IndieAuth endpoint can now return access tokens
This commit is contained in:
parent
5b2bfd5270
commit
7f70f75d05
SSH key fingerprint:
SHA256:CTuSlns5U7qlD9jqHvtnVmfYV3Zwl2Z7WnJ4/dqOaL8
6 changed files with 683 additions and 244 deletions
|
|
@ -4,10 +4,12 @@ declare(strict_types=1);
|
|||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Services\TokenService;
|
||||
use Exception;
|
||||
use GuzzleHttp\Client;
|
||||
use GuzzleHttp\Psr7\Uri;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
|
|
@ -17,6 +19,18 @@ use SodiumException;
|
|||
|
||||
class IndieAuthController extends Controller
|
||||
{
|
||||
public function indieAuthMetadataEndpoint(): JsonResponse
|
||||
{
|
||||
return response()->json([
|
||||
'issuer' => config('app.url'),
|
||||
'authorization_endpoint' => route('indieauth.start'),
|
||||
'token_endpoint' => route('indieauth.token'),
|
||||
'code_challenge_methods_supported' => ['S256'],
|
||||
//'introspection_endpoint' => route('indieauth.introspection'),
|
||||
//'introspection_endpoint_auth_methods_supported' => ['none'],
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process a GET request to the IndieAuth endpoint.
|
||||
*
|
||||
|
|
@ -78,7 +92,7 @@ class IndieAuthController extends Controller
|
|||
*
|
||||
* @throws RandomException
|
||||
*/
|
||||
public function confirm(Request $request): JsonResponse
|
||||
public function confirm(Request $request): RedirectResponse
|
||||
{
|
||||
$authCode = bin2hex(random_bytes(16));
|
||||
|
||||
|
|
@ -88,7 +102,9 @@ class IndieAuthController extends Controller
|
|||
'code_challenge' => $request->get('code_challenge'),
|
||||
'code_challenge_method' => $request->get('code_challenge_method'),
|
||||
'client_id' => $request->get('client_id'),
|
||||
'redirect_uri' => $request->get('redirect_uri'),
|
||||
'auth_code' => $authCode,
|
||||
'scopes' => $request->get('scopes', ''),
|
||||
];
|
||||
|
||||
Cache::put($cacheKey, $indieAuthRequestData, now()->addMinutes(10));
|
||||
|
|
@ -96,62 +112,33 @@ class IndieAuthController extends Controller
|
|||
$redirectUri = new Uri($request->get('redirect_uri'));
|
||||
$redirectUri = Uri::withQueryValues($redirectUri, [
|
||||
'code' => $authCode,
|
||||
'me' => $request->get('me'),
|
||||
'state' => $request->get('state'),
|
||||
'iss' => config('app.url'),
|
||||
]);
|
||||
|
||||
// For now just dump URL scheme
|
||||
return response()->json([
|
||||
'redirect_uri' => $redirectUri,
|
||||
]);
|
||||
// return response()->json([
|
||||
// 'redirect_uri' => $redirectUri,
|
||||
// ]);
|
||||
|
||||
return redirect()->away($redirectUri);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process a POST request to the IndieAuth endpoint.
|
||||
* Process a POST request to the IndieAuth auth endpoint.
|
||||
*
|
||||
* This is one possible second step in the IndieAuth flow, where the client app sends the auth code to the IndieAuth
|
||||
* endpoint. As it is to the auth endpoint we return profile information. A similar request can be made to the token
|
||||
* endpoint to get an access token.
|
||||
*
|
||||
* This is the second step in the IndieAuth flow, where the client app sends the auth code to the IndieAuth endpoint.
|
||||
* @throws SodiumException
|
||||
*/
|
||||
public function processCodeExchange(Request $request): JsonResponse
|
||||
{
|
||||
// First check all the data is present
|
||||
$validator = Validator::make($request->all(), [
|
||||
'grant_type' => 'required:string',
|
||||
'code' => 'required:string',
|
||||
'client_id' => 'required',
|
||||
'redirect_uri' => 'required',
|
||||
'code_verifier' => 'required',
|
||||
]);
|
||||
$invalidCodeResponse = $this->validateAuthorizationCode($request);
|
||||
|
||||
if ($validator->fails()) {
|
||||
return response()->json($validator->errors(), 400);
|
||||
}
|
||||
|
||||
if ($request->get('grant_type') !== 'authorization_code') {
|
||||
return response()->json(['error' => 'only a grant_type of "authorization_code" is supported'], 400);
|
||||
}
|
||||
|
||||
// Check cache for auth code
|
||||
$cacheKey = hash('xxh3', $request->get('client_id'));
|
||||
$indieAuthRequestData = Cache::pull($cacheKey);
|
||||
|
||||
if ($indieAuthRequestData === null) {
|
||||
return response()->json(['error' => 'code is invalid'], 404);
|
||||
}
|
||||
|
||||
if ($indieAuthRequestData['auth_code'] !== $request->get('code')) {
|
||||
return response()->json(['error' => 'code is invalid'], 400);
|
||||
}
|
||||
|
||||
// Check code verifier
|
||||
if (! hash_equals(
|
||||
$indieAuthRequestData['code_challenge'],
|
||||
sodium_bin2base64(
|
||||
hash('sha256', $request->get('code_verifier'), true),
|
||||
SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING
|
||||
)
|
||||
)) {
|
||||
return response()->json(['error' => 'code_verifier is invalid'], 400);
|
||||
if ($invalidCodeResponse instanceof JsonResponse) {
|
||||
return $invalidCodeResponse;
|
||||
}
|
||||
|
||||
return response()->json([
|
||||
|
|
@ -159,6 +146,46 @@ class IndieAuthController extends Controller
|
|||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process a POST request to the IndieAuth token endpoint.
