feat: unset csrf in oauth

This commit is contained in:
FoskyM 2023-10-02 03:37:57 +08:00
parent cde2367103
commit 418ee02bb4
No known key found for this signature in database
GPG key ID: 42C0ED6994AD7E9C
4 changed files with 51 additions and 7 deletions


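--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -12,7 +12,9 @@
 namespace FoskyM\OAuthCenter;
 use Flarum\Extend;
+use Flarum\Http\Middleware\CheckCsrfToken;
 use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware;
+use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware;
 return [
 (new Extend\Frontend('forum'))
@@ -26,7 +28,8 @@ return [
 new Extend\Locales(__DIR__.'/locale'),
 (new Extend\Routes('forum'))
-->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class),
+->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class)
+->post('/oauth/token', 'oauth.token', Controllers\TokenController::class),
 (new Extend\Routes('api'))
 ->get('/oauth-clients', 'oauth.clients.list', Api\Controller\ListClientController::class)
@@ -45,5 +48,7 @@ return [
 ->serializeToForum('foskym-oauth-center.enforce_state', 'foskym-oauth-center.enforce_state', 'boolval')
 ->serializeToForum('foskym-oauth-center.require_exact_redirect_uri', 'foskym-oauth-center.require_exact_redirect_uri', 'boolval'),
+(new Extend\Middleware('forum'))
+->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class),
 (new Extend\Middleware('api'))->add(ResourceScopeMiddleware::class),
 ];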
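Review bot: The `insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class)` registration exempts a route in the session-cookie-authenticated 'forum' group from CSRF without recording why, and the new `/oauth/token` route is placed in that same group. The exemption is only sound if TokenController authenticates the caller by OAuth client credentials and never derives authority from the forum session cookie that the request still carries; TokenController is not part of this commit, so that should be confirmed. I would add above the middleware registration: `// /oauth/token is called by OAuth clients with client credentials, not by the browser session, so CheckCsrfToken does not apply to it; /oauth/authorize stays protected.`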


@ -41,20 +41,18 @@ class AuthorizeController implements RequestHandlerInterface
$response = $oauth->response(); $response = $oauth->response();
if (!$server->validateAuthorizeRequest($request, $response)) { if (!$server->validateAuthorizeRequest($request, $response)) {
$response->getResponseBody();
return new JsonResponse(json_decode($response->getResponseBody(), true)); return new JsonResponse(json_decode($response->getResponseBody(), true));
} }
$is_authorized = Arr::get($params, 'is_authorized', 0); $is_authorized = Arr::get($params, 'is_authorized', 0);
$server->handleAuthorizeRequest($request, $response, $is_authorized, $actor->id); $server->handleAuthorizeRequest($request, $response, $is_authorized, $actor->id);
if ($is_authorized) { if ($is_authorized) {
// this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40); $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40);
return new JsonResponse([ return new JsonResponse([
'code' => $code 'code' => $code
]); ]);
} }
$response->getResponseBody();
return new JsonResponse(json_decode($response->getResponseBody(), true)); return new JsonResponse(json_decode($response->getResponseBody(), true));
} }
} }
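Review bot: The code extraction `$code = substr($response->getHttpHeader('Location'), strpos(..., 'code=') + 5, 40);` assumes the Location header always contains `code=`; when `handleAuthorizeRequest` produces a redirect without one, `strpos` returns `false`, `false + 5` becomes offset 5, and 40 bytes of the redirect URI are returned to the client as the "code". The fixed 40-character slice also ties the controller to the authorization-code length. Parsing the query instead avoids both: `$location = $response->getHttpHeader('Location');`, `parse_str((string) parse_url($location, PHP_URL_QUERY), $query);`, `$code = $query['code'] ?? null;`, falling through to the error-body response when `$code` is null. The enclosing handler method begins before this hunk.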


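--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -4,10 +4,12 @@ namespace FoskyM\OAuthCenter\Middlewares;
 use Flarum\Foundation\ErrorHandling\ExceptionHandler\IlluminateValidationExceptionHandler;
 use Flarum\Foundation\ErrorHandling\JsonApiFormatter;
+use Flarum\Settings\SettingsRepositoryInterface;
 use FoskyM\OAuthCenter\OAuth;
 use FoskyM\OAuthCenter\Storage;
 use Illuminate\Support\Arr;
 use Illuminate\Validation\ValidationException;
+use Laminas\Diactoros\Response\JsonResponse;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\MiddlewareInterface;
@@ -20,6 +22,11 @@ use Tobscure\JsonApi\Exception\Handler\ResponseBag;
 use FoskyM\OAuthCenter\Models\Scope;
 class ResourceScopeMiddleware implements MiddlewareInterface
 {
+protected $settings;
+public function __construct(SettingsRepositoryInterface $settings)
+{
+$this->settings = $settings;
+}
 public function process(Request $request, RequestHandlerInterface $handler): Response
 {
 $path = $request->getUri()->getPath();
@@ -27,12 +34,11 @@ class ResourceScopeMiddleware implements MiddlewareInterface
 if ($token !== '' && $scope = Scope::get_path_scope($path)) {
 if (strtolower($request->getMethod()) === strtolower($scope->method)) {
 try {
-$oauth = new OAuth();
+$oauth = new OAuth($this->settings);
 $server = $oauth->server();
 $request = $oauth->request();
 if (!$server->verifyResourceRequest($request::createFromGlobals(), null, $scope->scope)) {
-$server->getResponse()->send('json');
-die;
+return new JsonResponse(json_decode($server->getResponse()->getResponseBody(), true));
 }
 /*$error = new ResponseBag('422', [
 [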
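Review bot: The new failure branch `return new JsonResponse(json_decode($server->getResponse()->getResponseBody(), true));` replaces `send('json'); die;` but drops the status code and headers the OAuth response carried, so a failed resource-scope verification is now delivered as HTTP 200 with an error body; clients keying on the status (and on any WWW-Authenticate header) will treat the denial as success. The same 200-default pattern is used in the AuthorizeController hunk. Capture the response once and forward its status: `$resp = $server->getResponse();` then `return new JsonResponse(json_decode($resp->getResponseBody(), true), $resp->getStatusCode(), $resp->getHttpHeaders());` — assuming the OAuth response object exposes getStatusCode()/getHttpHeaders() as its send() would need, which should be confirmed. The constructor change is otherwise straightforward; `process()` continues past the hunk.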


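--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,35 @@
+<?php
+namespace FoskyM\OAuthCenter\Middlewares;
+use Flarum\Foundation\ErrorHandling\ExceptionHandler\IlluminateValidationExceptionHandler;
+use Flarum\Foundation\ErrorHandling\JsonApiFormatter;
+use FoskyM\OAuthCenter\OAuth;
+use FoskyM\OAuthCenter\Storage;
+use Illuminate\Support\Arr;
+use Illuminate\Validation\ValidationException;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Flarum\Http\RequestUtil;
+use Flarum\Api\JsonApiResponse;
+use Tobscure\JsonApi\Document;
+use Tobscure\JsonApi\Exception\Handler\ResponseBag;
+use FoskyM\OAuthCenter\Models\Scope;
+class UnsetCsrfMiddleware implements MiddlewareInterface
+{
+public function process(Request $request, RequestHandlerInterface $handler): Response
+{
+$uri = [
+'/oauth/token',
+];
+$path = $request->getUri()->getPath();
+if (in_array($path, $uri)) {
+$request = $request->withAttribute('bypassCsrfToken', true);
+}
+return $handler->handle($request);
+}
+}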
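Review bot: The allowlist match `if (in_array($path, $uri))` compares the raw `getUri()->getPath()`; when the forum is served from a subdirectory that path presumably still carries the base-path prefix, so `/oauth/token` would not match and the exemption would silently never apply — confirm against how Flarum's route resolver normalises the path, or strip the base path the same way. Use a strict comparison, `if (in_array($path, $uri, true))`, so an unexpected path value cannot match by loose conversion. The imports from `IlluminateValidationExceptionHandler` through `Scope` (everything except the PSR Request/Response/Middleware/RequestHandler interfaces) are unused in this file and should be removed. A class docblock stating that `$uri` is the allowlist of endpoints authenticated by OAuth client credentials rather than by the browser session, and therefore outside the CSRF check's scope, would record the security decision for future additions to the list.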