vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php line 93

  1. <?php
  2. /**
  3.  * @author      Alex Bilbie <hello@alexbilbie.com>
  4.  * @copyright   Copyright (c) Alex Bilbie
  5.  * @license     http://mit-license.org/
  6.  *
  7.  * @link        https://github.com/thephpleague/oauth2-server
  8.  */
  10. namespace League\OAuth2\Server\AuthorizationValidators;
  12. use DateTimeZone;
  13. use Lcobucci\Clock\SystemClock;
  14. use Lcobucci\JWT\Configuration;
  15. use Lcobucci\JWT\Signer\Key\InMemory;
  16. use Lcobucci\JWT\Signer\Rsa\Sha256;
  17. use Lcobucci\JWT\Validation\Constraint\SignedWith;
  18. use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
  19. use Lcobucci\JWT\Validation\Constraint\ValidAt;
  20. use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
  21. use League\OAuth2\Server\CryptKey;
  22. use League\OAuth2\Server\CryptTrait;
  23. use League\OAuth2\Server\Exception\OAuthServerException;
  24. use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
  25. use Psr\Http\Message\ServerRequestInterface;
  27. class BearerTokenValidator implements AuthorizationValidatorInterface
  28. {
  29.     use CryptTrait;
  31.     /**
  32.      * @var AccessTokenRepositoryInterface
  33.      */
  34.     private $accessTokenRepository;
  36.     /**
  37.      * @var CryptKey
  38.      */
  39.     protected $publicKey;
  41.     /**
  42.      * @var Configuration
  43.      */
  44.     private $jwtConfiguration;
  46.     /**
  47.      * @param AccessTokenRepositoryInterface $accessTokenRepository
  48.      */
  49.     public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
  50.     {
  51.         $this->accessTokenRepository $accessTokenRepository;
  52.     }
  54.     /**
  55.      * Set the public key
  56.      *
  57.      * @param CryptKey $key
  58.      */
  59.     public function setPublicKey(CryptKey $key)
  60.     {
  61.         $this->publicKey $key;
  63.         $this->initJwtConfiguration();
  64.     }
  66.     /**
  67.      * Initialise the JWT configuration.
  68.      */
  69.     private function initJwtConfiguration()
  70.     {
  71.         $this->jwtConfiguration Configuration::forSymmetricSigner(
  72.             new Sha256(),
  73.             InMemory::plainText('empty''empty')
  74.         );
  76.         $this->jwtConfiguration->setValidationConstraints(
  77.             \class_exists(LooseValidAt::class)
  78.                 ? new LooseValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
  79.                 : new ValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get()))),
  80.             new SignedWith(
  81.                 new Sha256(),
  82.                 InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
  83.             )
  84.         );
  85.     }
  87.     /**
  88.      * {@inheritdoc}
  89.      */
  90.     public function validateAuthorization(ServerRequestInterface $request)
  91.     {
  92.         if ($request->hasHeader('authorization') === false) {
  93.             throw OAuthServerException::accessDenied('Missing "Authorization" header');
  94.         }
  96.         $header $request->getHeader('authorization');
  97.         $jwt \trim((string) \preg_replace('/^\s*Bearer\s/'''$header[0]));
  99.         try {
  100.             // Attempt to parse the JWT
  101.             $token $this->jwtConfiguration->parser()->parse($jwt);
  102.         } catch (\Lcobucci\JWT\Exception $exception) {
  103.             throw OAuthServerException::accessDenied($exception->getMessage(), null$exception);
  104.         }
  106.         try {
  107.             // Attempt to validate the JWT
  108.             $constraints $this->jwtConfiguration->validationConstraints();
  109.             $this->jwtConfiguration->validator()->assert($token, ...$constraints);
  110.         } catch (RequiredConstraintsViolated $exception) {
  111.             throw OAuthServerException::accessDenied('Access token could not be verified');
  112.         }
  114.         $claims $token->claims();
  116.         // Check if token has been revoked
  117.         if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
  118.             throw OAuthServerException::accessDenied('Access token has been revoked');
  119.         }
  121.         // Return the request with additional attributes
  122.         return $request
  123.             ->withAttribute('oauth_access_token_id'$claims->get('jti'))
  124.             ->withAttribute('oauth_client_id'$this->convertSingleRecordAudToString($claims->get('aud')))
  125.             ->withAttribute('oauth_user_id'$claims->get('sub'))
  126.             ->withAttribute('oauth_scopes'$claims->get('scopes'));
  127.     }
  129.     /**
  130.      * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt
  131.      *
  132.      * @param mixed $aud
  133.      *
  134.      * @return array|string
  135.      */
  136.     private function convertSingleRecordAudToString($aud)
  137.     {
  138.         return \is_array($aud) && \count($aud) === $aud[0] : $aud;
  139.     }
  140. }