From 8277afbccf9ffc44764692852b071bc58d995a09 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 3 Aug 2024 16:36:12 +0100 Subject: [PATCH 1/4] Issue invalid grant if auth code is not correct. Invalid request if decryption issue --- src/CryptTrait.php | 14 ++++++++++++++ src/Grant/AuthCodeGrant.php | 7 +++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/CryptTrait.php b/src/CryptTrait.php index 8b1946fc4..6a440829b 100644 --- a/src/CryptTrait.php +++ b/src/CryptTrait.php @@ -16,7 +16,10 @@ use Defuse\Crypto\Crypto; use Defuse\Crypto\Key; +use Defuse\Crypto\Exception\EnvironmentIsBrokenException; +use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException; use Exception; +use InvalidArgumentException; use LogicException; use function is_string; @@ -64,6 +67,17 @@ protected function decrypt(string $encryptedData): string } throw new LogicException('Encryption key not set when attempting to decrypt'); + } catch (WrongKeyOrModifiedCiphertextException $e) { + $exceptionMessage = 'The authcode or decryption key/password used ' + . 'is not correct'; + + throw new InvalidArgumentException($exceptionMessage, 0, $e); + } catch (EnvironmentIsBrokenException $e) { + $exceptionMessage = 'Auth code decryption failed. This is likely ' + . 'due to an environment issue or runtime bug in the ' + . 'decryption library'; + + throw new LogicException($exceptionMessage, 0, $e); } catch (Exception $e) { throw new LogicException($e->getMessage(), 0, $e); } diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php index 8a24a8e95..6a9821234 100644 --- a/src/Grant/AuthCodeGrant.php +++ b/src/Grant/AuthCodeGrant.php @@ -15,6 +15,7 @@ use DateInterval; use DateTimeImmutable; use Exception; +use InvalidArgumentException; use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface; use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier; use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier; @@ -123,8 +124,10 @@ public function respondToAccessTokenRequest( $authCodePayload->user_id, $authCodePayload->auth_code_id ); + } catch (InvalidArgumentException $e) { + throw OAuthServerException::invalidGrant('Cannot validate the provided authorization code'); } catch (LogicException $e) { - throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e); + throw OAuthServerException::invalidRequest('code', 'Issue decrypting the authorization code', $e); } $codeVerifier = $this->getRequestParameter('code_verifier', $request); @@ -206,7 +209,7 @@ private function validateAuthorizationCode( } if (time() > $authCodePayload->expire_time) { - throw OAuthServerException::invalidRequest('code', 'Authorization code has expired'); + throw OAuthServerException::invalidGrant('Authorization code has expired'); } if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) { From 16d654de6c02e6aa5d6984273d99f5696325f045 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 3 Aug 2024 17:11:55 +0100 Subject: [PATCH 2/4] Update tests --- src/CryptTrait.php | 2 +- tests/Grant/AuthCodeGrantTest.php | 62 +++++++++++++++++++++++++++++-- 2 files changed, 60 insertions(+), 4 deletions(-) diff --git a/src/CryptTrait.php b/src/CryptTrait.php index 6a440829b..ee481b55c 100644 --- a/src/CryptTrait.php +++ b/src/CryptTrait.php @@ -15,9 +15,9 @@ namespace League\OAuth2\Server; use Defuse\Crypto\Crypto; -use Defuse\Crypto\Key; use Defuse\Crypto\Exception\EnvironmentIsBrokenException; use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException; +use Defuse\Crypto\Key; use Exception; use InvalidArgumentException; use LogicException; diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php index 6a6842661..2bcd756e3 100644 --- a/tests/Grant/AuthCodeGrantTest.php +++ b/tests/Grant/AuthCodeGrantTest.php @@ -1450,7 +1450,7 @@ public function testRespondToAccessTokenRequestClientMismatch(): void } } - public function testRespondToAccessTokenRequestBadCodeEncryption(): void + public function testRespondToAccessTokenRequestBadCode(): void { $client = new ClientEntity(); @@ -1492,7 +1492,7 @@ public function testRespondToAccessTokenRequestBadCodeEncryption(): void 'grant_type' => 'authorization_code', 'client_id' => 'foo', 'redirect_uri' => self::REDIRECT_URI, - 'code' => 'sdfsfsd', + 'code' => 'badCode', ] ); @@ -1500,10 +1500,66 @@ public function testRespondToAccessTokenRequestBadCodeEncryption(): void /* @var StubResponseType $response */ $grant->respondToAccessTokenRequest($request, new StubResponseType(), new DateInterval('PT10M')); } catch (OAuthServerException $e) { - self::assertEquals($e->getHint(), 'Cannot decrypt the authorization code'); + self::assertEquals($e->getErrorType(), 'invalid_grant'); + self::assertEquals($e->getHint(), 'Cannot validate the provided authorization code'); } } +public function testRespondToAccessTokenRequestNoEncryptionKey(): void +{ + $client = new ClientEntity(); + + $client->setIdentifier('foo'); + $client->setRedirectUri(self::REDIRECT_URI); + $client->setConfidential(); + + $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); + + $clientRepositoryMock->method('getClientEntity')->willReturn($client); + $clientRepositoryMock->method('validateClient')->willReturn(true); + + $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(); + $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf(); + + $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(); + $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf(); + + $grant = new AuthCodeGrant( + $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(), + $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(), + new DateInterval('PT10M') + ); + $grant->setClientRepository($clientRepositoryMock); + $grant->setAccessTokenRepository($accessTokenRepositoryMock); + $grant->setRefreshTokenRepository($refreshTokenRepositoryMock); + // We deliberately don't set an encryption key here + + $request = new ServerRequest( + [], + [], + null, + 'POST', + 'php://input', + [], + [], + [], + [ + 'grant_type' => 'authorization_code', + 'client_id' => 'foo', + 'redirect_uri' => self::REDIRECT_URI, + 'code' => 'badCode', + ] + ); + + try { + /* @var StubResponseType $response */ + $grant->respondToAccessTokenRequest($request, new StubResponseType(), new DateInterval('PT10M')); + } catch (OAuthServerException $e) { + self::assertEquals($e->getErrorType(), 'invalid_request'); + self::assertEquals($e->getHint(), 'Issue decrypting the authorization code'); + } +} + public function testRespondToAccessTokenRequestBadCodeVerifierPlain(): void { $client = new ClientEntity(); From 46a504fe4ae711c40ef9637938b58f2650f82d11 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 3 Aug 2024 17:16:54 +0100 Subject: [PATCH 3/4] Fix coding standard issues --- tests/Grant/AuthCodeGrantTest.php | 96 +++++++++++++++---------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php index 2bcd756e3..e041b45a6 100644 --- a/tests/Grant/AuthCodeGrantTest.php +++ b/tests/Grant/AuthCodeGrantTest.php @@ -1505,60 +1505,60 @@ public function testRespondToAccessTokenRequestBadCode(): void } } -public function testRespondToAccessTokenRequestNoEncryptionKey(): void -{ - $client = new ClientEntity(); - - $client->setIdentifier('foo'); - $client->setRedirectUri(self::REDIRECT_URI); - $client->setConfidential(); - - $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); - - $clientRepositoryMock->method('getClientEntity')->willReturn($client); - $clientRepositoryMock->method('validateClient')->willReturn(true); - - $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(); - $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf(); - - $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(); - $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf(); - - $grant = new AuthCodeGrant( - $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(), - $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(), - new DateInterval('PT10M') - ); - $grant->setClientRepository($clientRepositoryMock); - $grant->setAccessTokenRepository($accessTokenRepositoryMock); - $grant->setRefreshTokenRepository($refreshTokenRepositoryMock); - // We deliberately don't set an encryption key here - - $request = new ServerRequest( - [], - [], - null, - 'POST', - 'php://input', - [], - [], - [], - [ + public function testRespondToAccessTokenRequestNoEncryptionKey(): void + { + $client = new ClientEntity(); + + $client->setIdentifier('foo'); + $client->setRedirectUri(self::REDIRECT_URI); + $client->setConfidential(); + + $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); + + $clientRepositoryMock->method('getClientEntity')->willReturn($client); + $clientRepositoryMock->method('validateClient')->willReturn(true); + + $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(); + $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf(); + + $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(); + $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf(); + + $grant = new AuthCodeGrant( + $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(), + $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(), + new DateInterval('PT10M') + ); + $grant->setClientRepository($clientRepositoryMock); + $grant->setAccessTokenRepository($accessTokenRepositoryMock); + $grant->setRefreshTokenRepository($refreshTokenRepositoryMock); + // We deliberately don't set an encryption key here + + $request = new ServerRequest( + [], + [], + null, + 'POST', + 'php://input', + [], + [], + [], + [ 'grant_type' => 'authorization_code', 'client_id' => 'foo', 'redirect_uri' => self::REDIRECT_URI, 'code' => 'badCode', - ] - ); + ] + ); - try { - /* @var StubResponseType $response */ - $grant->respondToAccessTokenRequest($request, new StubResponseType(), new DateInterval('PT10M')); - } catch (OAuthServerException $e) { - self::assertEquals($e->getErrorType(), 'invalid_request'); - self::assertEquals($e->getHint(), 'Issue decrypting the authorization code'); + try { + /* @var StubResponseType $response */ + $grant->respondToAccessTokenRequest($request, new StubResponseType(), new DateInterval('PT10M')); + } catch (OAuthServerException $e) { + self::assertEquals($e->getErrorType(), 'invalid_request'); + self::assertEquals($e->getHint(), 'Issue decrypting the authorization code'); + } } -} public function testRespondToAccessTokenRequestBadCodeVerifierPlain(): void { From 5e69f11ee9d531d62ebee32fc9e6686aa22f0bf1 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Sat, 3 Aug 2024 17:20:10 +0100 Subject: [PATCH 4/4] Update changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f0b78058..a8e99966b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [Unreleased] +### Fixed +- In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433) + ## [9.0.0] - released 2024-05-13 ### Added - Device Authorization Grant added (PR #1074)