feat: unset csrf in oauth
This commit is contained in:
FoskyM
parent
cde2367103
commit
418ee02bb4
4 changed files with 51 additions and 7 deletions
|
|
@ -12,7 +12,9 @@
|
|||
namespace FoskyM\OAuthCenter;
|
||||
|
||||
use Flarum\Extend;
|
||||
use Flarum\Http\Middleware\CheckCsrfToken;
|
||||
use FoskyM\OAuthCenter\Middlewares\ResourceScopeMiddleware;
|
||||
use FoskyM\OAuthCenter\Middlewares\UnsetCsrfMiddleware;
|
||||
|
||||
return [
|
||||
(new Extend\Frontend('forum'))
|
||||
|
|
@ -26,7 +28,8 @@ return [
|
|||
new Extend\Locales(__DIR__.'/locale'),
|
||||
|
||||
(new Extend\Routes('forum'))
|
||||
->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class),
|
||||
->post('/oauth/authorize', 'oauth.authorize.post', Controllers\AuthorizeController::class)
|
||||
->post('/oauth/token', 'oauth.token', Controllers\TokenController::class),
|
||||
|
||||
(new Extend\Routes('api'))
|
||||
->get('/oauth-clients', 'oauth.clients.list', Api\Controller\ListClientController::class)
|
||||
|
|
@ -45,5 +48,7 @@ return [
|
|||
->serializeToForum('foskym-oauth-center.enforce_state', 'foskym-oauth-center.enforce_state', 'boolval')
|
||||
->serializeToForum('foskym-oauth-center.require_exact_redirect_uri', 'foskym-oauth-center.require_exact_redirect_uri', 'boolval'),
|
||||
|
||||
(new Extend\Middleware('forum'))
|
||||
->insertBefore(CheckCsrfToken::class, UnsetCsrfMiddleware::class),
|
||||
(new Extend\Middleware('api'))->add(ResourceScopeMiddleware::class),
|
||||
];
|
||||
|
|
|
|||
|
|
@ -41,20 +41,18 @@ class AuthorizeController implements RequestHandlerInterface
|
|||
$response = $oauth->response();
|
||||
|
||||
if (!$server->validateAuthorizeRequest($request, $response)) {
|
||||
$response->getResponseBody();
|
||||
return new JsonResponse(json_decode($response->getResponseBody(), true));
|
||||
}
|
||||
|
||||
$is_authorized = Arr::get($params, 'is_authorized', 0);
|
||||
$server->handleAuthorizeRequest($request, $response, $is_authorized, $actor->id);
|
||||
if ($is_authorized) {
|
||||
// this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
|
||||
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40);
|
||||
return new JsonResponse([
|
||||
'code' => $code
|
||||
]);
|
||||
}
|
||||
$response->getResponseBody();
|
||||
|
||||
return new JsonResponse(json_decode($response->getResponseBody(), true));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,10 +4,12 @@ namespace FoskyM\OAuthCenter\Middlewares;
|
|||
|
||||
use Flarum\Foundation\ErrorHandling\ExceptionHandler\IlluminateValidationExceptionHandler;
|
||||
use Flarum\Foundation\ErrorHandling\JsonApiFormatter;
|
||||
use Flarum\Settings\SettingsRepositoryInterface;
|
||||
use FoskyM\OAuthCenter\OAuth;
|
||||
use FoskyM\OAuthCenter\Storage;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Laminas\Diactoros\Response\JsonResponse;
|
||||
use Psr\Http\Message\ResponseInterface as Response;
|
||||
use Psr\Http\Message\ServerRequestInterface as Request;
|
||||
use Psr\Http\Server\MiddlewareInterface;
|
||||
|
|
@ -20,6 +22,11 @@ use Tobscure\JsonApi\Exception\Handler\ResponseBag;
|
|||
use FoskyM\OAuthCenter\Models\Scope;
|
||||
class ResourceScopeMiddleware implements MiddlewareInterface
|
||||
{
|
||||
protected $settings;
|
||||
public function __construct(SettingsRepositoryInterface $settings)
|
||||
{
|
||||
$this->settings = $settings;
|
||||
}
|
||||
public function process(Request $request, RequestHandlerInterface $handler): Response
|
||||
{
|
||||
$path = $request->getUri()->getPath();
|
||||
|
|
@ -27,12 +34,11 @@ class ResourceScopeMiddleware implements MiddlewareInterface
|
|||
if ($token !== '' && $scope = Scope::get_path_scope($path)) {
|
||||
if (strtolower($request->getMethod()) === strtolower($scope->method)) {
|
||||
try {
|
||||
$oauth = new OAuth();
|
||||
$oauth = new OAuth($this->settings);
|
||||
$server = $oauth->server();
|
||||
$request = $oauth->request();
|
||||
if (!$server->verifyResourceRequest($request::createFromGlobals(), null, $scope->scope)) {
|
||||
$server->getResponse()->send('json');
|
||||
die;
|
||||
return new JsonResponse(json_decode($server->getResponse()->getResponseBody(), true));
|
||||
}
|
||||
/*$error = new ResponseBag('422', [
|
||||
[
|
||||
|
|
|
|||
35
src/Middlewares/UnsetCsrfMiddleware.php
Normal file
35
src/Middlewares/UnsetCsrfMiddleware.php
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
<?php
|
||||
|
||||
namespace FoskyM\OAuthCenter\Middlewares;
|
||||
|
||||
use Flarum\Foundation\ErrorHandling\ExceptionHandler\IlluminateValidationExceptionHandler;
|
||||
use Flarum\Foundation\ErrorHandling\JsonApiFormatter;
|
||||
use FoskyM\OAuthCenter\OAuth;
|
||||
use FoskyM\OAuthCenter\Storage;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Psr\Http\Message\ResponseInterface as Response;
|
||||
use Psr\Http\Message\ServerRequestInterface as Request;
|
||||
use Psr\Http\Server\MiddlewareInterface;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
use Flarum\Http\RequestUtil;
|
||||
use Flarum\Api\JsonApiResponse;
|
||||
use Tobscure\JsonApi\Document;
|
||||
use Tobscure\JsonApi\Exception\Handler\ResponseBag;
|
||||
|
||||
use FoskyM\OAuthCenter\Models\Scope;
|
||||
class UnsetCsrfMiddleware implements MiddlewareInterface
|
||||
{
|
||||
public function process(Request $request, RequestHandlerInterface $handler): Response
|
||||
{
|
||||
$uri = [
|
||||
'/oauth/token',
|
||||
];
|
||||
$path = $request->getUri()->getPath();
|
||||
if (in_array($path, $uri)) {
|
||||
$request = $request->withAttribute('bypassCsrfToken', true);
|
||||
}
|
||||
|
||||
return $handler->handle($request);
|
||||
}
|
||||
}
|
||||
Loading…
Reference in a new issue