/** * Get the access token * * Note that this method will only match tokens that are not expired and match the given scopes (if any). * If no token is pass, this method will return null, but if a token is given does not exist (ie. has been * deleted) or is not valid, then it will trigger an exception * * @link http://tools.ietf.org/html/rfc6750#page-5 * @param array|string|Scope[] $scopes * @return AccessToken|null * @throws InvalidAccessTokenException If given access token is invalid or expired */ public function getAccessToken(ServerRequestInterface $request, $scopes = []) { if (!($token = $this->extractAccessToken($request))) { return null; } $token = $this->accessTokenService->getToken($token); if ($token === null || !$token->isValid($scopes)) { throw new InvalidAccessTokenException('Access token has expired or has been deleted'); } return $token; }
/** * @throws OAuth2Exception (invalid_request) If no "token" is present * @throws OAuth2Exception (unsupported_token_type) If "token" is unsupported * @throws OAuth2Exception (invalid_client) If "token" was issued for another client and cannot be revoked */ public function handleRevocationRequest(ServerRequestInterface $request) : ResponseInterface { $postParams = $request->getParsedBody(); $token = $postParams['token'] ?? null; $tokenHint = $postParams['token_type_hint'] ?? null; if (null === $token || null === $tokenHint) { throw OAuth2Exception::invalidRequest('Cannot revoke a token as the "token" and/or "token_type_hint" parameters are missing'); } if ($tokenHint !== 'access_token' && $tokenHint !== 'refresh_token') { throw OAuth2Exception::unsupportedTokenType(sprintf('Authorization server does not support revocation of token of type "%s"', $tokenHint)); } if ($tokenHint === 'access_token') { $token = $this->accessTokenService->getToken((string) $token); } else { $token = $this->refreshTokenService->getToken((string) $token); } $response = new Response(); // According to spec, we should return 200 if token is invalid if (null === $token) { return $response; } // Now, we must validate the client if the token was generated against a non-public client if (null !== $token->getClient() && !$token->getClient()->isPublic()) { $requestClient = $this->getClient($request, false); if ($requestClient !== $token->getClient()) { throw OAuth2Exception::invalidClient('Token was issued for another client and cannot be revoked'); } } try { if ($tokenHint === 'access_token') { $this->accessTokenService->deleteToken($token); } else { $this->refreshTokenService->deleteToken($token); } } catch (Throwable $exception) { // According to spec (https://tools.ietf.org/html/rfc7009#section-2.2.1), we should return a server 503 // error if we cannot delete the token for any reason $response = $response->withStatus(503, 'An error occurred while trying to delete the token'); } return $response; }
public function testDoesCaseSensitiveTest() { $token = AccessToken::reconstitute(['token' => 'Token', 'owner' => $this->createMock(TokenOwnerInterface::class), 'client' => $this->createMock(Client::class), 'expiresAt' => new \DateTimeImmutable(), 'scopes' => []]); $this->tokenRepository->expects($this->once())->method('findByToken')->with('token')->will($this->returnValue($token)); $this->assertNull($this->tokenService->getToken('token')); }