|
||||
*
|
||||
* This is another possible second step in the IndieAuth flow, where the client app sends the auth code to the
|
||||
* IndieAuth token endpoint. As it is to the token endpoint we return an access token.
|
||||
*
|
||||
* @throws SodiumException
|
||||
*/
|
||||
public function processTokenRequest(Request $request): JsonResponse
|
||||
{
|
||||
$indieAuthData = $this->validateAuthorizationCode($request);
|
||||
|
||||
if ($indieAuthData instanceof JsonResponse) {
|
||||
return $indieAuthData;
|
||||
}
|
||||
|
||||
if ($indieAuthData['scopes'] === '') {
|
||||
return response()->json(['errors' => [
|
||||
'scope' => [
|
||||
'The scope property must be non-empty for an access token to be issued.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
$tokenData = [
|
||||
'me' => config('app.url'),
|
||||
'client_id' => $request->get('client_id'),
|
||||
'scope' => $indieAuthData['scopes'],
|
||||
];
|
||||
$tokenService = resolve(TokenService::class);
|
||||
$token = $tokenService->getNewToken($tokenData);
|
||||
|
||||
return response()->json([
|
||||
'access_token' => $token,
|
||||
'token_type' => 'Bearer',
|
||||
'scope' => $indieAuthData['scopes'],
|
||||
'me' => config('app.url'),
|
||||
]);
|
||||
}
|
||||
|
||||
protected function isValidRedirectUri(string $clientId, string $redirectUri): bool
|
||||
{
|
||||
// If client_id is not a valid URL, then it's not valid
|
||||
|
|
@ -197,6 +224,114 @@ class IndieAuthController extends Controller
|
|||
|
||||
$redirectUris = $clientInfoParsed['rels']['redirect_uri'] ?? [];
|
||||
|
||||
return in_array($redirectUri, $redirectUris);
|
||||
return in_array($redirectUri, $redirectUris, true);
|
||||
}
|
||||
|
||||
protected function validateAuthorizationCode(Request $request): JsonResponse|array
|
||||
{
|
||||
// First check all the data is present
|
||||
$validator = Validator::make($request->all(), [
|
||||
'grant_type' => 'required:string',
|
||||
'code' => 'required:string',
|
||||
'client_id' => 'required',
|
||||
'redirect_uri' => 'required',
|
||||
'code_verifier' => 'required',
|
||||
]);
|
||||
|
||||
if ($validator->fails()) {
|
||||
return response()->json(['errors' => $validator->errors()], 400);
|
||||
}
|
||||
|
||||
if ($request->get('grant_type') !== 'authorization_code') {
|
||||
return response()->json(['errors' => [
|
||||
'grant_type' => [
|
||||
'Only a grant type of "authorization_code" is supported.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
// Check cache for auth code
|
||||
$cacheKey = hash('xxh3', $request->get('client_id'));
|
||||
$indieAuthRequestData = Cache::pull($cacheKey);
|
||||
|
||||
if ($indieAuthRequestData === null) {
|
||||
return response()->json(['errors' => [
|
||||
'code' => [
|
||||
'The code is invalid.',
|
||||
],
|
||||
]], 404);
|
||||
}
|
||||
|
||||
// Check the IndieAuth code
|
||||
if (! array_key_exists('auth_code', $indieAuthRequestData)) {
|
||||
return response()->json(['errors' => [
|
||||
'code' => [
|
||||
'The code is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
if ($indieAuthRequestData['auth_code'] !== $request->get('code')) {
|
||||
return response()->json(['errors' => [
|
||||
'code' => [
|
||||
'The code is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
// Check code verifier
|
||||
if (! array_key_exists('code_challenge', $indieAuthRequestData)) {
|
||||
return response()->json(['errors' => [
|
||||
'code_verifier' => [
|
||||
'The code verifier is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
if (! hash_equals(
|
||||
$indieAuthRequestData['code_challenge'],
|
||||
sodium_bin2base64(
|
||||
hash('sha256', $request->get('code_verifier'), true),
|
||||
SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING
|
||||
)
|
||||
)) {
|
||||
return response()->json(['errors' => [
|
||||
'code_verifier' => [
|
||||
'The code verifier is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
