Merge pull request #788 from bshaffer/develop

v1.9.0

.gitattributes

@@ -0,0 +1,7 @@
+# Exclude unused files
+# see: https://redd.it/2jzp6k
+/tests                     export-ignore
+.travis.yml                export-ignore
+.gitattributes             export-ignore
+.gitignore                 export-ignore
+phpunit.xml                export-ignore

.travis.yml

@@ -1,25 +1,31 @@
 language: php
 sudo: false
+cache:
+  directories:
+    - $HOME/.composer/cache
+    - vendor
 php:
 - 5.3
 - 5.4
 - 5.5
 - 5.6
-- hhvm
+- 7.0
+- 7.1
 env:
   global:
-  - SKIP_MONGO_TESTS=1
   - secure: Bc5ZqvZ1YYpoPZNNuU2eCB8DS6vBYrAdfBtTenBs5NSxzb+Vjven4kWakbzaMvZjb/Ib7Uph7DGuOtJXpmxnvBXPLd707LZ89oFWN/yqQlZKCcm8iErvJCB5XL+/ONHj2iPdR242HJweMcat6bMCwbVWoNDidjtWMH0U2mYFy3M=
   - secure: R3bXlymyFiY2k2jf7+fv/J8i34wtXTkmD4mCr5Ps/U+vn9axm2VtvR2Nj+r7LbRjn61gzFE/xIVjYft/wOyBOYwysrfriydrnRVS0owh6y+7EyOyQWbRX11vVQMf8o31QCQE5BY58V5AJZW3MjoOL0FVlTgySJiJvdw6Pv18v+E=
 services:
 - mongodb
 - redis-server
 - cassandra
+before_install:
+- phpenv config-rm xdebug.ini || return 0
+- phpenv version-name | grep ^5.[3-6] && composer remove mongodb/mongodb --dev && echo "extension=mongo.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini ; true
+- phpenv version-name | grep ^7 && echo "extension=mongodb.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini ; true
+install:
+- composer install
 before_script:
 - psql -c 'create database oauth2_server_php;' -U postgres
-- composer require predis/predis:dev-master
-- composer require thobbs/phpcassa:dev-master
-- composer require 'aws/aws-sdk-php:~2.8'
-- composer require 'firebase/php-jwt:~2.2'
 after_script:
 - php test/cleanup.php

CHANGELOG.md

@@ -8,6 +8,23 @@ To see the files changed for a given bug, go to https://github.com/bshaffer/oaut
 To get the diff between two versions, go to https://github.com/bshaffer/oauth2-server-php/compare/v1.0...v1.1
 To get the diff for a specific change, go to https://github.com/bshaffer/oauth2-server-php/commit/XXX where XXX is the change hash
 
+* 1.9.0 (2016-01-06)
+
+  PR: https://github.com/bshaffer/oauth2-server-php/pull/788
+
+  * bug #645 - Allow null for client_secret
+  * bug #651 - Fix bug in isPublicClient of Cassandra Storage
+  * bug #670 - Bug in client's scope restriction
+  * bug #672 - Implemented method to override the password hashing algorithm
+  * bug #698 - Fix Token Response's Content-Type to application/json
+  * bug #729 - Ensures unsetAccessToken and unsetRefreshToken return a bool
+  * bug #749 - Fix UserClaims for CodeIdToken
+  * bug #784 - RFC6750 compatibility
+  * bug #776 - Fix "redirect_uri_mismatch" for URIs with encoded characters
+  * bug #759 - no access token supplied to resource controller results in empty request body
+  * bug #773 - Use OpenSSL random method before attempting Mcrypt's.
+  * bug #790 - Add mongo db
+
 * 1.8.0 (2015-09-18)
 
