vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php line 122

Open in your IDE?
  1. <?php
  2. /**
  3.  * @author      Alex Bilbie <hello@alexbilbie.com>
  4.  * @copyright   Copyright (c) Alex Bilbie
  5.  * @license     http://mit-license.org/
  6.  *
  7.  * @link        https://github.com/thephpleague/oauth2-server
  8.  */
  10. namespace League\OAuth2\Server\AuthorizationValidators;
  12. use DateTimeZone;
  13. use Lcobucci\Clock\SystemClock;
  14. use Lcobucci\JWT\Configuration;
  15. use Lcobucci\JWT\Signer\Key\InMemory;
  16. use Lcobucci\JWT\Signer\Rsa\Sha256;
  17. use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
  18. use Lcobucci\JWT\Validation\Constraint\SignedWith;
  19. use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
  20. use League\OAuth2\Server\CryptKey;
  21. use League\OAuth2\Server\CryptTrait;
  22. use League\OAuth2\Server\Exception\OAuthServerException;
  23. use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
  24. use Psr\Http\Message\ServerRequestInterface;
  26. class BearerTokenValidator implements AuthorizationValidatorInterface
  27. {
  28.     use CryptTrait;
  30.     /**
  31.      * @var AccessTokenRepositoryInterface
  32.      */
  33.     private $accessTokenRepository;
  35.     /**
  36.      * @var CryptKey
  37.      */
  38.     protected $publicKey;
  40.     /**
  41.      * @var Configuration
  42.      */
  43.     private $jwtConfiguration;
  45.     /**
  46.      * @var \DateInterval|null
  47.      */
  48.     private $jwtValidAtDateLeeway;
  50.     /**
  51.      * @param AccessTokenRepositoryInterface $accessTokenRepository
  52.      * @param \DateInterval|null             $jwtValidAtDateLeeway
  53.      */
  54.     public function __construct(AccessTokenRepositoryInterface $accessTokenRepository\DateInterval $jwtValidAtDateLeeway null)
  55.     {
  56.         $this->accessTokenRepository $accessTokenRepository;
  57.         $this->jwtValidAtDateLeeway $jwtValidAtDateLeeway;
  58.     }
  60.     /**
  61.      * Set the public key
  62.      *
  63.      * @param CryptKey $key
  64.      */
  65.     public function setPublicKey(CryptKey $key)
  66.     {
  67.         $this->publicKey $key;
  69.         $this->initJwtConfiguration();
  70.     }
  72.     /**
  73.      * Initialise the JWT configuration.
  74.      */
  75.     private function initJwtConfiguration()
  76.     {
  77.         $this->jwtConfiguration Configuration::forSymmetricSigner(
  78.             new Sha256(),
  79.             InMemory::plainText('empty''empty')
  80.         );
  82.         $clock = new SystemClock(new DateTimeZone(\date_default_timezone_get()));
  83.         $this->jwtConfiguration->setValidationConstraints(
  84.             new LooseValidAt($clock$this->jwtValidAtDateLeeway),
  85.             new SignedWith(
  86.                 new Sha256(),
  87.                 InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
  88.             )
  89.         );
  90.     }
  92.     /**
  93.      * {@inheritdoc}
  94.      */
  95.     public function validateAuthorization(ServerRequestInterface $request)
  96.     {
  97.         if ($request->hasHeader('authorization') === false) {
  98.             throw OAuthServerException::accessDenied('Missing "Authorization" header');
  99.         }
  101.         $header $request->getHeader('authorization');
  102.         $jwt \trim((string) \preg_replace('/^\s*Bearer\s/'''$header[0]));
  104.         try {
  105.             // Attempt to parse the JWT
  106.             $token $this->jwtConfiguration->parser()->parse($jwt);
  107.         } catch (\Lcobucci\JWT\Exception $exception) {
  108.             throw OAuthServerException::accessDenied($exception->getMessage(), null$exception);
  109.         }
  111.         try {
  112.             // Attempt to validate the JWT
  113.             $constraints $this->jwtConfiguration->validationConstraints();
  114.             $this->jwtConfiguration->validator()->assert($token, ...$constraints);
  115.         } catch (RequiredConstraintsViolated $exception) {
  116.             throw OAuthServerException::accessDenied('Access token could not be verified'null$exception);
  117.         }
  119.         $claims $token->claims();
  121.         // Check if token has been revoked
  122.         if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
  123.             throw OAuthServerException::accessDenied('Access token has been revoked');
  124.         }
  126.         // Return the request with additional attributes
  127.         return $request
  128.             ->withAttribute('oauth_access_token_id'$claims->get('jti'))
  129.             ->withAttribute('oauth_client_id'$this->convertSingleRecordAudToString($claims->get('aud')))
  130.             ->withAttribute('oauth_user_id'$claims->get('sub'))
  131.             ->withAttribute('oauth_scopes'$claims->get('scopes'));
  132.     }
  134.     /**
  135.      * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt
  136.      *
  137.      * @param mixed $aud
  138.      *
  139.      * @return array|string
  140.      */
  141.     private function convertSingleRecordAudToString($aud)
  142.     {
  143.         return \is_array($aud) && \count($aud) === $aud[0] : $aud;
  144.     }
  145. }