API: GraphQLとOAuth2.0の実装

.env.dist

@@ -48,3 +48,9 @@ MAILER_URL=null://localhost
 #ECCUBE_GC_MAXLIFETIME=1440
 
 ###< APPLICATION CONFIG ###
+
+###> trikoder/oauth2-bundle ###
+# Fallback OAuth2 encryption key
+# Please override this with a secure value: https://oauth2.thephpleague.com/installation/#string-password
+OAUTH2_ENCRYPTION_KEY=c6f06eb702cd2e49dd4912a904dae6ea
+###< trikoder/oauth2-bundle ###

.travis.yml

@@ -20,7 +20,6 @@ cache:
     - bin/.phpunit
 
 php:
-  - 7.1
   - 7.2
   - 7.3
   - 7.4snapshot
@@ -51,6 +50,11 @@ eccube_setup: &eccube_setup |
   bin/console doctrine:database:create --env=dev
   bin/console doctrine:schema:create --env=dev
   bin/console eccube:fixtures:load --env=dev
+  mkdir var/oauth
+  openssl genrsa -out private.key 2048
+  openssl rsa -in private.key -pubout -out public.key
+  mv private.key var/oauth
+  mv public.key var/oauth
 
 package_api_setup: &package_api_setup |
   mkdir ${PWD}/repos

README.md

@@ -36,6 +36,77 @@ npm ci # 初回およびpackage-lock.jsonに変更があったとき
 npm run build # Sass のビルド
 ```
 
+### OAuth2の設定
+
+```shell
+mkdir var/oauth
+cd var/oauth
+openssl genrsa -out private.key 2048
+openssl rsa -in private.key -pubout -out public.key
+```
+
+[詳しくはこちら](https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys)
+
+[クライアントの作成コマンドはこちら](https://github.com/trikoder/oauth2-bundle/blob/v2.x/docs/basic-setup.md)
+[grant-type](https://github.com/trikoder/oauth2-bundle/blob/v2.x/OAuth2Grants.php)
+
+クライアント作成例
+
+```shell
+bin/console trikoder:oauth2:create-client --redirect-uri=http://127.0.0.1:8000/ --grant-type=authorization_code --grant-type=client_credentials --grant-type=implicit --grant-type=password --grant-type=refresh_token --scope=read --scope=write
+bin/console trikoder:oauth2:list-clients
+```
+
+#### Client credentials grant
+
+```shell
+curl -X POST \
+  http://127.0.0.1:8000/token \
+  -H 'cache-control: no-cache' \
+  -H 'content-type: application/x-www-form-urlencoded' \
+  -d 'grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=read'
+```
+
+#### Resource owner password credentials grant
+
+```shell
+curl -X POST \
+  http://127.0.0.1:8000/token \
+  -H 'cache-control: no-cache' \
+  -H 'content-type: application/x-www-form-urlencoded' \
+  -d 'grant_type=password&client_id={client_id}&client_secret={client_secret}&scope=read&username=admin&password=password'
+```
+
+#### Implicit grant
+
+```uri
+http://127.0.0.1:8000/admin/authorize?response_type=token&client_id={client_id}&client_secret={client_secret}&scope=read&state={csrf_token}
+```
+
+#### Authorization code grant
+
+```uri
+http://127.0.0.1:8000/admin/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope=read&state={csrf_token}
+```
+
+```shell
+curl -X POST \
+  http://127.0.0.1:8000/token \
+  -H 'cache-control: no-cache' \
+  -H 'content-type: application/x-www-form-urlencoded' \
+  -d 'grant_type=authorization_code&client_id={client_id}&client_secret={client_secret}&redirect_uri={redirect_uri}&code={code}'
+```
+
+#### Refresh token grant
+
+```shell
+curl -X POST \
+  http://127.0.0.1:8000/token \
+  -H 'cache-control: no-cache' \
+  -H 'content-type: application/x-www-form-urlencoded' \
+  -d 'grant_type=refresh_token&client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}'
+```
+
 ### 動作確認環境
 
 * Apache/2.4.x (mod_rewrite / mod_ssl 必須)

app/config/eccube/bundles.php

@@ -1,16 +1,5 @@
 <?php
 
-/*
- * This file is part of EC-CUBE
- *
- * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
- *
- * http://www.ec-cube.co.jp/
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
 return [
     Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
     Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
@@ -29,4 +18,5 @@
     Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true],
     SunCat\MobileDetectBundle\MobileDetectBundle::class => ['all' => true],
     Knp\Bundle\PaginatorBundle\KnpPaginatorBundle::class => ['all' => true],
+    Trikoder\Bundle\OAuth2Bundle\TrikoderOAuth2Bundle::class => ['all' => true],
 ];

app/config/eccube/packages/nyholm_psr7.yaml

@@ -0,0 +1,21 @@
+services:
+    # Register nyholm/psr7 services for autowiring with PSR-17 (HTTP factories)
