Credential grant scopes

composer.json

@@ -37,7 +37,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.0-dev"
+            "dev-master": "2.0-dev"
         }
     },
     "minimum-stability": "dev",

src/Bridge/AccessTokenRepository.php

@@ -3,7 +3,7 @@
 namespace Laravel\Passport\Bridge;
 
 use DateTime;
-use Illuminate\Database\Connection;
+use Laravel\Passport\TokenRepository;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -17,17 +17,17 @@ class AccessTokenRepository implements AccessTokenRepositoryInterface
      *
      * @var \Illuminate\Database\Connection
      */
-    protected $database;
+    protected $tokenRepository;
 
     /**
      * Create a new repository instance.
      *
      * @param  \Illuminate\Database\Connection  $database
      * @return void
      */
-    public function __construct(Connection $database)
+    public function __construct(TokenRepository $tokenRepository)
     {
-        $this->database = $database;
+        $this->tokenRepository = $tokenRepository;
     }
 
     /**
@@ -43,7 +43,7 @@ public function getNewToken(ClientEntityInterface $clientEntity, array $scopes,
      */
     public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
     {
-        $this->database->table('oauth_access_tokens')->insert([
+        $this->tokenRepository->create([
             'id' => $accessTokenEntity->getIdentifier(),
             'user_id' => $accessTokenEntity->getUserIdentifier(),
             'client_id' => $accessTokenEntity->getClient()->getIdentifier(),
@@ -60,16 +60,14 @@ public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEnt
      */
     public function revokeAccessToken($tokenId)
     {
-        $this->database->table('oauth_access_tokens')
-                    ->where('id', $tokenId)->update(['revoked' => true]);
+        $this->tokenRepository->revokeAccessToken($tokenId);
     }
 
     /**
      * {@inheritdoc}
      */
     public function isAccessTokenRevoked($tokenId)
     {
-        return $this->database->table('oauth_access_tokens')
-                    ->where('id', $tokenId)->where('revoked', 1)->exists();
+        return $this->tokenRepository->isAccessTokenRevoked($tokenId);
     }
 }

src/Http/Middleware/CheckClientCredentials.php

@@ -37,16 +37,22 @@ public function __construct(ResourceServer $server)
      *
      * @throws \Illuminate\Auth\AuthenticationException
      */
-    public function handle($request, Closure $next)
+    public function handle($request, Closure $next, ...$scopes)
     {
         $psr = (new DiactorosFactory)->createRequest($request);
 
         try{
-            $this->server->validateAuthenticatedRequest($psr);
+            $psr = $this->server->validateAuthenticatedRequest($psr);
         } catch (OAuthServerException $e) {
             throw new AuthenticationException;
         }
 
+        foreach ($scopes as $scope) {
+           if (!in_array($scope,$psr->getAttribute('oauth_scopes'))) {
+             throw new AuthenticationException;
+           }
+         }
+
         return $next($request);
     }
 }

src/TokenRepository.php

@@ -4,6 +4,17 @@
 
 class TokenRepository
 {
+    /**
+     * Creates a new Access Token
+     *
+     * @param  array  $attributes
+     * @return Token
+     */
+    public function create($attributes)
+    {
+        return Token::create($attributes);
+    }
+
     /**
      * Get a token by the given ID.
      *
@@ -21,11 +32,33 @@ public function find($id)
      * @param  Token  $token
      * @return void
      */
-    public function save($token)
+    public function save(Token $token)
     {
         $token->save();
     }
 
+    /**
+     * Revoke an access token.
+     *
+     * @param string $id
+     */
+    public function revokeAccessToken($id)
+    {
+        return $this->find($id)->update(['revoked' => true]);
+    }
+
+    /**
+     * Check if the access token has been revoked.
+     *
+     * @param string $id
+     *
+     * @return bool Return true if this token has been revoked
+     */
+    public function isAccessTokenRevoked($id)
+    {
+        return Token::where('id', $id)->where('revoked', true)->exists();
+    }
+
     /**
      * Revoke all of the access tokens for a given user and client.
      *

tests/BridgeAccessTokenRepositoryTest.php

@@ -13,9 +13,9 @@ public function test_access_tokens_can_be_persisted()
     {
         $expiration = Carbon::now();
 
