rain-plus/forum-oauth-center
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity

fix: check permissions in grant type of user credentials

Browse source
This commit is contained in:
FoskyM 2023-10-13 20:56:45 +08:00
parent debfb5201e
commit 357e796b83
No known key found for this signature in database
GPG key ID: 42C0ED6994AD7E9C
4 changed files with 38 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
extend.php
View file

@ -16,6 +16,7 @@ use Flarum\Http\Middleware\AuthenticateWithHeader;
use Flarum\Http\Middleware\CheckCsrfToken; use Flarum\Http\Middleware\CheckCsrfToken;
use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware; use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware;
use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware; use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware;
use FoskyM\OAuthCenter\Middlewares\UserCredentialsMiddleware;
return [ return [
(new Extend\Frontend('forum')) (new Extend\Frontend('forum'))
@ -54,5 +55,6 @@ return [
(new Extend\Middleware('api')) (new Extend\Middleware('api'))
->insertAfter(AuthenticateWithHeader::class, ResourceScopeMiddleware::class), ->insertAfter(AuthenticateWithHeader::class, ResourceScopeMiddleware::class),
(new Extend\Middleware('forum')) (new Extend\Middleware('forum'))
->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class), ->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class)
->insertAfter(CheckCsrfToken::class, UserCredentialsMiddleware::class),
]; ];

3
src/Api/Controller/ShowClientController.php
View file

@ -4,7 +4,6 @@ namespace FoskyM\OAuthCenter\Api\Controller;
use Flarum\Api\Controller\AbstractListController; use Flarum\Api\Controller\AbstractListController;
use Flarum\Http\RequestUtil; use Flarum\Http\RequestUtil;
use Flarum\User\Exception\NotAuthenticatedException;
use Illuminate\Support\Arr; use Illuminate\Support\Arr;
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ServerRequestInterface;
use Tobscure\JsonApi\Document; use Tobscure\JsonApi\Document;
@ -22,7 +21,7 @@ class ShowClientController extends AbstractListController
$actor->assertRegistered(); $actor->assertRegistered();
if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) { if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
throw new NotAuthenticatedException(); return [];
} }
$client = Client::where('client_id', $client_id)->get(); $client = Client::where('client_id', $client_id)->get();

3
src/Controllers/AuthorizeController.php
View file

@ -9,7 +9,6 @@
* file that was distributed with this source code. * file that was distributed with this source code.
*/ */
namespace FoskyM\OAuthCenter\Controllers; namespace FoskyM\OAuthCenter\Controllers;
use Flarum\User\Exception\NotAuthenticatedException;
use Flarum\User\User; use Flarum\User\User;
use Flarum\Http\RequestUtil; use Flarum\Http\RequestUtil;
use FoskyM\OAuthCenter\OAuth; use FoskyM\OAuthCenter\OAuth;
@ -35,7 +34,7 @@ class AuthorizeController implements RequestHandlerInterface
$actor->assertRegistered(); $actor->assertRegistered();
if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) { if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
throw new NotAuthenticatedException(); return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
} }
$params = $request->getParsedBody(); $params = $request->getParsedBody();

33
src/Middlewares/UserCredentialsMiddleware.php Normal file
View file

@ -0,0 +1,33 @@
<?php
namespace FoskyM\OAuthCenter\Middlewares;
use Flarum\User\User;
use FoskyM\OAuthCenter\OAuth;
use FoskyM\OAuthCenter\Storage;
use Illuminate\Support\Arr;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Laminas\Diactoros\Response\JsonResponse;
use FoskyM\OAuthCenter\Models\Scope;
class UserCredentialsMiddleware implements MiddlewareInterface
{
public function process(Request $request, RequestHandlerInterface $handler): Response
{
$uri = [
'/oauth/token',
];
$path = $request->getUri()->getPath();
if (in_array($path, $uri) && Arr::get($request->getParsedBody(), 'grant_type', '') === 'password') {
if ($user = User::where('username', Arr::get($request->getParsedBody(), 'username', ''))->first()) {
if (!$user->hasPermission('foskym-oauth-center.use-oauth')) {
return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
}
}
}
return $handler->handle($request);
}
}