Merge pull request #6 from designmynight/introspect-guard

robbytaylor · web-flow · commit b6a7c4a5ab2c · 2018-08-21T15:33:41.000+01:00
Introspect guard
diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
-    "name": "designmynight/laravel-oauth-introspect-middleware",
-    "description": "Laravel Middleware for letting a resource owner verify a OAuth2 access tokens with a remote authorization server",
+    "name": "designmynight/laravel-oauth-introspection-client",
+    "description": "Laravel package for letting a resource owner verify OAuth2 access tokens with a remote authorization server",
     "type": "library",
     "license": "MIT",
     "authors": [
diff --git a/src/Facades/Introspect.php b/src/Facades/Introspect.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace DesignMyNight\Laravel\OAuth2\Facades;
+
+use DesignMyNight\Laravel\OAuth2\Introspect as IntrospectService;
+use Illuminate\Support\Facades\Facade;
+
+class Introspect extends Facade
+{
+    protected static function getFacadeAccessor()
+    {
+        return IntrospectService::class;
+    }
+}
diff --git a/src/Guard/IntrospectGuard.php b/src/Guard/IntrospectGuard.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace DesignMyNight\Laravel\OAuth2\Guard;
+
+use DesignMyNight\Laravel\OAuth2\Introspect;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Auth\Guard;
+
+class IntrospectGuard implements Guard
+{
+    protected $user;
+
+    public function __construct(Introspect $introspect)
+    {
+        $this->introspect = $introspect;
+    }
+
+    public function authenticate()
+    {
+        return $this->check();
+    }
+
+    public function check()
+    {
+       return ! is_null($this->user());
+    }
+
+    public function guest()
+    {
+        return !$this->check();
+    }
+
+    public function id()
+    {
+        return $this->check() ? $this->user()->getKey() : null;
+    }
+
+    public function user()
+    {
+        if ($this->user === null) {
+            $this->user = $this->introspect
+                ->verifyToken()
+                ->getUser();
+        }
+
+        return $this->user;
+    }
+
+    public function setUser(Authenticatable $user): void
+    {
+        $this->user = $user;
+    }
+
+    public function validate(array $credentials = []): bool
+    {
+        return true;
+    }
+}
diff --git a/src/Introspect.php b/src/Introspect.php
@@ -0,0 +1,120 @@
+<?php
+
+namespace DesignMyNight\Laravel\OAuth2;
+
+use GuzzleHttp\Exception\RequestException;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Auth\AuthenticationException;
+use Illuminate\Foundation\Auth\User;
+use Illuminate\Http\Request;
+use Laravel\Passport\Exceptions\MissingScopeException;
+
+class Introspect
+{
+    protected $accessTokenCacheKey = 'access_token';
+    protected $client = null;
+    protected $result;
+    protected $userDataKey = 'user';
+    protected $userModelClass = User::class;
+
+    public function __construct(IntrospectClient $client, Request $request)
+    {
+        $this->client = $client;
+        $this->request = $request;
+    }
+
+    protected function getIntrospectionResult()
+    {
+        if ($this->result !== null) {
+            return $this->result;
+        }
+
+        try {
+            $this->result = $this->client->introspect($this->request->bearerToken());
+        } catch (RequestException $e) {
+            if ($e->hasResponse()) {
+                $result = json_decode((string) $e->getResponse()->getBody(), true);
+
+                if (isset($result['error'])) {
+                    throw new AuthenticationException($result['error']['title'] ?? '');
+                }
+            }
+
+            throw new AuthenticationException($e->getMessage());
+        }
+
+        return $this->result;
+    }
+
+    public function mustHaveScopes(array $requiredScopes = [])
+    {
+        $result = $this->getIntrospectionResult();
+        $givenScopes = explode(' ', $result['scope']);
+        $missingScopes = array_diff($requiredScopes, $givenScopes);
+
+        if (count($missingScopes) > 0) {
+            throw new MissingScopeException($missingScopes);
+        }
+    }
+
+    public function setUserDataKey(string $key): self
+    {
+        $this->userDataKey = $key;
+
+        return $this;
+    }
+
+    public function setUserModelClass(string $class): self
+    {
+        $this->userModelClass = $class;
+
+        return $this;
+    }
+
+    public function tokenIsActive(): bool
+    {
+        $result = $this->getIntrospectionResult();
+
+        return $result['active'] === true;
+    }
+
+    public function tokenIsNotActive(): bool
+    {
+        return !$this->tokenIsActive();
+    }
+
+    public function getUser()
+    {
+        $result = $this->getIntrospectionResult();
+
+        if (isset($result[$this->userDataKey]) && !empty($result[$this->userDataKey])) {
+            $user = $this->getUserModel();
+            $user->forceFill($result[$this->userDataKey]);
+
+            return $user;
+        }
+
+        return null;
+    }
+
+    public function getUserModel(): Authenticatable
+    {
+        $class = $this->getUserModelClass();
+
+        return new $class();
+    }
+
+    public function getUserModelClass(): string
+    {
+        return $this->userModelClass;
+    }
+
+    public function verifyToken()
+    {
+        if ($this->tokenIsNotActive()) {
+            throw new AuthenticationException('Invalid token');
+        }
+
+        return $this;
+    }
+}
diff --git a/src/IntrospectClient.php b/src/IntrospectClient.php
@@ -0,0 +1,85 @@
+<?php
+
+namespace DesignMyNight\Laravel\OAuth2;
+
+use GuzzleHttp\Client;
+use Illuminate\Auth\AuthenticationException;
+use Illuminate\Cache\Repository as Cache;
+
+class IntrospectClient
+{
+    protected $accessTokenCacheKey = 'access_token';
+
+    protected $cache;
+    protected $client;
+    protected $config;
+
+    public function __construct(array $config, Cache $cache)
+    {
+        $this->cache = $cache;
+        $this->config = $config;
+    }
+
+    protected function getAccessToken(): string
+    {
+        $accessToken = $this->cache->get($this->accessTokenCacheKey);
+
+        return $accessToken ?: $this->getNewAccessToken();
+    }
+
+    protected function getClient(): Client
+    {
+        if ($this->client === null) {
+            $this->setClient(new Client());
+        }
+
+        return $this->client;
+    }
+
+    protected function getNewAccessToken(): string
+    {
+        $response = $this->getClient()->post($this->config['token_url'], [
+            'form_params' => [
+                'grant_type' => 'client_credentials',
+                'client_id' => $this->config['client_id'],
+                'client_secret' => $this->config['client_secret'],
+                'scope' => $this->config['scope'],
+            ],
+        ]);
+
+        $result = json_decode((string) $response->getBody(), true);
+
+        if (isset($result['access_token'])) {
+            $accessToken = $result['access_token'];
+
+            $this->cache->add($this->accessTokenCacheKey, $accessToken, intVal($result['expires_in']) / 60);
+
+            return $accessToken;
+        }
+
+        throw new AuthenticationException('Did not receive an access token');
+    }
+
+    public function introspect(string $token)
+    {
+        $response = $this->getClient()->post($this->config['introspect_url'], [
+            'form_params' => [
+                'token_type_hint' => 'access_token',
+                'token' => $token,
+            ],
+            'headers' => [
+                'Accept' => 'application/json',
+                'Authorization' => 'Bearer ' . $this->getAccessToken(),
+            ],
+        ]);
+
+        return json_decode((string) $response->getBody(), true);
+    }
+
+    public function setClient(Client $client): self
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+}
diff --git a/src/IntrospectMiddlewareServiceProvider.php b/src/IntrospectMiddlewareServiceProvider.php
@@ -1,7 +1,12 @@
 <?php
+
 namespace DesignMyNight\Laravel\OAuth2;
 
