/**
  * Take the provided authorization code values and store them somewhere.
  *
  * This function should be the storage counterpart to getAuthCode().
  *
  * If storage fails for some reason, we're not currently checking for
  * any sort of success/failure, so you should bail out of the script
  * and provide a descriptive fail message.
  *
  * Required for OAuth2::GRANT_TYPE_AUTH_CODE.
  *
  * @param string        $code
  * Authorization code string to be stored.
  * @param IOAuth2Client $client
  * The client associated with this authorization code.
  * @param mixed         $data
  * Application data to associate with this authorization code, such as a User object.
  * @param string        $redirect_uri
  * Redirect URI to be stored.
  * @param int           $expires
  * The timestamp when the authorization code will expire.
  * @param string        $scope
  * (optional) Scopes to be stored in space-separated string.
  *
  * @ingroup oauth2_section_4
  */
 public function createAuthCode($code_str, IOAuth2Client $client, $data, $redirect_uri, $expires, $scope = null)
 {
     $code_bean = $this->redbean->dispense($this->tables['code']);
     $code = new Code($code_bean);
     $code->code = $code_str;
     $code->client_id = $client->getPublicId();
     $code->data = $data;
     $code->redirect_uri = $redirect_uri;
     $code->expires_in = $expires;
     $code->has_expired = false;
     $this->redbean->store($code->getBean());
 }
 /**
  * Persist an access token and the values bound to it.
  *
  * Access token data is stored at creation so it can be looked up again
  * when a token is verified.
  *
  * @param string        $oauth_token The access token string to be stored.
  * @param IOAuth2Client $client      Client the access token was issued to; only its public id is stored.
  * @param mixed         $data        Application data associated with the access token, such as a User object.
  * @param int           $expires     Timestamp at which the access token expires.
  * @param string        $scope       (optional) Space-separated scopes granted to this token.
  *
  * @ingroup oauth2_section_4
  */
 public function createAccessToken($oauth_token, IOAuth2Client $client, $data, $expires, $scope = null)
 {
     $clientId = $client->getPublicId();
     $bean = $this->redbean->dispense($this->tables['access_token']);
     $record = new AccessToken($bean);
     $record->token = $oauth_token;
     $record->client_id = $clientId;
     $record->data = $data;
     $record->expires_in = $expires;
     // New tokens always start out live; expiry is derived from expires_in later.
     $record->has_expired = false;
     $record->scope = $scope;
     $this->redbean->store($record->getBean());
 }
 public function checkRestrictedGrantType(IOAuth2Client $client, $grant_type)
 {
     // Only clients that expose a grant-type whitelist (ClientInterface) can be checked.
     if ($client instanceof ClientInterface) {
         $allowed = $client->getAllowedGrantTypes();
         // Strict comparison so a grant type is never matched through loose type juggling.
         return in_array($grant_type, $allowed, true);
     }
     throw new \InvalidArgumentException('Client has to implement the ClientInterface');
 }
 protected function getRedirectUri($redirectUri, IOAuth2Client $client)
 {
     // Resolve the redirect URI to use for this request. A supplied redirect_uri
     // must match what the client registered; when none is supplied, a single
     // registered URI may stand in for it unless configuration enforces input redirects.
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
     // If multiple redirection URIs have been registered, or if no redirection
     // URI has been registered, the client MUST include a redirection URI with
     // the authorization request using the "redirect_uri" request parameter.
     $registered = $client->getRedirectUris();

     if (!empty($redirectUri)) {
         // Supplied on input: it has to match the registered URI(s). The comparison
         // itself lives in validateRedirectUri(), outside this block.
         if (!$this->validateRedirectUri($redirectUri, $registered)) {
             throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI provided does not match registered URI(s).');
         }
         return $redirectUri;
     }

     // Nothing supplied: fall back to the registered URI only when that is unambiguous.
     if (!$registered) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'No redirect URL was supplied or registered.');
     }
     if (count($registered) > 1) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'No redirect URL was supplied and more than one is registered.');
     }
     if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT)) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI is mandatory and was not supplied.');
     }
     // Exactly one URI is registered and input redirects are not enforced: use it.
     return current($registered);
 }
 public function createAuthCode($code, IOAuth2Client $client, $data, $redirectUri, $expires, $scope = null)
 {
     // In-memory storage: the entry is keyed by the code string itself.
     $clientId = $client->getPublicId();
     $this->authCodes[$code] = new OAuth2AuthCode($clientId, $code, $expires, $scope, $data, $redirectUri);
 }
 public function createRefreshToken($refreshToken, IOAuth2Client $client, $data, $expires, $scope = null)
 {
     // In-memory storage: the entry is keyed by the refresh token string itself.
     $clientId = $client->getPublicId();
     $this->refreshToken[$refreshToken] = new OAuth2RefreshToken($clientId, $refreshToken, $expires, $scope, $data);
 }
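 /**
  * Grant access tokens for basic user credentials.
  *
  * Looks the user up by username and verifies the supplied password against
  * the stored password_hash() value. The $client argument is available for
  * client-specific checks but is not used here.
  * Required for OAuth2::GRANT_TYPE_USER_CREDENTIALS.
  *
  * @param IOAuth2Client $client   Client to check (currently unused).
  * @param string        $username Username to check.
  * @param string        $password Password to check.
  *
  * @return bool|array false when the username is unknown or the password does
  * not match; otherwise an associative array carrying the granted scope and the
  * user id as application data. The scope is checked against the requested
  * scope before an access token is issued:
  * @code
  * return array(
  *     'scope' => <stored scope values (space-separated string)>,
  *     'data'  => <user id>,
  * );
  * @endcode
  *
  * @see     http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.3
  *
  * @ingroup oauth2_section_4
  */
 public function checkUserCredentials(IOAuth2Client $client, $username, $password)
 {
     try {
         // Parameterised lookup; the table name comes from a class constant, not from input.
         $sql = 'SELECT id, password FROM ' . self::TABLE_USERS . ' WHERE username = :username';
         $stmt = $this->db->prepare($sql);
         $stmt->bindParam(':username', $username, \PDO::PARAM_STR);
         $stmt->execute();
         $result = $stmt->fetch(\PDO::FETCH_ASSOC);
         // fetch() returns false for an unknown username. Guard before indexing so a
         // missing row is a clean authentication failure instead of a null hash reaching
         // password_verify() (a TypeError under strict_types, a deprecation otherwise).
         if (!is_array($result) || !isset($result['password'])) {
             return false;
         }
         // NOTE(review): an unknown username returns before password_verify() runs, so
         // its response time differs from a wrong password; verifying against a fixed
         // dummy hash in that branch would equalise the cost if user enumeration matters.
         if (false === password_verify($password, $result['password'])) {
             return false;
         }
         return array('scope' => '', 'data' => $result['id']);
     } catch (\PDOException $e) {
         // Fully qualified on purpose: inside a namespace an unqualified PDOException
         // names Namespace\PDOException and would never match the driver's exception.
         $this->handleException($e);
         // Reached only if handleException() does not throw; report as a failed login
         // rather than falling off the end with an implicit null.
         return false;
     }
 }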
 public function createAccessToken($oauth_token, IOAuth2Client $client, $data, $expires, $scope = NULL)
 {
     // In-memory storage: the entry is keyed by the access token string itself.
     $clientId = $client->getPublicId();
     $this->accessTokens[$oauth_token] = new OAuth2AccessToken($clientId, $oauth_token, $expires, $scope, $data);
 }