public function testDoesCaseSensitiveTest()
 {
     $token = new AccessToken();
     $token->setToken('Token');
     $this->tokenRepository->expects($this->once())->method('findByToken')->with('token')->will($this->returnValue($token));
     $this->assertNull($this->tokenService->getToken('token'));
 }
 /**
  * Get the access token
  *
  * Note that this method will only match tokens that are not expired and match the given scopes (if any).
  * If no token is pass, this method will return null, but if a token is given does not exist (ie. has been
  * deleted) or is not valid, then it will trigger an exception
  *
  * @link   http://tools.ietf.org/html/rfc6750#page-5
  * @param  ServerRequestInterface $request
  * @param  array                  $scopes
  * @return AccessToken|null
  * @throws Exception\InvalidAccessTokenException If given access token is invalid or expired
  */
 public function getAccessToken(ServerRequestInterface $request, $scopes = [])
 {
     if (!($token = $this->extractAccessToken($request))) {
         return null;
     }
     $token = $this->accessTokenService->getToken($token);
     if ($token === null || !$token->isValid($scopes)) {
         throw new InvalidAccessTokenException('Access token has expired or has been deleted');
     }
     return $token;
 }
 /**
  * {@inheritDoc}
  * @throws OAuth2Exception
  */
 public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
 {
     $postParams = $request->getParsedBody();
     $code = $postParams['code'] ?? null;
     if (null === $code) {
         throw OAuth2Exception::invalidRequest('Could not find the authorization code in the request');
     }
     /* @var \ZfrOAuth2\Server\Entity\AuthorizationCode  $authorizationCode */
     $authorizationCode = $this->authorizationCodeService->getToken($code);
     if (null === $authorizationCode || $authorizationCode->isExpired()) {
         throw OAuth2Exception::invalidGrant('Authorization code cannot be found or is expired');
     }
     $clientId = $postParams['client_id'] ?? null;
     if ($authorizationCode->getClient()->getId() !== $clientId) {
         throw OAuth2Exception::invalidRequest('Authorization code\'s client does not match with the one that created the authorization code');
     }
     // If owner is null, we reuse the same as the authorization code
     $owner = $owner ?: $authorizationCode->getOwner();
     // Everything is okey, let's start the token generation!
     $scopes = $authorizationCode->getScopes();
     // reuse the scopes from the authorization code
     $accessToken = new AccessToken();
     $this->populateToken($accessToken, $client, $owner, $scopes);
     $accessToken = $this->accessTokenService->createToken($accessToken);
     // Before generating a refresh token, we must make sure the authorization server supports this grant
     $refreshToken = null;
     if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
         $refreshToken = new RefreshToken();
         $this->populateToken($refreshToken, $client, $owner, $scopes);
         $refreshToken = $this->refreshTokenService->createToken($refreshToken);
     }
     return $this->prepareTokenResponse($accessToken, $refreshToken);
 }
 /**
  * {@inheritDoc}
  */
 public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
 {
     $postParams = $request->getParsedBody();
     $refreshToken = $postParams['refresh_token'] ?? null;
     if (null === $refreshToken) {
         throw OAuth2Exception::invalidRequest('Refresh token is missing');
     }
     // We can fetch the actual token, and validate it
     /** @var RefreshToken $refreshToken */
     $refreshToken = $this->refreshTokenService->getToken($refreshToken);
     if (null === $refreshToken || $refreshToken->isExpired()) {
         throw OAuth2Exception::invalidGrant('Refresh token is expired');
     }
     // We can now create a new access token! First, we need to make some checks on the asked scopes,
     // because according to the spec, a refresh token can create an access token with an equal or lesser
     // scope, but not more
     $scopes = $postParams['scope'] ?? $refreshToken->getScopes();
     if (!$refreshToken->matchScopes($scopes)) {
         throw OAuth2Exception::invalidScope('The scope of the new access token exceeds the scope(s) of the refresh token');
     }
     $owner = $refreshToken->getOwner();
     $accessToken = new AccessToken();
     $this->populateToken($accessToken, $client, $owner, $scopes);
     /** @var AccessToken $accessToken */
     $accessToken = $this->accessTokenService->createToken($accessToken);
     // We may want to revoke the old refresh token
     if ($this->rotateRefreshTokens) {
         $this->refreshTokenService->deleteToken($refreshToken);
         $refreshToken = new RefreshToken();
         $this->populateToken($refreshToken, $client, $owner, $scopes);
         $refreshToken = $this->refreshTokenService->createToken($refreshToken);
     }
     // We can generate the response!
     return $this->prepareTokenResponse($accessToken, $refreshToken, true);
 }
 /**
  * @param  ServerRequestInterface $request
  * @return ResponseInterface
  * @throws OAuth2Exception If no "token" is present
  */
 public function handleRevocationRequest(ServerRequestInterface $request) : ResponseInterface
 {
     $postParams = $request->getParsedBody();
     $token = $postParams['token'] ?? null;
     $tokenHint = $postParams['token_type_hint'] ?? null;
     if (null === $token || null === $tokenHint) {
         throw OAuth2Exception::invalidRequest('Cannot revoke a token as the "token" and/or "token_type_hint" parameters are missing');
     }
     if ($tokenHint !== 'access_token' && $tokenHint !== 'refresh_token') {
         throw OAuth2Exception::unsupportedTokenType(sprintf('Authorization server does not support revocation of token of type "%s"', $tokenHint));
     }
     if ($tokenHint === 'access_token') {
         $token = $this->accessTokenService->getToken($token);
     } else {
         $token = $this->refreshTokenService->getToken($token);
     }
     $response = new Response();
     // According to spec, we should return 200 if token is invalid
     if (null === $token) {
         return $response;
     }
     // Now, we must validate the client if the token was generated against a non-public client
     if (null !== $token->getClient() && !$token->getClient()->isPublic()) {
         $requestClient = $this->getClient($request, false);
         if ($requestClient !== $token->getClient()) {
             throw OAuth2Exception::invalidClient('Token was issued for another client and cannot be revoked');
         }
     }
     try {
         if ($tokenHint === 'access_token') {
             $this->accessTokenService->deleteToken($token);
         } else {
             $this->refreshTokenService->deleteToken($token);
         }
     } catch (\Exception $exception) {
         // According to spec (https://tools.ietf.org/html/rfc7009#section-2.2.1), we should return a server 503
         // error if we cannot delete the token for any reason
         $response = $response->withStatus(503, 'An error occurred while trying to delete the token');
     }
     return $response;
 }