+use Illuminate\Cache\Repository as Cache;
 use Illuminate\Foundation\Application as LaravelApplication;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Config;
 use Illuminate\Support\ServiceProvider;
 use Laravel\Lumen\Application as LumenApplication;
 
@@ -21,14 +26,29 @@ public function boot()
 
         $this->loadRoutesFrom($routes);
         $this->mergeConfigFrom($source, 'authorizationserver');
+
+        $this->bootIntrospection();
     }
 
-    /**
-     * Register the service provider.
-     *
-     * @return void
-     */
-    public function register()
+    protected function bootIntrospection()
     {
+        $request = $this->app->make(Request::class);
+        $cache = $this->app->make(Cache::class);
+        $config = Config::get('authorizationserver');
+
+        $client = new IntrospectClient($config, $cache);
+        $introspect = new Introspect($client, $request);
+
+        $this->app->singleton(IntrospectClient::class, function() use($client) {
+            return $client;
+        });
+
+        $this->app->singleton(Introspect::class, function() use($introspect) {
+            return $introspect;
+        });
+
+        Auth::extend('introspect', function () use($introspect) {
+            return new Guard\IntrospectGuard($introspect);
+        });
     }
 }
diff --git a/src/VerifyAccessToken.php b/src/VerifyAccessToken.php

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`		`- "name": "designmynight/laravel-oauth-introspect-middleware",`
`3`		`- "description": "Laravel Middleware for letting a resource owner verify a OAuth2 access tokens with a remote authorization server",`
	`2`	`+ "name": "designmynight/laravel-oauth-introspection-client",`
	`3`	`+ "description": "Laravel package for letting a resource owner verify OAuth2 access tokens with a remote authorization server",`
`4`	`4`	`"type": "library",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"authors": [`