Improve scope checking

Whether the scopes are defined as a space-separated string or as an array,
we should now be checking them without any errors.
Jonny Barnes 2024-07-13 14:52:57 +01:00
parent 55afa8f01d
commit baee7ade4f
Signed by: jonny
SSH key fingerprint: SHA256:CTuSlns5U7qlD9jqHvtnVmfYV3Zwl2Z7WnJ4/dqOaL8
3 changed files with 29 additions and 7 deletions


@ -13,6 +13,7 @@ use App\Services\Micropub\UpdateService;
use App\Services\TokenService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use illuminate\Support\Arr;
use Lcobucci\JWT\Encoding\CannotDecodeContent;
use Lcobucci\JWT\Token\InvalidTokenStructure;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
@ -67,7 +68,12 @@ class MicropubController extends Controller
$this->logMicropubRequest($request->all());
if (($request->input('h') === 'entry') || ($request->input('type.0') === 'h-entry')) {
if (stripos($tokenData->claims()->get('scope'), 'create') === false) {
$scopes = $tokenData->claims()->get('scope');
if (is_string($scopes)) {
$scopes = explode(' ', $scopes);
}
if (!in_array('create', $scopes)) {
$micropubResponses = new MicropubResponses();
return $micropubResponses->insufficientScopeResponse();
@ -81,7 +87,11 @@ class MicropubController extends Controller
}
if ($request->input('h') === 'card' || $request->input('type.0') === 'h-card') {
if (stripos($tokenData->claims()->get('scope'), 'create') === false) {
$scopes = $tokenData->claims()->get('scope');
if (is_string($scopes)) {
$scopes = explode(' ', $scopes);
}
if (!in_array('create', $scopes)) {
$micropubResponses = new MicropubResponses();
return $micropubResponses->insufficientScopeResponse();
@ -95,7 +105,11 @@ class MicropubController extends Controller
}
if ($request->input('action') === 'update') {
if (stripos($tokenData->claims()->get('scope'), 'update') === false) {
$scopes = $tokenData->claims()->get('scope');
if (is_string($scopes)) {
$scopes = explode(' ', $scopes);
}
if (!in_array('update', $scopes)) {
$micropubResponses = new MicropubResponses();
return $micropubResponses->insufficientScopeResponse();
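Review bot: The normalise-then-`in_array` block added before `if (!in_array('create', $scopes))` is repeated verbatim at the `@ -81` and `@ -95` hunks of this file and twice more in MicropubMediaController, and every copy calls `in_array` without `strict: true`, so a non-string element in a token's scope array is compared loosely. A single private helper (on the controller, or on TokenService so both controllers share it) would give one place to fix this, called as `if (! $this->tokenHasScope($tokenData->claims()->get('scope'), 'create')) {` in each branch. The `use illuminate\Support\Arr;` line added in the first hunk has a lowercase vendor namespace and `Arr` is not referenced in any visible hunk; if it is unused elsewhere in the file it should be dropped, otherwise spelled `Illuminate\Support\Arr`. The enclosing methods start and end outside these hunks.

```php
/**
 * Whether the token's `scope` claim grants $scope.
 *
 * The claim is accepted either as a space-separated string or as a list of
 * strings; any other shape is treated as granting nothing.
 */
private function tokenHasScope(mixed $scopes, string $scope): bool
{
    if (is_string($scopes)) {
        $scopes = explode(' ', $scopes);
    }

    return is_array($scopes) && in_array($scope, $scopes, true);
}
```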


@ -51,7 +51,11 @@ class MicropubMediaController extends Controller
return $micropubResponses->tokenHasNoScopeResponse();
}
if (Str::contains($tokenData->claims()->get('scope'), 'create') === false) {
$scopes = $tokenData->claims()->get('scope');
if (is_string($scopes)) {
$scopes = explode(' ', $scopes);
}
if (!in_array('create', $scopes)) {
$micropubResponses = new MicropubResponses();
return $micropubResponses->insufficientScopeResponse();
@ -119,7 +123,11 @@ class MicropubMediaController extends Controller
return $micropubResponses->tokenHasNoScopeResponse();
}
if (Str::contains($tokenData->claims()->get('scope'), 'create') === false) {
$scopes = $tokenData->claims()->get('scope');
if (is_string($scopes)) {
$scopes = explode(' ', $scopes);
}
if (!in_array('create', $scopes)) {
$micropubResponses = new MicropubResponses();
return $micropubResponses->insufficientScopeResponse();
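Review bot: The `is_string` branch after `$scopes = $tokenData->claims()->get('scope');` only normalises a string claim; if the claim is present but is neither a string nor an array, the following `in_array('create', $scopes)` raises a TypeError on PHP 8 instead of taking the insufficient-scope path, and the same applies to the `@ -119` hunk. Adding `if (! is_array($scopes)) { return (new MicropubResponses())->insufficientScopeResponse(); }` before the `in_array`, and passing `strict: true` to it, keeps a malformed token on the rejection path rather than a 500. With both `Str::contains` calls removed, the file's `use Illuminate\Support\Str;` import is presumably now unused unless `Str` appears elsewhere in the file; worth checking before merge. The enclosing methods start and end outside these hunks.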


@ -14,8 +14,8 @@ trait TestToken
return $config->builder()
->issuedAt(new DateTimeImmutable())
->withClaim('client_id', 'https://quill.p3k.io')
->withClaim('me', 'https://jonnybarnes.localhost')
->withClaim('scope', 'create update')
->withClaim('me', 'http://jonnybarnes.localhost')
->withClaim('scope', ['create', 'update'])
->getToken($config->signer(), $config->signingKey())
->toString();
}
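Review bot: The fixture now only issues a token whose `scope` claim is an array, so the space-separated string form that the commit description says is still accepted has no test coverage; a parameter on this builder such as `bool $arrayScope = true` choosing between `->withClaim('scope', ['create', 'update'])` and `->withClaim('scope', 'create update')` would let the tests exercise both branches. The change of the `me` claim from `https://jonnybarnes.localhost` to `http://jonnybarnes.localhost` is unrelated to scope checking and is not mentioned in the description; if it is intentional it deserves a line there. The method's signature starts outside the hunk.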