Skip to content

Commit

Permalink
Merge branch 'release/2.0.4'
Browse files Browse the repository at this point in the history
  • Loading branch information
alexbilbie committed May 9, 2013
2 parents ffc286c + 08a7055 commit 1375f91
Show file tree
Hide file tree
Showing 8 changed files with 43 additions and 99 deletions.
18 changes: 17 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,22 @@
# Changelog

## 2.0.0 (released 2013-05-06)
## 2.0.4 (released 2013-05-09)

* Renamed primary key in oauth_client_endpoints table
* Adding missing column to oauth_session_authcodes
* SECURITY FIX: A refresh token should be bound to a client ID

## 2.0.3 (released 2013-05-08)

* Fixed a link to code in composer.json

## 2.0.2 (released 2013-05-08)

* Updated README with wiki guides
* Removed `null` as default parameters in some methods in the storage interfaces
* Fixed license copyright

## 2.0.0 (released 2013-05-08)

**If you're upgrading from v1.0.8 there are lots of breaking changes**

Expand Down
2 changes: 1 addition & 1 deletion composer.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "league/oauth2-server",
"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
"version": "2.0.3",
"version": "2.0.4",
"homepage": "https://github.com/php-loep/oauth2-server",
"license": "MIT",
"require": {
Expand Down
14 changes: 9 additions & 5 deletions sql/mysql.sql
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@ CREATE TABLE `oauth_clients` (
) ENGINE=INNODB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_client_endpoints` (
`endpoint_id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`client_id` CHAR(40) NOT NULL,
`redirect_uri` VARCHAR(255) NOT NULL,
PRIMARY KEY (`endpoint_id`),
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`client_id` char(40) NOT NULL,
`redirect_uri` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `i_oaclen_clid` (`client_id`),
CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=INNODB DEFAULT CHARSET=utf8;
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_sessions` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
Expand All @@ -41,6 +41,7 @@ CREATE TABLE `oauth_session_authcodes` (
`session_id` int(10) unsigned NOT NULL,
`auth_code` char(40) NOT NULL DEFAULT '',
`auth_code_expires` int(10) unsigned NOT NULL,
`scope_ids` char(255) DEFAULT NULL,
PRIMARY KEY (`session_id`),
CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Expand All @@ -56,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
`session_access_token_id` int(10) unsigned NOT NULL,
`refresh_token` char(40) NOT NULL DEFAULT '',
`refresh_token_expires` int(10) unsigned NOT NULL,
`client_id` char(40) NOT NULL DEFAULT '',
PRIMARY KEY (`session_access_token_id`),
KEY `client_id` (`client_id`),
CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Expand Down
2 changes: 1 addition & 1 deletion src/League/OAuth2/Server/Grant/AuthCode.php
Original file line number Diff line number Diff line change
Expand Up @@ -283,7 +283,7 @@ public function completeFlow($inputParams = null)
if ($this->authServer->hasGrantType('refresh_token')) {
$refreshToken = SecureKey::make();
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
$response['refresh_token'] = $refreshToken;
}

Expand Down
2 changes: 1 addition & 1 deletion src/League/OAuth2/Server/Grant/Password.php
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ public function completeFlow($inputParams = null)
if ($this->authServer->hasGrantType('refresh_token')) {
$refreshToken = SecureKey::make();
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
$response['refresh_token'] = $refreshToken;
}

Expand Down
4 changes: 2 additions & 2 deletions src/League/OAuth2/Server/Grant/RefreshToken.php
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ public function completeFlow($inputParams = null)
}

// Validate refresh token
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);

if ($accessTokenId === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
Expand All @@ -168,7 +168,7 @@ public function completeFlow($inputParams = null)
$this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
}

$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);

return array(
'access_token' => $accessToken,
Expand Down
92 changes: 7 additions & 85 deletions src/League/OAuth2/Server/Storage/PDO/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,6 @@

class Session implements SessionInterface
{
/**
* Create a new session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return int The session ID
*/
public function createSession($clientId, $ownerType, $ownerId)
{
$db = \ezcDbInstance::get();
Expand All @@ -27,13 +20,6 @@ public function createSession($clientId, $ownerType, $ownerId)
return $db->lastInsertId();
}

/**
* Delete a session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return void
*/
public function deleteSession($clientId, $ownerType, $ownerId)
{
$db = \ezcDbInstance::get();
Expand All @@ -46,12 +32,6 @@ public function deleteSession($clientId, $ownerType, $ownerId)
$stmt->execute();
}

/**
* Associate a redirect URI with a session
* @param int $sessionId The session ID
* @param string $redirectUri The redirect URI
* @return void
*/
public function associateRedirectUri($sessionId, $redirectUri)
{
$db = \ezcDbInstance::get();
Expand All @@ -63,13 +43,6 @@ public function associateRedirectUri($sessionId, $redirectUri)
$stmt->execute();
}

