Merge pull request hwi#45 from stloyd/infinity_loop

Throw exception in security listener when `code` is missing
stof · Jun 29, 2012 · 7a90bbe · 7a90bbe
2 parents 7d76be0 + fefc54a
commit 7a90bbe
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 9 deletions.
diff --git a/OAuth/ResourceOwner/GenericOAuth1ResourceOwner.php b/OAuth/ResourceOwner/GenericOAuth1ResourceOwner.php
@@ -103,10 +103,6 @@ public function getAuthorizationUrl($redirectUri, array $extraParameters = array
      */
     public function getAccessToken(Request $request, $redirectUri, array $extraParameters = array())
     {
-        if (null === $oauthToken = $request->query->has('oauth_token')) {
-            throw new \RuntimeException('No oauth_token provided in the request.');
-        }
-
         if (null === $requestToken = $this->storage->fetch($this, $request->query->get('oauth_token'))) {
             throw new \RuntimeException('No request token found in the storage.');
         }

diff --git a/OAuth/ResourceOwner/GenericOAuth2ResourceOwner.php b/OAuth/ResourceOwner/GenericOAuth2ResourceOwner.php
@@ -69,10 +69,6 @@ public function getAuthorizationUrl($redirectUri, array $extraParameters = array
      */
     public function getAccessToken(Request $request, $redirectUri, array $extraParameters = array())
     {
-        if (null === $code = $request->query->get('code')) {
-            throw new \RuntimeException('No code provided in the request.');
-        }
-
         $parameters = array_merge($extraParameters, array(
             'code'          => $code,
             'grant_type'    => 'authorization_code',

diff --git a/Security/Http/Firewall/OAuthListener.php b/Security/Http/Firewall/OAuthListener.php
@@ -15,7 +15,6 @@
     Symfony\Component\HttpFoundation\Request,
     Symfony\Component\Security\Core\Exception\AuthenticationException;
 
-
 use HWI\Bundle\OAuthBundle\Security\Core\Authentication\Token\OAuthToken,
     HWI\Bundle\OAuthBundle\Security\Http\ResourceOwnerMap;
 
@@ -75,6 +74,11 @@ protected function attemptAuthentication(Request $request)
     {
         list($resourceOwner, $checkPath) = $this->resourceOwnerMap->getResourceOwnerByRequest($request);
 
+        if (!$resourceOwner->handles($request)) {
+            // Can't use AuthenticationException below, as it leads to infinity loop
+            throw new \RuntimeException('No oauth code in the request.');
+        }
+
         $accessToken = $resourceOwner->getAccessToken(
             $request,
             $this->httpUtils->createRequest($request, $checkPath)->getUri()