Require a logged in user to resolve an authoration request

ajgarlag · ajgarlag · commit 0375d4fb0abb · 2024-08-16T12:09:26.000+02:00
diff --git a/src/Event/AuthorizationRequestResolveEvent.php b/src/Event/AuthorizationRequestResolveEvent.php
@@ -42,18 +42,19 @@ final class AuthorizationRequestResolveEvent extends Event
     private $response;
 
     /**
-     * @var UserInterface|null
+     * @var UserInterface
      */
     private $user;
 
     /**
      * @param Scope[] $scopes
      */
-    public function __construct(AuthorizationRequestInterface $authorizationRequest, array $scopes, ClientInterface $client)
+    public function __construct(AuthorizationRequestInterface $authorizationRequest, array $scopes, ClientInterface $client, UserInterface $user)
     {
         $this->authorizationRequest = $authorizationRequest;
         $this->scopes = $scopes;
         $this->client = $client;
+        $this->user = $user;
     }
 
     public function getAuthorizationResolution(): bool
@@ -107,13 +108,6 @@ public function getUser(): ?UserInterface
         return $this->user;
     }
 
-    public function setUser(?UserInterface $user): self
-    {
-        $this->user = $user;
-
-        return $this;
-    }
-
     /**
      * @return Scope[]
      */
diff --git a/src/Event/AuthorizationRequestResolveEventFactory.php b/src/Event/AuthorizationRequestResolveEventFactory.php
@@ -6,36 +6,31 @@
 
 use League\Bundle\OAuth2ServerBundle\Converter\ScopeConverterInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
-use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
 
-class AuthorizationRequestResolveEventFactory
-{
-    /**
-     * @var ScopeConverterInterface
-     */
-    private $scopeConverter;
-
-    /**
-     * @var ClientManagerInterface
-     */
-    private $clientManager;
-
-    public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager)
+if (class_exists(Security::class)) {
+    final class AuthorizationRequestResolveEventFactory
     {
-        $this->scopeConverter = $scopeConverter;
-        $this->clientManager = $clientManager;
-    }
+        use AuthorizationRequestResolveEventFactoryTrait;
 
-    public function fromAuthorizationRequest(AuthorizationRequestInterface $authorizationRequest): AuthorizationRequestResolveEvent
+        public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager, Security $security)
+        {
+            $this->scopeConverter = $scopeConverter;
+            $this->clientManager = $clientManager;
+            $this->security = $security;
+        }
+    }
+} else {
+    final class AuthorizationRequestResolveEventFactory
     {
-        $scopes = $this->scopeConverter->toDomainArray(array_values($authorizationRequest->getScopes()));
-
-        $client = $this->clientManager->find($authorizationRequest->getClient()->getIdentifier());
+        use AuthorizationRequestResolveEventFactoryTrait;
 
-        if (null === $client) {
-            throw new \RuntimeException(\sprintf('No client found for the given identifier \'%s\'.', $authorizationRequest->getClient()->getIdentifier()));
+        public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager, LegacySecurity $security)
+        {
+            $this->scopeConverter = $scopeConverter;
+            $this->clientManager = $clientManager;
+            $this->security = $security;
         }
-
-        return new AuthorizationRequestResolveEvent($authorizationRequest, $scopes, $client);
     }
 }
diff --git a/src/Event/AuthorizationRequestResolveEventFactoryTrait.php b/src/Event/AuthorizationRequestResolveEventFactoryTrait.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Event;
+
+use League\Bundle\OAuth2ServerBundle\Converter\ScopeConverterInterface;
+use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
+
+/**
+ * @internal
+ */
+trait AuthorizationRequestResolveEventFactoryTrait
+{
+    /**
+     * @var ScopeConverterInterface
+     */
+    private $scopeConverter;
+
+    /**
+     * @var ClientManagerInterface
+     */
+    private $clientManager;
+
+    /**
+     * @var Security|LegacySecurity
+     */
+    private $security;
+
+    public function fromAuthorizationRequest(AuthorizationRequestInterface $authorizationRequest): AuthorizationRequestResolveEvent
+    {
+        $scopes = $this->scopeConverter->toDomainArray(array_values($authorizationRequest->getScopes()));
+
+        $client = $this->clientManager->find($authorizationRequest->getClient()->getIdentifier());
+
+        if (null === $client) {
+            throw new \RuntimeException(\sprintf('No client found for the given identifier \'%s\'.', $authorizationRequest->getClient()->getIdentifier()));
+        }
+
+        $user = $this->security->getUser();
+        if (null === $user) {
+            throw new \RuntimeException('A logged in user is required to resolve the request authorization.');
+        }
+
+        return new AuthorizationRequestResolveEvent($authorizationRequest, $scopes, $client, $user);
+    }
+}
diff --git a/src/EventListener/AuthorizationRequestUserResolvingListener.php b/src/EventListener/AuthorizationRequestUserResolvingListener.php
diff --git a/src/EventListener/AuthorizationRequestUserResolvingListenerTrait.php b/src/EventListener/AuthorizationRequestUserResolvingListenerTrait.php
diff --git a/src/Resources/config/services.php b/src/Resources/config/services.php
@@ -22,7 +22,6 @@
 use League\Bundle\OAuth2ServerBundle\Converter\UserConverterInterface;
 use League\Bundle\OAuth2ServerBundle\Event\AuthorizationRequestResolveEventFactory;
 use League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener;
-use League\Bundle\OAuth2ServerBundle\EventListener\AuthorizationRequestUserResolvingListener;
 use League\Bundle\OAuth2ServerBundle\Manager\AccessTokenManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\AuthorizationCodeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
@@ -55,9 +54,11 @@
 use Nyholm\Psr7\Factory\Psr17Factory;
 use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory;
 use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
 
 return static function (ContainerConfigurator $container): void {
     $container->services()
@@ -206,18 +207,6 @@
             ->tag('controller.service_arguments')
         ->alias(AuthorizationController::class, 'league.oauth2_server.controller.authorization')
 
