public function processRequest()
{
$request = $this->getRequest();
$grant_type = $request->getStr('grant_type');
$code = $request->getStr('code');
$redirect_uri = $request->getStr('redirect_uri');
$client_phid = $request->getStr('client_id');
$client_secret = $request->getStr('client_secret');
$response = new PhabricatorOAuthResponse();
$server = new PhabricatorOAuthServer();
if ($grant_type != 'authorization_code') {
$response->setError('unsupported_grant_type');
$response->setErrorDescription(pht('Only %s %s is supported.', 'grant_type', 'authorization_code'));
return $response;
}
if (!$code) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter code missing.'));
return $response;
}
if (!$client_phid) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter %s missing.', 'client_id'));
return $response;
}
if (!$client_secret) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter %s missing.', 'client_secret'));
return $response;
}
// one giant try / catch around all the exciting database stuff so we
// can return a 'server_error' response if something goes wrong!
try {
$auth_code = id(new PhabricatorOAuthServerAuthorizationCode())->loadOneWhere('code = %s', $code);
if (!$auth_code) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Authorization code %d not found.', $code));
return $response;
}
// if we have an auth code redirect URI, there must be a redirect_uri
// in the request and it must match the auth code redirect uri *exactly*
$auth_code_redirect_uri = $auth_code->getRedirectURI();
if ($auth_code_redirect_uri) {
$auth_code_redirect_uri = new PhutilURI($auth_code_redirect_uri);
$redirect_uri = new PhutilURI($redirect_uri);
if (!$redirect_uri->getDomain() || $redirect_uri != $auth_code_redirect_uri) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Redirect URI in request must exactly match redirect URI ' . 'from authorization code.'));
return $response;
}
} else {
if ($redirect_uri) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Redirect URI in request and no redirect URI in authorization ' . 'code. The two must exactly match.'));
return $response;
}
}
$client = id(new PhabricatorOAuthServerClient())->loadOneWhere('phid = %s', $client_phid);
if (!$client) {
$response->setError('invalid_client');
$response->setErrorDescription(pht('Client with %s %d not found.', 'client_id', $client_phid));
return $response;
}
$server->setClient($client);
$user_phid = $auth_code->getUserPHID();
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $user_phid);
if (!$user) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('User with PHID %d not found.', $user_phid));
return $response;
}
$server->setUser($user);
$test_code = new PhabricatorOAuthServerAuthorizationCode();
$test_code->setClientSecret($client_secret);
$test_code->setClientPHID($client_phid);
$is_good_code = $server->validateAuthorizationCode($auth_code, $test_code);
if (!$is_good_code) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Invalid authorization code %d.', $code));
return $response;
}
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$access_token = $server->generateAccessToken();
$auth_code->delete();
unset($unguarded);
$result = array('access_token' => $access_token->getToken(), 'token_type' => 'Bearer', 'expires_in' => PhabricatorOAuthServer::ACCESS_TOKEN_TIMEOUT);
return $response->setContent($result);
} catch (Exception $e) {
$response->setError('server_error');
$response->setErrorDescription(pht('The authorization server encountered an unexpected condition ' . 'which prevented it from fulfilling the request.'));
return $response;
}
}
/**
* @task token
*/
public function validateAuthorizationCode(PhabricatorOAuthServerAuthorizationCode $test_code, PhabricatorOAuthServerAuthorizationCode $valid_code)
{
// check that all the meta data matches
if ($test_code->getClientPHID() != $valid_code->getClientPHID()) {
return false;
}
if ($test_code->getClientSecret() != $valid_code->getClientSecret()) {
return false;
}
// check that the authorization code hasn't timed out
$created_time = $test_code->getDateCreated();
$must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT;
return time() < $must_be_used_by;
}
public function handleRequest(AphrontRequest $request)
{
$grant_type = $request->getStr('grant_type');
$code = $request->getStr('code');
$redirect_uri = $request->getStr('redirect_uri');
$response = new PhabricatorOAuthResponse();
$server = new PhabricatorOAuthServer();
$client_id_parameter = $request->getStr('client_id');
$client_id_header = idx($_SERVER, 'PHP_AUTH_USER');
if (strlen($client_id_parameter) && strlen($client_id_header)) {
if ($client_id_parameter !== $client_id_header) {
throw new Exception(pht('Request included a client_id parameter and an "Authorization" ' . 'header with a username, but the values "%s" and "%s") disagree. ' . 'The values must match.', $client_id_parameter, $client_id_header));
}
}
$client_secret_parameter = $request->getStr('client_secret');
$client_secret_header = idx($_SERVER, 'PHP_AUTH_PW');
if (strlen($client_secret_parameter)) {
// If the `client_secret` parameter is present, prefer parameters.
