fix: check permissions in grant type of user credentials
This commit is contained in:
parent
debfb5201e
commit
357e796b83
4 changed files with 38 additions and 5 deletions
|
@ -16,6 +16,7 @@ use Flarum\Http\Middleware\AuthenticateWithHeader;
|
|||
use Flarum\Http\Middleware\CheckCsrfToken;
|
||||
use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware;
|
||||
use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware;
|
||||
use FoskyM\OAuthCenter\Middlewares\UserCredentialsMiddleware;
|
||||
|
||||
return [
|
||||
(new Extend\Frontend('forum'))
|
||||
|
@ -54,5 +55,6 @@ return [
|
|||
(new Extend\Middleware('api'))
|
||||
->insertAfter(AuthenticateWithHeader::class, ResourceScopeMiddleware::class),
|
||||
(new Extend\Middleware('forum'))
|
||||
->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class),
|
||||
->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class)
|
||||
->insertAfter(CheckCsrfToken::class, UserCredentialsMiddleware::class),
|
||||
];
|
||||
|
|
|
@ -4,7 +4,6 @@ namespace FoskyM\OAuthCenter\Api\Controller;
|
|||
|
||||
use Flarum\Api\Controller\AbstractListController;
|
||||
use Flarum\Http\RequestUtil;
|
||||
use Flarum\User\Exception\NotAuthenticatedException;
|
||||
use Illuminate\Support\Arr;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Tobscure\JsonApi\Document;
|
||||
|
@ -22,7 +21,7 @@ class ShowClientController extends AbstractListController
|
|||
$actor->assertRegistered();
|
||||
|
||||
if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
|
||||
throw new NotAuthenticatedException();
|
||||
return [];
|
||||
}
|
||||
|
||||
$client = Client::where('client_id', $client_id)->get();
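Review bot: Replacing the throw with `return [];` in ShowClientController turns a missing `foskym-oauth-center.use-oauth` permission into a successful, empty list response, so the caller cannot distinguish "not allowed" from "no such client" and nothing in logs or the HTTP status records a denied request. The old exception type was indeed wrong for a registered actor, but the replacement should still be a 403: `$actor->assertCan('foskym-oauth-center.use-oauth');` in place of the whole `if` block (Flarum's Gate falls back to hasPermission for a bare permission string, which raises PermissionDeniedException), or `throw new PermissionDeniedException();` with the matching `use` added where the first hunk removed the old one. The enclosing method starts before this hunk.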
|
||||
|
|
|
@ -9,7 +9,6 @@
|
|||
* file that was distributed with this source code.
|
||||
*/
|
||||
namespace FoskyM\OAuthCenter\Controllers;
|
||||
use Flarum\User\Exception\NotAuthenticatedException;
|
||||
use Flarum\User\User;
|
||||
use Flarum\Http\RequestUtil;
|
||||
use FoskyM\OAuthCenter\OAuth;
|
||||
|
@ -35,7 +34,7 @@ class AuthorizeController implements RequestHandlerInterface
|
|||
$actor->assertRegistered();
|
||||
|
||||
if (!$actor->hasPermission('foskym-oauth-center.use-oauth')) {
|
||||
throw new NotAuthenticatedException();
|
||||
return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
|
||||
}
|
||||
|
||||
$params = $request->getParsedBody();
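Review bot: The new `no_permission` JsonResponse in AuthorizeController is emitted with JsonResponse's default 200 status, so the OAuth client and anything monitoring the endpoint see a successful response for a denied authorization; pass an explicit status, e.g. `return new JsonResponse([...], 403);`, and consider the RFC 6749 value `access_denied` for the `error` field, since `no_permission` is not a registered error code. The same default-200 error response is introduced in the new UserCredentialsMiddleware and should be fixed there as well. This assumes JsonResponse is already imported in this file, as the hunk only removes the NotAuthenticatedException import; the enclosing method starts before the hunk.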
|
||||
|
|
33
src/Middlewares/UserCredentialsMiddleware.php
Normal file
33
src/Middlewares/UserCredentialsMiddleware.php
Normal file
|
@ -0,0 +1,33 @@
|
|||
<?php
|
||||
|
||||
namespace FoskyM\OAuthCenter\Middlewares;
|
||||
|
||||
use Flarum\User\User;
|
||||
use FoskyM\OAuthCenter\OAuth;
|
||||
use FoskyM\OAuthCenter\Storage;
|
||||
use Illuminate\Support\Arr;
|
||||
use Psr\Http\Message\ResponseInterface as Response;
|
||||
use Psr\Http\Message\ServerRequestInterface as Request;
|
||||
use Psr\Http\Server\MiddlewareInterface;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
use Laminas\Diactoros\Response\JsonResponse;
|
||||
use FoskyM\OAuthCenter\Models\Scope;
|
||||
class UserCredentialsMiddleware implements MiddlewareInterface
|
||||
{
|
||||
public function process(Request $request, RequestHandlerInterface $handler): Response
|
||||
{
|
||||
$uri = [
|
||||
'/oauth/token',
|
||||
];
|
||||
$path = $request->getUri()->getPath();
|
||||
if (in_array($path, $uri) && Arr::get($request->getParsedBody(), 'grant_type', '') === 'password') {
|
||||
if ($user = User::where('username', Arr::get($request->getParsedBody(), 'username', ''))->first()) {
|
||||
if (!$user->hasPermission('foskym-oauth-center.use-oauth')) {
|
||||
return new JsonResponse([ 'error' => 'no_permission', 'error_description' => 'Don\'t have the permissions of oauth' ]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $handler->handle($request);
|
||||
}
|
||||
}
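Review bot: The permission check in `process` runs before the password is ever verified, so an unauthenticated request with `grant_type=password` and a guessed username receives `no_permission` when that account exists but lacks the permission and the normal invalid-credentials error otherwise, which lets a caller confirm account existence and permission state without knowing a password. Do the check where the resource owner's credentials are actually verified (the storage's user-credentials callback; `Storage` is imported here but unused) so that a wrong password and a missing permission produce the same response, or at minimum only reject after the handler has accepted the credentials. The lookup also matches the `username` column only, so if the token endpoint accepts an e-mail address in that field the check is skipped for such requests; worth confirming against the storage implementation. Minor: `OAuth`, `Storage` and `Scope` are unused imports, `in_array($path, $uri)` should pass `true` as its third argument, `$request->getParsedBody()` is evaluated twice, and the error JsonResponse carries the default 200 status already noted on AuthorizeController.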
|