wip

brendt · brendt · commit f94cfcd8698e · 2025-10-02T09:58:54.000+02:00
diff --git a/packages/auth/src/Exceptions/OAuthStateWasInvalid.php b/packages/auth/src/Exceptions/OAuthStateWasInvalid.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tempest\Auth\Exceptions;
+
+use Exception;
+
+final class OAuthStateWasInvalid extends Exception implements AuthenticationException
+{
+}
diff --git a/packages/auth/src/OAuth/GenericOAuthClient.php b/packages/auth/src/OAuth/GenericOAuthClient.php
@@ -4,29 +4,57 @@
 
 namespace Tempest\Auth\OAuth;
 
+use BackedEnum;
+use Closure;
 use League\OAuth2\Client\Provider\AbstractProvider;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use League\OAuth2\Client\Token\AccessToken;
+use Tempest\Auth\Authentication\Authenticatable;
+use Tempest\Auth\Authentication\Authenticator;
+use Tempest\Auth\Exceptions\OAuthStateWasInvalid;
 use Tempest\Auth\Exceptions\OAuthTokenCouldNotBeRetrieved;
 use Tempest\Auth\Exceptions\OAuthUserCouldNotBeRetrieved;
+use Tempest\Http\Request;
+use Tempest\Http\Session\Session;
 use Tempest\Mapper\ObjectFactory;
 use Tempest\Router\UriGenerator;
+use UnitEnum;
 
-final readonly class GenericOAuthClient implements OAuthClient
+final class GenericOAuthClient implements OAuthClient
 {
     private AbstractProvider $provider;
 
     public function __construct(
-        private(set) OAuthConfig $config,
-        private UriGenerator $uri,
-        private ObjectFactory $factory,
+        private(set) readonly OAuthConfig $config,
+        private readonly UriGenerator $uri,
+        private readonly ObjectFactory $factory,
+        private readonly Session $session,
+        private readonly Authenticator $authenticator,
         ?AbstractProvider $provider = null,
-    ) {
+    )
+    {
         $this->provider = $provider ?? $this->config->createProvider();
     }
 
+    public string $sessionKey {
+        get {
+            $tag = $this->config->tag;
+
+            $key = match (true) {
+                is_string($tag) => $tag,
+                $tag instanceof BackedEnum => $tag->value,
+                $tag instanceof UnitEnum => $tag->name,
+                default => 'default',
+            };
+
+            return "oauth:{$key}";
+        }
+    }
+
     public function getAuthorizationUrl(array $scopes = [], array $options = []): string
     {
+        $this->session->set($this->sessionKey, $this->provider->getState());
+
         return $this->provider->getAuthorizationUrl([
             'scope' => $scopes ?? $this->config->scopes,
             'redirect_uri' => $this->uri->createUri($this->config->redirectTo),
@@ -69,4 +97,19 @@ public function fetchUser(string $code): OAuthUser
             token: $this->getAccessToken($code),
         );
     }
+
+    public function authenticate(Request $request, Closure $authenticate): Authenticatable
+    {
+        if ($this->session->get($this->sessionKey) !== $request->get('state')) {
+            throw new OAuthStateWasInvalid();
+        }
+
+        $user = $this->fetchUser($request->get('code'));
+
+        $authenticable = $authenticate($user);
+
+        $this->authenticator->authenticate($authenticable);
+
+        return $authenticable;
+    }
 }
diff --git a/packages/auth/src/OAuth/OAuthClient.php b/packages/auth/src/OAuth/OAuthClient.php
@@ -4,7 +4,10 @@
 
 namespace Tempest\Auth\OAuth;
 
+use Closure;
 use League\OAuth2\Client\Token\AccessToken;
+use Tempest\Auth\Authentication\Authenticatable;
+use Tempest\Http\Request;
 
 interface OAuthClient
 {
@@ -32,4 +35,10 @@ public function getUser(AccessToken $token): OAuthUser;
      * Completes OAuth flow with code and get user information.
      */
     public function fetchUser(string $code): OAuthUser;
+
+    /**
+     * Authenticates a user based on the given oauth callback request
+     * @param Closure(\Tempest\Auth\OAuth\OAuthUser $user): Authenticatable $authenticate
+     */
+    public function authenticate(Request $request, Closure $authenticate): Authenticatable;
 }
diff --git a/packages/auth/src/OAuth/Testing/TestingOAuthClient.php b/packages/auth/src/OAuth/Testing/TestingOAuthClient.php
@@ -4,11 +4,15 @@
 
 namespace Tempest\Auth\OAuth\Testing;
 
+use Closure;
 use League\OAuth2\Client\Token\AccessToken;
 use PHPUnit\Framework\Assert;
+use Tempest\Auth\Authentication\Authenticatable;
+use Tempest\Auth\Authentication\Authenticator;
 use Tempest\Auth\OAuth\OAuthClient;
 use Tempest\Auth\OAuth\OAuthConfig;
 use Tempest\Auth\OAuth\OAuthUser;
+use Tempest\Http\Request;
 use Tempest\Router\UriGenerator;
 use Tempest\Support\Arr;
 use Tempest\Support\Random;
@@ -46,8 +50,9 @@ final class TestingOAuthClient implements OAuthClient
 
     public function __construct(
         private(set) OAuthUser $user,
-        private(set) OAuthConfig $config,
-        private UriGenerator $uri,
+        private(set) readonly OAuthConfig $config,
+        private readonly Authenticator $authenticator,
+        private readonly UriGenerator $uri,
     ) {}
 
     public function getAuthorizationUrl(array $scopes = [], array $options = []): string
@@ -115,6 +120,15 @@ public function fetchUser(string $code): OAuthUser
         return $user;
     }
 
+    public function authenticate(Request $request, Closure $authenticate): Authenticatable
+    {
+        $authenticatable = $authenticate($this->user);
+
+        $this->authenticator->authenticate($authenticatable);
+
+        return $authenticatable;
+    }
+
     /**
      * Sets the OAuth client ID.
      */