   PR: https://github.com/bshaffer/oauth2-server-php/pull/643

composer.json

@@ -12,16 +12,23 @@
         }
     ],
     "homepage": "http://github.com/bshaffer/oauth2-server-php",
+    "autoload": {
+        "psr-0": { "OAuth2": "src/" }
+    },
     "require":{
         "php":">=5.3.9"
     },
-    "autoload": {
-        "psr-0": { "OAuth2": "src/" }
+    "require-dev": {
+        "aws/aws-sdk-php": "~2.8",
+        "firebase/php-jwt": "~2.2",
+        "predis/predis": "dev-master",
+        "thobbs/phpcassa": "dev-master",
+        "mongodb/mongodb": "^1.1"
     },
     "suggest": {
-        "predis/predis": "Required to use the Redis storage engine",
-        "thobbs/phpcassa": "Required to use the Cassandra storage engine",
-        "aws/aws-sdk-php": "~2.8 is required to use the DynamoDB storage engine",
-        "firebase/php-jwt": "~2.2 is required to use JWT features"
+        "predis/predis": "Required to use Redis storage",
+        "thobbs/phpcassa": "Required to use Cassandra storage",
+        "aws/aws-sdk-php": "~2.8 is required to use DynamoDB storage",
+        "firebase/php-jwt": "~1.1 is required to use MondoDB storage"
     }
 }

src/OAuth2/Controller/AuthorizeController.php

@@ -126,6 +126,11 @@ protected function buildAuthorizeParameters($request, $response, $user_id)
         return $params;
     }
 
+    /**
+     * @param RequestInterface $request
+     * @param ResponseInterface $response
+     * @return bool
+     */
     public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response)
     {
         // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
@@ -236,8 +241,8 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte
             // restrict scope by client specific scope if applicable,
             // otherwise verify the scope exists
             $clientScope = $this->clientStorage->getClientScope($client_id);
-            if ((is_null($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
-                || ($clientScope && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
+            if ((empty($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
+                || (!empty($clientScope) && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
                 $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null);
 
                 return false;
@@ -341,9 +346,14 @@ protected function validateRedirectUri($inputUri, $registeredUriString)
                     return true;
                 }
             } else {
+                $registered_uri_length = strlen($registered_uri);
+                if ($registered_uri_length === 0) {
+                    return false;
+                }
+
                 // the input uri is validated against the registered uri using case-insensitive match of the initial string
                 // i.e. additional query parameters may be applied
-                if (strcasecmp(substr($inputUri, 0, strlen($registered_uri)), $registered_uri) === 0) {
+                if (strcasecmp(substr($inputUri, 0, $registered_uri_length), $registered_uri) === 0) {
                     return true;
                 }
             }

src/OAuth2/Controller/ResourceController.php

@@ -83,7 +83,7 @@ public function getAccessTokenData(RequestInterface $request, ResponseInterface
             } elseif (!isset($token["expires"]) || !isset($token["client_id"])) {
                 $response->setError(401, 'malformed_token', 'Malformed token (missing "expires")');
             } elseif (time() > $token["expires"]) {
-                $response->setError(401, 'expired_token', 'The access token provided has expired');
+                $response->setError(401, 'invalid_token', 'The access token provided has expired');
             } else {
                 return $token;
             }

src/OAuth2/Controller/TokenController.php

@@ -12,14 +12,33 @@
 use OAuth2\ResponseInterface;
 
 /**
- * @see OAuth2\Controller\TokenControllerInterface
+ * @see \OAuth2\Controller\TokenControllerInterface
  */
 class TokenController implements TokenControllerInterface
 {
+    /**
+     * @var AccessTokenInterface
+     */
     protected $accessToken;
+
+    /**
+     * @var array
+     */
     protected $grantTypes;
+
+    /**
+     * @var ClientAssertionTypeInterface
+     */
     protected $clientAssertionType;
+
+    /**
+     * @var Scope|ScopeInterface
+     */
     protected $scopeUtil;
+
+    /**
+     * @var ClientInterface
+     */
     protected $clientStorage;
 
     public function __construct(AccessTokenInterface $accessToken, ClientInterface $clientStorage, array $grantTypes = array(), ClientAssertionTypeInterface $clientAssertionType = null, ScopeInterface $scopeUtil = null)
@@ -51,7 +70,11 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface
             // server MUST disable caching in headers when tokens are involved
             $response->setStatusCode(200);
             $response->addParameters($token);
-            $response->addHttpHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache'));
+            $response->addHttpHeaders(array(
+                'Cache-Control' => 'no-store',
+                'Pragma' => 'no-cache',
+                'Content-Type' => 'application/json'
+            ));
         }
     }
 
