $token->getUserPHID(); | |||||
$created_time = $token->getDateCreated(); | $client_phid = $token->getClientPHID(); | ||||
$must_be_used_by = $created_time + self::ACCESS_TOKEN_TIMEOUT; | |||||
$expired = time() > $must_be_used_by; | |||||
$authorization = id(new PhabricatorOAuthClientAuthorization()) | |||||
->loadOneWhere( | |||||
'userPHID = %s AND clientPHID = %s', | |||||
$token->getUserPHID(), | |||||
$token->getClientPHID()); | |||||
$authorization = id(new PhabricatorOAuthClientAuthorizationQuery()) | |||||
->setViewer(PhabricatorUser::getOmnipotentUser()) | |||||
->withUserPHIDs(array($user_phid)) | |||||
->withClientPHIDs(array($client_phid)) | |||||
->executeOne(); | |||||
if (!$authorization) { | if (!$authorization) { | ||||
return false; | return null; | ||||
} | |||||
$token_scope = $authorization->getScope(); | |||||
if (!isset($token_scope[$required_scope])) { | |||||
return false; | |||||
} | } | ||||
$valid = true; | // TODO: This should probably be reworked; expiration should be an | ||||
if ($expired) { | // exclusive property of the token. For now, this logic reads: tokens for | ||||
$valid = false; | // authorizations with "offline_access" never expire. | ||||
// check if the scope includes "offline_access", which makes the | |||||
// token valid despite being expired | $is_expired = $token->isExpired(); | ||||
if (isset( | if ($is_expired) { | ||||
$token_scope[PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS])) { | $offline_access = PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS; | ||||
$valid = true; | $authorization_scope = $authorization->getScope(); | ||||
if (empty($authorization_scope[$offline_access])) { | |||||
return null; | |||||
} | } | ||||
} | } | ||||
return $valid; | return $authorization; | ||||
} | } | ||||
/** | /** | ||||
* See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 | * See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 | ||||
* for details on what makes a given redirect URI "valid". | * for details on what makes a given redirect URI "valid". | ||||
*/ | */ | ||||
public function validateRedirectURI(PhutilURI $uri) { | public function validateRedirectURI(PhutilURI $uri) { | ||||
if (!PhabricatorEnv::isValidRemoteURIForLink($uri)) { | if (!PhabricatorEnv::isValidRemoteURIForLink($uri)) { | ||||
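Review bot: The docblock on `authorizeToken` is still just `@task token`, and it no longer says what the method returns or that scope enforcement has moved out of it: the removed `validateAccessToken` rejected a token whose authorization lacked `$required_scope`, while `authorizeToken` takes no scope and hands back the whole authorization. Any caller that used to rely on the boolean now has to inspect `getScope()` on the returned object itself, and nothing in this section states that; the call sites are outside the shown section. I would extend the docblock to read `Returns the PhabricatorOAuthClientAuthorization the token was issued under, or null when no such authorization exists or the token is expired and the authorization lacks "offline_access". Callers must check the returned authorization's scope; this method does not.` Separately, the expiry branch now uses `empty($authorization_scope[$offline_access])` where the old code used `isset(...)`, so a scope entry stored as a falsy value is now treated as absent; that is presumably intended, but it is a behavioural difference worth a short comment since `isExpired()` and the scope map's value type are defined outside this file.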