Harden AuthCodeGrant::canRespondToAccessTokenRequest (#25)

* Skip (additional) checks when grant_type isn't even authorization_code * Simplify check whether code request parameter is present * Handle exception when code can't be decrypted (for example when sending empty value, or any value which isn't properly encrypted) * Add check whether decoded token contains scopes (to prevent undefined variable error when it isn't)
limosa-io · Jul 24, 2023 · ccd719a · ccd719a
1 parent 7cf381d
commit ccd719a
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
@@ -85,16 +85,25 @@ public function canRespondToAuthorizationRequest(ServerRequestInterface $request
     public function canRespondToAccessTokenRequest(ServerRequestInterface $request)
     {
         $requestParameters = (array) $request->getParsedBody();
-        //FIXME: for some reason, the unit test complete if the next three lines are removed
-        if (!in_array('code', array_keys($requestParameters))) {
+
+        // Don't try to handle code when it isn't even an authorization_code request
+        if (!array_key_exists('grant_type', $requestParameters)
+            || $requestParameters['grant_type'] !== 'authorization_code'
+        ) {
+            return false;
+        }
+
+        if (!array_key_exists('code', $requestParameters)) {
             return false;
         }
 
-        $authCodePayload = json_decode($this->decrypt($requestParameters['code']));
+        try {
+            $authCodePayload = json_decode($this->decrypt($requestParameters['code']));
+        } catch (LogicException $e) {
+            return false;
+        }
 
-        return (in_array('openid', $authCodePayload->scopes) &&
-            array_key_exists('grant_type', $requestParameters) &&
-            $requestParameters['grant_type'] === 'authorization_code');
+        return isset($authCodePayload->scopes) && in_array('openid', $authCodePayload->scopes);
     }
 
     /**