vendor/league/oauth2-server/src/Exception/OAuthServerException.php line 241

Open in your IDE?
  1. <?php
  2. /**
  3. * @author Alex Bilbie <hello@alexbilbie.com>
  4. * @copyright Copyright (c) Alex Bilbie
  5. * @license http://mit-license.org/
  6. *
  7. * @link https://github.com/thephpleague/oauth2-server
  8. */
  10. namespace League\OAuth2\Server\Exception;
  12. use Exception;
  13. use Psr\Http\Message\ResponseInterface;
  14. use Psr\Http\Message\ServerRequestInterface;
  15. use Throwable;
  17. class OAuthServerException extends Exception
  18. {
  19. /**
  20. * @var int
  21. */
  22. private $httpStatusCode;
  24. /**
  25. * @var string
  26. */
  27. private $errorType;
  29. /**
  30. * @var null|string
  31. */
  32. private $hint;
  34. /**
  35. * @var null|string
  36. */
  37. private $redirectUri;
  39. /**
  40. * @var array
  41. */
  42. private $payload;
  44. /**
  45. * @var ServerRequestInterface
  46. */
  47. private $serverRequest;
  49. /**
  50. * Throw a new exception.
  51. *
  52. * @param string $message Error message
  53. * @param int $code Error code
  54. * @param string $errorType Error type
  55. * @param int $httpStatusCode HTTP status code to send (default = 400)
  56. * @param null|string $hint A helper hint
  57. * @param null|string $redirectUri A HTTP URI to redirect the user back to
  58. * @param Throwable $previous Previous exception
  59. */
  60. public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null, Throwable $previous = null)
  61. {
  62. parent::__construct($message, $code, $previous);
  63. $this->httpStatusCode = $httpStatusCode;
  64. $this->errorType = $errorType;
  65. $this->hint = $hint;
  66. $this->redirectUri = $redirectUri;
  67. $this->payload = [
  68. 'error' => $errorType,
  69. 'error_description' => $message,
  70. ];
  71. if ($hint !== null) {
  72. $this->payload['hint'] = $hint;
  73. }
  74. }
  76. /**
  77. * Returns the current payload.
  78. *
  79. * @return array
  80. */
  81. public function getPayload()
  82. {
  83. $payload = $this->payload;
  85. // The "message" property is deprecated and replaced by "error_description"
  86. // TODO: remove "message" property
  87. if (isset($payload['error_description']) && !isset($payload['message'])) {
  88. $payload['message'] = $payload['error_description'];
  89. }
  91. return $payload;
  92. }
  94. /**
  95. * Updates the current payload.
  96. *
  97. * @param array $payload
  98. */
  99. public function setPayload(array $payload)
  100. {
  101. $this->payload = $payload;
  102. }
  104. /**
  105. * Set the server request that is responsible for generating the exception
  106. *
  107. * @param ServerRequestInterface $serverRequest
  108. */
  109. public function setServerRequest(ServerRequestInterface $serverRequest)
  110. {
  111. $this->serverRequest = $serverRequest;
  112. }
  114. /**
  115. * Unsupported grant type error.
  116. *
  117. * @return static
  118. */
  119. public static function unsupportedGrantType()
  120. {
  121. $errorMessage = 'The authorization grant type is not supported by the authorization server.';
  122. $hint = 'Check that all required parameters have been provided';
  124. return new static($errorMessage, 2, 'unsupported_grant_type', 400, $hint);
  125. }
  127. /**
  128. * Invalid request error.
  129. *
  130. * @param string $parameter The invalid parameter
  131. * @param null|string $hint
  132. * @param Throwable $previous Previous exception
  133. *
  134. * @return static
  135. */
  136. public static function invalidRequest($parameter, $hint = null, Throwable $previous = null)
  137. {
  138. $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' .
