vendor/shopware/core/Framework/Api/OAuth/BearerTokenValidator.php line 42

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Api\OAuth;
  5. use Doctrine\DBAL\Connection;
  6. use Lcobucci\JWT\Configuration;
  7. use Lcobucci\JWT\UnencryptedToken;
  8. use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
  9. use League\OAuth2\Server\Exception\OAuthServerException;
  10. use Psr\Http\Message\ServerRequestInterface;
  11. use Shopware\Core\Framework\Log\Package;
  12. use Shopware\Core\Framework\Uuid\Uuid;
  13. use Shopware\Core\PlatformRequest;
  15. #[Package('core')]
  16. class BearerTokenValidator implements AuthorizationValidatorInterface
  17. {
  18. private Connection $connection;
  20. private AuthorizationValidatorInterface $decorated;
  22. private Configuration $configuration;
  24. /**
  25. * @internal
  26. */
  27. public function __construct(
  28. AuthorizationValidatorInterface $decorated,
  29. Connection $connection,
  30. Configuration $configuration
  31. ) {
  32. $this->decorated = $decorated;
  33. $this->connection = $connection;
  34. $this->configuration = $configuration;
  35. }
  37. /**
  38. * @return ServerRequestInterface
  39. */
  40. public function validateAuthorization(ServerRequestInterface $request)
  41. {
  42. $request = $this->decorated->validateAuthorization($request);
  44. $header = $request->getHeader('authorization');
  46. $jwt = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]) ?? '');
  48. /** @var UnencryptedToken $token */
  49. $token = $this->configuration->parser()->parse($jwt);
  51. if ($userId = $request->getAttribute(PlatformRequest::ATTRIBUTE_OAUTH_USER_ID)) {
  52. $this->validateAccessTokenIssuedAt($token->claims()->get('iat', 0), $userId);
  53. }
  55. return $request;
  56. }
  58. /**
  59. * @throws OAuthServerException
  60. */
  61. private function validateAccessTokenIssuedAt(\DateTimeImmutable $tokenIssuedAt, string $userId): void
  62. {
  63. $lastUpdatedPasswordAt = $this->connection->createQueryBuilder()
  64. ->select(['last_updated_password_at'])
  65. ->from('user')
  66. ->where('id = :userId')
  67. ->setParameter('userId', Uuid::fromHexToBytes($userId))
  68. ->executeQuery()
  69. ->fetchOne();
  71. if ($lastUpdatedPasswordAt === false) {
  72. throw OAuthServerException::accessDenied('Access token is invalid');
  73. }
  75. if ($lastUpdatedPasswordAt === null) {
  76. return;
  77. }
  79. $lastUpdatedPasswordAt = strtotime($lastUpdatedPasswordAt);
  81. if ($tokenIssuedAt->getTimestamp() <= $lastUpdatedPasswordAt) {
  82. throw OAuthServerException::accessDenied('Access token is expired');
  83. }
  84. }
  85. }