Merge branch 'master' into rfc8252-compliance

Author: Sephster

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: composer
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "11:00"
+  open-pull-requests-limit: 10
+  ignore:
+  - dependency-name: league/event
+    versions:
+    - 3.0.0

.gitignore

@@ -1,6 +1,7 @@
 /vendor
 /composer.lock
 phpunit.xml
+.phpunit.result.cache
 .idea
 /examples/vendor
 examples/public.key

CHANGELOG.md

@@ -6,10 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 ### Added
-The server will now validate redirect uris according to rfc8252 (PR #1203)
+- The server will now validate redirect uris according to rfc8252 (PR #1203)
+- Events emitted now include the refresh token and access token payloads (PR #1211)
 
 ### Fixed
 - The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
+- Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
 
 ## [8.2.4] - released 2020-12-10
 ### Fixed

composer.json

@@ -7,7 +7,7 @@
         "php": "^7.2 || ^8.0",
         "ext-openssl": "*",
         "league/event": "^2.2",
-        "lcobucci/jwt": "^3.4 || ^4.0",
+        "lcobucci/jwt": "^3.4 || ~4.0.0",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",
         "ext-json": "*"

src/AuthorizationValidators/BearerTokenValidator.php

@@ -12,12 +12,9 @@
 use DateTimeZone;
 use Lcobucci\Clock\SystemClock;
 use Lcobucci\JWT\Configuration;
-use Lcobucci\JWT\Encoding\CannotDecodeContent;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
-use Lcobucci\JWT\Token\InvalidTokenStructure;
-use Lcobucci\JWT\Token\UnsupportedHeaderFound;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Lcobucci\JWT\Validation\Constraint\ValidAt;
 use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
@@ -95,18 +92,18 @@ public function validateAuthorization(ServerRequestInterface $request)
         $jwt = \trim((string) \preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));
 
         try {
-            // Attempt to parse and validate the JWT
+            // Attempt to parse the JWT
             $token = $this->jwtConfiguration->parser()->parse($jwt);
+        } catch (\Lcobucci\JWT\Exception $exception) {
+            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
+        }
 
+        try {
+            // Attempt to validate the JWT
             $constraints = $this->jwtConfiguration->validationConstraints();
-
-            try {
-                $this->jwtConfiguration->validator()->assert($token, ...$constraints);
-            } catch (RequiredConstraintsViolated $exception) {
-                throw OAuthServerException::accessDenied('Access token could not be verified');
-            }
-        } catch (CannotDecodeContent | InvalidTokenStructure | UnsupportedHeaderFound $exception) {
-            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
+            $this->jwtConfiguration->validator()->assert($token, ...$constraints);
+        } catch (RequiredConstraintsViolated $exception) {
+            throw OAuthServerException::accessDenied('Access token could not be verified');
         }
 
         $claims = $token->claims();

src/Grant/AbstractGrant.php

@@ -192,6 +192,10 @@ protected function validateClient(ServerRequestInterface $request)
         $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         }
 
@@ -239,12 +243,16 @@ protected function getClientCredentials(ServerRequestInterface $request)
 
         $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
 
-        if (\is_null($clientId)) {
+        if (!\is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
         $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
 
+        if ($clientSecret !== null && !\is_string($clientSecret)) {
+            throw OAuthServerException::invalidRequest('client_secret');
+        }
+
         return [$clientId, $clientSecret];
     }
 
@@ -282,10 +290,16 @@ protected function validateRedirectUri(
      */
     public function validateScopes($scopes, $redirectUri = null)
     {
-        if (!\is_array($scopes)) {
+        if ($scopes === null) {
+            $scopes = [];
+        } elseif (\is_string($scopes)) {
             $scopes = $this->convertScopesQueryStringToArray($scopes);
         }
 