-        $database = Mockery::mock('Illuminate\Database\Connection');
+        $tokenRepository = Mockery::mock('Laravel\Passport\TokenRepository');
 
-        $database->shouldReceive('table->insert')->once()->andReturnUsing(function ($array) use ($expiration) {
+        $tokenRepository->shouldReceive('create')->once()->andReturnUsing(function ($array) use ($expiration) {
             $this->assertEquals(1, $array['id']);
             $this->assertEquals(2, $array['user_id']);
             $this->assertEquals('client-id', $array['client_id']);
@@ -31,7 +31,7 @@ public function test_access_tokens_can_be_persisted()
         $accessToken->setExpiryDateTime($expiration);
         $accessToken->setClient(new Laravel\Passport\Bridge\Client('client-id', 'name', 'redirect'));
 
-        $repository = new Laravel\Passport\Bridge\AccessTokenRepository($database);
+        $repository = new Laravel\Passport\Bridge\AccessTokenRepository($tokenRepository);
 
         $repository->persistNewAccessToken($accessToken);
     }

tests/CheckClientCredentialsTest.php

@@ -0,0 +1,78 @@
+<?php
+
+use Laravel\Passport\Http\Middleware\CheckClientCredentials;
+use Illuminate\Http\Request;
+
+class CheckClientCredentialsTest extends PHPUnit_Framework_TestCase
+{
+    public function tearDown()
+    {
+        Mockery::close();
+    }
+
+    public function test_request_is_passed_along_if_token_is_valid()
+    {
+        $resourceServer = Mockery::mock('League\OAuth2\Server\ResourceServer');
+        $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = Mockery::mock());
+        $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1);
+        $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1);
+        $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token');
+
+        $middleware = new CheckClientCredentials($resourceServer);
+
+        $request = Request::create('/');
+        $request->headers->set('Authorization', 'Bearer token');
+
+        $response = $middleware->handle($request, function () {
+            return 'response';
+        });
+
+        $this->assertEquals('response', $response);
+
+    }
+
+    /**
+     * @expectedException Illuminate\Auth\AuthenticationException
+     */
+    public function test_exception_is_thrown_when_oauth_throws_exception()
+    {
+        $resourceServer = Mockery::mock('League\OAuth2\Server\ResourceServer');
+        $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturnUsing(function () {
+            throw new League\OAuth2\Server\Exception\OAuthServerException('message', 500, 'error type');
+        });
+
+        $middleware = new CheckClientCredentials($resourceServer);
+
+        $request = Request::create('/');
+        $request->headers->set('Authorization', 'Bearer token');
+
+        $middleware->handle($request, function () {
+            return 'response';
+        });
+
+    }
+
+    /**
+     * @expectedException Illuminate\Auth\AuthenticationException
+     */
+    public function test_exception_is_thrown_if_token_does_not_have_required_scopes()
+    {
+        $resourceServer = Mockery::mock('League\OAuth2\Server\ResourceServer');
+        $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = Mockery::mock());
+        $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1);
+        $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1);
+        $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token');
+        $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['foo','notbar']);
+
+        $middleware = new CheckClientCredentials($resourceServer);
+
+        $request = Request::create('/');
+        $request->headers->set('Authorization', 'Bearer token');
+
+        $response = $middleware->handle($request, function () {
+            return 'response';
+        },'foo', 'bar');
+
+    }
+
+}

tests/PersonalAccessTokenFactoryTest.php

@@ -39,7 +39,7 @@ class PersonalAccessTokenFactoryTestClientStub
     public $secret = 'something';
 }
 
-class PersonalAccessTokenFactoryTestModelStub extends Illuminate\Database\Eloquent\Model
+class PersonalAccessTokenFactoryTestModelStub extends Laravel\Passport\Token
 {
     public $id = 1;
     public $secret = 'something';