From 357e796b838e8c3e1d2fcc85d7f6aefccddc68b4 Mon Sep 17 00:00:00 2001
From: FoskyM
Date: Fri, 13 Oct 2023 20:56:45 +0800
Subject: [PATCH] fix: check permissions in grant type of user credentials

---
 extend.php | 4 ++-
 src/Api/Controller/ShowClientController.php | 3 +-
 src/Controllers/AuthorizeController.php | 3 +-
 src/Middlewares/UserCredentialsMiddleware.php | 33 +++++++++++++++++++
 4 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 src/Middlewares/UserCredentialsMiddleware.php

diff --git a/extend.php b/extend.php
index b4680d5..5bae177 100644
--- a/extend.php
+++ b/extend.php
@@ -16,6 +16,7 @@ use Flarum\Http\Middleware\AuthenticateWithHeader;
 use Flarum\Http\Middleware\CheckCsrfToken;
 use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware;
 use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware;
+use FoskyM\OAuthCenter\Middlewares\UserCredentialsMiddleware;
 return [
 (new Extend\Frontend('forum'))
@@ -54,5 +55,6 @@ return [
 (new Extend\Middleware('api'))
 ->insertAfter(AuthenticateWithHeader::class, ResourceScopeMiddleware::class),
 (new Extend\Middleware('forum'))
- ->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class),
+ ->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class)
+ ->insertAfter(CheckCsrfToken::class, UserCredentialsMiddleware::class),
 ];
diff --git a/src/Api/Controller/ShowClientController.php b/src/Api/Controller/ShowClientController.php
index 726246b..9b4ebe5 100644
--- a/src/Api/Controller/ShowClientController.php
+++ b/src/Api/Controller/ShowClientController.php
@@ -4,7 +4,6 @@
 namespace FoskyM\OAuthCenter\Api\Controller;
 use Flarum\Api\Controller\AbstractListController;
 use Flarum\Http\RequestUtil;
-use Flarum\User\Exception\NotAuthenticatedException;
 use Illuminate\Support\Arr;
 use Psr\Http\Message\ServerRequestInterface;
 use Tobscure\JsonApi\Document;
@@ -22,7 +21,7 @@ class ShowClientController extends AbstractListController
 $actor->assertRegistered();
 if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
- throw new NotAuthenticatedException();
+ return [];
 }
 $client = Client::where('client_id', $client_id)->get();
diff --git a/src/Controllers/AuthorizeController.php b/src/Controllers/AuthorizeController.php
index 2270376..2a57c5e 100644
--- a/src/Controllers/AuthorizeController.php
+++ b/src/Controllers/AuthorizeController.php
@@ -9,7 +9,6 @@
 * file that was distributed with this source code.
 */
 namespace FoskyM\OAuthCenter\Controllers;
-use Flarum\User\Exception\NotAuthenticatedException;
 use Flarum\User\User;
 use Flarum\Http\RequestUtil;
 use FoskyM\OAuthCenter\OAuth;
@@ -35,7 +34,7 @@ class AuthorizeController implements RequestHandlerInterface
 $actor->assertRegistered();
 if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
- throw new NotAuthenticatedException();
+ return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
 }
 $params = $request->getParsedBody();
diff --git a/src/Middlewares/UserCredentialsMiddleware.php b/src/Middlewares/UserCredentialsMiddleware.php
new file mode 100644
index 0000000..5273a5d
--- /dev/null
+++ b/src/Middlewares/UserCredentialsMiddleware.php
@@ -0,0 +1,33 @@
+getUri()->getPath();
+ if (in_array($path, $uri) && Arr::get($request->getParsedBody(), 'grant_type', '') === 'password') {
+ if ($user = User::where('username', Arr::get($request->getParsedBody(), 'username', ''))->first()) {
+ if (!$user->hasPermission('foskym-oauth-center.use-oauth')) {
+ return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
+ }
+ }
+ }
+
+ return $handler->handle($request);
+ }
+}
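Review bot: The `+ return [];` line in ShowClientController turns a missing `foskym-oauth-center.use-oauth` permission into a successful, empty 200 response, so an API caller can no longer tell "not allowed" from "no such client", and the non-2xx status the removed exception produced is lost. Flarum's `Flarum\User\Exception\PermissionDeniedException` is the exception meant for a registered actor lacking a permission; the line should read `throw new PermissionDeniedException();` with `use Flarum\User\Exception\PermissionDeniedException;` taking the place of the import the first hunk of this file removes. The enclosing method starts and ends outside the hunk.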
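Review bot: The `JsonResponse` returned on the `+ return new JsonResponse(...)` line of AuthorizeController is sent with the constructor's default 200 status, so a client that checks the status code before the body treats the denial as success; pass an explicit status, e.g. `return new JsonResponse(['error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth'], 403);`. `no_permission` is also not an error code RFC 6749 defines for the authorization endpoint — `access_denied` is the value for a refused request — which matters because OAuth clients switch on `error`. The same default-200 response appears in the new UserCredentialsMiddleware hunk below. The enclosing `handle()` method starts and ends outside the hunk.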
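Review bot: In UserCredentialsMiddleware the permission check runs before the password grant has verified anything: the `User::where('username', ...)->first()` lookup followed by a distinct `no_permission` reply means an unauthenticated caller learns from the response alone whether a username exists and whether that account holds the permission, which a token endpoint should not disclose. Performing the `hasPermission` check after the grant has validated the credentials, or answering with the same generic error the grant itself returns for bad credentials, removes that distinction; as written the reply also leaves with JsonResponse's default 200 where RFC 6749 §5.2 expects a 400 for token-endpoint errors. `in_array($path, $uri)` should pass `strict: true` so a loosely-equal path cannot match. The head of this file (class header, the `$uri` list and the `$request->` prefix of the first added line) is not present on the page, so the start of `handle()` cannot be reviewed here.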