Store serialized access token as string

This change modifies Doctrine's column schema for the serialized
access token so it's stored as a string, not as an "array".

This doesn't change any actual data in the database, but changes the
set- and getSerializedAccesstoken() methods which now expect a string
instead of an array.

This change also improves test coverage of the Authorization class.

Author: robertlemke

Classes/Authorization.php

@@ -15,6 +15,7 @@
 
 use Doctrine\ORM\Mapping as ORM;
 use Exception;
+use JsonException;
 use League\OAuth2\Client\Token\AccessToken;
 use League\OAuth2\Client\Token\AccessTokenInterface;
 use Neos\Flow\Annotations as Flow;
@@ -64,8 +65,8 @@ class Authorization
     protected $scope;
 
     /**
-     * @var array
-     * @ORM\Column(type="json_array", nullable = true)
+     * @var string
+     * @ORM\Column(nullable = true, type = "text")
      */
     protected $serializedAccessToken;
 
@@ -98,9 +99,11 @@ public static function generateAuthorizationIdForAuthorizationCodeGrant(string $
     {
         try {
             return $serviceType . '-' . $serviceName . '-' . Uuid::uuid4()->toString();
+        // @codeCoverageIgnoreStart
         } catch (Exception $e) {
             throw new OAuthClientException(sprintf('Failed generating authorization id for %s %s', $serviceName, $clientId), 1597311416, $e);
         }
+        // @codeCoverageIgnoreEnd
     }
 
     /**
@@ -183,35 +186,43 @@ public function setScope(string $scope): void
     }
 
     /**
-     * @return array
+     * @return string
      */
-    public function getSerializedAccessToken(): array
+    public function getSerializedAccessToken(): string
     {
-        return $this->serializedAccessToken ?? [];
+        return $this->serializedAccessToken ?? '';
     }
 
     /**
-     * @param array $serializedAccessToken
+     * @param string $serializedAccessToken
      */
-    public function setSerializedAccessToken(array $serializedAccessToken): void
+    public function setSerializedAccessToken(string $serializedAccessToken): void
     {
         $this->serializedAccessToken = $serializedAccessToken;
     }
 
     /**
      * @param AccessTokenInterface $accessToken
      * @return void
+     * @throws JsonException
      */
     public function setAccessToken(AccessTokenInterface $accessToken): void
     {
-        $this->serializedAccessToken = $accessToken->jsonSerialize();
+        $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
     }
 
     /**
      * @return AccessToken
      */
     public function getAccessToken(): ?AccessToken
     {
-        return !empty($this->serializedAccessToken) ? new AccessToken($this->serializedAccessToken) : null;
+        try {
+            if (!empty($this->serializedAccessToken)) {
+                $unserializedAccessToken = json_decode($this->serializedAccessToken, true, 512, JSON_THROW_ON_ERROR);
+                return new AccessToken($unserializedAccessToken);
+            }
+        } catch (JsonException $e) {
+        }
+        return null;
     }
 }

Migrations/Mysql/Version20201012142627.php

@@ -0,0 +1,48 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\DBAL\Exception;
+use Doctrine\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\DBAL\Migrations\AbortMigrationException;
+
+/**
+ * Adjust column type for serialized access token
+ */
+class Version20201012142627 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription(): string
+    {
+        return 'Adjust column type for serialized access token';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException
+     * @throws Exception
+     */
+    public function up(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization CHANGE serializedaccesstoken serializedaccesstoken LONGTEXT DEFAULT NULL');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException
+     * @throws Exception
+     */
+    public function down(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization CHANGE serializedaccesstoken serializedaccesstoken LONGTEXT CHARACTER SET utf8mb4 DEFAULT NULL COLLATE `utf8mb4_unicode_ci` COMMENT \'(DC2Type:json_array)\'');
+    }
+}

Tests/Unit/AuthorizationTest.php

@@ -13,6 +13,8 @@
  * source code.
  */
 
+use Exception;
+use JsonException;
 use League\OAuth2\Client\Token\AccessToken;
 use Neos\Flow\Tests\UnitTestCase;
 use Neos\Flow\Utility\Algorithms;
@@ -29,37 +31,41 @@ public function correctConstructorArguments(): array
                 '3d47f0eafd6a8b49e32b55103d817b6e4ef489e7',
                 'myService',
                 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14',
-                'CMc4EHfyMPLw}Tua%rnyxCnrTWMuX3',
                 'authorization_code',
                 'profile oidc'
             ]
         ];
     }
 
     /**
-     * @param string $expectedAuthorizationId
+     * @param string $authorizationId
      * @param string $serviceName
      * @param string $clientId
-     * @param string $clientSecret
      * @param string $grantType
      * @param string $scope
      * @test
      * @dataProvider correctConstructorArguments
      */
-    public function constructSetsAuthorizationIdentifier(string $expectedAuthorizationId, string $serviceName, string $clientId, string $clientSecret, string $grantType, string $scope): void
+    public function constructSetsAuthorizationParameters(string $authorizationId, string $serviceName, string $clientId, string $grantType, string $scope): void
     {
-        $authorization = new Authorization($serviceName, $clientId, $grantType, $scope);
-        self::assertSame($expectedAuthorizationId, $authorization->getAuthorizationId());
+        $authorization = new Authorization($authorizationId, $serviceName, $clientId, $grantType, $scope);
+        self::assertSame($authorizationId, $authorization->getAuthorizationId());
+        self::assertSame($serviceName, $authorization->getServiceName());
+        self::assertSame($clientId, $authorization->getClientId());
+        self::assertSame($grantType, $authorization->getGrantType());
+        self::assertSame($scope, $authorization->getScope());
     }
 
