Remove OAuth client secret from Authorization records

robertlemke · robertlemke · commit c5b1f5ce985b · 2020-10-12T18:15:22.000+02:00
Remove the client secret from the Authorization table – for now at
least. We don't need to store the client secret, because if OAuth is
used with client credentials flow, the client secret is likely
available somewhere lese (for example via a setting or an application
specific storage) and when authorization code flow is used, the secret
is only needed when authorization is started and does not have to be
stored.

We may need the client secret for refreshing a token, but this is not
correctly implemented at this time, so we may need to solved this at
a later point in time.
diff --git a/Classes/Authorization.php b/Classes/Authorization.php
@@ -48,12 +48,6 @@ class Authorization
      */
     protected $clientId;
 
-    /**
-     * @var string
-     * @ORM\Column(nullable = true, length=5000)
-     */
-    protected $clientSecret;
-
     /**
      * @var string
      */
@@ -144,22 +138,6 @@ public function getClientId(): string
         return $this->clientId;
     }
 
-    /**
-     * @param string $clientSecret
-     */
-    public function setClientSecret(string $clientSecret): void
-    {
-        $this->clientSecret = $clientSecret;
-    }
-
-    /**
-     * @return string
-     */
-    public function getClientSecret(): string
-    {
-        return $this->clientSecret;
-    }
-
     /**
      * @return string
      */
@@ -204,11 +182,17 @@ public function setSerializedAccessToken(string $serializedAccessToken): void
     /**
      * @param AccessTokenInterface $accessToken
      * @return void
-     * @throws JsonException
+     * @throws \InvalidArgumentException
      */
     public function setAccessToken(AccessTokenInterface $accessToken): void
     {
-        $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
+        try {
+            $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
+            // @codeCoverageIgnoreStart
+        } catch (JsonException $e) {
+            throw new \InvalidArgumentException('Failed serializing the given access token', 1602515717);
+            // @codeCoverageIgnoreEnd
+        }
     }
 
     /**
diff --git a/Classes/OAuthClient.php b/Classes/OAuthClient.php
@@ -8,10 +8,8 @@
 use GuzzleHttp\Exception\GuzzleException;
 use GuzzleHttp\Psr7\Response;
 use GuzzleHttp\Psr7\Uri;
-use InvalidArgumentException;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use League\OAuth2\Client\Provider\GenericProvider;
-use League\OAuth2\Client\Token\AccessTokenInterface;
 use League\OAuth2\Client\Tool\RequestFactory;
 use Neos\Cache\Exception;
 use Neos\Cache\Frontend\VariableFrontend;
diff --git a/Migrations/Mysql/Version20201012151008.php b/Migrations/Mysql/Version20201012151008.php
@@ -0,0 +1,46 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\DBAL\Exception;
+use Doctrine\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\DBAL\Migrations\AbortMigrationException;
+
+/**
+ * Drop the client secret field in Authorization
+ */
+class Version20201012151008 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription(): string
+    {
+        return 'Drop the client secret field in Authorization';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException|Exception
+     */
+    public function up(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization DROP clientsecret');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException|Exception
+     */
+    public function down(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization ADD clientsecret VARCHAR(5000) CHARACTER SET utf8mb4 DEFAULT NULL COLLATE `utf8mb4_unicode_ci`');
+    }
+}
diff --git a/Tests/Unit/AuthorizationTest.php b/Tests/Unit/AuthorizationTest.php
@@ -14,7 +14,6 @@
  */
 
 use Exception;
-use JsonException;
 use League\OAuth2\Client\Token\AccessToken;
 use Neos\Flow\Tests\UnitTestCase;
 use Neos\Flow\Utility\Algorithms;
@@ -58,7 +57,6 @@ public function constructSetsAuthorizationParameters(string $authorizationId, st
 
     /**
      * @test
-     * @throws JsonException
      * @throws Exception
      */
     public function getAccessTokenReturnsClonedObject(): void
@@ -75,7 +73,6 @@ public function getAccessTokenReturnsClonedObject(): void
 
     /**
      * @test
-     * @throws JsonException
      * @throws Exception
      */
     public function getSerializedAccessTokenReturnsCorrectJsonString(): void
@@ -91,7 +88,6 @@ public function getSerializedAccessTokenReturnsCorrectJsonString(): void
 
     /**
      * @test
-     * @throws JsonException
      * @throws Exception
      */
     public function getAccessTokenReturnsPreviouslySetSerializedToken(): void
