From c9f939fc66d4b6819c67cc88db8cd22fff8cf032 Mon Sep 17 00:00:00 2001
From: MilesChou <jangconan@gmail.com>
Date: Tue, 27 Sep 2022 13:08:05 +0800
Subject: [PATCH] day12

---
 app/Http/Controllers/Hydra/AcceptConsent.php  | 49 +++++++++++++++++++
 app/Http/Controllers/Hydra/Consent.php        | 14 ------
 .../Controllers/Hydra/ConsentProvider.php     | 22 ++++++++-
 app/Http/Controllers/Hydra/RejectConsent.php  | 40 +++++++++++++++
 resources/views/auth/consent.blade.php        | 29 +++++++----
 routes/web.php                                |  6 ++-
 6 files changed, 132 insertions(+), 28 deletions(-)
 create mode 100644 app/Http/Controllers/Hydra/AcceptConsent.php
 delete mode 100644 app/Http/Controllers/Hydra/Consent.php
 create mode 100644 app/Http/Controllers/Hydra/RejectConsent.php

diff --git a/app/Http/Controllers/Hydra/AcceptConsent.php b/app/Http/Controllers/Hydra/AcceptConsent.php
new file mode 100644
index 0000000..e3fe02c
--- /dev/null
+++ b/app/Http/Controllers/Hydra/AcceptConsent.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Controllers\Hydra;
+
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Redirect;
+use Ory\Hydra\Client\Api\AdminApi;
+use Ory\Hydra\Client\Model\AcceptConsentRequest;
+use RuntimeException;
+
+class AcceptConsent
+{
+    public function __invoke(Request $request, AdminApi $adminApi): RedirectResponse
+    {
+        $consentChallenge = $request->input('challenge');
+
+        if (empty($consentChallenge)) {
+            throw new RuntimeException('No consent_challenge');
+        }
+
+        $scopes = $request->input('scopes');
+
+        if (empty($scopes)) {
+            // 沒填 scope 就請回去按 reject 的按鈕
+            return Redirect::back();
+        }
+
+        $acceptConsentRequest = new AcceptConsentRequest([
+            'grantScope' => array_keys($scopes),
+            'remember' => true,
+            'rememberFor' => 120,
+        ]);
+
+        Log::debug('Accept consent Request', json_decode((string)$acceptConsentRequest, true));
+
+        try {
+            $completedRequest = $adminApi->acceptConsentRequest($consentChallenge, $acceptConsentRequest);
+        } catch (\Throwable $e) {
+            dd($e);
+            throw new RuntimeException('Hydra Server error: ' . $e->getMessage());
+        }
+
+        Log::debug('Consent Completed Request', json_decode((string)$completedRequest, true));
+
+        return Redirect::away($completedRequest->getRedirectTo());
+    }
+}
diff --git a/app/Http/Controllers/Hydra/Consent.php b/app/Http/Controllers/Hydra/Consent.php
deleted file mode 100644
index ccc9792..0000000
--- a/app/Http/Controllers/Hydra/Consent.php
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-
-namespace App\Http\Controllers\Hydra;
-
-use Illuminate\Http\Request;
-
-class Consent
-{
-    public function __invoke(Request $request)
-    {
-        dump($request->all());
-        return 'OAuth 2.0 授權完成';
-    }
-}
diff --git a/app/Http/Controllers/Hydra/ConsentProvider.php b/app/Http/Controllers/Hydra/ConsentProvider.php
index e2ad24d..1632dfd 100644
--- a/app/Http/Controllers/Hydra/ConsentProvider.php
+++ b/app/Http/Controllers/Hydra/ConsentProvider.php
@@ -2,10 +2,28 @@
 
 namespace App\Http\Controllers\Hydra;
 
