Improved Missing Scope error

if scope was missing on oauth2 request, not a very descriptive error was given. Change-Id: I2573c77bcfec8dd340ae60e15db8c2558c3af851
2017-09-27 12:36:29 -03:00 · 2017-09-27 12:36:29 -03:00 · d83b763c2c
parent c2a3148da4
commit d83b763c2c
4 changed files with 42 additions and 2 deletions
--- a/app/Models/OAuth2/Client.php
+++ b/app/Models/OAuth2/Client.php
@ -235,8 +235,13 @@ class Client extends BaseModelEloquent implements IClient
        return explode(',',$this->redirect_uris);
    }

+    /**
+     * @param string $scope
+     * @return bool
+     */
    public function isScopeAllowed($scope)
    {
+        if(empty($scope)) return false;
        $res            = true;
        $desired_scopes = explode(" ",$scope);
        foreach($desired_scopes as $desired_scope){
--- a/app/libs/OAuth2/Exceptions/ScopeNotAllowedException.php
+++ b/app/libs/OAuth2/Exceptions/ScopeNotAllowedException.php
@ -18,6 +18,14 @@ use OAuth2\OAuth2Protocol;
 */
 final class ScopeNotAllowedException extends OAuth2BaseException
 {
+    /**
+     * @param string $scope
+     */
+    public function __construct($scope = null)
+    {
+        $description = empty($scope) ? "missing scope param" : sprintf("scope not allowed %s", $scope);
+        parent::__construct($description);
+    }

    /**
     * @return string
--- a/app/libs/OAuth2/GrantTypes/InteractiveGrantType.php
+++ b/app/libs/OAuth2/GrantTypes/InteractiveGrantType.php
@ -210,8 +210,8 @@ abstract class InteractiveGrantType extends AbstractGrantType
            //check requested scope
            $scope = $request->getScope();
            $this->log_service->debug_msg(sprintf("scope %s", $scope));
-            if (!$client->isScopeAllowed($scope)) {
-                throw new ScopeNotAllowedException(sprintf("scope %s", $scope));
+            if (empty($scope) || !$client->isScopeAllowed($scope)) {
+                throw new ScopeNotAllowedException($scope);
            }

            $authentication_response = $this->auth_service->getUserAuthenticationResponse();
--- a/tests/OAuth2ProtocolTest.php
+++ b/tests/OAuth2ProtocolTest.php
@ -1170,4 +1170,31 @@ class OAuth2ProtocolTest extends OpenStackIDBaseTest
        }

    }
+
+    public function testMissingScope()
+    {
+
+        $client_id = 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client';
+
+        $params = array(
+            'client_id' => $client_id,
+            'redirect_uri' => 'https://www.test.com/oauth2',
+            'response_type' => 'code',
+        );
+
+        $response = $this->action("POST", "OAuth2\OAuth2ProviderController@auth",
+            $params,
+            array(),
+            array(),
+            array());
+
+        $this->assertResponseStatus(302);
+
+        $url = $response->getTargetUrl();
+
+        $comps = @parse_url($url);
+
+        $this->assertTrue(isset($comps["query"]));
+        $this->assertTrue($comps["query"] == "error=invalid_scope&error_description=missing+scope+param");
+    }
 }