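 /**
  * Issue a fresh access token (type 1) together with its refresh token
  * (type 2) for $clientID, persisting both rows.
  *
  * Both tokens get the same expiry: time() + oauth2-sp::oauth2.access_lifetime.
  * NOTE(review): the refresh token therefore lives exactly as long as the
  * access token it is meant to refresh — confirm that is intended before
  * relying on the refresh_token grant after access_lifetime has elapsed.
  *
  * Extra arguments (some callers pass a scope string as a second argument)
  * are ignored here; scopes are attached by the caller on the returned token.
  *
  * @param mixed $clientID id of the OAuth2 client the tokens belong to
  * @return Token the persisted access token; its `refresh` field holds the
  *               refresh token's code
  */
 public static function generateAccessToken($clientID)
 {
     // One timestamp for both rows so their expiries are identical instead of
     // drifting by a second between two time() calls.
     $expiry = time() + Config::get("oauth2-sp::oauth2.access_lifetime");

     $refresh = new Token();
     $refresh->code = static::generateEntropy();
     $refresh->type = 2;
     $refresh->client_id = $clientID;
     $refresh->expiry = $expiry;
     $refresh->save();

     $access = new Token();
     $access->code = static::generateEntropy();
     $access->type = 1;
     $access->client_id = $clientID;
     // Link the access token to its refresh token by code.
     $access->refresh = $refresh->code;
     $access->expiry = $expiry;
     $access->save();

     return $access;
 }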
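 /**
  * Token endpoint: exchange a grant for an access token (RFC 6749 §4.1.3,
  * §4.3, §6).
  *
  * Flow: authenticate the client (getClientCredentials() + the
  * "oauth2.login.<type>" event), resolve and authorise the requested scopes,
  * then handle the grant_type. Token rows use type 1 = access token,
  * 2 = refresh token, 3 = authorization code.
  *
  * Fixes relative to the previous version: the scope check now refuses a
  * request that *widens* the scopes stored on the grant (before, the request
  * had to be a superset of the grant's scopes, which let a client escalate
  * its scopes at code exchange or refresh); an expired refresh token is
  * rejected; a refresh token whose access token row is missing no longer
  * causes a null dereference; the redirect_uri prefix check is
  * boundary-aware.
  *
  * @param array $params request parameters: grant_type, scope, code,
  *                      redirect_uri, refresh_token
  * @return mixed the result of Token::printToken(), the result of the
  *               "oauth2.redirect: token" event, a Response returned by the
  *               login listener, or the result of the "oauth2.error.json" event
  */
 public function grantAccessToken($params = array())
 {
     if (empty($params['grant_type'])) {
         return $this->oauthError("400:invalid_request");
     }
     if (!isset($params['scope'])) {
         $params['scope'] = "";
     }

     // Client authentication.
     $userData = $this->getClientCredentials();
     if (!$userData) {
         return $this->oauthError("400:invalid_client");
     }
     // Ask the application's auth system whether these credentials belong to a client.
     $client = Event::until("oauth2.login." . $userData[0], array($userData[1], $userData[2]));
     if (empty($client) || !$client instanceof OAuth2\Models\Client) {
         // A listener may answer with its own Response (e.g. a challenge); pass it through.
         if (!empty($client) && $client instanceof Response) {
             return $client;
         }
         return $this->oauthError("400:invalid_client");
     }

     // Scope resolution and client authorisation.
     $requestedScopes = $this->resolveRequestedScopes($params['scope']);
     if ($requestedScopes === null || !$this->scopesAllowedForClient($requestedScopes, $client)) {
         return $this->oauthError("400:invalid_scope");
     }

     // We have a valid client and request. Do the granting.
     switch ($params['grant_type']) {
         case "authorization_code":
             if (empty($params['code']) || empty($params['redirect_uri'])) {
                 return $this->oauthError("400:invalid_request");
             }
             $token = OAuth2\Models\Token::where("code", "=", $params['code'])
                 ->where("type", "=", 3)
                 ->where("client_id", "=", $client->id)
                 ->first();
             if (!$token) {
                 return $this->oauthError("400:invalid_grant");
             }
             if (!$this->redirectUriMatches($params['redirect_uri'], $client->redirect)) {
                 return $this->oauthError("400:invalid_request");
             }
             if ($token->hasExpired()) {
                 return $this->oauthError("400:expired_token");
             }
             $grantedScopes = $this->reconcileScopes($token, $requestedScopes);
             if ($grantedScopes === null) {
                 return $this->oauthError("400:invalid_request");
             }
             $requestedScopes = $grantedScopes;
             // An authorization code is single-use: consume it now.
             $token->delete();
             break;

         case "password":
             // Credentials were already verified by the oauth2.login event above;
             // only make sure a password was actually supplied.
             if (empty($userData[2])) {
                 return $this->oauthError("400:invalid_request");
             }
             break;

         case "assertion":
             // Not implemented yet.
             return $this->oauthError("400:invalid_request");

         case "refresh_token":
             if (empty($params['refresh_token'])) {
                 return $this->oauthError("400:invalid_request");
             }
             $token = OAuth2\Models\Token::where("code", "=", $params['refresh_token'])
                 ->where("type", "=", 2)
                 ->where("client_id", "=", $client->id)
                 ->first();
             if (!$token) {
                 return $this->oauthError("400:invalid_grant");
             }
             if ($token->hasExpired()) {
                 return $this->oauthError("400:expired_token");
             }
             // The access token that was issued together with this refresh token.
             $oldToken = OAuth2\Models\Token::where("refresh", "=", $token->code)->first();
             if (!$oldToken) {
                 return $this->oauthError("400:invalid_grant");
             }
             $grantedScopes = $this->reconcileScopes($oldToken, $requestedScopes);
             if ($grantedScopes === null) {
                 return $this->oauthError("400:invalid_request");
             }
             $mode = Config::get("oauth2-sp::oauth2.mode", "flexible");
             if ($mode === "strict" || $mode === "dynamic") {
                 // Replace the stored scopes with the (equal or narrower) granted set.
                 $oldToken->scopes()->delete();
                 foreach ($grantedScopes as $scope) {
                     $oldToken->scopes()->attach($scope->id);
                 }
             }
             // The existing access token is extended rather than re-issued.
             // NOTE(review): 86400 is hard-coded here while issuance uses the
             // access_lifetime config value — confirm which lifetime is intended.
             $oldToken->expiry = time() + 86400;
             $oldToken->save();
             return $oldToken->printToken();

         case "none":
         default:
             return $this->oauthError("400:invalid_request");
     }

     // We have dealt with all the errors. Generate & return the token.
     $t = OAuth2\Models\Token::generateAccessToken($client->id, $params['scope']);
     foreach ($requestedScopes as $scope) {
         $t->scopes()->attach($scope->id);
     }
     if (Config::get("oauth2-sp::oauth2.always_redirect")) {
         // @pratikshya's feature request from forums.laravel.io
         // Set the config string to true to always redirect rather than to print.
         // This is contrary to RFC, so disabled by default!
         // redirect_uri is only required by the authorization_code grant; other
         // grants hand the listener a null target.
         $redirectUri = isset($params['redirect_uri']) ? $params['redirect_uri'] : null;
         return Event::until("oauth2.redirect: token", array($redirectUri, $params, $t));
     }
     return $t->printToken();
 }

 /**
  * Emit an OAuth2 error through the "oauth2.error.json" event.
  *
  * @param string $error "<http status>:<error code>", e.g. "400:invalid_request"
  * @return mixed whatever the event listener returns
  */
 private function oauthError($error)
 {
     return Event::until("oauth2.error.json", array("", $error));
 }

 /**
  * Look up every scope named in the space-separated `scope` parameter
  * (RFC 6749 §3.3). Empty entries are skipped and duplicates collapsed.
  *
  * @param string $scopeParam
  * @return array|null list of OAuth2\Models\Scope, or null if a name is unknown
  */
 private function resolveRequestedScopes($scopeParam)
 {
     $scopes = array();
     $seen = array();
     foreach (explode(" ", (string) $scopeParam) as $piece) {
         $name = urldecode($piece);
         if ($name === "") {
             continue;
         }
         $scope = OAuth2\Models\Scope::where("name", "=", $name)->first();
         if (!$scope) {
             return null;
         }
         if (!isset($seen[$scope->id])) {
             $seen[$scope->id] = true;
             $scopes[] = $scope;
         }
     }
     return $scopes;
 }

 /**
  * Whether every requested scope is among the scopes registered for $client.
  *
  * @param array $requestedScopes list of OAuth2\Models\Scope
  * @param OAuth2\Models\Client $client
  * @return bool
  */
 private function scopesAllowedForClient(array $requestedScopes, $client)
 {
     $allowed = array();
     foreach ($client->scopes()->get() as $scope) {
         $allowed[$scope->id] = true;
     }
     foreach ($requestedScopes as $scope) {
         if (!isset($allowed[$scope->id])) {
             return false;
         }
     }
     return true;
 }

 /**
  * Decide which scopes a grant may carry, from the scopes stored on the grant
  * token ($token: an authorization code, or the access token being refreshed)
  * and the scopes named in the request, according to
  * Config oauth2-sp::oauth2.mode:
  *   "strict"  - the requested set must equal the token's set;
  *   "dynamic" - the request may only narrow the token's set, and an empty
  *               request means "same as before" (RFC 6749 §6);
  *   anything else ("flexible", the default) - the request is ignored and the
  *               token's own scopes are used.
  *
  * @param OAuth2\Models\Token $token
  * @param array $requestedScopes list of OAuth2\Models\Scope (no duplicates)
  * @return array|null scopes to grant, or null when the request would widen
  *                    the token's scopes (or differ from them, in strict mode)
  */
 private function reconcileScopes($token, array $requestedScopes)
 {
     $tokenScopes = array();
     $tokenIds = array();
     foreach ($token->scopes()->get() as $scope) {
         $tokenScopes[] = $scope;
         $tokenIds[$scope->id] = true;
     }

     $mode = Config::get("oauth2-sp::oauth2.mode", "flexible");
     if ($mode !== "strict" && $mode !== "dynamic") {
         return $tokenScopes;
     }
     foreach ($requestedScopes as $scope) {
         if (!isset($tokenIds[$scope->id])) {
             // The request names a scope the grant never carried: refuse to widen.
             return null;
         }
     }
     if ($mode === "strict" && count($requestedScopes) !== count($tokenIds)) {
         return null;
     }
     if (count($requestedScopes) === 0) {
         return $tokenScopes;
     }
     return $requestedScopes;
 }

 /**
  * Whether $given is the registered redirect URI or a sub-path/query/fragment
  * of it. A bare prefix comparison would accept "https://app.example.evil" for
  * a registered "https://app.example", so the match must end at a URI boundary.
  * An empty registered URI matches nothing.
  *
  * @param string $given      redirect_uri from the request
  * @param string $registered the client's registered redirect URI
  * @return bool
  */
 private function redirectUriMatches($given, $registered)
 {
     $given = (string) $given;
     $registered = (string) $registered;
     $len = strlen($registered);
     if ($len === 0 || substr($given, 0, $len) !== $registered) {
         return false;
     }
     if (strlen($given) === $len) {
         return true;
     }
     $boundary = array('/', '?', '#');
     return in_array(substr($registered, -1), $boundary, true)
         || in_array($given[$len], $boundary, true);
 }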