-        // Authorization listeners
-        ->set('league.oauth2_server.listener.authorization_request_user_resolving', AuthorizationRequestUserResolvingListener::class)
-            ->args([
-                service('security.helper'),
-            ])
-            ->tag('kernel.event_listener', [
-                'event' => OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE,
-                'method' => 'onAuthorizationRequest',
-                'priority' => 1024,
-            ])
-        ->alias(AuthorizationRequestUserResolvingListener::class, 'league.oauth2_server.listener.authorization_request_user_resolving')
-
         // Token controller
         ->set('league.oauth2_server.controller.token', TokenController::class)
             ->args([
@@ -292,6 +281,7 @@
             ->args([
                 service(ScopeConverterInterface::class),
                 service(ClientManagerInterface::class),
+                service(class_exists(Security::class) ? Security::class : LegacySecurity::class),
             ])
         ->alias(AuthorizationRequestResolveEventFactory::class, 'league.oauth2_server.factory.authorization_request_resolve_event')
 
diff --git a/tests/Acceptance/AuthorizationEndpointTest.php b/tests/Acceptance/AuthorizationEndpointTest.php
@@ -31,6 +31,13 @@ protected function setUp(): void
         );
     }
 
+    private function loginUser(string $username = FixtureFactory::FIXTURE_USER, string $firewallContext = 'authorization'): void
+    {
+        $userProvider = static::getContainer()->get('security.user_providers');
+        $user = method_exists($userProvider, 'loadUserByIdentifier') ? $userProvider->loadUserByIdentifier($username) : $userProvider->loadUserByUsername($username);
+        $this->client->loginUser($user, $firewallContext);
+    }
+
     public function testSuccessfulCodeRequest(): void
     {
         $this->client
@@ -40,6 +47,8 @@ public function testSuccessfulCodeRequest(): void
                 $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -75,6 +84,8 @@ public function testSuccessfulPKCEAuthCodeRequest(): void
             '-_'
         );
 
+        $this->loginUser();
+
         $this->client
             ->getContainer()
             ->get('event_dispatcher')
@@ -138,6 +149,8 @@ public function testAuthCodeRequestWithPublicClientWithoutCodeChallengeWhenTheCh
                 $this->fail('This event should not have been dispatched.');
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -176,6 +189,8 @@ public function testAuthCodeRequestWithClientWhoIsNotAllowedToMakeARequestWithPl
                 $this->fail('This event should not have been dispatched.');
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -220,6 +235,8 @@ public function testAuthCodeRequestWithClientWhoIsAllowedToMakeARequestWithPlain
                 $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -272,6 +289,8 @@ public function testSuccessfulTokenRequest(): void
                 $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -308,6 +327,8 @@ public function testCodeRequestRedirectToResolutionUri(): void
                 ]));
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -341,6 +362,8 @@ public function testAuthorizationRequestEventIsStoppedAfterSettingAResponse(): v
             ]));
         }, 200);
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -374,6 +397,8 @@ public function testAuthorizationRequestEventIsStoppedAfterResolution(): void
             );
         }, 100);
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -406,6 +431,8 @@ public function testFailedCodeRequestRedirectWithFakedRedirectUri(): void
                 $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
             });
 
+        $this->loginUser();
+
         $this->client->request(
             'GET',
             '/authorize',
@@ -430,6 +457,7 @@ public function testFailedCodeRequestRedirectWithFakedRedirectUri(): void
 
     public function testFailedAuthorizeRequest(): void
     {
+        $this->loginUser();
         $this->client->request(
             'GET',
             '/authorize'
diff --git a/tests/TestKernel.php b/tests/TestKernel.php
@@ -117,6 +117,12 @@ public function registerContainerConfiguration(LoaderInterface $loader): void
                         'stateless' => true,
                         'oauth2' => true,
                     ],
+                    'authorization' => [
+                        'provider' => 'in_memory',
+                        'pattern' => '^/authorize',
+                        'http_basic' => true,
+                        'stateless' => true,
+                    ],
                 ],
                 'providers' => [
                     'in_memory' => [
@@ -138,6 +144,12 @@ public function registerContainerConfiguration(LoaderInterface $loader): void
                         ],
                     ],
                 ],
+                'access_control' => [
+                    [
+                        'path' => '^/authorize',
+                        'roles' => class_exists(Security::class) ? 'IS_AUTHENTICATED' : 'IS_AUTHENTICATED_REMEMBERED',
+                    ],
+                ],
             ];
 
             if (!class_exists(Security::class)) {
