Merge branch 'master' into patch-1

hafezdivandari · Mar 29, 2024 · d049bc5 · d049bc5
2 parents 4650de7 + ca511c1
commit d049bc5
Show file tree

Hide file tree

Showing 133 changed files with 4,940 additions and 2,827 deletions.
diff --git a/.github/workflows/backwards-compatibility.yml b/.github/workflows/backwards-compatibility.yml
@@ -11,12 +11,12 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v2"
+        uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
       - name: Fix git safe.directory in container
         run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig
       - name: "Backwards Compatibility Check"
         uses: docker://nyholm/roave-bc-check-ga
         with:
-          args: --from=${{ github.event.pull_request.base.sha }}
+          args: --from=${{ github.event.pull_request.base.sha }}
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -0,0 +1,36 @@
+name: Coding Standards
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  coding-standards:
+    name: Coding Standards
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version:
+          - 8.3
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
+
+      - name: Run Codesniffer
+        run: vendor/bin/phpcs
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -0,0 +1,37 @@
+name: Static Analysis
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  static-analysis:
+    name: Static Analysis
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version: [8.1, 8.2, 8.3]
+        composer-stability: [prefer-lowest, prefer-stable]
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --${{ matrix.composer-stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Run Static Analysis
+        run: vendor/bin/phpstan analyse
+
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -8,19 +8,20 @@ on:
 
 jobs:
   tests:
-    runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
-        php: [8.0, 8.1, 8.2]
+        php: [8.1, 8.2, 8.3]
+        os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
 
+    runs-on: ${{ matrix.os }}
+
     name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with: 
           fetch-depth: 0
 
@@ -40,7 +41,7 @@ jobs:
           composer global require scrutinizer/ocular
 
       - name: Execute tests
-        run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
+        run: vendor/bin/phpunit --coverage-clover=coverage.clover
 
       - name: Code coverage
         if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}

diff --git a/.scrutinizer.yml b/.scrutinizer.yml
@@ -1,7 +1,7 @@
 build:
     environment:
         php:
-            version: 7.4
+            version: 8.3.3
     nodes:
         analysis:
             tests:

diff --git a/.styleci.yml b/.styleci.yml
@@ -1,30 +1,21 @@
-preset: psr2
+preset: psr12
 
 risky: true
 
 enabled:
-  - binary_operator_spaces
   - blank_line_before_return
-  - concat_with_spaces
   - fully_qualified_strict_types
-  - function_typehint_space
   - hash_to_slash_comment
   - include
-  - lowercase_cast
   - method_separation
   - native_function_casing
-  - native_function_invocation
-  - no_blank_lines_after_class_opening
   - no_blank_lines_between_uses
   - no_duplicate_semicolons
-  - no_leading_import_slash
-  - no_leading_namespace_whitespace
   - no_multiline_whitespace_before_semicolons
   - no_php4_constructor
   - no_short_bool_cast
   - no_singleline_whitespace_before_semicolons
   - no_trailing_comma_in_singleline_array
-  - no_unreachable_default_argument_value
   - no_unused_imports
   - no_whitespace_before_comma_in_array
   - ordered_imports
@@ -43,13 +34,9 @@ enabled:
   - phpdoc_var_without_name
   - print_to_echo
   - short_array_syntax
-  - short_scalar_cast
   - single_quote
   - spaces_cast
   - standardize_not_equal
-  - ternary_operator_spaces
   - trailing_comma_in_multiline_array
   - trim_array_spaces
-  - unary_operator_spaces
   - whitespace_after_comma_in_array
-  - whitespacy_lines
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,41 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [9.0.0-RC1] - released 2024-03-27
+### Added
+- Device Authorization Grant added (PR #1074)
+- GrantTypeInterface has a new function, `revokeRefreshTokens()` for enabling or disabling refresh tokens after use (PR #1375)
+- A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
+- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
+- An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
+- Added function `getKeyContents()` to the `CryptKeyInterface` (PR #1375)
+
+### Fixed
+- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and a HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` and HTTP 401 response (PR #1042) (PR #1082)
+
+### Changed
+- Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
+- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
+- AccessTokenEntityInterface now requires the implementation of `toString()` instead of the magic method `__toString()` (PR #1395)
+
+### Removed
+- Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)
+
+## [8.5.4] - released 2023-08-25
+### Added
+- Support for league/uri ^7.0 (PR #1367)
+
+## [8.5.3] - released 2023-07-06
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid 
+passphrase, the LogicException message generated will expose the given key. 
+The key is no longer leaked via this exception (PR #1353)
+
+## [8.5.2] - released 2023-06-16
+### Changed
+- Bumped the versions for laminas/diactoros and psr/http-message to support 
+PSR-7 v2.0 (PR #1339)
+
 ## [8.5.1] - released 2023-04-04
 ### Fixed
 - Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
@@ -104,7 +139,6 @@ a PKCE downgrade attack (PR #1326)
 - If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given 
 redirect_uri instead of the default client redirect uri (PR #1126)
 
