From 7805933b10a8192ec8e88687c8bdbf90eee881ae Mon Sep 17 00:00:00 2001
From: 1elf-me
Date: Sat, 20 Mar 2021 16:48:50 +0100
Subject: [PATCH] add CheckClientCredentials middleware
---
 .gitignore | 3 +-
 composer.json | 3 +-
 oauth-public.key | 0
 .../Exceptions/MissingScopeException.php | 41 ++++++++++
 .../Middleware/CheckClientCredentials.php | 82 +++++++++++++++++++
 5 files changed, 127 insertions(+), 2 deletions(-)
 create mode 100644 oauth-public.key
 create mode 100644 src/GhostZero/BitinflowAccounts/Exceptions/MissingScopeException.php
 create mode 100644 src/GhostZero/BitinflowAccounts/Http/Middleware/CheckClientCredentials.php
diff --git a/.gitignore b/.gitignore
index 0419227..317d070 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 vendor
 .phpunit.result.cache
-.idea
\ No newline at end of file
+.idea
+composer.lock
\ No newline at end of file
diff --git a/composer.json b/composer.json
index aa25d08..b75d283 100644
--- a/composer.json
+++ b/composer.json
@@ -14,7 +14,8 @@
 "illuminate/support": "^8.0",
 "illuminate/console": "^8.0",
 "guzzlehttp/guzzle": "^6.3|^7.0.1",
-"socialiteproviders/manager": "^3.4"
+"socialiteproviders/manager": "^3.4",
+"firebase/php-jwt": "^5.2"
 },
 "require-dev": {
 "phpunit/phpunit": "^8.0",
diff --git a/oauth-public.key b/oauth-public.key
new file mode 100644
index 0000000..e69de29
diff --git a/src/GhostZero/BitinflowAccounts/Exceptions/MissingScopeException.php b/src/GhostZero/BitinflowAccounts/Exceptions/MissingScopeException.php
new file mode 100644
index 0000000..fe0c33e
--- /dev/null
+++ b/src/GhostZero/BitinflowAccounts/Exceptions/MissingScopeException.php
@@ -0,0 +1,41 @@
+scopes = Arr::wrap($scopes);
+ }
+
+ /**
+ * Get the scopes that the user did not have.
+ *
+ * @return array
+ */
+ public function scopes()
+ {
+ return $this->scopes;
+ }
+}
\ No newline at end of file
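Review bot: scopes() carries `@return array` in its docblock but declares no native return type, so callers get no engine-level guarantee about what they receive; declare it as `public function scopes(): array` and the `@return` line becomes redundant. The first part of this hunk, including the class header and the constructor that assigns `Arr::wrap($scopes)`, is not legible in this view, so only the getter could be reviewed; if the constructor is meant to accept either a single scope name or a list, a `@param string|array $scopes` line on it would tell callers so.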
diff --git a/src/GhostZero/BitinflowAccounts/Http/Middleware/CheckClientCredentials.php b/src/GhostZero/BitinflowAccounts/Http/Middleware/CheckClientCredentials.php
new file mode 100644
index 0000000..14f0b2e
--- /dev/null
+++ b/src/GhostZero/BitinflowAccounts/Http/Middleware/CheckClientCredentials.php
@@ -0,0 +1,82 @@
+bearerToken(),
+ $this->getOauthPublicKey(),
+ self::ALLOWED_ALGORITHMS
+ );
+ } catch (Throwable $exception) {
+ throw new AuthenticationException();
+ }
+
+ $request->attributes->set('oauth_access_token_id', $decoded->jti);
+ $request->attributes->set('oauth_client_id', $decoded->aud);
+ $request->attributes->set('oauth_client_trusted', $decoded->client->trusted);
+ $request->attributes->set('oauth_user_id', $decoded->sub);
+ $request->attributes->set('oauth_scopes', $decoded->scopes);
+
+ $this->validateScopes($decoded, $scopes);
+
+ return $next($request);
+ }
+
+ private function getOauthPublicKey()
+ {
+ return file_get_contents(__DIR__ . '/../../../../../oauth-public.key');
+ }
+
+ /**
+ * Validate token credentials.
+ *
+ * @param stdClass $token
+ * @param array $scopes
+ *
+ * @throws MissingScopeException
+ *
+ * @return void
+ */
+ protected function validateScopes(stdClass $token, array $scopes)
+ {
+ if (empty($scopes) || in_array('*', $token->scopes)) {
+ return;
+ }
+
+ foreach ($scopes as $scope) {
+ if (in_array($scope, $token->scopes)) {
+ return;
+ }
+ }
+
+ throw new MissingScopeException($scopes);
+ }
+}
\ No newline at end of file
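Review bot: validateScopes() reads `$token->scopes` without checking that the claim is present and is an array, and it runs after the try/catch in handle(), so a correctly signed token that omits the claim makes `in_array()` fail (a TypeError on PHP 8) outside the block that converts decode failures into AuthenticationException; the same applies to `$decoded->client->trusted` in handle(), which reads through a `client` claim that may be absent and then stores whatever comes back. Both `in_array()` calls should also pass `true` so that only exact scope strings match. The loop returns on the first required scope found (any-of semantics) while `MissingScopeException($scopes)` reports the whole list as missing; if all-of semantics are intended, as in Passport's middleware of the same name, the check inside the loop needs inverting to `if (!in_array($scope, $granted, true)) { throw new MissingScopeException($scopes); }`. Separately, getOauthPublicKey() reads a fixed path inside the package directory on every request (the file committed in this patch is empty, blob e69de29) and hands the result of `file_get_contents()` — possibly `false` — straight to `JWT::decode()`, so a missing, empty or unreadable key is reported to clients exactly like a forged token; load the key from a configurable path, throw a distinct exception when it is missing or empty, and read it once. The top of this file, including the value of `self::ALLOWED_ALGORITHMS`, is not legible in this view, so whether the list is restricted to the single asymmetric algorithm the public key is meant for could not be checked.
```php
protected function validateScopes(stdClass $token, array $scopes)
{
    // A signed token with no usable scopes claim grants nothing; normalising
    // here keeps in_array() from failing outside handle()'s try/catch.
    $granted = is_array($token->scopes ?? null) ? $token->scopes : [];

    if (empty($scopes) || in_array('*', $granted, true)) {
        return;
    }

    // Any-of semantics, as in the original; see note above if all-of is intended.
    foreach ($scopes as $scope) {
        if (in_array($scope, $granted, true)) {
            return;
        }
    }

    throw new MissingScopeException($scopes);
}
```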