  139. 'includes a parameter more than once, or is otherwise malformed.';
  140. $hint = ($hint === null) ? \sprintf('Check the `%s` parameter', $parameter) : $hint;
  142. return new static($errorMessage, 3, 'invalid_request', 400, $hint, null, $previous);
  143. }
  145. /**
  146. * Invalid client error.
  147. *
  148. * @param ServerRequestInterface $serverRequest
  149. *
  150. * @return static
  151. */
  152. public static function invalidClient(ServerRequestInterface $serverRequest)
  153. {
  154. $exception = new static('Client authentication failed', 4, 'invalid_client', 401);
  156. $exception->setServerRequest($serverRequest);
  158. return $exception;
  159. }
  161. /**
  162. * Invalid scope error.
  163. *
  164. * @param string $scope The bad scope
  165. * @param null|string $redirectUri A HTTP URI to redirect the user back to
  166. *
  167. * @return static
  168. */
  169. public static function invalidScope($scope, $redirectUri = null)
  170. {
  171. $errorMessage = 'The requested scope is invalid, unknown, or malformed';
  173. if (empty($scope)) {
  174. $hint = 'Specify a scope in the request or set a default scope';
  175. } else {
  176. $hint = \sprintf(
  177. 'Check the `%s` scope',
  178. \htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false)
  179. );
  180. }
  182. return new static($errorMessage, 5, 'invalid_scope', 400, $hint, $redirectUri);
  183. }
  185. /**
  186. * Invalid credentials error.
  187. *
  188. * @return static
  189. */
  190. public static function invalidCredentials()
  191. {
  192. return new static('The user credentials were incorrect.', 6, 'invalid_grant', 400);
  193. }
  195. /**
  196. * Server error.
  197. *
  198. * @param string $hint
  199. * @param Throwable $previous
  200. *
  201. * @return static
  202. *
  203. * @codeCoverageIgnore
  204. */
  205. public static function serverError($hint, Throwable $previous = null)
  206. {
  207. return new static(
  208. 'The authorization server encountered an unexpected condition which prevented it from fulfilling'
  209. . ' the request: ' . $hint,
  210. 7,
  211. 'server_error',
  212. 500,
  213. null,
  214. null,
  215. $previous
  216. );
  217. }
  219. /**
  220. * Invalid refresh token.
  221. *
  222. * @param null|string $hint
  223. * @param Throwable $previous
  224. *
  225. * @return static
  226. */
  227. public static function invalidRefreshToken($hint = null, Throwable $previous = null)
  228. {
  229. return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint, null, $previous);
  230. }
  232. /**
  233. * Access denied.
  234. *
  235. * @param null|string $hint
  236. * @param null|string $redirectUri
  237. * @param Throwable $previous
  238. *
  239. * @return static
  240. */
  241. public static function accessDenied($hint = null, $redirectUri = null, Throwable $previous = null)
  242. {
  243. return new static(
  244. 'The resource owner or authorization server denied the request.',
  245. 9,
  246. 'access_denied',
  247. 401,
  248. $hint,
  249. $redirectUri,
  250. $previous
  251. );
  252. }
  254. /**
  255. * Invalid grant.
  256. *
  257. * @param string $hint
  258. *
  259. * @return static
  260. */
  261. public static function invalidGrant($hint = '')
  262. {
  263. return new static(
  264. 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token '
  265. . 'is invalid, expired, revoked, does not match the redirection URI used in the authorization request, '
  266. . 'or was issued to another client.',
  267. 10,
  268. 'invalid_grant',
  269. 400,
  270. $hint
  271. );
  272. }
  274. /**
  275. * @return string
  276. */
  277. public function getErrorType()
  278. {
  279. return $this->errorType;
  280. }
  282. /**
  283. * Generate a HTTP response.