+        if (!\is_array($scopes)) {
+            throw OAuthServerException::invalidRequest('scope');
+        }
+
         $validScopes = [];
 
         foreach ($scopes as $scopeItem) {
@@ -308,7 +322,7 @@ public function validateScopes($scopes, $redirectUri = null)
      *
      * @return array
      */
-    private function convertScopesQueryStringToArray($scopes)
+    private function convertScopesQueryStringToArray(string $scopes)
     {
         return \array_filter(\explode(self::SCOPE_DELIMITER_STRING, \trim($scopes)), function ($scope) {
             return !empty($scope);

src/Grant/AuthCodeGrant.php

@@ -20,7 +20,9 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\RequestAccessTokenEvent;
 use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\RequestRefreshTokenEvent;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
@@ -106,7 +108,7 @@ public function respondToAccessTokenRequest(
 
         $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
 
-        if ($encryptedAuthCode === null) {
+        if (!\is_string($encryptedAuthCode)) {
             throw OAuthServerException::invalidRequest('code');
         }
 
@@ -162,14 +164,14 @@ public function respondToAccessTokenRequest(
 
         // Issue and persist new access token
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);
 
         // Issue and persist new refresh token if given
         $refreshToken = $this->issueRefreshToken($accessToken);
 
         if ($refreshToken !== null) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $this->getEmitter()->emit(new RequestRefreshTokenEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request, $refreshToken));
             $responseType->setRefreshToken($refreshToken);
         }
 
@@ -260,6 +262,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
         $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         } elseif (empty($client->getRedirectUri()) ||
             (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {

src/Grant/ClientCredentialsGrant.php

@@ -13,6 +13,7 @@
 
 use DateInterval;
 use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\RequestAccessTokenEvent;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -52,7 +53,7 @@ public function respondToAccessTokenRequest(
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
 
         // Send event to emitter
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
 
         // Inject access token into response type
         $responseType->setAccessToken($accessToken);

src/Grant/ImplicitGrant.php

@@ -120,7 +120,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
             $this->getServerParameter('PHP_AUTH_USER', $request)
         );
 
-        if (\is_null($clientId)) {
+        if (!\is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
@@ -129,6 +129,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
         $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
 
         if ($redirectUri !== null) {
+            if (!\is_string($redirectUri)) {
+                throw OAuthServerException::invalidRequest('redirect_uri');
+            }
+
             $this->validateRedirectUri($redirectUri, $client, $request);
         } elseif (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1
             || empty($client->getRedirectUri())) {
@@ -147,6 +151,10 @@ public function validateAuthorizationRequest(ServerRequestInterface $request)
 
         $stateParameter = $this->getQueryStringParameter('state', $request);
 
+        if ($stateParameter !== null && !\is_string($stateParameter)) {
+            throw OAuthServerException::invalidRequest('state');
+        }
+
         $authorizationRequest = new AuthorizationRequest();
         $authorizationRequest->setGrantTypeId($this->getIdentifier());
         $authorizationRequest->setClient($client);

src/Grant/PasswordGrant.php

@@ -17,7 +17,9 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestAccessTokenEvent;
 use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\RequestRefreshTokenEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -58,14 +60,14 @@ public function respondToAccessTokenRequest(
 
         // Issue and persist new access token
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);
 
         // Issue and persist new refresh token if given
         $refreshToken = $this->issueRefreshToken($accessToken);
 
         if ($refreshToken !== null) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $this->getEmitter()->emit(new RequestRefreshTokenEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request, $refreshToken));
             $responseType->setRefreshToken($refreshToken);
         }
 
@@ -84,13 +86,13 @@ protected function validateUser(ServerRequestInterface $request, ClientEntityInt
     {
         $username = $this->getRequestParameter('username', $request);
 
-        if (\is_null($username)) {
+        if (!\is_string($username)) {
             throw OAuthServerException::invalidRequest('username');
         }
 
         $password = $this->getRequestParameter('password', $request);
 
-        if (\is_null($password)) {
+        if (!\is_string($password)) {
             throw OAuthServerException::invalidRequest('password');
         }