Merge branch 'master' into psr-event-dispatcher

eugene-borovov · eugene-borovov · commit 1f75b46547c0 · 2021-04-20T00:23:24.000+07:00
# Conflicts:
#	composer.json
#	src/Grant/AuthCodeGrant.php
#	src/Grant/ClientCredentialsGrant.php
#	src/Grant/PasswordGrant.php
#	src/Grant/RefreshTokenGrant.php
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,8 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Events emitted now include the refresh token and access token payloads (PR #1211)
+
 ### Fixed
 - The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
+- Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
 
 ## [8.2.4] - released 2020-12-10
 ### Fixed
diff --git a/composer.json b/composer.json
@@ -6,7 +6,7 @@
     "require": {
         "php": "^7.2 || ^8.0",
         "ext-openssl": "*",
-        "lcobucci/jwt": "^3.4 || ^4.0",
+        "lcobucci/jwt": "^3.4 || ~4.0.0",
         "psr/event-dispatcher": "^1.0",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",
diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
@@ -191,6 +191,10 @@ protected function validateClient(ServerRequestInterface $request)
         $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         }
 
@@ -238,12 +242,16 @@ protected function getClientCredentials(ServerRequestInterface $request)
 
         $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
 
-        if (\is_null($clientId)) {
+        if (!\is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
         $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
 
+        if ($clientSecret !== null && !\is_string($clientSecret)) {
+            throw OAuthServerException::invalidRequest('client_secret');
+        }
+
         return [$clientId, $clientSecret];
     }
 
@@ -287,10 +295,16 @@ protected function validateRedirectUri(
      */
     public function validateScopes($scopes, $redirectUri = null)
     {
-        if (!\is_array($scopes)) {
+        if ($scopes === null) {
+            $scopes = [];
+        } elseif (\is_string($scopes)) {
             $scopes = $this->convertScopesQueryStringToArray($scopes);
         }
 
+        if (!\is_array($scopes)) {
+            throw OAuthServerException::invalidRequest('scope');
+        }
+
         $validScopes = [];
 
         foreach ($scopes as $scopeItem) {
@@ -313,7 +327,7 @@ public function validateScopes($scopes, $redirectUri = null)
      *
      * @return array
      */
-    private function convertScopesQueryStringToArray($scopes)
+    private function convertScopesQueryStringToArray(string $scopes)
     {
         return \array_filter(\explode(self::SCOPE_DELIMITER_STRING, \trim($scopes)), function ($scope) {
             return !empty($scope);
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
@@ -108,7 +108,7 @@ public function respondToAccessTokenRequest(
 
         $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
 
-        if ($encryptedAuthCode === null) {
+        if (!\is_string($encryptedAuthCode)) {
             throw OAuthServerException::invalidRequest('code');
         }
 
@@ -262,6 +262,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
         $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         } elseif (empty($client->getRedirectUri()) ||
             (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php
@@ -120,7 +120,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
             $this->getServerParameter('PHP_AUTH_USER', $request)
         );
 
-        if (\is_null($clientId)) {
+        if (!\is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
@@ -129,6 +129,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
         $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         } elseif (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1
             || empty($client->getRedirectUri())) {
@@ -147,6 +151,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
 
         $stateParameter = $this->getQueryStringParameter('state', $request);
 
+        if ($stateParameter !== null && !\is_string($stateParameter)) {
+            throw OAuthServerException::invalidRequest('state');
+        }
+
         $authorizationRequest = new AuthorizationRequest();
         $authorizationRequest->setGrantTypeId($this->getIdentifier());
         $authorizationRequest->setClient($client);
diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
@@ -86,13 +86,13 @@ protected function validateUser(ServerRequestInterface $request, ClientEntityInt
     {
         $username = $this->getRequestParameter('username', $request);
 
-        if (\is_null($username)) {
+        if (!\is_string($username)) {
             throw OAuthServerException::invalidRequest('username');
         }
 
