From 8e54ee1509d64d8adcac09d856c8464195847a64 Mon Sep 17 00:00:00 2001 From: Jono Radich Date: Wed, 1 Feb 2017 11:32:44 +1300 Subject: [PATCH] Improve validation in the grant types to catch empty inputs --- src/League/OAuth2/Server/Grant/AuthCode.php | 16 ++--- .../OAuth2/Server/Grant/ClientCredentials.php | 4 +- src/League/OAuth2/Server/Grant/Password.php | 8 +-- .../OAuth2/Server/Grant/RefreshToken.php | 6 +- tests/authorization/AuthCodeGrantTest.php | 54 +++++++++++++++- .../ClientCredentialsGrantTest.php | 41 ++++++++++++- tests/authorization/PasswordGrantTest.php | 41 ++++++++++++- tests/authorization/RefreshTokenTest.php | 61 ++++++++++++++++++- 8 files changed, 208 insertions(+), 23 deletions(-) diff --git a/src/League/OAuth2/Server/Grant/AuthCode.php b/src/League/OAuth2/Server/Grant/AuthCode.php index ade22c961..b33bd6dd6 100644 --- a/src/League/OAuth2/Server/Grant/AuthCode.php +++ b/src/League/OAuth2/Server/Grant/AuthCode.php @@ -77,15 +77,15 @@ public function checkAuthoriseParams($inputParams = array()) // Auth params $authParams = $this->authServer->getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams); - if (is_null($authParams['client_id'])) { + if (empty($authParams['client_id'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } - if (is_null($authParams['redirect_uri'])) { + if (empty($authParams['redirect_uri'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0); } - if ($this->authServer->stateParamRequired() === true && is_null($authParams['state'])) { + if ($this->authServer->stateParamRequired() === true && empty($authParams['state'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'state'), 0); } @@ -98,7 +98,7 @@ public function checkAuthoriseParams($inputParams = array()) $authParams['client_details'] = $clientDetails; - if (is_null($authParams['response_type'])) { + if (empty($authParams['response_type'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'response_type'), 0); } @@ -185,15 +185,15 @@ public function completeFlow($inputParams = null) // Get the required params $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams); - if (is_null($authParams['client_id'])) { + if (empty($authParams['client_id'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } - if (is_null($authParams['client_secret'])) { + if (empty($authParams['client_secret'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } - if (is_null($authParams['redirect_uri'])) { + if (empty($authParams['redirect_uri'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0); } @@ -207,7 +207,7 @@ public function completeFlow($inputParams = null) $authParams['client_details'] = $clientDetails; // Validate the authorization code - if (is_null($authParams['code'])) { + if (empty($authParams['code'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'code'), 0); } diff --git a/src/League/OAuth2/Server/Grant/ClientCredentials.php b/src/League/OAuth2/Server/Grant/ClientCredentials.php index e005380ad..2c9dcdfad 100644 --- a/src/League/OAuth2/Server/Grant/ClientCredentials.php +++ b/src/League/OAuth2/Server/Grant/ClientCredentials.php @@ -88,11 +88,11 @@ public function completeFlow($inputParams = null) // Get the required params $authParams = $this->authServer->getParam(array('client_id', 'client_secret'), 'post', $inputParams); - if (is_null($authParams['client_id'])) { + if (empty($authParams['client_id'])) { throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_id'), 0); } - if (is_null($authParams['client_secret'])) { + if (empty($authParams['client_secret'])) { throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_secret'), 0); } diff --git a/src/League/OAuth2/Server/Grant/Password.php b/src/League/OAuth2/Server/Grant/Password.php index f95ccfc85..4393ed4a8 100644 --- a/src/League/OAuth2/Server/Grant/Password.php +++ b/src/League/OAuth2/Server/Grant/Password.php @@ -89,11 +89,11 @@ public function completeFlow($inputParams = null) // Get the required params $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams); - if (is_null($authParams['client_id'])) { + if (empty($authParams['client_id'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } - if (is_null($authParams['client_secret'])) { + if (empty($authParams['client_secret'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } @@ -106,11 +106,11 @@ public function completeFlow($inputParams = null) $authParams['client_details'] = $clientDetails; - if (is_null($authParams['username'])) { + if (empty($authParams['username'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'username'), 0); } - if (is_null($authParams['password'])) { + if (empty($authParams['password'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'password'), 0); } diff --git a/src/League/OAuth2/Server/Grant/RefreshToken.php b/src/League/OAuth2/Server/Grant/RefreshToken.php index c565f5358..81ca58140 100644 --- a/src/League/OAuth2/Server/Grant/RefreshToken.php +++ b/src/League/OAuth2/Server/Grant/RefreshToken.php @@ -102,11 +102,11 @@ public function completeFlow($inputParams = null) // Get the required params $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token', 'scope'), 'post', $inputParams); - if (is_null($authParams['client_id'])) { + if (empty($authParams['client_id'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } - if (is_null($authParams['client_secret'])) { + if (empty($authParams['client_secret'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } @@ -119,7 +119,7 @@ public function completeFlow($inputParams = null) $authParams['client_details'] = $clientDetails; - if (is_null($authParams['refresh_token'])) { + if (empty($authParams['refresh_token'])) { throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'refresh_token'), 0); } diff --git a/tests/authorization/AuthCodeGrantTest.php