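public function __construct($bypassPaths = array(), $bypassAuth = false)
{
    $this->useOAuth2 = API_USE_OAUTH;

    if (!$this->useOAuth2) {
        return;
    }

    $this->initOAth2();

    // Take the trailing segment from the request *path* only. parse_url() drops
    // the query string, so its contents can no longer influence which segment is
    // compared against the bypass list (the former str_replace() of QUERY_STRING
    // also erased any occurrence of that text inside the path itself).
    $requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $requestPath = parse_url($requestUri, PHP_URL_PATH);
    $segments = explode('/', trim(is_string($requestPath) ? $requestPath : '', '/'));
    $lastPath = $segments[count($segments) - 1];

    // Don't check for authorization when requesting a token or docs.
    $openPaths = array('authorize', 'docs');

    // Strict comparisons replace the former loose '==' checks, which treated
    // unrelated scalars (e.g. "0" and "") as equal.
    if ($bypassAuth || in_array($lastPath, $openPaths, true)) {
        return;
    }

    // NOTE(review): only the trailing segment is compared, so any route whose
    // final segment equals a bypass entry skips verification — confirm intended.
    if (in_array($lastPath, (array) $bypassPaths, true)) {
        return;
    }

    // Check for a valid token; reject everything else with the server's response.
    if (!$this->oauthServer->verifyResourceRequest(\OAuth2\Request::createFromGlobals())) {
        // Not authorized!
        $this->oauthServer->getResponse()->send();
        die;
    }
}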
/**
 * Execute this middleware.
 *
 * The request is verified once per configured scope; the first scope the
 * OAuth2 server accepts stores the resolved token in the container and
 * hands off to the next middleware. When no scope is accepted, the OAuth2
 * server's own error response is bridged back to PSR-7 and returned.
 *
 * @param ServerRequestInterface $request  The PSR7 request.
 * @param ResponseInterface      $response The PSR7 response.
 * @param callable               $next     The Next middleware.
 *
 * @return ResponseInterface
 */
public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
{
    $bridgedRequest = RequestBridge::toOAuth2($request);

    foreach ($this->scopes as $requiredScope) {
        if (!$this->server->verifyResourceRequest($bridgedRequest, null, $requiredScope)) {
            continue;
        }

        // Expose the verified token to downstream handlers.
        $this->container['token'] = $this->server->getResourceController()->getToken();

        return $next($request, $response);
    }

    return ResponseBridge::fromOAuth2($this->server->getResponse());
}
/**
 * Helper method to verify a resource request, allowing return early on success cases.
 *
 * Each entry of $scopes is tried in order. An array entry is joined with
 * spaces into a single scope string before verification; the default [null]
 * entry asks the server to verify the token without any scope requirement.
 *
 * @param array $scopes Scopes required for authorization
 *
 * @return boolean True if the request is verified, otherwise false
 */
private function verify(array $scopes = [null])
{
    foreach ($scopes as $candidate) {
        $scopeString = is_array($candidate) ? implode(' ', $candidate) : $candidate;
        $oauthRequest = MessageBridge::newOauth2Request($this->app->request());

        if ($this->server->verifyResourceRequest($oauthRequest, null, $scopeString)) {
            return true;
        }
    }

    return false;
}
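/**
 * {@inheritDoc}
 *
 * Verifies the bearer token on the incoming PSR-7 request. On success the
 * decoded token data is attached as the 'access_token' request attribute
 * and the next middleware is invoked; on failure the OAuth2 server's error
 * response is converted to PSR-7 and returned.
 */
public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
{
    try {
        $oauth2request = Util::convertRequestFromPsr7($request);

        if (!$this->server->verifyResourceRequest($oauth2request)) {
            return Util::convertResponseToPsr7($this->server->getResponse(), $response);
        }

        $request = $request->withAttribute('access_token', $this->server->getAccessTokenData($oauth2request));
    } catch (\Exception $ex) {
        // Exception messages can carry internal details (storage errors, file
        // paths, key material problems), so the client gets a generic body
        // instead of $ex->getMessage(). 'server_error' is the RFC 6749 code for
        // an unexpected failure. TODO(review): route $ex to the application
        // logger — nothing records it here.
        return new JsonResponse(
            ['error' => 'server_error', 'error_description' => 'An internal error occurred while verifying the request'],
            500
        );
    }

    return $next($request, $response);
}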
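/**
 * Verify the OAuth2 bearer token for the matched route and stop the
 * application with the server's error response when it is rejected.
 *
 * Routes flagged secure additionally require the 'admin' scope; every other
 * route is verified with no scope requirement.
 *
 * @param Route $route
 * @throws \Slim\Exception\Stop
 */
private function checkAuth(Route $route)
{
    $request = OAuth2\Request::createFromGlobals();

    // The server's scope parameter defaults to null (see its signature); the
    // former [] initialiser presumably only worked because an empty array is
    // falsy, and it mixed array and string types in one variable.
    $scopeRequired = $route->isSecure() ? 'admin' : null;

    if (!$this->oauth->verifyResourceRequest($request, null, $scopeRequired)) {
        $response = $this->oauth->getResponse();
        // Mirror the OAuth2 status code on Slim's response before emitting
        // the server's own error body.
        $this->app->response()->status($response->getStatusCode());
        $response->send();
        $this->app->stop();
    }
}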
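/**
 * Test resource (/oauth/resource)
 *
 * Verifies the bearer token on the current request. On failure the OAuth2
 * server's error parameters are mapped onto an ApiProblemResponse; on
 * success a small JSON acknowledgement is returned.
 */
public function resourceAction()
{
    // Handle a request for an OAuth2.0 Access Token and send the response to the client
    if (!$this->server->verifyResourceRequest($this->getOAuth2Request())) {
        $response = $this->server->getResponse();
        $parameters = $response->getParameters();

        // Read every parameter defensively: none of them is guaranteed to be
        // present for all failure modes (the former code indexed 'error' and
        // 'error_description' unconditionally).
        $error = isset($parameters['error']) ? $parameters['error'] : null;
        $errorDescription = isset($parameters['error_description']) ? $parameters['error_description'] : null;
        $errorUri = isset($parameters['error_uri']) ? $parameters['error_uri'] : null;

        return new ApiProblemResponse(
            new ApiProblem($response->getStatusCode(), $errorDescription, $errorUri, $error)
        );
    }

    $httpResponse = $this->getResponse();
    $httpResponse->setStatusCode(200);
    $httpResponse->getHeaders()->addHeaders(array('Content-type' => 'application/json'));
    $httpResponse->setContent(json_encode(array('success' => true, 'message' => 'You accessed my APIs!')));

    return $httpResponse;
}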
/**
 * Decide whether the current request is authorised.
 *
 * A bearer token accepted by the OAuth2 server authorises the request
 * outright; otherwise a 'token' POST field, when present, is checked via
 * isGoogleAuthorized(). The result is always a strict boolean.
 *
 * @return bool
 */
protected function authorize()
{
    if ($this->server->verifyResourceRequest(OAuth2Request::createFromGlobals())) {
        // authorized by the OAuth2 server
        return true;
    }

    $token = $this->getRequest()->getPost('token', false);

    // No bearer token: fall back to the Google check only when a token was posted.
    return $token ? (bool) $this->isGoogleAuthorized($token) : false;
}
/**
 * Verify a resource request, defaulting to the module's current request
 * when the caller does not supply one.
 *
 * @param \OAuth2\RequestInterface|null  $request  Request to verify, or null for the module's request
 * @param \OAuth2\ResponseInterface|null $response Passed through to the parent verifier
 * @param mixed                          $scope    Passed through to the parent verifier
 * @return mixed Whatever the parent's verifyResourceRequest() returns
 */
public function verifyResourceRequest(\OAuth2\RequestInterface $request = null, \OAuth2\ResponseInterface $response = null, $scope = null)
{
    $effectiveRequest = $request !== null ? $request : $this->module->getRequest();

    return parent::verifyResourceRequest($effectiveRequest, $response, $scope);
}
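/**
 * {@inheritDoc}
 *
 * Verifies the OAuth2 bearer token carried by $token->request, loads the
 * token's user and role names, and returns a fully authenticated
 * OAuth2UserToken.
 *
 * @throws AuthenticationException when the bearer token is rejected, when
 *         the token carries no user_id, or when no user exists for that id.
 */
public function authenticate(TokenInterface $token)
{
    $oauthRequest = OAuthRequest::createFromRequest($token->request);

    // Not authenticated
    if (!$this->server->verifyResourceRequest($oauthRequest)) {
        throw new AuthenticationException('OAuth2 authentication failed');
    }

    $userData = $this->server->getAccessTokenData($oauthRequest);

    // Tokens issued without a resource owner (e.g. client credentials) have
    // no user_id and cannot be mapped to a user; refuse them explicitly
    // instead of looking up a null id.
    if (!is_array($userData) || !isset($userData['user_id'])) {
        throw new AuthenticationException('OAuth2 access token is not bound to a user');
    }

    $user = $this->userProvider->findById($userData['user_id']);

    // A token whose user no longer exists must fail authentication rather
    // than fatal on $user->getId() below.
    if ($user === null) {
        throw new AuthenticationException('OAuth2 authentication failed');
    }

    $roles = $this->roleFinder->findRoleNamesByUserId($user->getId());
    $user->setRoles($roles);

    $authenticatedToken = new OAuth2UserToken($roles);
    $authenticatedToken->setUser($user);
    $authenticatedToken->setAuthenticated(true);
    $authenticatedToken->setOAuthToken($token->getOAuthToken());

    return $authenticatedToken;
}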
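/**
 * Validates a request and takes a scope value that could result
 * in a user id being put into the request if it's valid.
 *
 * On success the request gains a 'userId' entry: the token's user_id when
 * validating at the 'user' scope, 0 otherwise. On failure a 401 response is
 * returned for the caller to short-circuit with.
 *
 * @param HttpFoundation\Request $request
 * @param string $scope
 * @return null|HttpFoundation\Response
 */
public function validateRequest(HttpFoundation\Request $request, $scope)
{
    // Log a summary rather than print_r($request): the full dump writes the
    // Authorization header (the bearer token) and any posted credentials to
    // the log.
    $this->log->addDebug('Validating request', [
        'namespace' => 'HackTheDinos\\Controllers\\OAuth',
        'method' => 'validateRequest',
        'type' => 'request',
        'scope' => $scope,
        'httpMethod' => $request->getMethod(),
        'path' => $request->getPathInfo(),
    ]);

    $bridgeRequest = HttpFoundationBridge\Request::createFromRequest($request);

    if ($this->server->verifyResourceRequest($bridgeRequest, null, $scope)) {
        //Put the userId into the request if we're validating at the user scope
        if ($scope === 'user') {
            $token = $this->server->getAccessTokenData($bridgeRequest);
            // A token with no bound user must not look user-scoped; fall back
            // to the same sentinel (0) the non-user branch uses.
            $userId = is_array($token) && isset($token['user_id']) ? $token['user_id'] : 0;
            $request->request->set('userId', $userId);
        } else {
            //Set the userId to 0 which should make any
            //searches relying on this being valid to fail.
            $request->request->set('userId', 0);
        }

        return null;
    }

    $this->log->addWarning('Failed to validate request', [
        'namespace' => 'HackTheDinos\\Controllers\\OAuth',
        'method' => 'validateRequest',
        'scope' => $scope,
    ]);

    return new HttpFoundation\Response('Not Authorized', 401);
}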
/**
 * A JWT access token issued by one server must be accepted by a separate
 * resource server that shares only the grant server's client_credentials storage.
 */
public function testAccessResourceWithJwtAccessTokenUsingSecondaryStorage()
{
    // add the test parameters in memory
    $grantServer = $this->getTestServer();

    // obtain a JWT access token through the client_credentials grant
    $tokenRequest = TestRequest::createPost(array(
        'grant_type' => 'client_credentials',
        'client_id' => 'Test Client ID',
        'client_secret' => 'TestSecret',
    ));
    $tokenResponse = new Response();
    $grantServer->handleTokenRequest($tokenRequest, $tokenResponse);

    $jwtAccessToken = $tokenResponse->getParameter('access_token');
    $this->assertNotNull($jwtAccessToken);

    // make a call to the resource server using the crypto token
    $resourceRequest = TestRequest::createPost(array('access_token' => $jwtAccessToken));

    // create a resource server with the "memory" storage from the grant server
    $resourceServer = new Server($grantServer->getStorage('client_credentials'));

    $this->assertTrue($resourceServer->verifyResourceRequest($resourceRequest));
}
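/**
 * Serve a protected resource: verify the bearer token on the current
 * request, then echo the JSON-encoded result of the resource handler.
 *
 * @param string $path Resource path handed to the resource handler
 * @return void Output is echoed directly. On an invalid token the OAuth2
 *              error response is sent and execution stops.
 */
public function resource($path)
{
    // Built once and reused for both verification and token extraction;
    // creating it twice from the same globals was redundant work.
    $request = Request::createFromGlobals();

    // Handle a request for an OAuth2.0 Access Token and send the response to the client
    if (!$this->server->verifyResourceRequest($request)) {
        $this->server->getResponse()->send();
        die;
    }

    $token = $this->server->getAccessTokenData($request);

    // Tokens not bound to a resource owner carry no user_id; pass null
    // explicitly rather than through an undefined-index notice.
    $userId = is_array($token) && isset($token['user_id']) ? $token['user_id'] : null;

    $return = array();
    if (is_callable($this->resourceHandler)) {
        $return = call_user_func($this->resourceHandler, $path, $userId);
    }

    echo json_encode($return);
}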
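/**
 * Validates a request and takes a scope value that could result
 * in a user id being put into the request if it's valid. The
 * passThrough flag will allow the request to continue when it
 * would otherwise fail with a 401 response.
 *
 * On success the request gains a 'user' entry: the user loaded for the
 * token's user_id when validating at the 'user' scope, null otherwise.
 * When verification fails and $passThrough is set, null is returned and
 * 'user' is not set at all.
 *
 * @param HttpFoundation\Request $request
 * @param string $scope
 * @param bool $passThrough
 * @return null|HttpFoundation\Response
 */
public function validateRequest(HttpFoundation\Request $request, $scope, $passThrough = false)
{
    // Log a summary rather than print_r($request): the full dump writes the
    // Authorization header (the bearer token) and any posted credentials to
    // the log.
    $this->log->addDebug('Validating request', [
        'namespace' => 'Alerts\\Controllers\\OAuth2',
        'method' => 'validateRequest',
        'type' => 'request',
        'scope' => $scope,
        'httpMethod' => $request->getMethod(),
        'path' => $request->getPathInfo(),
    ]);

    $bridgeRequest = HttpFoundationBridge\Request::createFromRequest($request);

    if ($this->server->verifyResourceRequest($bridgeRequest, null, $scope)) {
        //Put the user into the request if we're validating at the user scope
        if ($scope === 'user') {
            $token = $this->server->getAccessTokenData($bridgeRequest);
            // A token with no bound user cannot resolve to a user record;
            // store null exactly as the non-user branch does.
            $user = is_array($token) && isset($token['user_id'])
                ? $this->usersRepo->getById($token['user_id'])
                : null;
            $request->request->set('user', $user);
        } else {
            //Set the user to null which should make any
            //searches relying on this being valid to fail.
            $request->request->set('user', null);
        }

        return null;
    }

    //If the request shouldn't hard fail. This should only have a few specific use cases.
    if ($passThrough) {
        // NOTE(review): 'user' is left unset on this path, so downstream code
        // must not assume the key exists after a pass-through.
        $this->log->addInfo('OAuth Pass Through', [
            'namespace' => 'Alerts\\Controllers\\OAuth2',
            'method' => 'validateRequest',
            'type' => 'request',
            'scope' => $scope,
            'passThrough' => true,
        ]);

        return null;
    }

    $this->log->addInfo('Failed to validate request', [
        'namespace' => 'Alerts\\Controllers\\OAuth2',
        'method' => 'validateRequest',
        'scope' => $scope,
    ]);

    return new HttpFoundation\Response('Not Authorized', 401);
}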
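/**
 * Method executed when the dispatch event is triggered
 *
 * Console requests and the 'login'/'users' routes are exempt; every other
 * dispatch must carry a valid OAuth2 bearer token, otherwise the event's
 * response is filled with a JSON error body and the OAuth2 status code.
 *
 * @param MvcEvent $e
 * @return void|mixed The populated response object when verification fails;
 *                    nothing otherwise.
 */
public static function onDispatch(MvcEvent $e)
{
    if ($e->getRequest() instanceof \Zend\Console\Request) {
        return;
    }

    // getRouteMatch() can be null (no route matched); it used to be
    // dereferenced unconditionally. An unmatched request is not exempt —
    // it falls through to token verification.
    $routeMatch = $e->getRouteMatch();
    $routeName = $routeMatch ? $routeMatch->getMatchedRouteName() : null;

    // Routes that stay reachable without a token (strict comparison).
    if (in_array($routeName, array('login', 'users'), true)) {
        return;
    }

    $sm = $e->getApplication()->getServiceManager();
    $usersTable = $sm->get('Users\\Model\\UsersTable');
    $storage = new Pdo($usersTable->adapter->getDriver()->getConnection()->getConnectionParameters());
    $server = new Server($storage);

    if (!$server->verifyResourceRequest(Request::createFromGlobals())) {
        $oauthResponse = $server->getResponse();
        $model = new JsonModel(array(
            'errorCode' => $oauthResponse->getStatusCode(),
            'errorMsg' => $oauthResponse->getStatusText(),
        ));

        $response = $e->getResponse();
        $response->setContent($model->serialize());
        $response->getHeaders()->addHeaderLine('Content-Type', 'application/json');
        $response->setStatusCode($oauthResponse->getStatusCode());

        return $response;
    }
}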
/**
 * Attempt to authenticate the current request.
 *
 * The framework request is translated into an OAuth2 request and handed to
 * the OAuth2 server. A verified token yields an AuthenticatedIdentity named
 * after the token's user_id. A 401/403 with an 'error' parameter is merged
 * into $response (invalid credentials or insufficient scope); any other
 * failure only merges the server's headers and yields a GuestIdentity.
 *
 * @param Request $request
 * @param Response $response
 * @param MvcAuthEvent $mvcAuthEvent
 * @return false|Identity\IdentityInterface False on failure, IdentityInterface
 *     otherwise
 */
public function authenticate(Request $request, Response $response, MvcAuthEvent $mvcAuthEvent)
{
    $query = $request->getQuery()->toArray();
    $post = $request->getPost()->toArray();

    $cookieBag = $request->getCookie();
    $cookies = $cookieBag ? $cookieBag->getArrayCopy() : [];

    $fileBag = $request->getFiles();
    $files = $fileBag ? $fileBag->toArray() : [];

    // Not every request implementation exposes getServer(); fall back to $_SERVER.
    $server = method_exists($request, 'getServer') ? $request->getServer()->toArray() : $_SERVER;

    $content = $request->getContent();
    $headers = $request->getHeaders()->toArray();

    $oauth2request = new OAuth2Request($query, $post, [], $cookies, $files, $server, $content, $headers);

    if ($this->oauth2Server->verifyResourceRequest($oauth2request)) {
        $token = $this->oauth2Server->getAccessTokenData($oauth2request);
        $identity = new Identity\AuthenticatedIdentity($token);
        $identity->setName($token['user_id']);

        return $identity;
    }

    // Failure to validate
    $oauth2Response = $this->oauth2Server->getResponse();
    $status = $oauth2Response->getStatusCode();

    // 401 or 403 mean invalid credentials or unauthorized scopes; report those.
    $isAuthFailure = in_array($status, [401, 403], true);
    if ($isAuthFailure && null !== $oauth2Response->getParameter('error')) {
        return $this->mergeOAuth2Response($status, $response, $oauth2Response);
    }

    // Merge in any headers; typically sets a WWW-Authenticate header.
    $this->mergeOAuth2ResponseHeaders($response, $oauth2Response->getHttpHeaders());

    // Otherwise, no credentials were present at all, so we just return a guest identity.
    return new Identity\GuestIdentity();
}
/**
 * Attempt to authenticate the current request.
 *
 * The OAuth2 request is assembled from PHP's superglobals plus the body and
 * headers of the framework request; query, post, cookie, file and server
 * data therefore come from $_GET/$_POST/$_COOKIE/$_FILES/$_SERVER, not from
 * $request. A verified token yields an AuthenticatedIdentity named after
 * the token's user_id.
 *
 * @param Request $request
 * @param Response $response
 * @param MvcAuthEvent $mvcAuthEvent
 * @return false|IdentityInterface False on failure, IdentityInterface
 *     otherwise
 */
public function authenticate(Request $request, Response $response, MvcAuthEvent $mvcAuthEvent)
{
    $body = $request->getContent();
    $headers = $request->getHeaders()->toArray();

    $oauth2request = new OAuth2Request($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER, $body, $headers);

    $verified = $this->oauth2Server->verifyResourceRequest($oauth2request);
    if (!$verified) {
        return false;
    }

    $tokenData = $this->oauth2Server->getAccessTokenData($oauth2request);

    $identity = new Identity\AuthenticatedIdentity($tokenData);
    $identity->setName($tokenData['user_id']);

    return $identity;
}
/**
 * Access verification method.
 *
 * API access will be denied when this method returns false. The decision is
 * delegated entirely to the shared OAuth2 server's verification of the
 * class-level request.
 *
 * @return boolean true when api access is allowed; false otherwise
 */
public function __isAllowed()
{
    $server = self::$server;
    $request = static::$request;

    return $server->verifyResourceRequest($request);
}
/**
 * Listen to the authentication event
 *
 * Determines the authentication scheme from the Authorization header (or
 * from an access_token in a form-encoded body or the query string), runs
 * the matching adapter, and stores the resulting identity in the MvcEvent
 * under 'ZF\MvcAuth\Identity'. Non-HTTP and OPTIONS requests are ignored.
 *
 * @param MvcAuthEvent $mvcAuthEvent
 * @return mixed The identity stored in the event (Authenticated or Guest),
 *               or nothing for non-HTTP / OPTIONS requests.
 * @throws \Exception for the unimplemented 'token' scheme.
 */
public function __invoke(MvcAuthEvent $mvcAuthEvent)
{
    $mvcEvent = $mvcAuthEvent->getMvcEvent();
    $request = $mvcEvent->getRequest();
    $response = $mvcEvent->getResponse();

    // Nothing to authenticate for console requests or CORS preflights.
    if (!$request instanceof HttpRequest || $request->isOptions()) {
        return;
    }

    // Scheme name taken from the request; stays false when none is found.
    $type = false;

    if ($this->httpAdapter instanceof HttpAuth) {
        $this->httpAdapter->setRequest($request);
        $this->httpAdapter->setResponse($response);
    }

    $authHeader = $request->getHeader('Authorization');
    if ($authHeader) {
        $headerContent = trim($authHeader->getFieldValue());

        // we only support headers in the format: Authorization: xxx yyyyy
        if (strpos($headerContent, ' ') === false) {
            $identity = new Identity\GuestIdentity();
            $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
            return $identity;
        }

        // Split on the first space only; $credential is the remainder.
        list($type, $credential) = preg_split('# #', $headerContent, 2);
    }

    // No header: a form-encoded body carrying access_token implies oauth2.
    if (!$type
        && !in_array($request->getMethod(), $this->requestsWithoutBodies)
        && $request->getHeaders()->has('Content-Type')
        && $request->getHeaders()->get('Content-Type')->match('application/x-www-form-urlencoded')
        && $request->getPost('access_token')
    ) {
        $type = 'oauth2';
    }

    // Likewise for an access_token query parameter (presence, not truthiness).
    if (!$type && null !== $request->getQuery('access_token')) {
        $type = 'oauth2';
    }

    // No scheme detected: issue an HTTP auth challenge if configured, then
    // proceed as guest.
    if (!$type) {
        if ($this->httpAdapter instanceof HttpAuth) {
            $this->httpAdapter->challengeClient();
        }
        $identity = new Identity\GuestIdentity();
        $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
        return $identity;
    }

    switch (strtolower($type)) {
        case 'basic':
        case 'digest':
            // Basic/Digest need the HTTP adapter; without it, guest.
            if (!$this->httpAdapter instanceof HttpAuth) {
                $identity = new Identity\GuestIdentity();
                $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
                return $identity;
            }

            $auth = $mvcAuthEvent->getAuthenticationService();
            $result = $auth->authenticate($this->httpAdapter);
            $mvcAuthEvent->setAuthenticationResult($result);

            if ($result->isValid()) {
                $resultIdentity = $result->getIdentity();

                // Pass full discovered identity to AuthenticatedIdentity object
                $identity = new Identity\AuthenticatedIdentity($resultIdentity);

                // But determine name separately
                $name = $resultIdentity;
                if (is_array($resultIdentity)) {
                    // NOTE(review): the fallback casts an array to string, which
                    // presumably yields "Array" with a notice rather than a
                    // usable name — confirm the identity always has 'username'.
                    $name = isset($resultIdentity['username']) ? $resultIdentity['username'] : (string) $resultIdentity;
                }
                $identity->setName($name);

                // Set in MvcEvent
                $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
                return $identity;
            }

            $identity = new Identity\GuestIdentity();
            $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
            return $identity;

        case 'oauth2':
        case 'bearer':
            // Bearer tokens need the OAuth2 server; without it, guest.
            if (!$this->oauth2Server instanceof OAuth2Server) {
                $identity = new Identity\GuestIdentity();
                $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
                return $identity;
            }

            $content = $request->getContent();
            // Built from the superglobals, not from $request (only the body
            // comes from the framework request); no explicit headers are passed.
            $oauth2request = new OAuth2Request($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER, $content);

            if ($this->oauth2Server->verifyResourceRequest($oauth2request)) {
                $token = $this->oauth2Server->getAccessTokenData($oauth2request);
                $identity = new Identity\AuthenticatedIdentity($token);
                $identity->setName($token['user_id']);
                $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
                return $identity;
            }

            $identity = new Identity\GuestIdentity();
            $mvcEvent->setParam('ZF\\MvcAuth\\Identity', $identity);
            return $identity;

        case 'token':
            throw new \Exception('zf-mvc-auth has not yet implemented a "token" authentication adapter');
    }
}
/**
 * Verify the bearer token on an HTTP request and translate the OAuth2
 * server's outcome into an HTTP response.
 *
 * The boolean returned by the server's verifyResourceRequest() is not
 * consulted; whatever response object the server produced (success or
 * error) is rendered in the format negotiated from $httpRequest.
 *
 * @param HttpRequest $httpRequest
 * @return mixed Whatever buildResponse() produces — presumably an HttpResponse;
 *               its return type is not visible here.
 */
public function verifyResourceRequest(HttpRequest $httpRequest)
{
    $oauthRequest = $this->buildRequest($httpRequest);
    $this->server->verifyResourceRequest($oauthRequest, null);

    $format = $this->determineFormat($httpRequest);
    $httpResponse = new HttpResponse();
    $oauthResponse = $this->server->getResponse();

    return $this->buildResponse($format, $httpResponse, $oauthResponse);
}