revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-02-01 01:18:22 +01:00
Code Issues Releases Wiki Activity

OAuthServer - default "whoami" scope and refine scope-asking workflow

Browse source 
Summary: Ref T7153. The "whoami" scope should be default and always on, because otherwise we can't do anything at all. Also, if a client doesn't want a certain scope, don't bother asking the user for it. To get there, had to add "scope" to the definition of a client.

Test Plan: applied the patch to a phabricator "client" and a phabricator "server" as far as oauth shenanigans go. Then I tried to login / register with oauth. If the "client" was configured to ask for "always on" access I got that in the dialogue, and otherwise no additional scope questions were present. Verified scope was properly granted in either case.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7153

Differential Revision: https://secure.phabricator.com/D11705
This commit is contained in:
Bob Trahan 2015-02-06 15:32:55 -08:00
parent 28b23fd789
commit eee8d194eb
2 changed files with 41 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
src/applications/oauthserver/PhabricatorOAuthServerScope.php
View file

@ -18,22 +18,42 @@ final class PhabricatorOAuthServerScope {
); );
} }
static public function getCheckboxControl($current_scopes) { static public function getDefaultScope() {
return self::SCOPE_WHOAMI;
}
static public function getCheckboxControl(
array $current_scopes) {
$have_options = false;
$scopes = self::getScopesDict(); $scopes = self::getScopesDict();
$scope_keys = array_keys($scopes); $scope_keys = array_keys($scopes);
sort($scope_keys); sort($scope_keys);
$default_scope = self::getDefaultScope();
$checkboxes = new AphrontFormCheckboxControl(); $checkboxes = new AphrontFormCheckboxControl();
foreach ($scope_keys as $scope) { foreach ($scope_keys as $scope) {
if ($scope == $default_scope) {
continue;
}
if (!isset($current_scopes[$scope])) {
continue;
}
$checkboxes->addCheckbox( $checkboxes->addCheckbox(
$name = $scope, $name = $scope,
$value = 1, $value = 1,
$label = self::getCheckboxLabel($scope), $label = self::getCheckboxLabel($scope),
$checked = isset($current_scopes[$scope])); $checked = isset($current_scopes[$scope]));
$have_options = true;
} }
$checkboxes->setLabel('Scope');
return $checkboxes; if ($have_options) {
$checkboxes->setLabel(pht('Scope'));
return $checkboxes;
}
return null;
} }
static private function getCheckboxLabel($scope) { static private function getCheckboxLabel($scope) {
@ -58,6 +78,7 @@ final class PhabricatorOAuthServerScope {
$requested_scopes[$scope] = 1; $requested_scopes[$scope] = 1;
} }
} }
$requested_scopes[self::getDefaultScope()] = 1;
return $requested_scopes; return $requested_scopes;
} }

37
src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
View file

@ -13,7 +13,7 @@ final class PhabricatorOAuthServerAuthController
$server = new PhabricatorOAuthServer(); $server = new PhabricatorOAuthServer();
$client_phid = $request->getStr('client_id'); $client_phid = $request->getStr('client_id');
$scope = $request->getStr('scope', array()); $scope = $request->getStr('scope');
$redirect_uri = $request->getStr('redirect_uri'); $redirect_uri = $request->getStr('redirect_uri');
$response_type = $request->getStr('response_type'); $response_type = $request->getStr('response_type');
@ -119,6 +119,13 @@ final class PhabricatorOAuthServerAuthController
phutil_tag('strong', array(), 'scope'))); phutil_tag('strong', array(), 'scope')));
} }
$scope = PhabricatorOAuthServerScope::scopesListToDict($scope); $scope = PhabricatorOAuthServerScope::scopesListToDict($scope);
} else {
return $this->buildErrorResponse(
'invalid_request',
pht('Malformed Request'),
pht(
'Required parameter %s was not present in the request.',
phutil_tag('strong', array(), 'scope')));
} }
// NOTE: We're always requiring a confirmation dialog to redirect. // NOTE: We're always requiring a confirmation dialog to redirect.
@ -130,7 +137,6 @@ final class PhabricatorOAuthServerAuthController
list($is_authorized, $authorization) = $auth_info; list($is_authorized, $authorization) = $auth_info;
if ($request->isFormPost()) { if ($request->isFormPost()) {
// TODO: We should probably validate this more? It feels a little funky.
$scope = PhabricatorOAuthServerScope::getScopesFromRequest($request); $scope = PhabricatorOAuthServerScope::getScopesFromRequest($request);
if ($authorization) { if ($authorization) {
@ -194,25 +200,16 @@ final class PhabricatorOAuthServerAuthController
} }
// Here, we're confirming authorization for the application. // Here, we're confirming authorization for the application.
if ($authorization) {
if ($scope) { $desired_scopes = array_merge($scope, $authorization->getScope());
if ($authorization) {
$desired_scopes = array_merge($scope,
$authorization->getScope());
} else {
$desired_scopes = $scope;
}
if (!PhabricatorOAuthServerScope::validateScopesDict($desired_scopes)) {
return $this->buildErrorResponse(
'invalid_scope',
pht('Invalid Scope'),
pht('The requested scope is invalid, unknown, or malformed.'));
}
} else { } else {
$desired_scopes = array( $desired_scopes = $scope;
PhabricatorOAuthServerScope::SCOPE_WHOAMI => 1, }
PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS => 1, if (!PhabricatorOAuthServerScope::validateScopesDict($desired_scopes)) {
); return $this->buildErrorResponse(
'invalid_scope',
pht('Invalid Scope'),
pht('The requested scope is invalid, unknown, or malformed.'));
} }
$form = id(new AphrontFormView()) $form = id(new AphrontFormView())