-
 ## [8.1.0] - released 2020-04-29
 
 ### Added
@@ -591,7 +625,11 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.5.1...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/9.0.0-RC1...HEAD
+[9.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/8.5.4...9.0.0-RC1
+[8.5.4]: https://github.com/thephpleague/oauth2-server/compare/8.5.3...8.5.4
+[8.5.3]: https://github.com/thephpleague/oauth2-server/compare/8.5.2...8.5.3
+[8.5.2]: https://github.com/thephpleague/oauth2-server/compare/8.5.1...8.5.2
 [8.5.1]: https://github.com/thephpleague/oauth2-server/compare/8.5.0...8.5.1
 [8.5.0]: https://github.com/thephpleague/oauth2-server/compare/8.4.1...8.5.0
 [8.4.1]: https://github.com/thephpleague/oauth2-server/compare/8.4.0...8.4.1

diff --git a/README.md b/README.md
@@ -12,27 +12,29 @@
 Out of the box it supports the following grants:
 
 * Authorization code grant
-* Implicit grant
 * Client credentials grant
-* Resource owner password credentials grant
+* Device authorization grant
+* Implicit grant
 * Refresh grant
+* Resource owner password credentials grant
 
 The following RFCs are implemented:
 
 * [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
 * [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
+* [RFC8628 "OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
 
 This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 
 ## Requirements
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 8.0
 * PHP 8.1
 * PHP 8.2
+* PHP 8.3
 
 The `openssl` and `json` extensions are also required.
 

diff --git a/composer.json b/composer.json
@@ -4,22 +4,29 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^8.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0",
         "ext-openssl": "*",
-        "league/event": "^2.2",
-        "league/uri": "^6.7",
-        "lcobucci/jwt": "^4.3 || ^5.0",
-        "psr/http-message": "^1.0.1",
-        "defuse/php-encryption": "^2.3",
+        "league/event": "^3.0",
+        "league/uri": "^7.0",
+        "lcobucci/jwt": "^5.0",
+        "psr/http-message": "^2.0",
+        "defuse/php-encryption": "^2.4",
         "ext-json": "*",
-        "lcobucci/clock": "^2.2 || ^3.0"
+        "lcobucci/clock": "^2.3 || ^3.0",
+        "psr/http-server-middleware": "^1.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6.6",
-        "laminas/laminas-diactoros": "^2.24.0",
-        "phpstan/phpstan": "^0.12.57",
-        "phpstan/phpstan-phpunit": "^0.12.16",
-        "roave/security-advisories": "dev-master"
+        "phpunit/phpunit": "^9.6.15",
+        "laminas/laminas-diactoros": "^3.3.0",
+        "phpstan/phpstan": "^1.10.55",
+        "phpstan/phpstan-phpunit": "^1.3.15",
+        "roave/security-advisories": "dev-master",
+        "phpstan/extension-installer": "^1.3.1",
+        "phpstan/phpstan-deprecation-rules": "^1.1.4",
+        "phpstan/phpstan-strict-rules": "^1.5.2",
+        "slevomat/coding-standard": "^8.14.1",
+        "php-parallel-lint/php-parallel-lint": "^1.3.2",
+        "squizlabs/php_codesniffer": "^3.8"
     },
     "repositories": [
         {
@@ -70,5 +77,12 @@
         "psr-4": {
             "LeagueTests\\": "tests/"
         }
+    },
+    "config": {
+        "allow-plugins": {
+            "ocramius/package-versions": true,
+            "phpstan/extension-installer": true,
+            "dealerdirect/phpcodesniffer-composer-installer": false
+        }
     }
 }
diff --git a/examples/README.md b/examples/README.md
@@ -51,3 +51,32 @@ curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
 	--data-urlencode "client_secret=abc123" \
 	--data-urlencode "refresh_token={{REFRESH_TOKEN}}"
 ```
+
+## Testing the device authorization grant example
+
+Send the following cURL request. This will return a device code which can be exchanged for an access token.
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/device_authorization" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "scope=basic email"
+```	
+
+We have set up the example so that a user ID is already associated with the device code. In a production application you
+would implement an authorization view to allow a user to authorize the device.
+
+Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the 
+device code returned from your first cURL post:
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
+	--data-urlencode "device_code={{DEVICE_CODE}}" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123"
+```
diff --git a/examples/composer.json b/examples/composer.json
@@ -3,7 +3,7 @@
         "slim/slim": "^3.12.3"
     },
     "require-dev": {
-        "league/event": "^2.2",
+        "league/event": "^3.0",
         "lcobucci/jwt": "^3.4.6 || ^4.0.4",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",