From 418ee02bb4f64317507a815d32c8020f1d1d6883 Mon Sep 17 00:00:00 2001 From: FoskyM Date: Mon, 2 Oct 2023 03:37:57 +0800 Subject: [PATCH] feat: unset csrf in oauth --- extend.php | 7 ++++- src/Controllers/AuthorizeController.php | 4 +-- src/Middlewares/ResourceScopeMiddleware.php | 12 +++++-- src/Middlewares/UnsetCsrfMiddleware.php | 35 +++++++++++++++++++++ 4 files changed, 51 insertions(+), 7 deletions(-) create mode 100644 src/Middlewares/UnsetCsrfMiddleware.php diff --git a/extend.php b/extend.php index 824626c..c3ec7d9 100644 --- a/extend.php +++ b/extend.php @@ -12,7 +12,9 @@ namespace FoskyM\OAuthCenter; use Flarum\Extend; +use Flarum\Http\Middleware\CheckCsrfToken; use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware; +use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware; return [ (new Extend\Frontend('forum')) @@ -26,7 +28,8 @@ return [ new Extend\Locales(__DIR__.'/locale'), (new Extend\Routes('forum')) - ->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class), + ->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class) + ->post('/oauth/token', 'oauth.token', Controllers\TokenController::class), (new Extend\Routes('api')) ->get('/oauth-clients', 'oauth.clients.list', Api\Controller\ListClientController::class) @@ -45,5 +48,7 @@ return [ ->serializeToForum('foskym-oauth-center.enforce_state', 'foskym-oauth-center.enforce_state', 'boolval') ->serializeToForum('foskym-oauth-center.require_exact_redirect_uri', 'foskym-oauth-center.require_exact_redirect_uri', 'boolval'), + (new Extend\Middleware('forum')) + ->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class), (new Extend\Middleware('api'))->add(ResourceScopeMiddleware::class), ]; diff --git a/src/Controllers/AuthorizeController.php b/src/Controllers/AuthorizeController.php index 96902af..b004f71 100644 --- a/src/Controllers/AuthorizeController.php +++ b/src/Controllers/AuthorizeController.php 
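Review bot: Registering UnsetCsrfMiddleware with `insertBefore(CheckCsrfToken::class, ...)` in the forum stack exempts whole request paths from CSRF checking, and if the path list in UnsetCsrfMiddleware (the last hunk of this patch) includes `/oauth/authorize`, the consent POST that AuthorizeController handles for the session-authenticated actor (`$actor->id` in the second file's hunk) becomes forgeable: a cross-site request carrying the user's cookie could approve an authorization the user never saw. Only `/oauth/token`, where the OAuth client rather than a browser session authenticates, is safe to exempt; the authorize POST should stay behind CheckCsrfToken or verify its own session-bound nonce before calling handleAuthorizeRequest. Document the intent next to the registration, e.g. `// CSRF bypass applies only to the token endpoint, which authenticates the OAuth client, never a browser session`. Whether `bypassCsrfToken` is honoured depends on Flarum's CheckCsrfToken reading that attribute, which this patch relies on but does not show.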
@@ -41,20 +41,18 @@ class AuthorizeController implements RequestHandlerInterface $response = $oauth->response(); if (!$server->validateAuthorizeRequest($request, $response)) { - $response->getResponseBody(); return new JsonResponse(json_decode($response->getResponseBody(), true)); } $is_authorized = Arr::get($params, 'is_authorized', 0); $server->handleAuthorizeRequest($request, $response, $is_authorized, $actor->id); if ($is_authorized) { - // this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40); return new JsonResponse([ 'code' => $code ]); } - $response->getResponseBody(); + return new JsonResponse(json_decode($response->getResponseBody(), true)); } } diff --git a/src/Middlewares/ResourceScopeMiddleware.php b/src/Middlewares/ResourceScopeMiddleware.php index 288acbd..620e1a5 100644 --- a/src/Middlewares/ResourceScopeMiddleware.php +++ b/src/Middlewares/ResourceScopeMiddleware.php @@ -4,10 +4,12 @@ namespace FoskyM\OAuthCenter\Middlewares; use Flarum\Foundation\ErrorHandling\ExceptionHandler\IlluminateValidationExceptionHandler; use Flarum\Foundation\ErrorHandling\JsonApiFormatter; +use Flarum\Settings\SettingsRepositoryInterface; use FoskyM\OAuthCenter\OAuth; use FoskyM\OAuthCenter\Storage; use Illuminate\Support\Arr; use Illuminate\Validation\ValidationException; +use Laminas\Diactoros\Response\JsonResponse; use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Server\MiddlewareInterface; 
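Review bot: The new `return new JsonResponse(json_decode($response->getResponseBody(), true));` at the end of the hunk emits the OAuth server's error body with JsonResponse's default 200 status, so a denied or malformed authorization reads as success to the client; the unchanged return after validateAuthorizeRequest fails has the same shape. Pass the server's status through, `return new JsonResponse(json_decode($response->getResponseBody(), true), $response->getStatusCode());`, and its `getHttpHeaders()` as the third argument if the Location or WWW-Authenticate headers should survive. ResourceScopeMiddleware's third hunk replaces `send('json'); die;` with the same pattern and so drops the 401 that send() presumably emitted; it needs the same status argument. On a denial the body may be empty (the server answers with a redirect), in which case json_decode yields null and the client receives a bare `null`; worth checking before encoding. The enclosing method starts before the hunk.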
@@ -20,6 +22,11 @@ use Tobscure\JsonApi\Exception\Handler\ResponseBag; use FoskyM\OAuthCenter\Models\Scope; class ResourceScopeMiddleware implements MiddlewareInterface { + protected $settings; + public function __construct(SettingsRepositoryInterface $settings) + { + $this->settings = $settings; + } public function process(Request $request, RequestHandlerInterface $handler): Response { $path = $request->getUri()->getPath(); @@ -27,12 +34,11 @@ class ResourceScopeMiddleware implements MiddlewareInterface if ($token !== '' && $scope = Scope::get_path_scope($path)) { if (strtolower($request->getMethod()) === strtolower($scope->method)) { try { - $oauth = new OAuth(); + $oauth = new OAuth($this->settings); $server = $oauth->server(); $request = $oauth->request(); if (!$server->verifyResourceRequest($request::createFromGlobals(), null, $scope->scope)) { - $server->getResponse()->send('json'); - die; + return new JsonResponse(json_decode($server->getResponse()->getResponseBody(), true)); } /*$error = new ResponseBag('422', [ [ diff --git a/src/Middlewares/UnsetCsrfMiddleware.php b/src/Middlewares/UnsetCsrfMiddleware.php new file mode 100644 index 0000000..f1a2d72 --- /dev/null +++ b/src/Middlewares/UnsetCsrfMiddleware.php @@ -0,0 +1,35 @@ +getUri()->getPath(); + if (in_array($path, $uri)) { + $request = $request->withAttribute('bypassCsrfToken', true); + } + + return $handler->handle($request); + } +}
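Review bot: The new `protected $settings;` in ResourceScopeMiddleware carries no type while the constructor parameter does; `protected SettingsRepositoryInterface $settings;` (or promoting the constructor parameter) keeps the two in step and lets static analysis check the `new OAuth($this->settings)` call in the next hunk. Per PSR-12 a blank line belongs between the property, the constructor and process(). The class body continues past the hunk.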
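Review bot: In UnsetCsrfMiddleware, `in_array($path, $uri)` compares with `==` and against the verbatim `getPath()`, so a listed route reached with a trailing slash, different case or under an installation sub-path will not match; that fails closed (CSRF stays on) but silently, and loose comparison is an easy source of surprises in a security gate. Use `in_array($path, $uri, true)` and add a class header comment stating that the middleware only sets the `bypassCsrfToken` attribute for the listed paths and that CheckCsrfToken is expected to honour it. The opening lines of the file (namespace, imports and the declaration of `$uri`) are not legible in this copy of the patch, so what the list contains cannot be checked here; each entry should be justified in a comment, since every path listed loses CSRF protection for all methods.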