Page Menu
Home
c4science
Search
Configure Global Search
Log In
Files
F93599897
PhabricatorOAuthServerAuthController.php
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Subscribers
None
File Metadata
Details
File Info
Storage
Attached
Created
Sat, Nov 30, 01:46
Size
7 KB
Mime Type
text/x-php
Expires
Mon, Dec 2, 01:46 (1 d, 23 h)
Engine
blob
Format
Raw Data
Handle
22671337
Attached To
rPH Phabricator
PhabricatorOAuthServerAuthController.php
View Options
<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @group oauthserver
*/
final
class
PhabricatorOAuthServerAuthController
extends
PhabricatorAuthController
{
public
function
shouldRequireLogin
()
{
return
true
;
}
public
function
processRequest
()
{
$request
=
$this
->
getRequest
();
$current_user
=
$request
->
getUser
();
$server
=
new
PhabricatorOAuthServer
();
$client_phid
=
$request
->
getStr
(
'client_id'
);
$scope
=
$request
->
getStr
(
'scope'
);
$redirect_uri
=
$request
->
getStr
(
'redirect_uri'
);
$state
=
$request
->
getStr
(
'state'
);
$response_type
=
$request
->
getStr
(
'response_type'
);
$response
=
new
PhabricatorOAuthResponse
();
// state is an opaque value the client sent us for their own purposes
// we just need to send it right back to them in the response!
if
(
$state
)
{
$response
->
setState
(
$state
);
}
if
(!
$client_phid
)
{
$response
->
setError
(
'invalid_request'
);
$response
->
setErrorDescription
(
'Required parameter client_id not specified.'
);
return
$response
;
}
$server
->
setUser
(
$current_user
);
// one giant try / catch around all the exciting database stuff so we
// can return a 'server_error' response if something goes wrong!
try
{
$client
=
id
(
new
PhabricatorOAuthServerClient
())
->
loadOneWhere
(
'phid = %s'
,
$client_phid
);
if
(!
$client
)
{
$response
->
setError
(
'invalid_request'
);
$response
->
setErrorDescription
(
'Client with id '
.
$client_phid
.
' not found.'
);
return
$response
;
}
$server
->
setClient
(
$client
);
if
(
$redirect_uri
)
{
$client_uri
=
new
PhutilURI
(
$client
->
getRedirectURI
());
$redirect_uri
=
new
PhutilURI
(
$redirect_uri
);
if
(!(
$server
->
validateSecondaryRedirectURI
(
$redirect_uri
,
$client_uri
)))
{
$response
->
setError
(
'invalid_request'
);
$response
->
setErrorDescription
(
'The specified redirect URI is invalid. The redirect URI '
.
'must be a fully-qualified domain with no fragments and '
.
'must have the same domain and at least the same query '
.
'parameters as the redirect URI the client registered.'
);
return
$response
;
}
$uri
=
$redirect_uri
;
$access_token_uri
=
$uri
;
}
else
{
$uri
=
new
PhutilURI
(
$client
->
getRedirectURI
());
$access_token_uri
=
null
;
}
// we've now validated this request enough overall such that we
// can safely redirect to the client with the response
$response
->
setClientURI
(
$uri
);
if
(
empty
(
$response_type
))
{
$response
->
setError
(
'invalid_request'
);
$response
->
setErrorDescription
(
'Required parameter response_type not specified.'
);
return
$response
;
}
if
(
$response_type
!=
'code'
)
{
$response
->
setError
(
'unsupported_response_type'
);
$response
->
setErrorDescription
(
'The authorization server does not support obtaining an '
.
'authorization code using the specified response_type. '
.
'You must specify the response_type as "code".'
);
return
$response
;
}
if
(
$scope
)
{
if
(!
PhabricatorOAuthServerScope
::
validateScopesList
(
$scope
))
{
$response
->
setError
(
'invalid_scope'
);
$response
->
setErrorDescription
(
'The requested scope is invalid, unknown, or malformed.'
);
return
$response
;
}
$scope
=
PhabricatorOAuthServerScope
::
scopesListToDict
(
$scope
);
}
$authorization
=
$server
->
userHasAuthorizedClient
(
$scope
);
if
(
$authorization
)
{
$return_auth_code
=
true
;
$unguarded_write
=
AphrontWriteGuard
::
beginScopedUnguardedWrites
();
}
else
if
(
$request
->
isFormPost
())
{
$scope
=
PhabricatorOAuthServerScope
::
getScopesFromRequest
(
$request
);
$authorization
=
$server
->
authorizeClient
(
$scope
);
$return_auth_code
=
true
;
$unguarded_write
=
null
;
}
else
{
$return_auth_code
=
false
;
$unguarded_write
=
null
;
}
if
(
$return_auth_code
)
{
// step 1 -- generate authorization code
$auth_code
=
$server
->
generateAuthorizationCode
(
$access_token_uri
);
// step 2 return it
$content
=
array
(
'code'
=>
$auth_code
->
getCode
(),
'scope'
=>
$authorization
->
getScopeString
(),
);
$response
->
setContent
(
$content
);
return
$response
->
setClientURI
(
$uri
);
}
unset
(
$unguarded_write
);
}
catch
(
Exception
$e
)
{
// Note we could try harder to determine between a server_error
// vs temporarily_unavailable. Good enough though.
$response
->
setError
(
'server_error'
);
$response
->
setErrorDescription
(
'The authorization server encountered an unexpected condition '
.
'which prevented it from fulfilling the request. '
);
return
$response
;
}
// display time -- make a nice form for the user to grant the client
// access to the granularity specified by $scope
$name
=
phutil_escape_html
(
$client
->
getName
());
$title
=
'Authorize '
.
$name
.
'?'
;
$panel
=
new
AphrontPanelView
();
$panel
->
setWidth
(
AphrontPanelView
::
WIDTH_FORM
);
$panel
->
setHeader
(
$title
);
$description
=
"Do want to authorize {$name} to access your "
.
"Phabricator account data?"
;
if
(
$scope
)
{
$desired_scopes
=
$scope
;
if
(!
PhabricatorOAuthServerScope
::
validateScopesDict
(
$desired_scopes
))
{
$response
->
setError
(
'invalid_scope'
);
$response
->
setErrorDescription
(
'The requested scope is invalid, unknown, or malformed.'
);
return
$response
;
}
}
else
{
$desired_scopes
=
array
(
PhabricatorOAuthServerScope
::
SCOPE_WHOAMI
=>
1
,
PhabricatorOAuthServerScope
::
SCOPE_OFFLINE_ACCESS
=>
1
);
}
$cancel_uri
=
$this
->
getClientURI
(
$client
,
$redirect_uri
);
$cancel_params
=
array
(
'error'
=>
'access_denied'
,
'error_description'
=>
'The resource owner (aka the user) denied the request.'
);
$cancel_uri
->
setQueryParams
(
$cancel_params
);
$form
=
id
(
new
AphrontFormView
())
->
setUser
(
$current_user
)
->
appendChild
(
id
(
new
AphrontFormStaticControl
())
->
setValue
(
$description
)
)
->
appendChild
(
PhabricatorOAuthServerScope
::
getCheckboxControl
()
)
->
appendChild
(
id
(
new
AphrontFormSubmitControl
())
->
setValue
(
'Authorize'
)
->
addCancelButton
(
$cancel_uri
)
);
$panel
->
appendChild
(
$form
);
return
$this
->
buildStandardPageResponse
(
$panel
,
array
(
'title'
=>
$title
));
}
}
Event Timeline
Log In to Comment