@@ -60,11 +83,11 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface
      * This would be called from the "/token" endpoint as defined in the spec.
      * You can call your endpoint whatever you want.
      *
-     * @param $request - RequestInterface
-     * Request object to grant access token
+     * @param RequestInterface $request Request object to grant access token
+     * @param ResponseInterface $response
      *
-     * @throws InvalidArgumentException
-     * @throws LogicException
+     * @throws \InvalidArgumentException
+     * @throws \LogicException
      *
      * @see http://tools.ietf.org/html/rfc6749#section-4
      * @see http://tools.ietf.org/html/rfc6749#section-10.6
@@ -204,10 +227,8 @@ public function grantAccessToken(RequestInterface $request, ResponseInterface $r
     /**
      * addGrantType
      *
-     * @param grantType - OAuth2\GrantTypeInterface
-     * the grant type to add for the specified identifier
-     * @param identifier - string
-     * a string passed in as "grant_type" in the response that will call this grantType
+     * @param GrantTypeInterface $grantType the grant type to add for the specified identifier
+     * @param string $identifier a string passed in as "grant_type" in the response that will call this grantType
      */
     public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
     {

src/OAuth2/GrantType/AuthorizationCode.php

@@ -17,7 +17,7 @@ class AuthorizationCode implements GrantTypeInterface
     protected $authCode;
 
     /**
-     * @param OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information
+     * @param \OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information
      */
     public function __construct(AuthorizationCodeInterface $storage)
     {
@@ -49,7 +49,7 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re
          * @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3
          */
         if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) {
-            if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != $authCode['redirect_uri']) {
+            if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != urldecode($authCode['redirect_uri'])) {
                 $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3");
 
                 return false;

src/OAuth2/OpenID/ResponseType/CodeIdToken.php

@@ -16,8 +16,8 @@ public function __construct(AuthorizationCodeInterface $authCode, IdTokenInterfa
     public function getAuthorizeResponse($params, $user_id = null)
     {
         $result = $this->authCode->getAuthorizeResponse($params, $user_id);
-        $id_token = $this->idToken->createIdToken($params['client_id'], $user_id, $params['nonce']);
-        $result[1]['query']['id_token'] = $id_token;
+        $resultIdToken = $this->idToken->getAuthorizeResponse($params, $user_id);
+        $result[1]['query']['id_token'] = $resultIdToken[1]['fragment']['id_token'];
 
         return $result;
     }

src/OAuth2/OpenID/ResponseType/IdToken.php

@@ -84,7 +84,7 @@ protected function createAtHash($access_token, $client_id = null)
         // maps HS256 and RS256 to sha256, etc.
         $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);
         $hash_algorithm = 'sha' . substr($algorithm, 2);
-        $hash = hash($hash_algorithm, $access_token);
+        $hash = hash($hash_algorithm, $access_token, true);
         $at_hash = substr($hash, 0, strlen($hash) / 2);
 
         return $this->encryptionUtil->urlSafeB64Encode($at_hash);

src/OAuth2/Response.php

@@ -176,7 +176,7 @@ public function getResponseBody($format = 'json')
     {
         switch ($format) {
             case 'json':
-                return json_encode($this->parameters);
+                return $this->parameters ? json_encode($this->parameters) : '';
             case 'xml':
                 // this only works for single-level arrays
                 $xml = new \SimpleXMLElement('<response/>');