131 lines
4.6 KiB
PHP
131 lines
4.6 KiB
PHP
<?php
|
|
|
|
namespace OAuth2\TokenType;
|
|
|
|
use OAuth2\RequestInterface;
|
|
use OAuth2\ResponseInterface;
|
|
|
|
/**
|
|
*
|
|
*/
|
|
class Bearer implements TokenTypeInterface
|
|
{
|
|
private $config;
|
|
|
|
public function __construct(array $config = array())
|
|
{
|
|
$this->config = array_merge(array(
|
|
'token_param_name' => 'access_token',
|
|
'token_bearer_header_name' => 'Bearer',
|
|
), $config);
|
|
}
|
|
|
|
public function getTokenType()
|
|
{
|
|
return 'Bearer';
|
|
}
|
|
|
|
/**
|
|
* Check if the request has supplied token
|
|
*
|
|
* @see https://github.com/bshaffer/oauth2-server-php/issues/349#issuecomment-37993588
|
|
*/
|
|
public function requestHasToken(RequestInterface $request)
|
|
{
|
|
$headers = $request->headers('AUTHORIZATION');
|
|
|
|
// check the header, then the querystring, then the request body
|
|
return !empty($headers) || (bool) ($request->request($this->config['token_param_name'])) || (bool) ($request->query($this->config['token_param_name']));
|
|
}
|
|
|
|
/**
|
|
* This is a convenience function that can be used to get the token, which can then
|
|
* be passed to getAccessTokenData(). The constraints specified by the draft are
|
|
* attempted to be adheared to in this method.
|
|
*
|
|
* As per the Bearer spec (draft 8, section 2) - there are three ways for a client
|
|
* to specify the bearer token, in order of preference: Authorization Header,
|
|
* POST and GET.
|
|
*
|
|
* NB: Resource servers MUST accept tokens via the Authorization scheme
|
|
* (http://tools.ietf.org/html/rfc6750#section-2).
|
|
*
|
|
* @todo Should we enforce TLS/SSL in this function?
|
|
*
|
|
* @see http://tools.ietf.org/html/rfc6750#section-2.1
|
|
* @see http://tools.ietf.org/html/rfc6750#section-2.2
|
|
* @see http://tools.ietf.org/html/rfc6750#section-2.3
|
|
*
|
|
* Old Android version bug (at least with version 2.2)
|
|
* @see http://code.google.com/p/android/issues/detail?id=6684
|
|
*
|
|
*/
|
|
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
|
|
{
|
|
$headers = $request->headers('AUTHORIZATION');
|
|
|
|
/**
|
|
* Ensure more than one method is not used for including an
|
|
* access token
|
|
*
|
|
* @see http://tools.ietf.org/html/rfc6750#section-3.1
|
|
*/
|
|
$methodsUsed = !empty($headers) + (bool) ($request->query($this->config['token_param_name'])) + (bool) ($request->request($this->config['token_param_name']));
|
|
if ($methodsUsed > 1) {
|
|
$response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* If no authentication is provided, set the status code
|
|
* to 401 and return no other error information
|
|
*
|
|
* @see http://tools.ietf.org/html/rfc6750#section-3.1
|
|
*/
|
|
if ($methodsUsed == 0) {
|
|
$response->setStatusCode(401);
|
|
|
|
return null;
|
|
}
|
|
|
|
// HEADER: Get the access token from the header
|
|
if (!empty($headers)) {
|
|
if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\s(\S+)/i', $headers, $matches)) {
|
|
$response->setError(400, 'invalid_request', 'Malformed auth header');
|
|
|
|
return null;
|
|
}
|
|
|
|
return $matches[1];
|
|
}
|
|
|
|
if ($request->request($this->config['token_param_name'])) {
|
|
// // POST: Get the token from POST data
|
|
if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) {
|
|
$response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
|
|
|
|
return null;
|
|
}
|
|
|
|
$contentType = $request->server('CONTENT_TYPE');
|
|
if (false !== $pos = strpos($contentType, ';')) {
|
|
$contentType = substr($contentType, 0, $pos);
|
|
}
|
|
|
|
if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') {
|
|
// IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
|
|
// @see http://tools.ietf.org/html/rfc6750#section-2.2
|
|
$response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
|
|
|
|
return null;
|
|
}
|
|
|
|
return $request->request($this->config['token_param_name']);
|
|
}
|
|
|
|
// GET method
|
|
return $request->query($this->config['token_param_name']);
|
|
}
|
|
}
|