Add main auth code validation

cicnavi · cicnavi · commit 94af021664af · 2025-09-18T15:40:27.000+02:00
diff --git a/src/Factories/CryptKeyFactory.php b/src/Factories/CryptKeyFactory.php
@@ -22,7 +22,7 @@ public function buildPrivateKey(): CryptKey
         return new CryptKey(
             $this->moduleConfig->getProtocolPrivateKeyPath(),
             $this->moduleConfig->getProtocolPrivateKeyPassPhrase(),
-            false, // TODO mivanci Return to true
+            true,
         );
     }
 
diff --git a/src/Server/Grants/PreAuthCodeGrant.php b/src/Server/Grants/PreAuthCodeGrant.php
@@ -142,22 +142,9 @@ public function respondToAccessTokenRequest(
             throw OidcServerException::invalidGrant('Invalid pre-authorized code.');
         }
 
-        if (!$preAuthorizedCode->isVciPreAuthorized()) {
-            $this->loggerService->error(
-                'Pre-authorized code is not pre-authorized. Value was: ' . $preAuthorizedCodeId,
-            );
-            throw OidcServerException::invalidGrant('Pre-authorized code is not pre-authorized.');
-        }
-
-        if ($preAuthorizedCode->isRevoked()) {
-            $this->loggerService->error('Pre-authorized code is revoked. Value was: ' . $preAuthorizedCodeId);
-            throw OidcServerException::invalidGrant('Pre-authorized code is revoked.');
-        }
-
         $client = $preAuthorizedCode->getClient();
 
-        // TODO validate code
-        // $this->validateAuthorizationCode($preAuthorizedCode, $client, $request);
+        $this->validateAuthorizationCode($preAuthorizedCode, $client, $request, $preAuthorizedCode);
 
         // Validate Transaction Code.
         if (($preAuthorizedCodeTxCode = $preAuthorizedCode->getTxCode()) !== null) {
@@ -200,7 +187,6 @@ public function respondToAccessTokenRequest(
         /** @var ?array $authorizationDetails */
         $authorizationDetails = $resultBag->get(AuthorizationDetailsRule::class)?->getValue();
 
-        // TODO mivanci add flow, authorization details, bound client_id and redirect_uri to access token.
         // Issue and persist new access token
         $accessToken = $this->issueAccessToken(
             $accessTokenTTL,
@@ -238,6 +224,34 @@ protected function validateAuthorizationCode(
         ServerRequestInterface $request,
         AuthCodeEntity $storedAuthCodeEntity,
     ): void {
+        $this->loggerService->debug('PreAuthCodeGrant::validateAuthorizationCode');
+
+        if (!$storedAuthCodeEntity->isVciPreAuthorized()) {
+            $this->loggerService->error(
+                'Pre-authorized code is not pre-authorized. ID was: ',
+                ['preAuthCodeId' => $storedAuthCodeEntity->getIdentifier()],
+            );
+            throw OidcServerException::invalidGrant('Pre-authorized code is not pre-authorized.');
+        }
+
+        if ($storedAuthCodeEntity->getExpiryDateTime()->getTimestamp() < time()) {
+            $this->loggerService->error(
+                'Pre-authorized code is expired. ID was: ',
+                ['preAuthCodeId' => $storedAuthCodeEntity->getIdentifier()],
+            );
+
+            throw OidcServerException::invalidGrant('Pre-authorized code is expired.');
+        }
+
+        if ($storedAuthCodeEntity->isRevoked()) {
+            $this->loggerService->error(
+                'Pre-authorized code is revoked. ID was: ',
+                ['preAuthCodeId' => $storedAuthCodeEntity->getIdentifier()],
+            );
+            throw OidcServerException::invalidGrant('Pre-authorized code is revoked.');
+        }
+
+        $this->loggerService->debug('PreAuthCodeGrant::validateAuthorizationCode passed.');
     }
 
     /**
diff --git a/src/Services/OpMetadataService.php b/src/Services/OpMetadataService.php
@@ -50,7 +50,6 @@ private function initMetadata(): void
         $this->metadata[ClaimsEnum::EndSessionEndpoint->value] =
         $this->moduleConfig->getModuleUrl(RoutesEnum::EndSession->value);
         $this->metadata[ClaimsEnum::JwksUri->value] = $this->moduleConfig->getModuleUrl(RoutesEnum::Jwks->value);
-        // TODO mivanci Resolve supported scopes from ScopeRepository (also include those from VCI).
         $this->metadata[ClaimsEnum::ScopesSupported->value] = array_keys($this->moduleConfig->getScopes());
         $this->metadata[ClaimsEnum::ResponseTypesSupported->value] = ['code', 'token', 'id_token', 'id_token token'];
         $this->metadata[ClaimsEnum::SubjectTypesSupported->value] = ['public'];

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public function buildPrivateKey(): CryptKey`
`22`	`22`	`return new CryptKey(`
`23`	`23`	`$this->moduleConfig->getProtocolPrivateKeyPath(),`
`24`	`24`	`$this->moduleConfig->getProtocolPrivateKeyPassPhrase(),`
`25`		`- false, // TODO mivanci Return to true`
	`25`	`+ true,`
`26`	`26`	`);`
`27`	`27`	`}`
`28`	`28`