[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  final class PhabricatorOAuthServerTokenController
   4    extends PhabricatorAuthController {
   5  
   6    public function shouldRequireLogin() {
   7      return false;
   8    }
   9  
  10    public function shouldAllowRestrictedParameter($parameter_name) {
  11      if ($parameter_name == 'code') {
  12        return true;
  13      }
  14      return parent::shouldAllowRestrictedParameter($parameter_name);
  15    }
  16  
  17    public function processRequest() {
  18      $request       = $this->getRequest();
  19      $grant_type    = $request->getStr('grant_type');
  20      $code          = $request->getStr('code');
  21      $redirect_uri  = $request->getStr('redirect_uri');
  22      $client_phid   = $request->getStr('client_id');
  23      $client_secret = $request->getStr('client_secret');
  24      $response      = new PhabricatorOAuthResponse();
  25      $server        = new PhabricatorOAuthServer();
  26      if ($grant_type != 'authorization_code') {
  27        $response->setError('unsupported_grant_type');
  28        $response->setErrorDescription(
  29          'Only grant_type authorization_code is supported.');
  30        return $response;
  31      }
  32      if (!$code) {
  33        $response->setError('invalid_request');
  34        $response->setErrorDescription(
  35          'Required parameter code missing.');
  36        return $response;
  37      }
  38      if (!$client_phid) {
  39        $response->setError('invalid_request');
  40        $response->setErrorDescription(
  41          'Required parameter client_id missing.');
  42        return $response;
  43      }
  44      if (!$client_secret) {
  45        $response->setError('invalid_request');
  46        $response->setErrorDescription(
  47          'Required parameter client_secret missing.');
  48        return $response;
  49      }
  50      // one giant try / catch around all the exciting database stuff so we
  51      // can return a 'server_error' response if something goes wrong!
  52      try {
  53        $auth_code = id(new PhabricatorOAuthServerAuthorizationCode())
  54          ->loadOneWhere('code = %s',
  55                         $code);
  56        if (!$auth_code) {
  57          $response->setError('invalid_grant');
  58          $response->setErrorDescription(
  59            'Authorization code '.$code.' not found.');
  60          return $response;
  61        }
  62  
  63        // if we have an auth code redirect URI, there must be a redirect_uri
  64        // in the request and it must match the auth code redirect uri *exactly*
  65        $auth_code_redirect_uri = $auth_code->getRedirectURI();
  66        if ($auth_code_redirect_uri) {
  67          $auth_code_redirect_uri = new PhutilURI($auth_code_redirect_uri);
  68          $redirect_uri           = new PhutilURI($redirect_uri);
  69          if (!$redirect_uri->getDomain() ||
  70               $redirect_uri != $auth_code_redirect_uri) {
  71            $response->setError('invalid_grant');
  72            $response->setErrorDescription(
  73              'Redirect uri in request must exactly match redirect uri '.
  74              'from authorization code.');
  75            return $response;
  76          }
  77        } else if ($redirect_uri) {
  78          $response->setError('invalid_grant');
  79          $response->setErrorDescription(
  80            'Redirect uri in request and no redirect uri in authorization '.
  81            'code. The two must exactly match.');
  82          return $response;
  83        }
  84  
  85        $client = id(new PhabricatorOAuthServerClient())
  86          ->loadOneWhere('phid = %s',
  87                         $client_phid);
  88        if (!$client) {
  89          $response->setError('invalid_client');
  90          $response->setErrorDescription(
  91            'Client with client_id '.$client_phid.' not found.');
  92          return $response;
  93        }
  94        $server->setClient($client);
  95  
  96        $user_phid = $auth_code->getUserPHID();
  97        $user = id(new PhabricatorUser())
  98          ->loadOneWhere('phid = %s', $user_phid);
  99        if (!$user) {
 100          $response->setError('invalid_grant');
 101          $response->setErrorDescription(
 102            'User with phid '.$user_phid.' not found.');
 103          return $response;
 104        }
 105        $server->setUser($user);
 106  
 107        $test_code = new PhabricatorOAuthServerAuthorizationCode();
 108        $test_code->setClientSecret($client_secret);
 109        $test_code->setClientPHID($client_phid);
 110        $is_good_code = $server->validateAuthorizationCode($auth_code,
 111                                                           $test_code);
 112        if (!$is_good_code) {
 113          $response->setError('invalid_grant');
 114          $response->setErrorDescription(
 115            'Invalid authorization code '.$code.'.');
 116          return $response;
 117        }
 118  
 119        $unguarded    = AphrontWriteGuard::beginScopedUnguardedWrites();
 120        $access_token = $server->generateAccessToken();
 121        $auth_code->delete();
 122        unset($unguarded);
 123        $result = array(
 124          'access_token' => $access_token->getToken(),
 125          'token_type'   => 'Bearer',
 126          'expires_in'   => PhabricatorOAuthServer::ACCESS_TOKEN_TIMEOUT,
 127        );
 128        return $response->setContent($result);
 129      } catch (Exception $e) {
 130        $response->setError('server_error');
 131        $response->setErrorDescription(
 132          'The authorization server encountered an unexpected condition '.
 133          'which prevented it from fulfilling the request.');
 134        return $response;
 135      }
 136    }
 137  
 138  }