/** @return null|mixed */
protected function getIdentity()
{
$accessToken = $this->request->getQuery('access_token', $this->request->getPost('access_token'));
if ($accessToken === null) {
return null;
}
$oAuthRequest = OAuth2RequestFactory::create($this->request);
$accessTokenData = $this->oauthServer->getAccessTokenData($oAuthRequest);
return $this->identity = $this->identityStorageAdapter->findByUsername($accessTokenData['user_id']);
}
/**
* {@inheritDoc}
*/
public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
{
try {
$oauth2request = Util::convertRequestFromPsr7($request);
if (!$this->server->verifyResourceRequest($oauth2request)) {
return Util::convertResponseToPsr7($this->server->getResponse(), $response);
}
$request = $request->withAttribute('access_token', $this->server->getAccessTokenData($oauth2request));
} catch (\Exception $ex) {
return new JsonResponse(['error' => $ex->getMessage(), 'error_description' => $ex->getMessage()], 500);
}
return $next($request, $response);
}
/**
* {@inheritDoc}
*/
public function authenticate(TokenInterface $token)
{
$oauthRequest = OAuthRequest::createFromRequest($token->request);
// Not authenticated
if (!$this->server->verifyResourceRequest($oauthRequest)) {
throw new AuthenticationException('OAuth2 authentication failed');
}
$userData = $this->server->getAccessTokenData($oauthRequest);
$user = $this->userProvider->findById($userData['user_id']);
$roles = $this->roleFinder->findRoleNamesByUserId($user->getId());
$user->setRoles($roles);
$authenticatedToken = new OAuth2UserToken($roles);
$authenticatedToken->setUser($user);
$authenticatedToken->setAuthenticated(true);
$authenticatedToken->setOAuthToken($token->getOAuthToken());
return $authenticatedToken;
}
/**
* Validates a request and takes a scope value that could result
* in a user id being put into the request if it's valid.
*
* @param HttpFoundation\Request $request
* @param string $scope
* @return null|HttpFoundation\Response
*/
public function validateRequest(HttpFoundation\Request $request, $scope)
{
$this->log->addDebug(print_r($request, true), ['namespace' => 'HackTheDinos\\Controllers\\OAuth', 'method' => 'validateRequest', 'type' => 'request', 'scope' => $scope]);
$bridgeRequest = HttpFoundationBridge\Request::createFromRequest($request);
if ($this->server->verifyResourceRequest($bridgeRequest, null, $scope)) {
//Put the userId into the request if we're validating at the user scope
if ($scope === 'user') {
$token = $this->server->getAccessTokenData($bridgeRequest);
$request->request->set('userId', $token['user_id']);
} else {
//Set the userId to 0 which should make any
//searches relying on this being valid to fail.
$request->request->set('userId', 0);
}
return null;
}
$this->log->addWarning('Failed to validate request', ['namespace' => 'HackTheDinos\\Controllers\\OAuth', 'method' => 'validateRequest', 'scope' => $scope]);
return new HttpFoundation\Response('Not Authorized', 401);
}
public function resource($path)
{
// Handle a request for an OAuth2.0 Access Token and send the response to the client
if (!$this->server->verifyResourceRequest(Request::createFromGlobals())) {
$this->server->getResponse()->send();
die;
}
$token = $this->server->getAccessTokenData(Request::createFromGlobals());
$return = array();
if (is_callable($this->resourceHandler)) {
$return = call_user_func($this->resourceHandler, $path, $token['user_id']);
}
echo json_encode($return);
}
/**
* Validates a request and takes a scope value that could result
* in a user id being put into the request if it's valid. The
* passThrough flag will allow the request to continue when it
* would otherwise fail with a 401 response.
*
* @param HttpFoundation\Request $request
* @param string $scope
* @param bool $passThrough
* @return null|HttpFoundation\Response
*/
public function validateRequest(HttpFoundation\Request $request, $scope, $passThrough = false)
{
$this->log->addDebug(print_r($request, true), ['namespace' => 'Alerts\\Controllers\\OAuth2', 'method' => 'validateRequest', 'type' => 'request', 'scope' => $scope]);
$bridgeRequest = HttpFoundationBridge\Request::createFromRequest($request);
if ($this->server->verifyResourceRequest($bridgeRequest, null, $scope)) {
//Put the user into the request if we're validating at the user scope
if ($scope === 'user') {
$token = $this->server->getAccessTokenData($bridgeRequest);
$request->request->set('user', $this->usersRepo->getById($token['user_id']));
} else {
//Set the user to null which should make any
//searches relying on this being valid to fail.
$request->request->set('user', null);
}
return null;
//If the request shouldn't hard fail. This should only have a few specific use cases.
} elseif ($passThrough) {
$this->log->addInfo('OAuth Pass Through', ['namespace' => 'Alerts\\Controllers\\OAuth2', 'method' => 'validateRequest', 'type' => 'request', 'scope' => $scope, 'passThrough' => true]);
return null;
}
$this->log->addInfo('Failed to validate request', ['namespace' => 'Alerts\\Controllers\\OAuth2', 'method' => 'validateRequest', 'scope' => $scope]);
return new HttpFoundation\Response('Not Authorized', 401);
}
/**
* Attempt to authenticate the current request.