b/tests/authorization/AuthCodeGrantTest.php index fadf90f2c..7d416c0d7 100644 --- a/tests/authorization/AuthCodeGrantTest.php +++ b/tests/authorization/AuthCodeGrantTest.php @@ -62,6 +62,20 @@ public function test_checkAuthoriseParams_noClientId() $g->checkAuthoriseParams(); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_emptyClientId() + { + $a = $this->returnDefault(); + $g = new League\OAuth2\Server\Grant\AuthCode(); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 @@ -76,6 +90,21 @@ public function test_checkAuthoriseParams_noRedirectUri() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_emptyRedirectUri() + { + $a = $this->returnDefault(); + $g = new League\OAuth2\Server\Grant\AuthCode(); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 @@ -132,6 +161,29 @@ public function test_checkAuthoriseParams_missingResponseType() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_emptyResponseType() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $a = $this->returnDefault(); + $g = new League\OAuth2\Server\Grant\AuthCode(); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 3 @@ -425,4 +477,4 @@ function test_newAuthoriseRequest() } -} \ No newline at end of file +} diff --git a/tests/authorization/ClientCredentialsGrantTest.php b/tests/authorization/ClientCredentialsGrantTest.php index bb3126904..9b5bcc5ad 100644 --- a/tests/authorization/ClientCredentialsGrantTest.php +++ b/tests/authorization/ClientCredentialsGrantTest.php @@ -41,7 +41,25 @@ public function test_issueAccessToken_clientCredentialsGrant_missingClientId() * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 */ - public function test_issueAccessToken_clientCredentialsGrant_missingClientPassword() + public function test_issueAccessToken_clientCredentialsGrant_emptyClientId() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => '' + )); + } + + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_clientCredentialsGrant_missingClientSecret() { $a = $this->returnDefault(); $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials()); @@ -55,6 +73,25 @@ public function test_issueAccessToken_clientCredentialsGrant_missingClientPasswo )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_clientCredentialsGrant_emptyClientSecret() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => 1234, + 'client_secret' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 8 @@ -411,4 +448,4 @@ function test_issueAccessToken_clientCredentialsGrant_withRefreshToken() $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']); } -} \ No newline at end of file +} diff --git a/tests/authorization/PasswordGrantTest.php b/tests/authorization/PasswordGrantTest.php index 71d2cec30..c33acd423 100644 --- a/tests/authorization/PasswordGrantTest.php +++ b/tests/authorization/PasswordGrantTest.php @@ -41,7 +41,25 @@ public function test_issueAccessToken_passwordGrant_missingClientId() * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 */ - public function test_issueAccessToken_passwordGrant_missingClientPassword() + public function test_issueAccessToken_passwordGrant_emptyClientId() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\Password()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => '' + )); + } + + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_passwordGrant_missingClientSecret() { $a = $this->returnDefault(); $a->addGrantType(new League\OAuth2\Server\Grant\Password()); @@ -55,6 +73,25 @@ public function test_issueAccessToken_passwordGrant_missingClientPassword() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_passwordGrant_emptyClientSecret() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\Password()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => 1234, + 'client_secret' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 8 @@ -614,4 +651,4 @@ function test_issueAccessToken_passwordGrant_withRefreshToken() $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']); } -} \ No newline at end of file +} diff --git a/tests/authorization/RefreshTokenTest.php b/tests/authorization/RefreshTokenTest.php index 290169e33..543c5ffe8 100644 --- a/tests/authorization/RefreshTokenTest.php +++ b/tests/authorization/RefreshTokenTest.php @@ -87,6 +87,24 @@ public function test_issueAccessToken_refreshTokenGrant_missingClientId() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_refreshTokenGrant_emptyClientId() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'refresh_token', + 'client_id' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 @@ -105,6 +123,25 @@ public function test_issueAccessToken_refreshTokenGrant_missingClientSecret() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_refreshTokenGrant_emptyClientSecret() + { + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'refresh_token', + 'client_id' => 1234, + 'client_secret' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 8 @@ -147,6 +184,28 @@ public function test_issueAccessToken_refreshTokenGrant_missingRefreshToken() )); } + /** + * @expectedException League\OAuth2\Server\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_refreshTokenGrant_emptyRefreshToken() + { + $this->client->shouldReceive('getClient')->andReturn(array()); + + $a = $this->returnDefault(); + $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken()); + + $request = new League\OAuth2\Server\Util\Request(array(), $_POST); + $a->setRequest($request); + + $a->issueAccessToken(array( + 'grant_type' => 'refresh_token', + 'client_id' => 1234, + 'client_secret' => 5678, + 'refresh_token' => '' + )); + } + /** * @expectedException League\OAuth2\Server\Exception\ClientException * @expectedExceptionCode 0 @@ -422,4 +481,4 @@ public function test_issueAccessToken_refreshTokenGrant_badNewScopes() 'scope' => 'foobar' )); } -} \ No newline at end of file +}