Allow restricting access based on scopes

Author: arietimmerman

README.md

@@ -19,14 +19,22 @@ composer require arietimmerman/laravel-oauth-introspect-middleware
 
 and add the Service Provider in your `config/app.php`
 
-~~~
-\ArieTimmerman\Laravel\OAuth2\ServiceProvider::class
+~~~.php
+'providers' => [
+     // [..]
+    \ArieTimmerman\Laravel\OAuth2\ServiceProvider::class
+     // [..]
+];
 ~~~
 
 and add the MiddleWare in your `App/Http/Kernel.php`
 
-~~~
-\ArieTimmerman\Laravel\OAuth2\VerifyAccessToken::class
+~~~.php
+protected $routeMiddleware = [
+    // [..]
+    'verifyaccesstoken' => \ArieTimmerman\Laravel\OAuth2\VerifyAccessToken::class,
+    // [..]   
+];
 ~~~  
 
 publish the configuration
@@ -54,3 +62,12 @@ AUTHORIZATION_SERVER_AUTHORIZATION_URL="${AUTHORIZATION_SERVER_URL}/oauth/author
 AUTHORIZATION_SERVER_REDIRECT_URL=https://my.machine.dom
 ~~~
 
+Now, use the middleware.
+
+~~~.php
+Route::group(['middleware'=>'verifyaccesstoken:required-scope1,required-scope2'], function () {
+	Route::get('/endpoint1', 'UserController@index');
+	Route::resource('/resource', 'OrderController');
+});
+~~~
+

routes/routes.php

@@ -12,7 +12,7 @@
 			'client_id' => config('authorizationserver.authorization_server_client_id'),
 			'redirect_uri' => config('authorizationserver.authorization_server_redirect_url'),
 			'response_type' => 'token',
-			'scope' => '',
+			'scope' => 'place-orders',
 	]);
 
 	return redirect(config('authorizationserver.authorization_server_authorization_url') . '?' . $query);

src/VerifyAccessToken.php

@@ -32,20 +32,20 @@ public function setClient(\GuzzleHttp\Client $client) {
 	/**
 	 */
 	protected function getIntrospect($accessToken) {
-		$guzzle = $this->getClient ();
+		$guzzle = $this->getClient ();		
 
 		$response = $guzzle->post ( config ( 'authorizationserver.authorization_server_introspect_url' ), [ 
 				'form_params' => [ 
 						'token_type_hint' => 'access_token',
 
 						// This is the access token for verifying the user's access token
-						'token' => $this->getAccessToken () 
+						'token' => $accessToken
 				],
 				'headers' => [ 
-						'Authorization' => 'Bearer ' . $accessToken 
+						'Authorization' => 'Bearer ' . $this->getAccessToken ()  
 				] 
 		] );
-		
+
 		return json_decode ( ( string ) $response->getBody (), true );
 	}
 
@@ -88,9 +88,9 @@ protected function getAccessToken() {
 	 * @param \Closure $next        	
 	 * @return mixed
 	 */
-	public function handle($request, Closure $next, $scopes = null) {
+	public function handle($request, Closure $next, ...$scopes) {
 		$authorization = $request->header ( 'Authorization' );
-		
+	
 		if (strlen ( $authorization ) == 0) {
 			throw new InvalidInputException ( "No Authorization header present" );
 		}
@@ -105,7 +105,6 @@ public function handle($request, Closure $next, $scopes = null) {
 		try {
 
 			$result = $this->getIntrospect ( $receivedAccessToken );
-			
 			if (! $result ['active']) {
 
 				throw new InvalidAccessTokenException ( "Invalid token!" );
@@ -119,15 +118,17 @@ public function handle($request, Closure $next, $scopes = null) {
 
 				$scopesForToken = \explode ( " ", $result ['scope'] );
 
-				if (count ( $scopes ) != count ( array_intersect ( $scopes, $scopesForToken ) )) {
-					throw new InvalidAccessTokenException ( "Missing required scopes!" );
+				if ( count($misingScopes = array_diff ( $scopes, $scopesForToken ) ) > 0 ) {
+					throw new InvalidAccessTokenException ( "Missing the following required scopes: " . implode(" ,",$misingScopes) );
 				} else {
 				}
 			}
 		} catch ( RequestException $e ) {
 			if ($e->hasResponse ()) {
 				$result = json_decode ( ( string ) $e->getResponse ()->getBody (), true );
 
+				var_dump($result);exit;
+
 				if (isset ( $result ['error'] )) {
 					throw new InvalidAccessTokenException ( $result ['error'] ['title'] ?? "Invalid token!");
 				} else {