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+use Ory\Hydra\Client\Api\AdminApi;
+use RuntimeException;
+
 class ConsentProvider
 {
-    public function __invoke()
+    public function __invoke(Request $request, AdminApi $adminApi)
     {
-        return view('auth.consent');
+        $consentChallenge = $request->input('consent_challenge');
+
+        if (empty($consentChallenge)) {
+            throw new RuntimeException('No consent_challenge');
+        }
+
+        $consentRequest = $adminApi->getConsentRequest($consentChallenge);
+
+        Log::debug('Get consent Request', json_decode((string)$consentRequest, true));
+
+        return view('auth.consent', [
+            'challenge' => $consentChallenge,
+            'scopes' => $consentRequest->getRequestedScope(),
+        ]);
     }
 }
diff --git a/app/Http/Controllers/Hydra/RejectConsent.php b/app/Http/Controllers/Hydra/RejectConsent.php
new file mode 100644
index 0000000..afd744e
--- /dev/null
+++ b/app/Http/Controllers/Hydra/RejectConsent.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace App\Http\Controllers\Hydra;
+
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Redirect;
+use Ory\Hydra\Client\Api\AdminApi;
+use Ory\Hydra\Client\Model\RejectRequest;
+use RuntimeException;
+
+class RejectConsent
+{
+    public function __invoke(Request $request, AdminApi $adminApi): RedirectResponse
+    {
+        $consentChallenge = $request->input('challenge');
+
+        if (empty($consentChallenge)) {
+            throw new RuntimeException('No consent_challenge');
+        }
+
+        $rejectRequest = new RejectRequest([
+            'error' => 'access_denied',
+            'errorDescription' => 'The request was rejected by end-user',
+        ]);
+
+        Log::debug('Reject consent Request', json_decode((string)$rejectRequest, true));
+
+        try {
+            $completedRequest = $adminApi->rejectConsentRequest($consentChallenge, $rejectRequest);
+        } catch (\Throwable $e) {
+            throw new RuntimeException('Hydra Server error: ' . $e->getMessage());
+        }
+
+        Log::debug('Consent Completed Request', json_decode((string)$completedRequest, true));
+
+        return Redirect::away($completedRequest->getRedirectTo());
+    }
+}
diff --git a/resources/views/auth/consent.blade.php b/resources/views/auth/consent.blade.php
index b225061..44277da 100644
--- a/resources/views/auth/consent.blade.php
+++ b/resources/views/auth/consent.blade.php
@@ -12,22 +12,20 @@
         <!-- Validation Errors -->
         <x-auth-validation-errors class="mb-4" :errors="$errors" />
 
-        <form method="POST" action="{{ route('oauth2.consent') }}">
+        <form method="POST" action="{{ route('oauth2.consent.accept') }}">
             @csrf
+            <input type="hidden" name="challenge" value="{{ $challenge }}" />
 
             <!-- Scopes -->
             <div>
                 <x-input-label for="scope" :value="__('Scopes')" />
 
-                <label for="scopes" class="inline-flex items-center">
-                    <input type="checkbox" class="rounded border-gray-300 text-indigo-600 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50" name="scope[openid]">
-                    <span class="ml-2 text-sm text-gray-600">{{ __('openid') }}</span>
-                </label>
-
-                <label for="email" class="inline-flex items-center">
-                    <input type="checkbox" class="rounded border-gray-300 text-indigo-600 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50" name="scope[email]">
-                    <span class="ml-2 text-sm text-gray-600">{{ __('email') }}</span>
-                </label>
+                @foreach($scopes as $scope)
+                    <label for="scopes-{{ $scope }}" class="inline-flex items-center">
+                        <input type="checkbox" class="rounded border-gray-300 text-indigo-600 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50" checked name="scopes[{{ $scope }}]">
+                        <span class="ml-2 text-sm text-gray-600">{{ __($scope) }}</span>
+                    </label>
+                @endforeach
             </div>
 
             <!-- Remember Me -->
@@ -44,5 +42,16 @@
                 </x-primary-button>
             </div>
         </form>
+
+        <form method="POST" action="{{ route('oauth2.consent.reject') }}">
+            @csrf
+            <input type="hidden" name="challenge" value="{{ $challenge }}" />
+
+            <div class="flex items-center justify-end mt-4">
+                <x-primary-button class="ml-3">
+                    {{ __('Reject Permission') }}
+                </x-primary-button>
+            </div>
+        </form>
     </x-auth-card>
 </x-guest-layout>
diff --git a/routes/web.php b/routes/web.php
index d3bae1e..65c0917 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -1,9 +1,10 @@
 <?php
 
-use App\Http\Controllers\Hydra\Consent;
+use App\Http\Controllers\Hydra\AcceptConsent;
 use App\Http\Controllers\Hydra\ConsentProvider;
 use App\Http\Controllers\Hydra\Login;
 use App\Http\Controllers\Hydra\LoginProvider;
+use App\Http\Controllers\Hydra\RejectConsent;
 use Illuminate\Support\Facades\Route;
 
 /*
@@ -29,6 +30,7 @@
 Route::post('/oauth2/login', Login::class);
 
 Route::get('/oauth2/consent', ConsentProvider::class)->name('oauth2.consent');
-Route::post('/oauth2/consent', Consent::class);
+Route::post('/oauth2/consent/accept', AcceptConsent::class)->name('oauth2.consent.accept');
+Route::post('/oauth2/consent/reject', RejectConsent::class)->name('oauth2.consent.reject');
 
 require __DIR__.'/auth.php';