Edit File: BearerTokenValidator.php
<?php /** * @author Alex Bilbie <hello@alexbilbie.com> * @copyright Copyright (c) Alex Bilbie * @license http://mit-license.org/ * * @link https://github.com/thephpleague/oauth2-server */ namespace League\OAuth2\Server\AuthorizationValidators; use DateTimeZone; use Lcobucci\Clock\SystemClock; use Lcobucci\JWT\Configuration; use Lcobucci\JWT\Signer\Key\InMemory; use Lcobucci\JWT\Signer\Rsa\Sha256; use Lcobucci\JWT\Validation\Constraint\LooseValidAt; use Lcobucci\JWT\Validation\Constraint\SignedWith; use Lcobucci\JWT\Validation\RequiredConstraintsViolated; use League\OAuth2\Server\CryptKey; use League\OAuth2\Server\CryptTrait; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface; use Psr\Http\Message\ServerRequestInterface; class BearerTokenValidator implements AuthorizationValidatorInterface { use CryptTrait; /** * @var AccessTokenRepositoryInterface */ private $accessTokenRepository; /** * @var CryptKey */ protected $publicKey; /** * @var Configuration */ private $jwtConfiguration; /** * @var \DateInterval|null */ private $jwtValidAtDateLeeway; /** * @param AccessTokenRepositoryInterface $accessTokenRepository * @param \DateInterval|null $jwtValidAtDateLeeway */ public function __construct(AccessTokenRepositoryInterface $accessTokenRepository, \DateInterval $jwtValidAtDateLeeway = null) { $this->accessTokenRepository = $accessTokenRepository; $this->jwtValidAtDateLeeway = $jwtValidAtDateLeeway; } /** * Set the public key * * @param CryptKey $key */ public function setPublicKey(CryptKey $key) { $this->publicKey = $key; $this->initJwtConfiguration(); } /** * Initialise the JWT configuration. */ private function initJwtConfiguration() { $this->jwtConfiguration = Configuration::forSymmetricSigner( new Sha256(), InMemory::plainText('empty', 'empty') ); $clock = new SystemClock(new DateTimeZone(\date_default_timezone_get())); $this->jwtConfiguration->setValidationConstraints( new LooseValidAt($clock, $this->jwtValidAtDateLeeway), new SignedWith( new Sha256(), InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '') ) ); } /** * {@inheritdoc} */ public function validateAuthorization(ServerRequestInterface $request) { if ($request->hasHeader('authorization') === false) { throw OAuthServerException::accessDenied('Missing "Authorization" header'); } $header = $request->getHeader('authorization'); $jwt = \trim((string) \preg_replace('/^\s*Bearer\s/', '', $header[0])); try { // Attempt to parse the JWT $token = $this->jwtConfiguration->parser()->parse($jwt); } catch (\Lcobucci\JWT\Exception $exception) { throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception); } try { // Attempt to validate the JWT $constraints = $this->jwtConfiguration->validationConstraints(); $this->jwtConfiguration->validator()->assert($token, ...$constraints); } catch (RequiredConstraintsViolated $exception) { throw OAuthServerException::accessDenied('Access token could not be verified', null, $exception); } $claims = $token->claims(); // Check if token has been revoked if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) { throw OAuthServerException::accessDenied('Access token has been revoked'); } // Return the request with additional attributes return $request ->withAttribute('oauth_access_token_id', $claims->get('jti')) ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud'))) ->withAttribute('oauth_user_id', $claims->get('sub')) ->withAttribute('oauth_scopes', $claims->get('scopes')); } /** * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt * * @param mixed $aud * * @return array|string */ private function convertSingleRecordAudToString($aud) { return \is_array($aud) && \count($aud) === 1 ? $aud[0] : $aud; } }
Back to File Manager