PMCORE-1181 Is possible to get an access token without send a valid 'client_id' and 'client_secret'

Roly Rudy Gutierrez Pinto
2020-04-15 02:33:51 -04:00
parent 349f4be85a
commit 85e3f191b1
7 changed files with 722 additions and 17 deletions


@@ -0,0 +1,14 @@
<?php
namespace ProcessMaker\Model;
use Illuminate\Database\Eloquent\Model;
class LicenseManager extends Model
{
protected $table = "LICENSE_MANAGER";
protected $primaryKey = "LICENSE_UID";
public $incrementing = false;
public $timestamps = false;
}
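Review bot: The new LicenseManager model carries no class docblock saying what a LICENSE_MANAGER row represents or why it is introduced in a commit about OAuth client credential checks; the rest of the changed files are not shown here, so the reader cannot tell. Add one above the class, e.g. `/** Eloquent model for the LICENSE_MANAGER table: string primary key LICENSE_UID, no auto-increment, no created_at/updated_at columns. */`. No `$fillable` or `$guarded` is declared, so Eloquent's default mass-assignment protection applies; if this model is ever filled from request data, declare `$fillable` explicitly rather than opening `$guarded`.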


@@ -0,0 +1,14 @@
<?php
namespace ProcessMaker\Model;
use Illuminate\Database\Eloquent\Model;
class OauthClients extends Model
{
protected $table = "OAUTH_CLIENTS";
protected $primaryKey = "CLIENT_ID";
public $incrementing = false;
public $timestamps = false;
}
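Review bot: OauthClients maps the OAUTH_CLIENTS table, which going by its name and the commit title holds the client secrets this change is about, yet the model declares no `$hidden`, so any serialization of an instance via `toArray()`/`toJson()` (for example returning it from a Restler endpoint) would emit every column, secret included. Add `protected $hidden = ['CLIENT_SECRET'];` — the column name is not visible in this diff, so confirm it against the schema — together with a short class docblock. As with the sibling LicenseManager model, no `$fillable`/`$guarded` is declared; keep it that way unless mass assignment is actually needed.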


@@ -4,10 +4,13 @@ namespace ProcessMaker\Services\OAuth2;
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;
use OAuth2\Request;
use OAuth2\Response;
use PmoauthUserAccessTokens;
/*----------------------------------********---------------------------------*/
use ProcessMaker\ChangeLog\ChangeLog;
/*----------------------------------********---------------------------------*/
use ProcessMaker\Core\System;
use ProcessMaker\Policies\ControlUnderUpdating;
class Server implements iAuthenticate
{
@@ -271,30 +274,41 @@ class Server implements iAuthenticate
}
}
/**
* Stage 3: Client directly calls this api to exchange access token
*
* It can then use this access token to make calls to protected api
*
* It can then use this access token to make calls to protected api.
* @format JsonFormat,UploadFormat
* @param object $request
* @param boolean $returnResponse
* @return mixed
*/
public function postToken($request = null, $returnResponse = false)
{
\ProcessMaker\Policies\ControlUnderUpdating::verifyUnderUpgrading();
ControlUnderUpdating::verifyUnderUpgrading();
// Handle a request for an OAuth2.0 Access Token and send the response to the client
if ($request == null) {
$request = \OAuth2\Request::createFromGlobals();
$request = Request::createFromGlobals();
}
$grantTypeIdentifier = $request->request('grant_type');
if ($grantTypeIdentifier === 'password') {
$clientId = $request->request('client_id');
$clientSecret = $request->request('client_secret');
if (empty($clientId) || empty($clientSecret)) {
$message = "Invalid REST API credentials, please send a valid client_id and client_secret.";
$res = new Response();
$res->setError(400, 'invalid_client', $message);
$res->send();
return;
}
}
$response = $this->server->handleTokenRequest($request); //Set/Get token //PmPdo->setAccessToken()
$token = $response->getParameters();
if (array_key_exists('access_token', $token)
&& array_key_exists('refresh_token', $token)
) {
if (array_key_exists('access_token', $token) && array_key_exists('refresh_token', $token)) {
if ($request == null) {
session_start();
}
@@ -302,16 +316,12 @@ class Server implements iAuthenticate
// verify if the client is our local PM Designer client
if ($data['client_id'] == self::getPmClientId()) {
//error_log('do stuff - is a request from local pm client');
//require_once "classes/model/PmoauthUserAccessTokens.php";
$userToken = new \PmoauthUserAccessTokens();
$userToken = new PmoauthUserAccessTokens();
$userToken->setAccessToken($token['access_token']);
$userToken->setRefreshToken($token['refresh_token']);
$userToken->setUserId($data['user_id']);
$userToken->setSessionId(session_id());
$userToken->setSessionName(session_name());
$userToken->save();
}
}
@@ -320,8 +330,7 @@ class Server implements iAuthenticate
return $response;
} else {
$response->send();
exit(0);
return;
}
}
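Review bot: The early exit added in postToken for the password grant (the block ending in `$res->send(); return;`) ignores `$returnResponse`: it always sends the error and returns null, while the existing tail of the method returns the Response object to the caller when that flag is set, so a caller passing `$returnResponse = true` now gets null for a missing client_id/client_secret instead of a response it can inspect. Mirror the existing branch with `if ($returnResponse) { return $res; }` placed before `$res->send(); return;`. The guard also reads the credentials only from the request body via `$request->request(...)`; if `handleTokenRequest` additionally accepts client credentials in an HTTP Basic `Authorization` header, as RFC 6749 §2.3.1 allows, such clients are now rejected with invalid_client before validation ever runs, so either check the header fields as well or document that only body credentials are supported. Note too that `empty()` treats the string `"0"` as absent, that this is a presence check only — validation of the secret itself still rests on `handleTokenRequest` — and that grant types other than `password` are not covered by the new guard. postToken's body is split across the three hunks shown.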