Handle state in OAuth2 client

author: Frederic Guillot <fred@kanboard.net> 2016-03-27 12:23:18 -0400
committer: Frederic Guillot <fred@kanboard.net> 2016-03-27 12:23:18 -0400
commit: c7cceade96d2698d2684add1970c03c8b4f32dfc (patch)
tree: 70bb6e07f42880112502f1218fdb6f05cf4b3da4 /app/Core/Http
parent: 44946ee68473c3fe05b9ece24dace4d6150d7974 (diff)
1 files changed, 37 insertions, 8 deletions
diff --git a/app/Core/Http/OAuth2.php b/app/Core/Http/OAuth2.php
index 6fa1fb0a..211ca5b4 100644
--- a/app/Core/Http/OAuth2.php
+++ b/app/Core/Http/OAuth2.php
@@ -12,14 +12,14 @@ use Kanboard\Core\Base;
  */
 class OAuth2 extends Base
 {
-    private $clientId;
-    private $secret;
-    private $callbackUrl;
-    private $authUrl;
-    private $tokenUrl;
-    private $scopes;
-    private $tokenType;
-    private $accessToken;
+    protected $clientId;
+    protected $secret;
+    protected $callbackUrl;
+    protected $authUrl;
+    protected $tokenUrl;
+    protected $scopes;
+    protected $tokenType;
+    protected $accessToken;
 
     /**
      * Create OAuth2 service
@@ -46,6 +46,33 @@ class OAuth2 extends Base
     }
 
     /**
+     * Generate OAuth2 state and return the token value
+     *
+     * @access public
+     * @return string
+     */
+    public function getState()
+    {
+        if (! isset($this->sessionStorage->oauthState) || empty($this->sessionStorage->oauthState)) {
+            $this->sessionStorage->oauthState = $this->token->getToken();
+        }
+
+        return $this->sessionStorage->oauthState;
+    }
+
+    /**
+     * Check the validity of the state (CSRF token)
+     *
+     * @access public
+     * @param  string $state
+     * @return bool
+     */
+    public function isValidateState($state)
+    {
+        return $state === $this->getState();
+    }
+
+    /**
      * Get authorization url
      *
      * @access public
@@ -58,6 +85,7 @@ class OAuth2 extends Base
             'client_id' => $this->clientId,
             'redirect_uri' => $this->callbackUrl,
             'scope' => implode(' ', $this->scopes),
+            'state' => $this->getState(),
         );
 
         return $this->authUrl.'?'.http_build_query($params);
@@ -94,6 +122,7 @@ class OAuth2 extends Base
                 'client_secret' => $this->secret,
                 'redirect_uri' => $this->callbackUrl,
                 'grant_type' => 'authorization_code',
+                'state' => $this->getState(),
             );
 
             $response = json_decode($this->httpClient->postForm($this->tokenUrl, $params, array('Accept: application/json')), true);
author	Frederic Guillot <fred@kanboard.net>	2016-03-27 12:23:18 -0400
committer	Frederic Guillot <fred@kanboard.net>	2016-03-27 12:23:18 -0400
commit	c7cceade96d2698d2684add1970c03c8b4f32dfc (patch)
tree	70bb6e07f42880112502f1218fdb6f05cf4b3da4 /app/Core/Http
parent	44946ee68473c3fe05b9ece24dace4d6150d7974 (diff)