+    Psr\Http\Message\RequestFactoryInterface: '@nyholm.psr7.psr17_factory'
+    Psr\Http\Message\ResponseFactoryInterface: '@nyholm.psr7.psr17_factory'
+    Psr\Http\Message\ServerRequestFactoryInterface: '@nyholm.psr7.psr17_factory'
+    Psr\Http\Message\StreamFactoryInterface: '@nyholm.psr7.psr17_factory'
+    Psr\Http\Message\UploadedFileFactoryInterface: '@nyholm.psr7.psr17_factory'
+    Psr\Http\Message\UriFactoryInterface: '@nyholm.psr7.psr17_factory'
+
+    # Register nyholm/psr7 services for autowiring with HTTPlug factories
+    Http\Message\MessageFactory: '@nyholm.psr7.httplug_factory'
+    Http\Message\RequestFactory: '@nyholm.psr7.httplug_factory'
+    Http\Message\ResponseFactory: '@nyholm.psr7.httplug_factory'
+    Http\Message\StreamFactory: '@nyholm.psr7.httplug_factory'
+    Http\Message\UriFactory: '@nyholm.psr7.httplug_factory'
+
+    nyholm.psr7.psr17_factory:
+        class: Nyholm\Psr7\Factory\Psr17Factory
+
+    nyholm.psr7.httplug_factory:
+        class: Nyholm\Psr7\Factory\HttplugFactory

app/config/eccube/packages/security.yaml

@@ -20,8 +20,13 @@ security:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
+        api:
+            pattern: ^/api
+            security: true
+            stateless: true
+            oauth2: true
         admin:
-            pattern: '^/%eccube_admin_route%/'
+            pattern: '^(/%eccube_admin_route%/|/authorize)'
             anonymous: true
             provider: member_provider
             form_login:

app/config/eccube/packages/trikoder_oauth2.yaml

@@ -0,0 +1,15 @@
+trikoder_oauth2:
+
+    authorization_server:
+        private_key: '%kernel.project_dir%/var/oauth/private.key'
+        private_key_passphrase: null
+
+        encryption_key: '%env(string:OAUTH2_ENCRYPTION_KEY)%'
+
+    resource_server:
+        public_key: '%kernel.project_dir%/var/oauth/public.key'
+
+    scopes: ['read', 'write']
+
+    persistence:
+        doctrine: null

app/config/eccube/routes/trikoder_oauth2.yaml

@@ -0,0 +1,2 @@
+oauth2:
+    resource: '@TrikoderOAuth2Bundle/Resources/config/routes.xml'

app/config/eccube/services.yaml

@@ -171,3 +171,10 @@ services:
         # Symfony\Bridge\Twig\Extension\RoutingExtensionの後に登録するため,
         # autoconfigureはfalseにし, CompilerPassで追加する.
         autoconfigure: false
+
+    Eccube\EventListener\UserResolveListener:
+        arguments:
+            - '@Eccube\Security\Core\User\MemberProvider'
+            - '@Eccube\Security\Core\Encoder\UserPasswordEncoder'
+        tags:
+            - { name: kernel.event_listener, event: trikoder.oauth2.user_resolve, method: onUserResolve }

appveyor.yml

@@ -67,6 +67,11 @@ before_test:
   - php bin\console doctrine:database:create
   - php bin\console doctrine:schema:create
   - php bin\console eccube:fixtures:load
+  - mkdir var\oauth
+  - openssl genrsa -out private.key 2048
+  - openssl rsa -in private.key -pubout -out public.key
+  - move private.key var\oauth
+  - move public.key var\oauth
 
 test_script:
   - php bin\phpunit --exclude-group cache-clear

composer.json

@@ -12,7 +12,7 @@
     },
     "minimum-stability": "stable",
     "require": {
-        "php": "^7.1.3",
+        "php": "^7.2.0",
         "ext-intl": "*",
         "ext-mbstring": "*",
         "composer/ca-bundle": "^1.1",
@@ -40,6 +40,7 @@
         "mobiledetect/mobiledetectlib": "^2.8",
         "monolog/monolog": "^1.23",
         "nesbot/carbon": "^1.22",
+        "nyholm/psr7": "^1.2",
         "pimple/pimple": "^1.1",
         "psr/cache": "^1.0",
         "psr/container": "^1.0",
@@ -101,9 +102,11 @@
         "symfony/workflow": "^3.4",
         "symfony/yaml": "^3.4",
         "tecnickcom/tcpdf": "^6.2",
+        "trikoder/oauth2-bundle": "^2.1",
         "twig/extensions": "^1.5",
         "twig/twig": "^2.4",
-        "vlucas/phpdotenv": "v2.4.0"
+        "vlucas/phpdotenv": "v2.4.0",
+        "webonyx/graphql-php": "^0.13.8"
     },
     "require-dev": {
         "bheller/images-generator": "^1.0",
@@ -181,7 +184,7 @@
     },
     "config": {
         "platform": {
-            "php": "7.1.3"
+            "php": "7.2.0"
         },
         "preferred-install": {
             "*": "dist"