Merge pull request FriendsOfSymfony#67 from jeffxpx/master

alanbem · alanbem · commit 17d199455fb1 · 2014-10-17T12:16:39.000+02:00
Implementation that would satisfy grant extensions that can specify a time limit on the access token (fixes FriendsOfSymfony#66)
diff --git a/lib/OAuth2/OAuth2.php b/lib/OAuth2/OAuth2.php
@@ -826,14 +826,16 @@ public function grantAccessToken(Request $request = null)
 
         // if no scope provided to check against $input['scope'] then application defaults are set
         // if no data is provided than null is set
-        $stored += array('scope' => $this->getVariable(self::CONFIG_SUPPORTED_SCOPES, null), 'data' => null);
+        $stored += array('scope' => $this->getVariable(self::CONFIG_SUPPORTED_SCOPES, null), 'data' => null,
+                         'access_token_lifetime' => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
+                         'issue_refresh_token' => true, 'refresh_token_lifetime' => $this->getVariable(self::CONFIG_REFRESH_LIFETIME));
 
         // Check scope, if provided
         if ($input["scope"] && (!isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) {
             throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
         }
 
-        $token = $this->createAccessToken($client, $stored['data'], $stored['scope']);
+        $token = $this->createAccessToken($client, $stored['data'], $stored['scope'], $stored['access_token_lifetime'], $stored['issue_refresh_token'], $stored['refresh_token_lifetime']);
 
         return new Response(json_encode($token), 200, $this->getJsonHeaders());
     }
@@ -1287,19 +1289,22 @@ private function buildUri($uri, $params)
      *
      * @param IOAuth2Client $client
      * @param mixed         $data
-     * @param null          $scope
+     * @param string|null   $scope
+     * @param int|null      $access_token_lifetime How long the access token should live in seconds
+     * @param bool          $issue_refresh_token Issue a refresh tokeniIf true and the storage mechanism supports it
+     * @param int|null      $refresh_token_lifetime How long the refresh token should life in seconds
      *
      * @return array
      *
      * @see     http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5
      *
      * @ingroup oauth2_section_5
      */
-    public function createAccessToken(IOAuth2Client $client, $data, $scope = null)
+    public function createAccessToken(IOAuth2Client $client, $data, $scope = null, $access_token_lifetime = null, $issue_refresh_token = true, $refresh_token_lifetime = null)
     {
         $token = array(
             "access_token" => $this->genAccessToken(),
-            "expires_in" => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
+            "expires_in" => ($access_token_lifetime ?: $this->getVariable(self::CONFIG_ACCESS_LIFETIME)),
             "token_type" => $this->getVariable(self::CONFIG_TOKEN_TYPE),
             "scope" => $scope,
         );
@@ -1308,18 +1313,18 @@ public function createAccessToken(IOAuth2Client $client, $data, $scope = null)
             $token["access_token"],
             $client,
             $data,
-            time() + $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
+            time() + ($access_token_lifetime ?: $this->getVariable(self::CONFIG_ACCESS_LIFETIME)),
             $scope
         );
 
         // Issue a refresh token also, if we support them
-        if ($this->storage instanceof IOAuth2RefreshTokens) {
+        if ($this->storage instanceof IOAuth2RefreshTokens && $issue_refresh_token === true) {
             $token["refresh_token"] = $this->genAccessToken();
             $this->storage->createRefreshToken(
                 $token["refresh_token"],
                 $client,
                 $data,
-                time() + $this->getVariable(self::CONFIG_REFRESH_LIFETIME),
+                time() + ($refresh_token_lifetime ?: $this->getVariable(self::CONFIG_REFRESH_LIFETIME)),
                 $scope
             );
 
diff --git a/tests/OAuth2/Tests/Fixtures/OAuth2GrantExtensionLifetimeStub.php b/tests/OAuth2/Tests/Fixtures/OAuth2GrantExtensionLifetimeStub.php
@@ -0,0 +1,53 @@
+<?php
+
+namespace OAuth2\Tests\Fixtures;
+
+use OAuth2\OAuth2;
+use OAuth2\IOAuth2GrantExtension;
+use OAuth2\OAuth2ServerException;
+use OAuth2\Model\IOAuth2Client;
+
+class OAuth2GrantExtensionLifetimeStub extends OAuth2StorageStub implements IOAuth2GrantExtension
+{
+    protected $facebookIds = array();
+
+    public function checkGrantExtension(IOAuth2Client $client, $uri, array $inputData, array $authHeaders)
+    {
+        if ('http://company.com/fb_access_token_time_limited' !== $uri) {
+            throw new OAuth2ServerException(OAuth2::HTTP_BAD_REQUEST, OAuth2::ERROR_UNSUPPORTED_GRANT_TYPE);
+        }
+
+        if (!isset($inputData['fb_access_token'])) {
+            return false;
+        }
+
+        $fbAccessToken = $inputData['fb_access_token'];
+        $fbId = $this->getFacebookIdFromFacebookAccessToken($fbAccessToken);
+
+        if (!isset($this->facebookIds[$fbId])) {
+            return false;
+        }
+
+        return array(
+            'data' => array('user_id' => $fbId),
+            'access_token_lifetime' => 86400,
+            'issue_refresh_token' => false
+        );
+    }
+
+    public function addFacebookId($id)
+    {
+        $this->facebookIds[$id] = $id;
+    }
+
+    /**
+     * Let's assume a fb access token looks like "something_fbid"
+     *
+     * In real life, we would verify the access token is valid, and get the facebook_id of the
+     * user via GET http://graph.facebook.com/me
+     */
+    protected function getFacebookIdFromFacebookAccessToken($fbAccessToken)
+    {
+        return substr($fbAccessToken, strpos($fbAccessToken, '_') + 1);
+    }
+}
diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -567,6 +567,43 @@ public function testGrantAccessTokenWithGrantExtension()
         $this->assertRegExp('{"access_token":"[^"]+","expires_in":3600,"token_type":"bearer"}', $response->getContent());
     }
 
+    /**
+     * Tests OAuth2->grantAccessToken() with extension with limited timeframe
+     */
+    public function testGrantAccessTokenWithGrantExtensionLimitedLifetime()
+    {
+        $clientId = 'cid';
+        $clientSecret = 'csecret';
+        $grantType = 'http://company.com/fb_access_token_time_limited';
+        $fbId = '35';
+        $fbAccessToken = 'da4b9237bacccd_35';
+
+        $stub = new \OAuth2\Tests\Fixtures\OAuth2GrantExtensionLifetimeStub();
+        $stub->addClient(new OAuth2Client($clientId, $clientSecret));
+        $stub->setAllowedGrantTypes(array($grantType));
+        $stub->addFacebookId($fbId);
+        $oauth2 = new OAuth2($stub);
+
+        $response = $oauth2->grantAccessToken(new Request(array(
+            'grant_type' => $grantType,
+            'client_id' => $clientId,
+            'client_secret' => $clientSecret,
+            'fb_access_token' => $fbAccessToken,
+        )));
+
+        $this->assertSame(array(
+            'content-type' => array('application/json'),
+            'cache-control' => array('no-store, private'),
+            'pragma' => array('no-cache'),
+        ), array_diff_key(
+            $response->headers->all(),
+            array('date' => null)
+        ));
+
+        $this->assertRegExp('{"access_token":"[^"]+","expires_in":86400,"token_type":"bearer"}', $response->getContent());
+    }
+
+
     /**
      * Tests OAuth2->getAuthorizeParams()
      */