// Check redirect_uri
|
||||
if (! array_key_exists('redirect_uri', $indieAuthRequestData)) {
|
||||
return response()->json(['errors' => [
|
||||
'redirect_uri' => [
|
||||
'The redirect uri is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
if ($indieAuthRequestData['redirect_uri'] !== $request->get('redirect_uri')) {
|
||||
return response()->json(['errors' => [
|
||||
'redirect_uri' => [
|
||||
'The redirect uri is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
// Check client_id
|
||||
if (! array_key_exists('client_id', $indieAuthRequestData)) {
|
||||
return response()->json(['errors' => [
|
||||
'client_id' => [
|
||||
'The client id is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
if ($indieAuthRequestData['client_id'] !== $request->get('client_id')) {
|
||||
return response()->json(['errors' => [
|
||||
'client_id' => [
|
||||
'The client id is invalid.',
|
||||
],
|
||||
]], 400);
|
||||
}
|
||||
|
||||
return $indieAuthRequestData;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,109 +0,0 @@
|
|||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Services\TokenService;
|
||||
use GuzzleHttp\Client as GuzzleClient;
|
||||
use GuzzleHttp\Exception\BadResponseException;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use IndieAuth\Client;
|
||||
use JsonException;
|
||||
|
||||
/**
|
||||
* @psalm-suppress UnusedClass
|
||||
*/
|
||||
class TokenEndpointController extends Controller
|
||||
{
|
||||
/**
|
||||
* @var Client The IndieAuth Client.
|
||||
*/
|
||||
protected Client $client;
|
||||
|
||||
/**
|
||||
* @var GuzzleClient The GuzzleHttp client.
|
||||
*/
|
||||
protected GuzzleClient $guzzle;
|
||||
|
||||
protected TokenService $tokenService;
|
||||
|
||||
/**
|
||||
* Inject the dependencies.
|
||||
*/
|
||||
public function __construct(
|
||||
Client $client,
|
||||
GuzzleClient $guzzle,
|
||||
TokenService $tokenService
|
||||
) {
|
||||
$this->client = $client;
|
||||
$this->guzzle = $guzzle;
|
||||
$this->tokenService = $tokenService;
|
||||
}
|
||||
|
||||
/**
|
||||
* If the user has auth’d via the IndieAuth protocol, issue a valid token.
|
||||
*/
|
||||
public function create(Request $request): JsonResponse
|
||||
{
|
||||
$auth = $this->verifyIndieAuthCode(
|
||||
config('url.authorization_endpoint'),
|
||||
$request->input('code'),
|
||||
$request->input('redirect_uri'),
|
||||
$request->input('client_id'),
|
||||
);
|
||||
|
||||
if ($auth === null || ! array_key_exists('me', $auth)) {
|
||||
return response()->json([
|
||||
'error' => 'There was an error verifying the IndieAuth code',
|
||||
], 401);
|
||||
}
|
||||
|
||||
$scope = $auth['scope'] ?? '';
|
||||
$tokenData = [
|
||||
'me' => config('app.url'),
|
||||
'client_id' => $request->input('client_id'),
|
||||
'scope' => $scope,
|
||||
];
|
||||
$token = $this->tokenService->getNewToken($tokenData);
|
||||
$content = [
|
||||
'me' => config('app.url'),
|
||||
'scope' => $scope,
|
||||
'access_token' => $token,
|
||||
];
|
||||
|
||||
return response()->json($content);
|
||||
}
|
||||
|
||||
protected function verifyIndieAuthCode(
|
||||
string $authorizationEndpoint,
|
||||
string $code,
|
||||
string $redirectUri,
|
||||
string $clientId
|
||||
): ?array {
|
||||
try {
|
||||
$response = $this->guzzle->request('POST', $authorizationEndpoint, [
|
||||
'headers' => [
|
||||
'Accept' => 'application/json',
|
||||
],
|
||||
'form_params' => [
|
||||
'code' => $code,
|
||||
'me' => config('app.url'),
|
||||
'redirect_uri' => $redirectUri,
|
||||
'client_id' => $clientId,
|
||||
],
|
||||
]);
|
||||
} catch (BadResponseException) {
|
||||
return null;
|
||||
}
|
||||
|
||||
try {
|
||||
$authData = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
|
||||
} catch (JsonException) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $authData;
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue