Authenticate the clients on requesting a token
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
aa78c30666
commit
c2a21ea464
|
@ -23,7 +23,10 @@ namespace OCA\OAuth2\Controller;
|
|||
|
||||
use OC\Authentication\Token\DefaultTokenMapper;
|
||||
use OCA\OAuth2\Db\AccessTokenMapper;
|
||||
use OCA\OAuth2\Db\ClientMapper;
|
||||
use OCA\OAuth2\Exceptions\AccessTokenNotFoundException;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
use OCP\IRequest;
|
||||
use OCP\Security\ICrypto;
|
||||
|
@ -32,6 +35,8 @@ use OCP\Security\ISecureRandom;
|
|||
class OauthApiController extends Controller {
|
||||
/** @var AccessTokenMapper */
|
||||
private $accessTokenMapper;
|
||||
/** @var ClientMapper */
|
||||
private $clientMapper;
|
||||
/** @var ICrypto */
|
||||
private $crypto;
|
||||
/** @var DefaultTokenMapper */
|
||||
|
@ -44,6 +49,7 @@ class OauthApiController extends Controller {
|
|||
* @param IRequest $request
|
||||
* @param ICrypto $crypto
|
||||
* @param AccessTokenMapper $accessTokenMapper
|
||||
* @param ClientMapper $clientMapper
|
||||
* @param DefaultTokenMapper $defaultTokenMapper
|
||||
* @param ISecureRandom $secureRandom
|
||||
*/
|
||||
|
@ -51,11 +57,13 @@ class OauthApiController extends Controller {
|
|||
IRequest $request,
|
||||
ICrypto $crypto,
|
||||
AccessTokenMapper $accessTokenMapper,
|
||||
ClientMapper $clientMapper,
|
||||
DefaultTokenMapper $defaultTokenMapper,
|
||||
ISecureRandom $secureRandom) {
|
||||
parent::__construct($appName, $request);
|
||||
$this->crypto = $crypto;
|
||||
$this->accessTokenMapper = $accessTokenMapper;
|
||||
$this->clientMapper = $clientMapper;
|
||||
$this->defaultTokenMapper = $defaultTokenMapper;
|
||||
$this->secureRandom = $secureRandom;
|
||||
}
|
||||
|
@ -64,13 +72,48 @@ class OauthApiController extends Controller {
|
|||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
*
|
||||
* @param string $grant_type
|
||||
* @param string $code
|
||||
* @param string $refresh_token
|
||||
* @param string $client_id
|
||||
* @param string $client_secret
|
||||
* @return JSONResponse
|
||||
*/
|
||||
public function getToken($code, $client_id, $client_secret) {
|
||||
$accessToken = $this->accessTokenMapper->getByCode($code);
|
||||
public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) {
|
||||
|
||||
if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
|
||||
return new JSONResponse([
|
||||
'error' => 'invalid_grant',
|
||||
], Http::STATUS_BAD_REQUEST);
|
||||
}
|
||||
|
||||
// We handle the initial and refresh tokens the same way
|
||||
if ($grant_type === 'refresh_token' ) {
|
||||
$code = $refresh_token;
|
||||
}
|
||||
|
||||
try {
|
||||
$accessToken = $this->accessTokenMapper->getByCode($code);
|
||||
} catch (AccessTokenNotFoundException $e) {
|
||||
return new JSONResponse([
|
||||
'error' => 'invalid_request',
|
||||
], Http::STATUS_BAD_REQUEST);
|
||||
}
|
||||
|
||||
try {
|
||||
$client = $this->clientMapper->getByUid($accessToken->getClientId());
|
||||
} catch (ClientNotFoundException $e) {
|
||||
return new JSONResponse([
|
||||
'error' => 'invalid_request',
|
||||
], Http::STATUS_BAD_REQUEST);
|
||||
}
|
||||
|
||||
if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
|
||||
return new JSONResponse([
|
||||
'error' => 'invalid_client',
|
||||
], Http::STATUS_BAD_REQUEST);
|
||||
}
|
||||
|
||||
$decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
|
||||
$newCode = $this->secureRandom->generate(128);
|
||||
$accessToken->setHashedCode(hash('sha512', $newCode));
|
||||
|
|
Loading…
Reference in New Issue