From ee743514f8b63f6cb90b3a8df476b808f22cc936 Mon Sep 17 00:00:00 2001
From: Mike Macgirvin
Date: Fri, 30 Dec 2022 20:13:33 +1100
Subject: [PATCH 1/2] remove redundant oauth server options
---
 Code/Identity/OAuth2Server.php | 2 ++
 Code/Module/Authorize.php | 6 ------
 Code/Module/Token.php | 7 -------
 include/api_auth.php | 16 ++++++----------
 4 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/Code/Identity/OAuth2Server.php b/Code/Identity/OAuth2Server.php
index 86e59450c..d759689cb 100644
--- a/Code/Identity/OAuth2Server.php
+++ b/Code/Identity/OAuth2Server.php
@@ -33,8 +33,10 @@ class OAuth2Server extends Server
 // Need to use OpenID\GrantType to return id_token
 // (see:https://github.com/bshaffer/oauth2-server-php/issues/443)
 $this->addGrantType(new AuthorizationCode($storage));
+ // Add the "Refresh Token" grant type
 $this->addGrantType(new RefreshToken($storage));
+
 $keyStorage = new Memory([
 'keys' => [
 'public_key' => get_config('system', 'pubkey'),
diff --git a/Code/Module/Authorize.php b/Code/Module/Authorize.php
index e0c1c5dbd..c5c99437e 100644
--- a/Code/Module/Authorize.php
+++ b/Code/Module/Authorize.php
@@ -58,12 +58,6 @@ class Authorize extends Controller
 $storage = new OAuth2Storage(DBA::$dba->db);
 $server = new OAuth2Server($storage);
- // Add the "Client Credentials" grant type (it is the simplest of the grant types)
- $server->addGrantType(new GrantType\ClientCredentials($storage));
- // Add the "Authorization Code" grant type (this is where the oauth magic happens)
- $server->addGrantType(new GrantType\AuthorizationCode($storage));
- // Add the "Refresh Token" grant type
- $server->addGrantType(new GrantType\RefreshToken($storage));
 // TODO: The automatic client registration protocol below should adhere more
 // closely to "OAuth 2.0 Dynamic Client Registration Protocol" defined
diff --git a/Code/Module/Token.php b/Code/Module/Token.php
index ea760267c..c625d035c 100644
--- a/Code/Module/Token.php
+++ b/Code/Module/Token.php
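Review bot: Removing the three `addGrantType()` calls here drops the Client Credentials grant rather than a redundant one: the centralized constructor in the OAuth2Server.php hunk registers only `AuthorizationCode` and `RefreshToken`, unless `ClientCredentials` is registered further down that constructor, outside the hunk. The Token.php and api_auth.php hunks remove the same lines, so a registered client using `grant_type=client_credentials` at the token endpoint would be refused after this change. If dropping that grant is intended, say so in the commit message, since it changes who can obtain tokens without a user present; if not, add `$this->addGrantType(new ClientCredentials($storage));` beside the other two in OAuth2Server.php (with its matching `use`) so every endpoint shares a single grant list. For api_auth.php the removal is harmless either way, as `verifyResourceRequest()` validates presented tokens and should not depend on which grant types are registered.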
@@ -40,13 +40,6 @@ class Token extends Controller
 $storage = new OAuth2Storage(DBA::$dba->db);
 $server = new OAuth2Server($storage);
- // Add the "Client Credentials" grant type (it is the simplest of the grant types)
- $server->addGrantType(new GrantType\ClientCredentials($storage));
- // Add the "Authorization Code" grant type (this is where the oauth magic happens)
- $server->addGrantType(new GrantType\AuthorizationCode($storage));
- // Add the "Refresh Token" grant type
- $server->addGrantType(new GrantType\RefreshToken($storage));
-
 $request = Request::createFromGlobals();
 $response = $server->handleTokenRequest($request);
 $response->send();
diff --git a/include/api_auth.php b/include/api_auth.php
index 0fc09a9ad..e92f35a14 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -16,14 +16,14 @@ require_once('include/security.php');
 /**
 * API Login via basic-auth, OpenWebAuth, or OAuth2
+ * This function returns true or exits with a 401 and WWW-Authenticate header.
+ * @noinspection PhpInconsistentReturnPointsInspection
 */
 function api_login() {
 $record = null;
- $remote_auth = false;
- $sigblock = null;
 if (array_key_exists('REDIRECT_REMOTE_USER', $_SERVER) && (! array_key_exists('HTTP_AUTHORIZATION', $_SERVER))) {
 $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER'];
@@ -35,12 +35,6 @@ function api_login()
 // OAuth 2.0
 $storage = new OAuth2Storage(DBA::$dba->db);
 $server = new OAuth2Server($storage);
- // Add the "Client Credentials" grant type (it is the simplest of the grant types)
- $server->addGrantType(new GrantType\ClientCredentials($storage));
- // Add the "Authorization Code" grant type (this is where the oauth magic happens)
- $server->addGrantType(new GrantType\AuthorizationCode($storage));
- // Add the "Refresh Token" grant type
- $server->addGrantType(new GrantType\RefreshToken($storage));
 $request = Request::createFromGlobals();
 if ($server->verifyResourceRequest($request)) {
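Review bot: The two added docblock lines state the return contract in prose and then silence the inspection, where a `@return true` tag (or a `: bool` return type on the signature) would express it in a form PHPStan, Psalm and IDEs can check. Suggested replacement: ` * Returns true on success; on failure it never returns but exits with a 401 and a WWW-Authenticate header.` followed by ` * @return true`. The `@noinspection PhpInconsistentReturnPointsInspection` line can then be dropped once every return in `api_login()` is `return true;` — the hunk at old line 69 converts one bare `return;`, but most of the function body lies outside these hunks and may still contain others. The exit-with-401 half of the contract is the part worth keeping prominent, since callers cannot catch or unit-test it.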
@@ -69,11 +63,13 @@ function api_login()
 authenticate_success($x[0], false, true, false, true, true);
 $_SESSION['allow_api'] = true;
 Hook::call('logged_in', App::$user);
- return;
+ return true;
 }
 }
 } catch (Exception $e) {
+ // Just log the exception. Most of the time it will be because
+ // a different identity mechanism is being used and no oauth2 parameters were found.
 logger($e->getMessage());
 }
@@ -132,7 +128,6 @@ function api_login()
 }
 }
- // process normal login request
 if (isset($_SERVER['PHP_AUTH_USER']) && (! $record)) {
@@ -158,6 +153,7 @@ function api_login()
 log_failed_login('API login failure');
 retry_basic_auth();
 }
+
 }
From e7fd93f3a2e1bd258d7a0de759c9392de5a0a7da Mon Sep 17 00:00:00 2001
From: Mike Macgirvin
Date: Sat, 31 Dec 2022 05:41:02 +1100
Subject: [PATCH 2/2] cleanup
---
 Code/Module/Authorize.php | 6 +-----
 include/api_auth.php | 2 --
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/Code/Module/Authorize.php b/Code/Module/Authorize.php
index c5c99437e..05a940f42 100644
--- a/Code/Module/Authorize.php
+++ b/Code/Module/Authorize.php
@@ -2,16 +2,13 @@
 namespace Code\Module;
-use App;
 use DBA;
 use Code\Lib\Channel;
 use Code\Web\Controller;
 use Code\Identity\OAuth2Server;
 use Code\Identity\OAuth2Storage;
-use OAuth2\GrantType\RefreshToken;
 use OAuth2\Request;
 use OAuth2\Response;
-use OAuth2\GrantType;
 use Code\Render\Theme;
@@ -36,7 +33,7 @@ class Authorize extends Controller
 $link = (($app['url']) ? '' . $app['name'] . ' ' : $app['name']);
- $o = replace_macros(Theme::get_template('oauth_authorize.tpl'), [
+ return replace_macros(Theme::get_template('oauth_authorize.tpl'), [
 '$title' => t('Authorize'),
 '$authorize' => sprintf(t('Do you authorize the app %s to access your channel data?'), $link),
 '$app' => $app,
@@ -46,7 +43,6 @@ class Authorize extends Controller
 '$redirect_uri' => (x($_REQUEST, 'redirect_uri') ? $_REQUEST['redirect_uri'] : ''),
 '$state' => (x($_REQUEST, 'state') ? $_REQUEST['state'] : ''),
 ]);
- return $o;
 }
 }
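Review bot: The new catch comment explains why the exception is only logged, but the `logger($e->getMessage())` call still writes the bare message with no origin, so an exception raised by `OAuth2Storage` or `verifyResourceRequest()` during API authentication is indistinguishable in the log from any other entry. Prefix it with the call site, and if the routine no-oauth2-parameters case really dominates, log at the debug level: `logger('api_login: oauth2 check threw: ' . $e->getMessage(), LOGGER_DEBUG);` (assuming the project's debug-level constant is in scope here as it is elsewhere). Because `catch (Exception $e)` also swallows storage and database errors and then falls through to the next authentication method, the message should stay specific enough that those are not mistaken for the routine case. The enclosing `try` block begins before this hunk.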
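Review bot: Dropping `use App;` is only safe if `App::` is no longer referenced in the class body, which lies outside this hunk; in a namespaced file an unqualified `App::...` would now resolve to `Code\Module\App` and fail only at runtime when that line executes, which `php -l` does not detect. The two `OAuth2\GrantType` imports look safe to remove, since the `GrantType\...` calls deleted from this file in the first patch were the only visible uses. A PHPStan or Psalm pass over `Code/Module/Authorize.php` would settle the first point before merge.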
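Review bot: The `return replace_macros(...)` hands `$_REQUEST['redirect_uri']` and `$_REQUEST['state']` to the template unchanged, exactly as the removed `$o` assignment did, so whether that output is safe rests on `oauth_authorize.tpl` escaping the values and on the server checking `redirect_uri` against the client's registered URI when the form is posted — neither is visible in this diff. If the template emits them as raw attribute values, escape at this point, e.g. `'$redirect_uri' => (x($_REQUEST, 'redirect_uri') ? htmlspecialchars($_REQUEST['redirect_uri'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : ''),` and likewise for `state`; if the template already escapes, a short comment saying so here would save the next reader the same question. The method's opening, including the `$app` lookup, is outside the hunk.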
diff --git a/include/api_auth.php b/include/api_auth.php
index e92f35a14..9c214d170 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -1,7 +1,6 @@