Merge pull request #207 from pdsinterop/fix/refreshToken

handle token request cases for authorization_code and refresh_token differently

Author: Potherca

.config/phpcs.xml.dist

@@ -20,6 +20,13 @@
     <rule ref="PHPCompatibility"/>
     <config name="testVersion" value="8.0-"/>
 
+    <!-- Set indent for `break` to 0 so it aligns with `case` and `default` -->
+    <rule ref="PSR2">
+        <exclude name="PSR2.ControlStructures.SwitchDeclaration"/>
+        <exclude name="PSR2.ControlStructures.ElseIfDeclaration.NotAllowed"/>
+        <exclude name="PSR2.ControlStructures.ControlStructureSpacing.SpacingAfterOpenBrace"/>
+    </rule>
+
     <!-- Include the whole PSR-12 standard -->
     <rule ref="PSR12">
         <!-- Until things have been cleaned up a bit, these violations are allowed -->

init.sh

@@ -9,3 +9,4 @@ php console.php config:system:set trusted_domains 3 --value=thirdparty
 # set 'tester' and 'https://tester' as allowed clients for the test suite to run
 php console.php user:setting alice solid allowedClients '["f5d1278e8109edd94e1e4197e04873b9", "2e5cddcf0f663544e98982931e6cc5a6"]'
 echo configured
+mkdir -p /var/www/html/data/files_trashbin/versions

solid/appinfo/info.xml

@@ -16,6 +16,9 @@ When you do this, the Solid App can store data in your Nextcloud account through
     <author mail="[email protected]" >Auke van Slooten</author>
     <namespace>Solid</namespace>
     <category>integration</category>
+    <types>
+        <authentication/>
+    </types>
     <bugs>https://github.com/pdsinterop/solid-nextcloud/issues</bugs>
     <dependencies>
         <nextcloud min-version="28" max-version="30"/>

solid/lib/AppInfo/Application.php

@@ -10,21 +10,31 @@
 use OCA\Solid\Service\SolidWebhookService;
 use OCA\Solid\Db\SolidWebhookMapper;
 use OCA\Solid\Middleware\SolidCorsMiddleware;
+use OCA\Solid\ClientAuth;
 
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
 use OCP\AppFramework\Bootstrap\IRegistrationContext;
 use OCP\IDBConnection;
+use OCP\IRequest;
+use OCP\Server;
 
 class Application extends App implements IBootstrap {
     public const APP_ID = 'solid';
-	public static $userSubDomainsEnabled;
+    public static $userSubDomainsEnabled;
 
     /**
      * @param array $urlParams
      */
     public function __construct(array $urlParams = []) {
+        $request = \OCP\Server::get(\OCP\IRequest::class);
+        $rawPathInfo = $request->getRawPathInfo();
+
+        if ($rawPathInfo == '/apps/solid/token') {
+            $backend = new \OCA\Solid\ClientAuth();
+            \OC::$server->getUserManager()->registerBackend($backend);
+        }
         parent::__construct(self::APP_ID, $urlParams);
     }
 

solid/lib/ClientAuth.php

@@ -0,0 +1,62 @@
+<?php
+	/* 
+		IMPORTANT WARNING!
+
+		This class is a user backend that accepts 'all'.
+		Any user, and password is currently accepted as true.
+		
+		The reason this is here is that Solid clients will use basic
+		authentication to do a POST request to the token endpoint,
+		where the actual authorization happens.
+
+		The security for this user backend lies in the fact that it
+		is only activated for the token endpoint in the Solid app. 
+
+		In /lib/AppInfo/Application.php there is a check for the
+		token endpoint before this thing activates.
+				
+		It is completely unsuitable as an actual user backend in the
+		normal sense of the word.
+		
+		It is here to allow the token requests with basic
+		authentication requests to pass to us.
+	*/
+
+	namespace OCA\Solid;
+
+	use OCP\User\Backend\ABackend;
+	use OCP\User\Backend\ICheckPasswordBackend;
+	
+	/**
+	 * @package OCA\Solid
+	 */
+	class ClientAuth extends ABackend implements ICheckPasswordBackend {
+		public function __construct() {
+		}
+
+		public function checkPassword(string $username, string $password) {
+			return true;
+		}
+
+		public function getBackendName() {
+			return "Solid";
+		}
+		public function deleteUser($uid) {
+			return false;
+		}
+		public function getUsers($search = "", $limit = null, $offset = null, $callback = null) {
+			return [];
+		}
+		public function userExists($uid) {
+			return true;
+		}
+		public function getDisplayName($uid) {
+			return "Solid client";
+		}
+		public function getDisplayNames($search = "", $limit = null, $offset = null) {
+			return [];
+		}
+		public function hasUserListings() {
+			return false;
+		}
+	}

