diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index e5c9be702..a8151d98d 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -31,6 +31,6 @@ jobs:
 - name: Install Dependencies
 run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
-
+
 - name: Run Codesniffer
 run: vendor/bin/phpcs
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 063e3f875..eeef57c5c 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -34,4 +34,4 @@ jobs:
 - name: Run Static Analysis
 run: vendor/bin/phpstan analyse
-
+
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 0d76a2fa1..c40fe60f2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
- with:
+ with:
 fetch-depth: 0
 - name: Setup PHP
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6307e0024..cb06d25f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,14 +12,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 - In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
-- Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
+- Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
 - Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)
 ## [9.0.1] - released 2024-10-14
 ### Fixed
 - Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
 - Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
-- Fixed bug where "state" parameter wasn't present on `invalid_scope` error response and wasn't on fragment part of `access_denied` redirect URI on Implicit grant (PR #1298)
+- Fixed bug where "state" parameter wasn't present on `invalid_scope` error response and wasn't on fragment part of `access_denied` redirect URI on Implicit grant (PR #1298)
 - Fixed bug where disabling refresh token revocation via `revokeRefreshTokens(false)` unintentionally disables issuing new refresh token (PR #1449)
 ## [9.0.0] - released 2024-05-13
@@ -71,13 +71,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [8.5.3] - released 2023-07-06
 ### Security
-- If a key string is provided to the CryptKey constructor with an invalid
-passphrase, the LogicException message generated will expose the given key.
+- If a key string is provided to the CryptKey constructor with an invalid
+passphrase, the LogicException message generated will expose the given key.
 The key is no longer leaked via this exception (PR #1353)
 ## [8.5.2] - released 2023-06-16
 ### Changed
-- Bumped the versions for laminas/diactoros and psr/http-message to support
+- Bumped the versions for laminas/diactoros and psr/http-message to support
 PSR-7 v2.0 (PR #1339)
 ## [8.5.1] - released 2023-04-04
@@ -169,13 +169,13 @@ a PKCE downgrade attack (PR #1326)
 - Removed support for PHP 7.2 (PR #1146)
 ### Fixed
-- Fix typo in parameter hint. `code_challenged` changed to `code_challenge`. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
+- Fix typo in parameter hint. `code_challenged` changed to `code_challenge`. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
 - Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)
 ## [8.1.1] - released 2020-07-01
 ### Fixed
-- If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
+- If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
 redirect_uri instead of the default client redirect uri (PR #1126)
 ## [8.1.0] - released 2020-04-29
@@ -195,9 +195,9 @@ redirect_uri instead of the default client redirect uri (PR #1126)
 ### Fixed
 - Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform with the OAuth2 spec (PR #1035)
-- Abstract method `getIdentifier()` added to AccessTokenTrait. The trait cannot be used without the `getIdentifier()`
+- Abstract method `getIdentifier()` added to AccessTokenTrait. The trait cannot be used without the `getIdentifier()`
 method being defined (PR #1051)
-- An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
+- An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
 Auth Code Grant (PR #1057)
 - Can now send access token request without being forced to specify a redirect URI (PR #1096)
 - In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)
@@ -251,7 +251,7 @@ Auth Code Grant (PR #1057)
 ## [7.3.0] - released 2018-11-13
 ### Changed
-- Moved the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
+- Moved the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
 ### Added
 - Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
@@ -353,7 +353,7 @@ To address feedback from the security release the following change has been made
 ## [5.1.4] - 2017-07-01
 - Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
- - It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
+- It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
 - TravisCI now tests PHP 7.1 (Issue #671)
 - Fix middleware example fatal error (Issue #682)
 - Fix typo in the first README sentence (Issue #690)
diff --git a/README.md b/README.md
index 454ddde93..5ed6a76ac 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Out of the box it supports the following grants:
 The following RFCs are implemented:
 * [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
-* [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
+* [RFC6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
 * [RFC8628 "OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
diff --git a/examples/README.md b/examples/README.md
index 8213e61c0..69df9cef6 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -63,12 +63,12 @@ curl -X "POST" "http://localhost:4444/device_code.php/device_authorization" \
 --data-urlencode "client_id=myawesomeapp" \
 --data-urlencode "client_secret=abc123" \
 --data-urlencode "scope=basic email"
-```
+```
 We have set up the example so that a user ID is already associated with the device code. In a production application you would implement an authorization view to allow a user to authorize the device.
-Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the
+Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the
 device code returned from your first cURL post:
 ```
@@ -79,4 +79,4 @@ curl -X "POST" "http://localhost:4444/device_code.php/access_token" \
 --data-urlencode "device_code={{DEVICE_CODE}}" \
 --data-urlencode "client_id=myawesomeapp" \
 --data-urlencode "client_secret=abc123" \
-```
\ No newline at end of file
+```
diff --git a/examples/public/auth_code.php b/examples/public/auth_code.php
index 7fc528cc7..6864d77a4 100644
--- a/examples/public/auth_code.php
+++ b/examples/public/auth_code.php
@@ -27,7 +27,7 @@ use Slim\App;
 $app = new App([
- 'settings' => [
+ 'settings' => [
 'displayErrorDetails' => true,
 ],
 AuthorizationServer::class => function () {
diff --git a/examples/public/client_credentials.php b/examples/public/client_credentials.php
index 080b06e07..2d23a3292 100644
--- a/examples/public/client_credentials.php
+++ b/examples/public/client_credentials.php
@@ -24,7 +24,7 @@ use Slim\App;
 $app = new App([
- 'settings' => [
+ 'settings' => [
 'displayErrorDetails' => true,
 ],
 AuthorizationServer::class => function () {
diff --git a/examples/public/implicit.php b/examples/public/implicit.php
index 9a968d4be..4b74d4287 100644
--- a/examples/public/implicit.php
+++ b/examples/public/implicit.php
@@ -25,7 +25,7 @@ use Slim\App;
 $app = new App([
- 'settings' => [
+ 'settings' => [
 'displayErrorDetails' => true,
 ],
 AuthorizationServer::class => function () {
diff --git a/examples/public/middleware_use.php b/examples/public/middleware_use.php
index 49bb5b5bb..23441d9df 100644
--- a/examples/public/middleware_use.php
+++ b/examples/public/middleware_use.php
@@ -29,7 +29,7 @@ use Slim\App;
 $app = new App([
- 'settings' => [
+ 'settings' => [
 'displayErrorDetails' => true,
 ],
 AuthorizationServer::class => function () {
diff --git a/examples/public/refresh_token.php b/examples/public/refresh_token.php
index f287ae54f..102b0a4e2 100644
--- a/examples/public/refresh_token.php
+++ b/examples/public/refresh_token.php
@@ -24,7 +24,7 @@ use Slim\App;
 $app = new App([
- 'settings' => [
+ 'settings' => [
 'displayErrorDetails' => true,
 ],
 AuthorizationServer::class => function () {
diff --git a/src/ResponseTypes/DeviceCodeResponse.php b/src/ResponseTypes/DeviceCodeResponse.php
index 91a8df69a..bce576868 100644
--- a/src/ResponseTypes/DeviceCodeResponse.php
+++ b/src/ResponseTypes/DeviceCodeResponse.php
@@ -35,10 +35,10 @@ public function generateHttpResponse(ResponseInterface $response): ResponseInter
 $expireDateTime = $this->deviceCodeEntity->getExpiryDateTime()->getTimestamp();
 $responseParams = [
- 'device_code' => $this->deviceCodeEntity->getIdentifier(),
- 'user_code' => $this->deviceCodeEntity->getUserCode(),
+ 'device_code' => $this->deviceCodeEntity->getIdentifier(),
+ 'user_code' => $this->deviceCodeEntity->getUserCode(),
 'verification_uri' => $this->deviceCodeEntity->getVerificationUri(),
- 'expires_in' => $expireDateTime - time(),
+ 'expires_in' => $expireDateTime - time(),
 ];
 if ($this->includeVerificationUriComplete === true) {