Oauth2 server (Vagrant + apache2 + posgresql + php-fpm + symfony)

It currently support PHP5.4 ad PHP5.5, for support of PHP5.6, we're waiting for Doctrine2.5 to be released

Please read and check this Readme from times to times so that to not waste time later wondering how to do things which are already explained here

if something is wrong or missing: tell me, if you don't tell me I have no way to improve it =)

we use vagrant to create the dev environnement
apache2 to provide the web server
postgresql for the database
php-fpm as the php interpreter
symfony + doctrine for the base Framework
DoctrineMigration to create database migration (should be simpler than Phinx)
FOSOAuthServerBundle to provide the Oauth2 endpoint
FOSUserBundle to provide user authentication

for windows user you can have a nfs using this plugin

vagrant plugin install vagrant-winnfsd

Create the vagrant machine

vagrant up

Usage

Initiate database

in the vagrant machine (in directory /vagrant ) run:

php app/console  doctrine:migrations:migrate

Create a client

in the vagrant machine (in directory /vagrant ) run: (in case you want to use the grant type password)

php app/console acme:oauth-server:client:create \
--grant-type="password" \
--grant-type="refresh_token" \
--grant-type="token" \
--client-type="backend"

The client-type parameter is optional, the given value is used to specified the type of the client we create. This is a walk around as we cannot use the "scopes" feature provided by oauth2. In the bundle we use, this feature is not available from the client.

it will return you:

Added a new client with public id CLIENT_ID, secret CLIENT_SECRET

Create a new end user

Through the console

php app/console fos:user:create vagrant vagrant@vagrant.com vagrant

Through an API call

echo '
{
    "email": "TEST@EXAMPLE.COM" ,
    "username" : "USER_NAME",
    "plain_password" : "PLAIN_TEXT_PASSWORD"
}
' |  http POST http://127.0.0.1:8089/app_dev.php/users

or

echo '
{
    "phone_number": "1234567" ,
    "username" : "USER_NAME",
    "plain_password" : "PLAIN_TEXT_PASSWORD"
}
' |  http POST http://127.0.0.1:8089/app_dev.php/users

or

echo '
{
    "email": "TEST@EXAMPLE.COM" ,
    "phone_number": "1234567" ,
    "username" : "USER_NAME",
    "plain_password" : "PLAIN_TEXT_PASSWORD"
}
' |  http POST http://127.0.0.1:8089/app_dev.php/users

if everything is made correctly you should get back this

HTTP/1.1 202 Accepted
Cache-Control: no-cache
Content-Type: application/json
Date: XXX
Server: XXXX
Transfer-Encoding: chunked

{
    "id": 42
}

once it's done you then need to activate the user with this API call

http PUT http://127.0.0.1:8089/app_dev.php/users/{id}/confirmation-token/{confirmationToken}

if the user is correctly activate you will receive a 201 Created status code

if the data are posted are not correct a 400 status code will be returned, containing a JSON array of error message like this:

[

    {
        "message": "bst.phone_and_email.missing", 
        "property_path": ""
    }, 

    {
        "message": "fos_user.username.short", 
        "property_path": "username"

    }, 

    {
        "message": "fos_user.password.blank", 
        "property_path": "plainPassword"
    }
]

each error has two fields :

message: the error code, it's a pre-defined string constant, made to be somewhat human-readable
property: if empty, it concerns the full form, if not, it contains the field concerned by the error message

possible value for message:

bst.phone_and_email.missing : the user has input neither phone nor email
fos_user.email.already_used : the email is already taken (it also check case-insensitive and all rules that apply to consider two emails identical)
fos_user.username.already_used : the username is already taken (it also check case-insensitive and Unicode trick to obtain the same visual string to avoid user impersonnation)
bst.phonenumber.already_used : phone number already used.
fos_user.email.short: the email is too short
fos_user.email.long: the email is too long
fos_user.username.short: the email is too short (currently 2 characters)
fos_user.username.long: the email is too long (currently 255 characters)
bst.phonenumber.short : phone number too short ( < 3)
bst.phonenumber.long : phone number too long ( > 20)
bst.phonenumber.space: phone number contains space characters
bst.phonenumber.format: phone number does not match the format (contains letters this kind of thing)
fos_user.password.blank: the password has not been precised by user.
fos_user.password.short: the password is too short ( < 3 characters)

Note:

In order to avoid a user getting "locked" in the following situation:

the user register using phone A
before getting the validation code, the user closes the App AND for some reason never get the validation phone

which would result in the user's email or phone number being marked as used by the system but enable to be used by the user. In order to avoid that, if you register twice with the same credentials, without activitating the first time, the system will accept the second registration and delete the first one.

Backend API calls

These API calls can only be executed by an user connected through a "backend" type client. All these calls will throw access denied exception if the current user is not allowed to perform them.

POST /admin/users - Create a new user
PUT /admin/users/{id} - Edit an user
PUT /admin/users/{id}/roles - Edit the roles of an user
GET /admin/users/{id} - Get one user information
PATCH /admin/users/{id}/disable - Disable an user