Merge pull request #1203 from exeba/rfc8252-compliance

Rfc8252 compliance

Author: Sephster

CHANGELOG.md

@@ -6,6 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 ### Added
+- The server will now validate redirect uris according to rfc8252 (PR #1203)
 - Events emitted now include the refresh token and access token payloads (PR #1211)
 
 ### Fixed

src/Grant/AbstractGrant.php

@@ -24,6 +24,7 @@
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\RedirectUriValidators\RedirectUriValidator;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
@@ -270,14 +271,8 @@ protected function validateRedirectUri(
         ClientEntityInterface $client,
         ServerRequestInterface $request
     ) {
-        if (\is_string($client->getRedirectUri())
-            && (\strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-        ) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient($request);
-        } elseif (\is_array($client->getRedirectUri())
-            && \in_array($redirectUri, $client->getRedirectUri(), true) === false
-        ) {
+        $validator = new RedirectUriValidator($client->getRedirectUri());
+        if (!$validator->validateRedirectUri($redirectUri)) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient($request);
         }

src/RedirectUriValidators/RedirectUriValidator.php

@@ -0,0 +1,114 @@
+<?php
+/**
+ * @author      Sebastiano Degan <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\RedirectUriValidators;
+
+class RedirectUriValidator implements RedirectUriValidatorInterface
+{
+    /**
+     * @var array
+     */
+    private $allowedRedirectUris;
+
+    /**
+     * New validator instance for the given uri
+     *
+     * @param string|array $allowedRedirectUris
+     */
+    public function __construct($allowedRedirectUri)
+    {
+        if (\is_string($allowedRedirectUri)) {
+            $this->allowedRedirectUris = [$allowedRedirectUri];
+        } elseif (\is_array($allowedRedirectUri)) {
+            $this->allowedRedirectUris = $allowedRedirectUri;
+        } else {
+            $this->allowedRedirectUris = [];
+        }
+    }
+
+    /**
+     * Validates the redirect uri.
+     *
+     * @param string $redirectUri
+     *
+     * @return bool Return true if valid, false otherwise
+     */
+    public function validateRedirectUri($redirectUri)
+    {
+        if ($this->isLoopbackUri($redirectUri)) {
+            return $this->matchUriExcludingPort($redirectUri);
+        }
+
+        return $this->matchExactUri($redirectUri);
+    }
+
+    /**
+     * According to section 7.3 of rfc8252, loopback uris are:
+     *   - "http://127.0.0.1:{port}/{path}" for IPv4
+     *   - "http://[::1]:{port}/{path}" for IPv6
+     *
+     * @param string $redirectUri
+     *
+     * @return bool
+     */
+    private function isLoopbackUri($redirectUri)
+    {
+        $parsedUrl = \parse_url($redirectUri);
+
+        return $parsedUrl['scheme'] === 'http'
+            && (\in_array($parsedUrl['host'], ['127.0.0.1', '[::1]'], true));
+    }
+
+    /**
+     * Find an exact match among allowed uris
+     *
+     * @param string $redirectUri
+     *
+     * @return bool Return true if an exact match is found, false otherwise
+     */
+    private function matchExactUri($redirectUri)
+    {
+        return \in_array($redirectUri, $this->allowedRedirectUris, true);
+    }
+
+    /**
+     * Find a match among allowed uris, allowing for different port numbers
+     *
+     * @param string $redirectUri
+     *
+     * @return bool Return true if a match is found, false otherwise
+     */
+    private function matchUriExcludingPort($redirectUri)
+    {
+        $parsedUrl = $this->parseUrlAndRemovePort($redirectUri);
+
+        foreach ($this->allowedRedirectUris as $allowedRedirectUri) {
+            if ($parsedUrl === $this->parseUrlAndRemovePort($allowedRedirectUri)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Parse an url like \parse_url, excluding the port
+     *
+     * @param string $url
+     *
+     * @return array
+     */
+    private function parseUrlAndRemovePort($url)
+    {
+        $parsedUrl = \parse_url($url);
+        unset($parsedUrl['port']);
+
+        return $parsedUrl;
+    }
+}

src/RedirectUriValidators/RedirectUriValidatorInterface.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * @author      Sebastiano Degan <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\RedirectUriValidators;
+
+interface RedirectUriValidatorInterface
+{
+    /**
+     * Validates the redirect uri.
+     *
+     * @param string $redirectUri
+     *
+     * @return bool Return true if valid, false otherwise
+     */
+    public function validateRedirectUri($redirectUri);
+}

tests/RedirectUriValidators/RedirectUriValidatorTest.php

@@ -0,0 +1,75 @@
+<?php
+
+namespace LeagueTests\RedirectUriValidators;
+
+use League\OAuth2\Server\RedirectUriValidators\RedirectUriValidator;
+use PHPUnit\Framework\TestCase;
+
+class RedirectUriValidatorTest extends TestCase
+{
+    public function testInvalidNonLoopbackUri()
+    {
+        $validator = new RedirectUriValidator([
+            'https://example.com:8443/endpoint',
+            'https://example.com/different/endpoint',
+        ]);
+
+        $invalidRedirectUri = 'https://example.com/endpoint';
+
+        $this->assertFalse(
+            $validator->validateRedirectUri($invalidRedirectUri),
+            'Non loopback URI must match in every part'
+        );
+    }
+
+    public function testValidNonLoopbackUri()
+    {
+        $validator = new RedirectUriValidator([
+            'https://example.com:8443/endpoint',
+            'https://example.com/different/endpoint',
+        ]);
+
+        $validRedirectUri = 'https://example.com:8443/endpoint';
+
+        $this->assertTrue(
+            $validator->validateRedirectUri($validRedirectUri),
+            'Redirect URI must be valid when matching in every part'
+        );
+    }
+
+    public function testInvalidLoopbackUri()
+    {
+        $validator = new RedirectUriValidator('http://127.0.0.1:8443/endpoint');
+
+        $invalidRedirectUri = 'http://127.0.0.1:8443/different/endpoint';
+
+        $this->assertFalse(
+            $validator->validateRedirectUri($invalidRedirectUri),
+            'Valid loopback redirect URI can change only the port number'
+        );
+    }
+
+    public function testValidLoopbackUri()
+    {
+        $validator = new RedirectUriValidator('http://127.0.0.1:8443/endpoint');
+
+        $validRedirectUri = 'http://127.0.0.1:8080/endpoint';
+
+        $this->assertTrue(
+            $validator->validateRedirectUri($validRedirectUri),
+            'Loopback redirect URI can change the port number'
+        );
+    }
+
+    public function testValidIpv6LoopbackUri()
+    {
+        $validator = new RedirectUriValidator('http://[::1]:8443/endpoint');
+
+        $validRedirectUri = 'http://[::1]:8080/endpoint';
+
+        $this->assertTrue(
+            $validator->validateRedirectUri($validRedirectUri),
+            'Loopback redirect URI can change the port number'
+        );
+    }
+}