         $password = $this->getRequestParameter('password', $request);
 
-        if (\is_null($password)) {
+        if (!\is_string($password)) {
             throw OAuthServerException::invalidRequest('password');
         }
 
diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php
@@ -94,7 +94,7 @@ public function respondToAccessTokenRequest(
     protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)
     {
         $encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
-        if (\is_null($encryptedRefreshToken)) {
+        if (!\is_string($encryptedRefreshToken)) {
             throw OAuthServerException::invalidRequest('refresh_token');
         }
 
diff --git a/tests/Grant/AbstractGrantTest.php b/tests/Grant/AbstractGrantTest.php
@@ -89,6 +89,70 @@ public function testHttpBasicNoColon()
         $this->assertSame([null, null], $basicAuthMethod->invoke($grantMock, $serverRequest));
     }
 
+    public function testGetClientCredentialsClientIdNotAString()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'client_id'     => ['not', 'a', 'string'],
+                'client_secret' => 'client_secret',
+            ]
+        );
+        $getClientCredentialsMethod = $abstractGrantReflection->getMethod('getClientCredentials');
+        $getClientCredentialsMethod->setAccessible(true);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
+        $getClientCredentialsMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
+    public function testGetClientCredentialsClientSecretNotAString()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'client_id'     => 'client_id',
+                'client_secret' => ['not', 'a', 'string'],
+            ]
+        );
+        $getClientCredentialsMethod = $abstractGrantReflection->getMethod('getClientCredentials');
+        $getClientCredentialsMethod->setAccessible(true);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
+        $getClientCredentialsMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
     public function testValidateClientPublic()
     {
         $client = new ClientEntity();
@@ -261,6 +325,32 @@ public function testValidateClientInvalidRedirectUriArray()
         $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
     }
 
+    public function testValidateClientMalformedRedirectUri()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'    => 'foo',
+            'redirect_uri' => ['not', 'a', 'string'],
+        ]);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
     public function testValidateClientBadClient()
     {
         $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php
@@ -1112,6 +1112,44 @@ public function testRespondToAccessTokenRequestWithRefreshTokenInsteadOfAuthCode
         }
     }
 
+    public function testRespondToAccessTokenRequestWithAuthCodeNotAString()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new DateInterval('PT10M')
+        );
+
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setEncryptionKey($this->cryptStub->getKey());
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => ['not', 'a', 'string'],
+            ]
+        );
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $grant->respondToAccessTokenRequest($request, new StubResponseType(), new DateInterval('PT10M'));
+    }
+
     public function testRespondToAccessTokenRequestExpiredCode()
     {
         $client = new ClientEntity();

Original file line number	Diff line number	Diff line change
`@@ -86,13 +86,13 @@ protected function validateUser(ServerRequestInterface $request, ClientEntityInt`
`86`	`86`	`{`
`87`	`87`	`$username = $this->getRequestParameter('username', $request);`
`88`	`88`
`89`		`- if (\is_null($username)) {`
	`89`	`+ if (!\is_string($username)) {`
`90`	`90`	`throw OAuthServerException::invalidRequest('username');`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`$password = $this->getRequestParameter('password', $request);`
`94`	`94`
`95`		`- if (\is_null($password)) {`
	`95`	`+ if (!\is_string($password)) {`
`96`	`96`	`throw OAuthServerException::invalidRequest('password');`
`97`	`97`	`}`
`98`	`98`
Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ public function respondToAccessTokenRequest(`
`94`	`94`	`protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)`
`95`	`95`	`{`
`96`	`96`	`$encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);`
`97`		`- if (\is_null($encryptedRefreshToken)) {`
	`97`	`+ if (!\is_string($encryptedRefreshToken)) {`
`98`	`98`	`throw OAuthServerException::invalidRequest('refresh_token');`
`99`	`99`	`}`
`100`	`100`