 /**
  * Resolve the access token carried by the request.
  *
  * Only tokens that are still valid (not expired) and that cover the given scopes
  * (if any) are returned. A request carrying no token yields null; a request whose
  * token is unknown (e.g. deleted) or no longer valid triggers an exception.
  *
  * @link   http://tools.ietf.org/html/rfc6750#page-5
  * @param  array|string|Scope[]   $scopes
  * @return AccessToken|null
  * @throws InvalidAccessTokenException If given access token is invalid or expired
  */
 public function getAccessToken(ServerRequestInterface $request, $scopes = [])
 {
     $rawToken = $this->extractAccessToken($request);

     // No bearer token in the request at all: nothing to validate.
     if (!$rawToken) {
         return null;
     }

     $accessToken = $this->accessTokenService->getToken($rawToken);

     // Unknown tokens and tokens that fail validation (expiry/scopes) are treated alike.
     if (null === $accessToken || !$accessToken->isValid($scopes)) {
         throw new InvalidAccessTokenException('Access token has expired or has been deleted');
     }

     return $accessToken;
 }
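 /**
  * Handle an OAuth2 token revocation request (RFC 7009).
  *
  * The request body must carry both "token" and "token_type_hint"; only the
  * "access_token" and "refresh_token" hints are supported. An unknown token
  * still yields a 200 response, as the spec requires. A token issued to a
  * confidential (non-public) client may only be revoked by that same client.
  *
  * @throws OAuth2Exception (invalid_request) If no "token" is present
  * @throws OAuth2Exception (unsupported_token_type) If "token" is unsupported
  * @throws OAuth2Exception (invalid_client) If "token" was issued for another client and cannot be revoked
  */
 public function handleRevocationRequest(ServerRequestInterface $request) : ResponseInterface
 {
     // PSR-7 allows getParsedBody() to return null or an object; only an array can be
     // indexed safely here, so anything else is treated as an empty body (-> invalid_request).
     $postParams = $request->getParsedBody();
     if (!is_array($postParams)) {
         $postParams = [];
     }

     $token     = $postParams['token'] ?? null;
     $tokenHint = $postParams['token_type_hint'] ?? null;

     if (null === $token || null === $tokenHint) {
         throw OAuth2Exception::invalidRequest('Cannot revoke a token as the "token" and/or "token_type_hint" parameters are missing');
     }

     if ($tokenHint !== 'access_token' && $tokenHint !== 'refresh_token') {
         throw OAuth2Exception::unsupportedTokenType(sprintf('Authorization server does not support revocation of token of type "%s"', $tokenHint));
     }

     $isAccessToken = ($tokenHint === 'access_token');

     if ($isAccessToken) {
         $token = $this->accessTokenService->getToken((string) $token);
     } else {
         $token = $this->refreshTokenService->getToken((string) $token);
     }

     $response = new Response();

     // According to spec, we should return 200 if token is invalid
     if (null === $token) {
         return $response;
     }

     // Now, we must validate the client if the token was generated against a non-public client:
     // the client resolved from the request must be the one the token was issued to.
     if (null !== $token->getClient() && !$token->getClient()->isPublic()) {
         $requestClient = $this->getClient($request, false);

         // NOTE(review): identity (!==) comparison — assumes both lookups yield the same client instance; confirm
         if ($requestClient !== $token->getClient()) {
             throw OAuth2Exception::invalidClient('Token was issued for another client and cannot be revoked');
         }
     }

     try {
         if ($isAccessToken) {
             $this->accessTokenService->deleteToken($token);
         } else {
             $this->refreshTokenService->deleteToken($token);
         }
     } catch (Throwable $exception) {
         // According to spec (https://tools.ietf.org/html/rfc7009#section-2.2.1), we should return a server 503
         // error if we cannot delete the token for any reason
         // NOTE(review): the exception is discarded; no logger is visible in this block, but the failure should be recorded
         $response = $response->withStatus(503, 'An error occurred while trying to delete the token');
     }

     return $response;
 }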
 /**
  * Token lookup must be case-sensitive: the repository hands back a token whose
  * value differs only in case ("Token" vs "token"), and the service is expected
  * to return null rather than accept the storage-layer match (e.g. a
  * case-insensitive collation — presumably what this guards against).
  */
 public function testDoesCaseSensitiveTest()
 {
     $storedToken = AccessToken::reconstitute([
         'token'     => 'Token',
         'owner'     => $this->createMock(TokenOwnerInterface::class),
         'client'    => $this->createMock(Client::class),
         'expiresAt' => new \DateTimeImmutable(),
         'scopes'    => [],
     ]);

     $this->tokenRepository
         ->expects($this->once())
         ->method('findByToken')
         ->with('token')
         ->will($this->returnValue($storedToken));

     $this->assertNull($this->tokenService->getToken('token'));
 }