solid/lib/Controller/ServerController.php

@@ -105,7 +105,14 @@ private function getKeys() {
 	}
 
 	private function createAuthServerConfig() {
-		$clientId = isset($_GET['client_id']) ? $_GET['client_id'] : null;
+		$clientId = null;
+		if (isset($_GET['client_id'])) {
+			$clientId = $_GET['client_id'];
+		} else if (isset($_POST['client_id'])) {
+			if (isset($_POST['refresh_token'])) { // FIXME: Why does the test suite break without this?
+				$clientId = $_POST['client_id'];
+			}
+		}
 		$client = $this->getClient($clientId);
 		$keys = $this->getKeys();
 		try {
@@ -316,7 +323,25 @@ public function session() {
 	 */
 	public function token() {
 		$request = \Laminas\Diactoros\ServerRequestFactory::fromGlobals($_SERVER, $_GET, $_POST, $_COOKIE, $_FILES);
-		$code = $request->getParsedBody()['code'];
+		$grantType = $request->getParsedBody()['grant_type'];
+		switch ($grantType) {
+			case "authorization_code":
+				$code = $request->getParsedBody()['code'];
+				// FIXME: not sure if decoding this here is the way to go.
+				// FIXME: because this is a public page, the nonce from the session is not available here.
+				$codeInfo = $this->tokenGenerator->getCodeInfo($code);
+				$userId = $codeInfo['user_id'];
+			break;
+			case "refresh_token":
+				$refreshToken = $request->getParsedBody()['refresh_token'];
+				$tokenInfo = $this->tokenGenerator->getCodeInfo($refreshToken); // FIXME: getCodeInfo should be named 'decrypt' or 'getInfo'?
+				$userId = $tokenInfo['user_id'];
+			break;
+			default:
+				$userId = false;
+			break;
+		}
+
 		$clientId = $request->getParsedBody()['client_id'];
 
 		$httpDpop = $request->getServerParams()['HTTP_DPOP'];
@@ -325,17 +350,16 @@ public function token() {
 		$server	= new \Pdsinterop\Solid\Auth\Server($this->authServerFactory, $this->authServerConfig, $response);
 		$response = $server->respondToAccessTokenRequest($request);
 
-		// FIXME: not sure if decoding this here is the way to go.
-		// FIXME: because this is a public page, the nonce from the session is not available here.
-		$codeInfo = $this->tokenGenerator->getCodeInfo($code);
-		$response = $this->tokenGenerator->addIdTokenToResponse(
-            $response,
-			$clientId,
-			$codeInfo['user_id'],
-			($_SESSION['nonce'] ?? ''),
-			$this->config->getPrivateKey(),
-			$httpDpop
-		);
+		if ($userId) {
+			$response = $this->tokenGenerator->addIdTokenToResponse(
+				$response,
+				$clientId,
+				$userId,
+				($_SESSION['nonce'] ?? ''),
+				$this->config->getPrivateKey(),
+				$httpDpop
+			);
+		}
 
 		return $this->respond($response); // ->addHeader('Access-Control-Allow-Origin', '*');
 	}
@@ -380,14 +404,7 @@ public function register() {
 		$clientData = $this->config->saveClientRegistration($origin, $clientData);
 		$registration = array(
 			'client_id' => $clientData['client_id'],
-			/*
-				 FIXME: returning client_secret will trigger calls with basic auth to us. To get this to work, we need this patch:
-				// File /var/www/vhosts/solid-nextcloud/site/www/lib/base.php not changed so no update needed
-				//	($request->getRawPathInfo() !== '/apps/oauth2/api/v1/token') &&
-				//	($request->getRawPathInfo() !== '/apps/solid/token')
-			*/
-			// 'client_secret' => $clientData['client_secret'], // FIXME: Returning this means we need to patch Nextcloud to accept tokens on calls to
-
+			'client_secret' => $clientData['client_secret'],
 			'registration_client_uri' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->linkToRoute("solid.server.registeredClient", array("clientId" => $clientData['client_id']))),
 			'client_id_issued_at' => $clientData['client_id_issued_at'],
 			'redirect_uris' => $clientData['redirect_uris'],

solid/tests/Integration/AppTest.php

@@ -5,7 +5,6 @@
 use OCP\AppFramework\App;
 use Test\TestCase;
 
-
 /**
  * This test shows how to make a small Integration Test. Query your class
  * directly from the container, only pass in mocks if needed and run your tests

solid/tests/Unit/Controller/ServerControllerTest.php

@@ -16,7 +16,6 @@
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
-
 function file_get_contents($filename)
 {
 	if ($filename === 'php://input') {