*
* @param Request $request
* @param Response $response
* @param MvcAuthEvent $mvcAuthEvent
* @return false|Identity\IdentityInterface False on failure, IdentityInterface
* otherwise
*/
public function authenticate(Request $request, Response $response, MvcAuthEvent $mvcAuthEvent)
{
$oauth2request = new OAuth2Request($request->getQuery()->toArray(), $request->getPost()->toArray(), [], $request->getCookie() ? $request->getCookie()->getArrayCopy() : [], $request->getFiles() ? $request->getFiles()->toArray() : [], method_exists($request, 'getServer') ? $request->getServer()->toArray() : $_SERVER, $request->getContent(), $request->getHeaders()->toArray());
// Failure to validate
if (!$this->oauth2Server->verifyResourceRequest($oauth2request)) {
$oauth2Response = $this->oauth2Server->getResponse();
$status = $oauth2Response->getStatusCode();
// 401 or 403 mean invalid credentials or unauthorized scopes; report those.
if (in_array($status, [401, 403], true) && null !== $oauth2Response->getParameter('error')) {
return $this->mergeOAuth2Response($status, $response, $oauth2Response);
}
// Merge in any headers; typically sets a WWW-Authenticate header.
$this->mergeOAuth2ResponseHeaders($response, $oauth2Response->getHttpHeaders());
// Otherwise, no credentials were present at all, so we just return a guest identity.
return new Identity\GuestIdentity();
}
$token = $this->oauth2Server->getAccessTokenData($oauth2request);
$identity = new Identity\AuthenticatedIdentity($token);
$identity->setName($token['user_id']);
return $identity;
}
/**
* Attempt to authenticate the current request.
*
* @param Request $request
* @param Response $response
* @param MvcAuthEvent $mvcAuthEvent
* @return false|IdentityInterface False on failure, IdentityInterface
* otherwise
*/
public function authenticate(Request $request, Response $response, MvcAuthEvent $mvcAuthEvent)
{
$content = $request->getContent();
$oauth2request = new OAuth2Request(
$_GET,
$_POST,
array(),
$_COOKIE,
$_FILES,
$_SERVER,
$content,
$request->getHeaders()->toArray()
);
if (! $this->oauth2Server->verifyResourceRequest($oauth2request)) {
return false;
}
$token = $this->oauth2Server->getAccessTokenData($oauth2request);
$identity = new Identity\AuthenticatedIdentity($token);
$identity->setName($token['user_id']);
return $identity;
}
/**
* Listen to the authentication event
*
* @param MvcAuthEvent $mvcAuthEvent
* @return mixed
*/
public function __invoke(MvcAuthEvent $mvcAuthEvent)
{
$mvcEvent = $mvcAuthEvent->getMvcEvent();
$request = $mvcEvent->getRequest();
$response = $mvcEvent->getResponse();
if (!$request instanceof HttpRequest || $request->isOptions()) {
return;
}
$type = false;
if ($this->httpAdapter instanceof HttpAuth) {
$this->httpAdapter->setRequest($request);
$this->httpAdapter->setResponse($response);
}
$authHeader = $request->getHeader('Authorization');
if ($authHeader) {
$headerContent = trim($authHeader->getFieldValue());
// we only support headers in the format: Authorization: xxx yyyyy
if (strpos($headerContent, ' ') === false) {
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
list($type, $credential) = preg_split('# #', $headerContent, 2);
}
if (!$type && !in_array($request->getMethod(), $this->requestsWithoutBodies) && $request->getHeaders()->has('Content-Type') && $request->getHeaders()->get('Content-Type')->match('application/x-www-form-urlencoded') && $request->getPost('access_token')) {
$type = 'oauth2';
}
if (!$type && null !== $request->getQuery('access_token')) {
$type = 'oauth2';
}
if (!$type) {
if ($this->httpAdapter instanceof HttpAuth) {
$this->httpAdapter->challengeClient();
}
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
switch (strtolower($type)) {
case 'basic':
case 'digest':
if (!$this->httpAdapter instanceof HttpAuth) {
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
$auth = $mvcAuthEvent->getAuthenticationService();
$result = $auth->authenticate($this->httpAdapter);
$mvcAuthEvent->setAuthenticationResult($result);
if ($result->isValid()) {
$resultIdentity = $result->getIdentity();
// Pass full discovered identity to AuthenticatedIdentity object
$identity = new Identity\AuthenticatedIdentity($resultIdentity);
// But determine name separately
$name = $resultIdentity;
if (is_array($resultIdentity)) {
$name = isset($resultIdentity['username']) ? $resultIdentity['username'] : (string) $resultIdentity;
}
$identity->setName($name);
// Set in MvcEvent
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
case 'oauth2':
case 'bearer':
if (!$this->oauth2Server instanceof OAuth2Server) {
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
$content = $request->getContent();
$oauth2request = new OAuth2Request($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER, $content);
if ($this->oauth2Server->verifyResourceRequest($oauth2request)) {
$token = $this->oauth2Server->getAccessTokenData($oauth2request);
$identity = new Identity\AuthenticatedIdentity($token);
$identity->setName($token['user_id']);
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
}
$identity = new Identity\GuestIdentity();
$mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
return $identity;
case 'token':
throw new \Exception('zf-mvc-auth has not yet implemented a "token" authentication adapter');
}
}
/**
* @return array access token data
*/
public function getAccessTokenData()
{
if ($this->_tokenData === null) {
$this->_tokenData = $this->_server->getAccessTokenData($this->getRequest());
}
return $this->_tokenData;
}
public function getAccessToken(HttpRequest $httpRequest)
{
$oauthRequest = $this->buildRequest($httpRequest);
return $this->server->getAccessTokenData($oauthRequest);
}