     /**
      * @test
+     * @throws JsonException
+     * @throws Exception
      */
     public function getAccessTokenReturnsClonedObject(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId',Authorization::GRANT_AUTHORIZATION_CODE, 'profile');
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId',Authorization::GRANT_AUTHORIZATION_CODE, 'profile');
         $authorization->setAccessToken($accessToken);
         $retrievedAccessToken = $authorization->getAccessToken();
 
@@ -69,52 +75,110 @@ public function getAccessTokenReturnsClonedObject(): void
 
     /**
      * @test
+     * @throws JsonException
+     * @throws Exception
      */
     public function getSerializedAccessTokenReturnsCorrectJsonString(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId',  Authorization::GRANT_AUTHORIZATION_CODE, '');
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId',  Authorization::GRANT_AUTHORIZATION_CODE, '');
         $authorization->setAccessToken($accessToken);
 
-        $secondAccessToken = new AccessToken($authorization->getSerializedAccessToken());
+        $secondAccessToken = new AccessToken(json_decode($authorization->getSerializedAccessToken(), true, 512, JSON_THROW_ON_ERROR));
         $this->assertEquals($accessToken, $secondAccessToken);
     }
 
     /**
      * @test
+     * @throws JsonException
+     * @throws Exception
      */
     public function getAccessTokenReturnsPreviouslySetSerializedToken(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
-        $authorization->setSerializedAccessToken($accessToken->jsonSerialize());
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
+        $authorization->setSerializedAccessToken(json_encode($accessToken, JSON_THROW_ON_ERROR, 512));
 
-        $secondAccessToken = new AccessToken($authorization->getSerializedAccessToken());
+        $secondAccessToken = new AccessToken(json_decode($authorization->getSerializedAccessToken(), true, 512, JSON_THROW_ON_ERROR));
         $this->assertEquals($accessToken, $secondAccessToken);
     }
 
     /**
      * @test
      */
-    public function calculateAuthorizationIdReturnsSha1(): void
+    public function generateAuthorizationIdForClientCredentialsGrantReturnsSha1(): void
     {
-        $authorizationId = Authorization::calculateAuthorizationId(
-            'oidc_test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14', 'oidc profile', 'authorization_code'
+        $authorizationId = Authorization::generateAuthorizationIdForClientCredentialsGrant(
+            'oidc_test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14', 'CMc4EHfyMPLw}Tua%rnyxCnrTWMuX3', 'oidc profile'
         );
-        self::assertSame('21de19f789834af6edff3346e8d9449fcd0d4dae', $authorizationId);
+        self::assertSame('bd55b7bc1b40d6342789c74fcc1900877b3966f4656c5d6a1c0a9111a1da02365ba9f00fcb1d058629446f7ec83d02166b0a8c271cbf1374467e7f294bb4b784', $authorizationId);
+    }
+
+    /**
+     * @test
+     * @throws OAuthClientException
+     *
+     * @see https://github.com/flownative/flow-oauth2-client/issues/13
+     */
+    public function generateAuthorizationIdForAuthorizationCodeGrantReturnsRandomIdentifiers(): void
+    {
+        $firstAuthorizationId = Authorization::generateAuthorizationIdForAuthorizationCodeGrant(
+            'oidc_test', 'test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14'
+        );
+
+        self::assertStringStartsWith('oidc_test-test-', $firstAuthorizationId);
+        self::assertStringMatchesFormat('oidc_test-test-%x%x%x%x%x%x%x%x-%x%x%x%x-%x%x%x%x-%x%x%x%x-%x%x%x%x%x%x%x%x%x%x%x%x', $firstAuthorizationId);
+
+        $secondAuthorizationId = Authorization::generateAuthorizationIdForAuthorizationCodeGrant(
+            'oidc_test', 'test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14'
+        );
+
+        self::assertStringStartsWith('oidc_test-test-', $secondAuthorizationId);
+        self::assertStringMatchesFormat('oidc_test-test-%x%x%x%x%x%x%x%x-%x%x%x%x-%x%x%x%x-%x%x%x%x-%x%x%x%x%x%x%x%x%x%x%x%x', $secondAuthorizationId);
+
+        self::assertNotSame($firstAuthorizationId, $secondAuthorizationId);
+    }
+
+    /**
+     * @test
+     */
+    public function getAccessTokenReturnsNullIfNoTokenWasSet(): void
+    {
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
+        self::assertNull($authorization->getAccessToken());
+    }
+
+    /**
+     * @test
+     */
+    public function getAccessTokenReturnsNullIfTokenCouldNotBeUnserialized(): void
+    {
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
+        $authorization->setSerializedAccessToken('invalid json syntax');
+        self::assertNull($authorization->getAccessToken());
+    }
+
+    /**
+     * @test
+     */
+    public function getScopeReturnsScope(): void
+    {
+        $authorization = new Authorization('3d47f0eafd6a8b49e32b55103d817b6e4ef489e7', 'service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
+        $authorization->setScope('some-custom-scope');
+        self::assertSame('some-custom-scope', $authorization->getScope());
     }
 
     /**
      * @return AccessToken
+     * @throws Exception
      */
     private function createValidAccessToken(): AccessToken
     {
-        $accessToken = new AccessToken([
+        return new AccessToken([
             'access_token' => Algorithms::generateRandomToken(500),
             'expires' => time() + 3600
         ]);
-        return $accessToken;
     }
 }