Refactor micropub token verification

2025-04-12 11:47:30 +01:00 · 2025-04-12 11:47:30 +01:00 · 23c275945a
commit 23c275945a
parent 70f90dd456
5 changed files with 101 additions and 136 deletions
--- a/app/Http/Middleware/VerifyMicropubToken.php
+++ b/app/Http/Middleware/VerifyMicropubToken.php
@ -4,31 +4,78 @@ declare(strict_types=1);

 namespace App\Http\Middleware;

+use App\Http\Responses\MicropubResponses;
 use Closure;
 use Illuminate\Http\Request;
+use Lcobucci\JWT\Encoding\CannotDecodeContent;
+use Lcobucci\JWT\Token;
+use Lcobucci\JWT\Token\InvalidTokenStructure;
+use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use Symfony\Component\HttpFoundation\Response;
+use Lcobucci\JWT\Configuration;

 class VerifyMicropubToken
 {
    /**
     * Handle an incoming request.
+     *
+     * @param Closure(Request): (Response) $next
     */
    public function handle(Request $request, Closure $next): Response
    {
+        $rawToken = null;
+
        if ($request->input('access_token')) {
-            return $next($request);
+            $rawToken = $request->input('access_token');
+        } elseif ($request->bearerToken()) {
+            $rawToken = $request->bearerToken();
        }

-        if ($request->bearerToken()) {
-            return $next($request->merge([
-                'access_token' => $request->bearerToken(),
-            ]));
+        if (! $rawToken) {
+            return response()->json([
+                'response' => 'error',
+                'error' => 'unauthorized',
+                'error_description' => 'No access token was provided in the request',
+            ], 401);
        }

-        return response()->json([
-            'response' => 'error',
-            'error' => 'unauthorized',
-            'error_description' => 'No access token was provided in the request',
-        ], 401);
+        try {
+            $tokenData = $this->validateToken($rawToken);
+        } catch (RequiredConstraintsViolated|InvalidTokenStructure|CannotDecodeContent) {
+            $micropubResponses = new MicropubResponses;
+
+            return $micropubResponses->invalidTokenResponse();
+        }
+
+        if ($tokenData->claims()->has('scope') === false) {
+            $micropubResponses = new MicropubResponses;
+
+            return $micropubResponses->tokenHasNoScopeResponse();
+        }
+
+        return $next($request->merge([
+            'access_token' => $rawToken,
+            'token_data' => [
+                'me' => $tokenData->claims()->get('me'),
+                'scope' => $tokenData->claims()->get('scope'),
+                'client_id' => $tokenData->claims()->get('client_id'),
+            ],
+        ]));
+    }
+
+    /**
+     * Check the token signature is valid.
+     */
+    private function validateToken(string $bearerToken): Token
+    {
+        $config = resolve(Configuration::class);
+
+        $token = $config->parser()->parse($bearerToken);
+
+        $constraints = $config->validationConstraints();
+
+        $config->validator()->assert($token, ...$constraints);
+
+        return $token;
    }
 }