  284. *
  285. * @param ResponseInterface $response
  286. * @param bool $useFragment True if errors should be in the URI fragment instead of query string
  287. * @param int $jsonOptions options passed to json_encode
  288. *
  289. * @return ResponseInterface
  290. */
  291. public function generateHttpResponse(ResponseInterface $response, $useFragment = false, $jsonOptions = 0)
  292. {
  293. $headers = $this->getHttpHeaders();
  295. $payload = $this->getPayload();
  297. if ($this->redirectUri !== null) {
  298. if ($useFragment === true) {
  299. $this->redirectUri .= (\strstr($this->redirectUri, '#') === false) ? '#' : '&';
  300. } else {
  301. $this->redirectUri .= (\strstr($this->redirectUri, '?') === false) ? '?' : '&';
  302. }
  304. return $response->withStatus(302)->withHeader('Location', $this->redirectUri . \http_build_query($payload));
  305. }
  307. foreach ($headers as $header => $content) {
  308. $response = $response->withHeader($header, $content);
  309. }
  311. $responseBody = \json_encode($payload, $jsonOptions) ?: 'JSON encoding of payload failed';
  313. $response->getBody()->write($responseBody);
  315. return $response->withStatus($this->getHttpStatusCode());
  316. }
  318. /**
  319. * Get all headers that have to be send with the error response.
  320. *
  321. * @return array Array with header values
  322. */
  323. public function getHttpHeaders()
  324. {
  325. $headers = [
  326. 'Content-type' => 'application/json',
  327. ];
  329. // Add "WWW-Authenticate" header
  330. //
  331. // RFC 6749, section 5.2.:
  332. // "If the client attempted to authenticate via the 'Authorization'
  333. // request header field, the authorization server MUST
  334. // respond with an HTTP 401 (Unauthorized) status code and
  335. // include the "WWW-Authenticate" response header field
  336. // matching the authentication scheme used by the client.
  337. if ($this->errorType === 'invalid_client' && $this->requestHasAuthorizationHeader()) {
  338. $authScheme = \strpos($this->serverRequest->getHeader('Authorization')[0], 'Bearer') === 0 ? 'Bearer' : 'Basic';
  340. $headers['WWW-Authenticate'] = $authScheme . ' realm="OAuth"';
  341. }
  343. return $headers;
  344. }
  346. /**
  347. * Check if the exception has an associated redirect URI.
  348. *
  349. * Returns whether the exception includes a redirect, since
  350. * getHttpStatusCode() doesn't return a 302 when there's a
  351. * redirect enabled. This helps when you want to override local
  352. * error pages but want to let redirects through.
  353. *
  354. * @return bool
  355. */
  356. public function hasRedirect()
  357. {
  358. return $this->redirectUri !== null;
  359. }
  361. /**
  362. * Returns the Redirect URI used for redirecting.
  363. *
  364. * @return string|null
  365. */
  366. public function getRedirectUri()
  367. {
  368. return $this->redirectUri;
  369. }
  371. /**
  372. * Returns the HTTP status code to send when the exceptions is output.
  373. *
  374. * @return int
  375. */
  376. public function getHttpStatusCode()
  377. {
  378. return $this->httpStatusCode;
  379. }
  381. /**
  382. * @return null|string
  383. */
  384. public function getHint()
  385. {
  386. return $this->hint;
  387. }
  389. /**
  390. * Check if the request has a non-empty 'Authorization' header value.
  391. *
  392. * Returns true if the header is present and not an empty string, false
  393. * otherwise.
  394. *
  395. * @return bool
  396. */
  397. private function requestHasAuthorizationHeader()
  398. {
  399. if (!$this->serverRequest->hasHeader('Authorization')) {
  400. return false;
  401. }
  403. $authorizationHeader = $this->serverRequest->getHeader('Authorization');
  405. // Common .htaccess configurations yield an empty string for the
  406. // 'Authorization' header when one is not provided by the client.
  407. // For practical purposes that case should be treated as though the
  408. // header isn't present.
  409. // See https://github.com/thephpleague/oauth2-server/issues/1162
  410. if (empty($authorizationHeader) || empty($authorizationHeader[0])) {
  411. return false;
  412. }
  414. return true;
  415. }
  416. }