$client_phid = $client_id_parameter;
$client_secret = $client_secret_parameter;
} else {
// Otherwise, read values from the "Authorization" header.
$client_phid = $client_id_header;
$client_secret = $client_secret_header;
}
if ($grant_type != 'authorization_code') {
$response->setError('unsupported_grant_type');
$response->setErrorDescription(pht('Only %s %s is supported.', 'grant_type', 'authorization_code'));
return $response;
}
if (!$code) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter code missing.'));
return $response;
}
if (!$client_phid) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter %s missing.', 'client_id'));
return $response;
}
if (!$client_secret) {
$response->setError('invalid_request');
$response->setErrorDescription(pht('Required parameter %s missing.', 'client_secret'));
return $response;
}
// one giant try / catch around all the exciting database stuff so we
// can return a 'server_error' response if something goes wrong!
try {
$auth_code = id(new PhabricatorOAuthServerAuthorizationCode())->loadOneWhere('code = %s', $code);
if (!$auth_code) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Authorization code %s not found.', $code));
return $response;
}
// if we have an auth code redirect URI, there must be a redirect_uri
// in the request and it must match the auth code redirect uri *exactly*
$auth_code_redirect_uri = $auth_code->getRedirectURI();
if ($auth_code_redirect_uri) {
$auth_code_redirect_uri = new PhutilURI($auth_code_redirect_uri);
$redirect_uri = new PhutilURI($redirect_uri);
if (!$redirect_uri->getDomain() || $redirect_uri != $auth_code_redirect_uri) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Redirect URI in request must exactly match redirect URI ' . 'from authorization code.'));
return $response;
}
} else {
if ($redirect_uri) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Redirect URI in request and no redirect URI in authorization ' . 'code. The two must exactly match.'));
return $response;
}
}
$client = id(new PhabricatorOAuthServerClient())->loadOneWhere('phid = %s', $client_phid);
if (!$client) {
$response->setError('invalid_client');
$response->setErrorDescription(pht('Client with %s %s not found.', 'client_id', $client_phid));
return $response;
}
if ($client->getIsDisabled()) {
$response->setError('invalid_client');
$response->setErrorDescription(pht('OAuth application "%s" has been disabled.', $client->getName()));
return $response;
}
$server->setClient($client);
$user_phid = $auth_code->getUserPHID();
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $user_phid);
if (!$user) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('User with PHID %s not found.', $user_phid));
return $response;
}
$server->setUser($user);
$test_code = new PhabricatorOAuthServerAuthorizationCode();
$test_code->setClientSecret($client_secret);
$test_code->setClientPHID($client_phid);
$is_good_code = $server->validateAuthorizationCode($auth_code, $test_code);
if (!$is_good_code) {
$response->setError('invalid_grant');
$response->setErrorDescription(pht('Invalid authorization code %s.', $code));
return $response;
}
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$access_token = $server->generateAccessToken();
$auth_code->delete();
unset($unguarded);
$result = array('access_token' => $access_token->getToken(), 'token_type' => 'Bearer');
return $response->setContent($result);
} catch (Exception $e) {
$response->setError('server_error');
$response->setErrorDescription(pht('The authorization server encountered an unexpected condition ' . 'which prevented it from fulfilling the request.'));
return $response;
}
}
