chadicus / slim-oauth2-routes Goto Github PK

Travis-CI now allows PHP 7.2 builds. It should be added to the .travis-ci.yml file.

Requires the user to authenticate and redirects back to the client with an authorization code (Authorization Code grant type) or access token (Implicit grant type).

Hi!

I have used your package in my project and it has worked. However, due to a server disk failure, I transferred my project to localhost and reconfigured it to a local database storage. When I accessed /authorize, the invoke seems to not work. I've put var_dumps at the functions, but it seems the var_dump inside the __invoke magic function did not execute, thus the authorization form did not appear.

What seems to be the problem?

Earl

satooshi/php-coveralls has become php-coveralls/php-coveralls. The dev dependencies should be updated accordingly.

Expected behavior

Actual behavior

Steps to reproduce the behavior

Expected behavior

When a user authorizes a client, the user_id should be saved with the authorization code if the user_id argument is set.

Actual behavior

The authorization code is created but without any user_id (the column user_id in table oauth_authorization_codes remains NULL)

Steps to reproduce the behavior

Invoke the Authorize route, with or without a user_id argument.

Suggested fix

The Authorize route calls handleAuthorizeRequest() on the OAuth2 server, but doesn't pass the user_id argument (which then defaults to null). Therefore the OAuth2 server won't link the authorization code to the user_id.

I suggest adding the user_id at line 84 of Authorize.php:

$user_id = isset($arguments['user_id']) ? $arguments['user_id'] : null;
$this->server->handleAuthorizeRequest($oauth2Request, $oauth2Response, $authorized === 'yes', $user_id);

Context

In my application I use Slim middleware to validate the user credentials and then set the user_id argument:

$loginMiddelware = function ($request, $response, $next) 
{
  $email = $request->getParam('email');
  $password = $request->getParam('password');

  // Validate the user credentials
  $user_id = getUserIdIfValidCredentials($email, $password);
  if ($user_id === FALSE || !is_numeric($user_id)) {
    return $response->withStatus(303)->withHeader('Location', URL_AUTHORIZE_INVALID_CREDENTIALS);
  }

  // Set the user_id argument so that Routes\Authorize can give it to handleAuthorizeRequest
  $route = $request->getAttribute('route');
  $route->setArgument('user_id', $user_id);

  // Credentials are valid, continue so the authorization code can be sent to the clients callback_uri
  $response = $next($request, $response);
  return $response;
};