tempest-framework/packages/auth/src/OAuth/IsOauthProvider.php at 7904749f5b4dffe98a76182fbb4b689da58258f2 · gturpin-dev/tempest-framework · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
<?php

declare(strict_types=1);

namespace Tempest\Auth\OAuth;

use GuzzleHttp\Exception\GuzzleException;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericProvider;
use Tempest\Auth\OAuth\DataObjects\AccessToken;
use Tempest\Auth\OAuth\DataObjects\OAuthUserData;
use Tempest\Auth\OAuth\Exceptions\OAuthException;
use Tempest\Http\Session\Session;

use function Tempest\Support\str;

trait IsOauthProvider
{
    // TODO : Should be #[Inject] property, but can't resolve chain in Initializers yet
    public function __construct(
        private readonly Session $session,
    ) {}

    private GenericProvider $internalProvider;

    public protected(set) string $clientId;
    public protected(set) string $clientSecret;
    public protected(set) string $redirectUri;
    public protected(set) array $defaultScopes;
    public protected(set) string $authorizeEndpoint;
    public protected(set) string $accessTokenEndpoint;
    public protected(set) string $userDataEndpoint;
    public protected(set) string $stateSessionSlug;

    /**
     * @param array<string> $defaultScopes
     */
    protected function configureInternalProvider(
        string $clientId,
        string $clientSecret,
        string $redirectUri,
        array $defaultScopes,
        string $authorizeEndpoint,
        string $accessTokenEndpoint,
        string $userDataEndpoint,
        string $stateSessionSlug = 'oauth-state',
    ): static {
        $this->clientId = $clientId;
        $this->clientSecret = $clientSecret;
        $this->redirectUri = $redirectUri;
        $this->defaultScopes = $defaultScopes;
        $this->authorizeEndpoint = $authorizeEndpoint;
        $this->accessTokenEndpoint = $accessTokenEndpoint;
        $this->userDataEndpoint = $userDataEndpoint;
        $this->stateSessionSlug = $stateSessionSlug;

        $this->internalProvider = new GenericProvider([
            'clientId' => $this->clientId,
            'clientSecret' => $this->clientSecret,
            'redirectUri' => $this->redirectUri,
            'urlAuthorize' => $this->authorizeEndpoint,
            'urlAccessToken' => $this->accessTokenEndpoint,
            'urlResourceOwnerDetails' => $this->userDataEndpoint,
        ]);

        return $this;
    }

    /**
     * @param array<string, mixed>|null $additionalParameters Additional parameters to include in the authorization URL.
     * @param array<string>|null $scopes Scopes to request. If null, the default scopes will be used.
     * @param string|null $state A state parameter to include in the authorization URL. If null, a random state will be generated.
     */
    public function generateAuthorizationUrl(
        array $additionalParameters = [],
        ?array $scopes = null,
        ?string $state = null,
        ?string $scopeSeparator = ' ',
    ): string {
        $scopes ??= $this->defaultScopes;
        $state ??= $this->generateState();

        $this->session->flash($this->stateSessionSlug, $state);

        return $this->internalProvider->getAuthorizationUrl([
            'scope' => implode($scopeSeparator, $scopes),
            'state' => $state,
            ...$additionalParameters,
        ]);
    }

    /**
     * @param array<string, mixed>|null $additionalParameters Additional parameters to include in the request.
     */
    public function generateAccessToken(
        string $code,
        array $additionalParameters = [],
    ): AccessToken {
        try {
            $token = $this->internalProvider->getAccessToken(
                grant: 'authorization_code',
                options: [
                    'code' => $code,
                    ...$additionalParameters,
                ],
            );

            return AccessToken::fromLeagueAccessToken($token);
        } catch (GuzzleException|IdentityProviderException $e) {
            throw new OAuthException('Failed to get access token: ' . $e->getMessage(), previous: $e);
        }
    }

    public function fetchUserDataFromToken(
        AccessToken $accessToken,
    ): OAuthUserData {
        try {
            return $this->createUserDataFromResponse(
                $this->internalProvider->getResourceOwner($accessToken->toLeagueAccessToken())->toArray(),
            );
        } catch (GuzzleException|IdentityProviderException $e) {
            throw new OAuthException('Failed to get user data: ' . $e->getMessage(), previous: $e);
        }
    }

    protected function generateState(): string
    {
        return str()->random(40)->toString();
    }

    /**
     * @param array<string, mixed> $userData The raw user data array returned by the OAuth provider.
     */
    protected function createUserDataFromResponse(array $userData): OAuthUserData
    {
        return OAuthUserData::from($userData);
    }
}