/**
* Associate an access token with a session
* @param int $sessionId The session ID
* @param string $accessToken The access token
* @param int $expireTime Unix timestamp of the access token expiry time
* @return void
*/
public function associateAccessToken($sessionId, $accessToken, $expireTime)
{
$db = \ezcDbInstance::get();
Expand All @@ -84,33 +57,19 @@ public function associateAccessToken($sessionId, $accessToken, $expireTime)
return $db->lastInsertId();
}

/**
* Associate a refresh token with a session
* @param int $accessTokenId The access token ID
* @param string $refreshToken The refresh token
* @param int $expireTime Unix timestamp of the refresh token expiry time
* @return void
*/
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
{
$db = \ezcDbInstance::get();

$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
(:accessTokenId, :refreshToken, :expireTime)');
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
(:accessTokenId, :refreshToken, :expireTime, :clientId)');
$stmt->bindValue(':accessTokenId', $accessTokenId);
$stmt->bindValue(':refreshToken', $refreshToken);
$stmt->bindValue(':expireTime', $expireTime);
$stmt->bindValue(':clientId', $clientId);
$stmt->execute();
}

/**
* Assocate an authorization code with a session
* @param int $sessionId The session ID
* @param string $authCode The authorization code
* @param int $expireTime Unix timestamp of the access token expiry time
* @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null)
* @return void
*/
public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null)
{
$db = \ezcDbInstance::get();
Expand All @@ -124,11 +83,6 @@ public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds
$stmt->execute();
}

/**
* Remove an associated authorization token from a session
* @param int $sessionId The session ID
* @return void
*/
public function removeAuthCode($sessionId)
{
$db = \ezcDbInstance::get();
Expand All @@ -138,13 +92,6 @@ public function removeAuthCode($sessionId)
$stmt->execute();
}

/**
* Validate an authorization code
* @param string $clientId The client ID
* @param string $redirectUri The redirect URI
* @param string $authCode The authorization code
* @return void
*/
public function validateAuthCode($clientId, $redirectUri, $authCode)
{
$db = \ezcDbInstance::get();
Expand All @@ -166,11 +113,6 @@ public function validateAuthCode($clientId, $redirectUri, $authCode)
return ($result === false) ? false : (array) $result;
}

/**
* Validate an access token
* @param string $accessToken The access token to be validated
* @return void
*/
public function validateAccessToken($accessToken)
{
$db = \ezcDbInstance::get();
Expand All @@ -183,29 +125,20 @@ public function validateAccessToken($accessToken)
return ($result === false) ? false : (array) $result;
}

/**
* Validate a refresh token
* @param string $refreshToken The access token
* @return void
*/
public function validateRefreshToken($refreshToken)
public function validateRefreshToken($refreshToken, $clientId)
{
$db = \ezcDbInstance::get();

$stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
$stmt->bindValue(':refreshToken', $refreshToken);
$stmt->bindValue(':clientId', $clientId);
$stmt->execute();

$result = $stmt->fetchObject();
return ($result === false) ? false : $result->session_access_token_id;
}

/**
* Get an access token by ID
* @param int $accessTokenId The access token ID
* @return array
*/
public function getAccessToken($accessTokenId)
{
$db = \ezcDbInstance::get();
Expand All @@ -218,12 +151,6 @@ public function getAccessToken($accessTokenId)
return ($result === false) ? false : (array) $result;
}

/**
* Associate a scope with an access token
* @param int $accessTokenId The ID of the access token
* @param int $scopeId The ID of the scope
* @return void
*/
public function associateScope($accessTokenId, $scopeId)
{
$db = \ezcDbInstance::get();
Expand All @@ -235,11 +162,6 @@ public function associateScope($accessTokenId, $scopeId)
$stmt->execute();
}

/**
* Get all associated access tokens for an access token
* @param string $accessToken The access token
* @return array
*/
public function getScopes($accessToken)
{
$db = \ezcDbInstance::get();
Expand Down
8 changes: 5 additions & 3 deletions src/League/OAuth2/Server/Storage/SessionInterface.php
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,10 @@ public function associateAccessToken($sessionId, $accessToken, $expireTime);
* @param int $accessTokenId The access token ID
* @param string $refreshToken The refresh token
* @param int $expireTime Unix timestamp of the refresh token expiry time
* @param string $clientId The client ID
* @return void
*/
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);

/**
* Assocate an authorization code with a session
Expand Down Expand Up @@ -191,13 +192,14 @@ public function validateAccessToken($accessToken);
*
* <code>
* SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
* </code>
*
* @param string $refreshToken The access token
* @param string $clientId The client ID
* @return int|bool The ID of the access token the refresh token is linked to (or false if invalid)
*/
public function validateRefreshToken($refreshToken);
public function validateRefreshToken($refreshToken, $clientId);

/**
* Get an access token by ID
Expand Down

0 comments on commit 1375f91

Please sign in to comment.