-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathScopeParameterChecker.php
More file actions
64 lines (53 loc) · 2.32 KB
/
ScopeParameterChecker.php
File metadata and controls
64 lines (53 loc) · 2.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?php
declare(strict_types=1);
/*
* The MIT License (MIT)
*
* Copyright (c) 2014-2019 Spomky-Labs
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
namespace OAuth2Framework\Component\Scope;
use OAuth2Framework\Component\AuthorizationEndpoint\AuthorizationRequest\AuthorizationRequest;
use OAuth2Framework\Component\AuthorizationEndpoint\ParameterChecker\ParameterChecker;
use OAuth2Framework\Component\Scope\Policy\ScopePolicyManager;
use function Safe\preg_match;
use function Safe\sprintf;
class ScopeParameterChecker implements ParameterChecker
{
private ScopeRepository $scopeRepository;
private ScopePolicyManager $scopePolicyManager;
public function __construct(ScopeRepository $scopeRepository, ScopePolicyManager $scopePolicyManager)
{
$this->scopeRepository = $scopeRepository;
$this->scopePolicyManager = $scopePolicyManager;
}
public function check(AuthorizationRequest $authorization): void
{
$requestedScope = $this->getRequestedScope($authorization);
$requestedScope = $this->scopePolicyManager->apply($requestedScope, $authorization->getClient());
if ('' === $requestedScope) {
return;
}
$scopes = explode(' ', $requestedScope);
$availableScopes = $this->scopeRepository->all();
if (0 !== \count(array_diff($scopes, $availableScopes))) {
throw new \InvalidArgumentException(sprintf('An unsupported scope was requested. Available scopes are %s.', implode(', ', $availableScopes)));
}
$authorization->getMetadata()->set('scope', implode(' ', $scopes));
$authorization->setResponseParameter('scope', implode(' ', $scopes)); //TODO: should be done after consent depending on approved scope
}
private function getRequestedScope(AuthorizationRequest $authorization): string
{
if ($authorization->hasQueryParam('scope')) {
$requestedScope = $authorization->getQueryParam('scope');
if (1 !== preg_match('/^[\x20\x23-\x5B\x5D-\x7E]+$/', $requestedScope)) {
throw new \InvalidArgumentException('Invalid characters found in the "scope" parameter.');
}
} else {
$requestedScope = '';
}
return $requestedScope;
}
}