otp grant

Author: xtwoend

src/AuthorizationServerFactory.php

@@ -2,8 +2,10 @@
 
 namespace OAuthServer;
 
+use OAuthServer\Grant\OtpGrant;
 use Hyperf\Contract\ConfigInterface;
 use Psr\Container\ContainerInterface;
+use OAuthServer\OneTimePasswordInterface;
 use OAuthServer\Repositories\UserRepository;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
@@ -54,6 +56,11 @@ public function __invoke()
                 $this->makePasswordGrant(),
                 $tokenExpiresIn
             );
+
+            $server->enableGrantType(
+                $this->makeOtpGrant(),
+                $tokenExpiresIn
+            );
 
             return $server;
         });
@@ -102,4 +109,15 @@ public function makePasswordGrant()
             $grant->setRefreshTokenTTL(new \DateInterval('P1M'));
         });
     }
+
+    public function makeOtpGrant()
+    {
+        $userRepository = make(UserRepository::class);
+        $refreshTokenRepository = make(RefreshTokenRepository::class);
+        $oneTimePassword = make(OneTimePasswordInterface::class);
+
+        return tap(new OtpGrant($userRepository, $refreshTokenRepository, $oneTimePassword), function ($grant) {
+            $grant->setRefreshTokenTTL(new \DateInterval('P1M'));
+        });
+    }
 }

src/Command/OAuthKeyCommand.php

@@ -41,15 +41,21 @@ public function handle()
     {
         $force = $this->input->getOption('force');
         $length = $this->input->getOption('length');
+        $path = BASE_PATH . DIRECTORY_SEPARATOR . 'var';
 
         [$publicKey, $privateKey] = [
-            BASE_PATH . '/var/oauth-public.key',
-            BASE_PATH . '/var/oauth-private.key',
+            $path . DIRECTORY_SEPARATOR . 'oauth-public.key',
+            $path . DIRECTORY_SEPARATOR . 'oauth-private.key',
         ];
 
         if ((file_exists($publicKey) || file_exists($privateKey)) && ! $force) {
             $this->error('Encryption keys already exist. Use the --force option to overwrite them.');
         } else {
+
+            if (!is_dir($path)) {
+                mkdir($path, 0755, true);
+            }
+
             $private    = RSA::createKey($this->input ? (int) $length : 4096);
             $public     = $private->getPublicKey();
 

src/ConfigProvider.php

@@ -52,7 +52,7 @@ public function __invoke(): array
                 [
                     'id' => 'migration',
                     'description' => 'The migration for oauth.',
-                    'source' => __DIR__ . '/../migrations/*',
+                    'source' => __DIR__ . '/../migrations',
                     'destination' => BASE_PATH . '/migrations',
                 ],
             ],

src/Grant/OtpGrant.php

@@ -0,0 +1,119 @@
+<?php
+
+namespace OAuthServer\Grant;
+
+use DateInterval;
+use League\OAuth2\Server\RequestEvent;
+use OAuthServer\OneTimePasswordInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Entities\UserEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+
+/**
+ * OTP grant class.
+ */
+class OtpGrant extends AbstractGrant
+{
+    protected $otp;
+
+    /**
+     * @param UserRepositoryInterface         $userRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param OneTimePasswordInterface $otp
+     */
+    public function __construct(
+        UserRepositoryInterface $userRepository,
+        RefreshTokenRepositoryInterface $refreshTokenRepository,
+        OneTimePasswordInterface $otp
+    ) {
+        $this->setUserRepository($userRepository);
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+        $this->otp = $otp;
+
+        $this->refreshTokenTTL = new DateInterval('P1M');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        DateInterval $accessTokenTTL
+    ) {
+        // Validate request
+        $client = $this->validateClient($request);
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
+        $user = $this->validateUser($request, $client, $this->otp);
+
+        // Finalize the requested scopes
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+
+        // Issue and persist new access token
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
+        $refreshToken = $this->issueRefreshToken($accessToken);
+
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }
+
+        return $responseType;
+    }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @param ClientEntityInterface  $client
+     *
+     * @throws OAuthServerException
+     *
+     * @return UserEntityInterface
+     */
+    protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client, OneTimePasswordInterface $otp)
+    {
+        $phone = $this->getRequestParameter('phone', $request);
+
+        if (\is_null($phone)) {
+            throw OAuthServerException::invalidRequest('phone');
+        }
+
+        $code = $this->getRequestParameter('code', $request);
+
+        if (\is_null($code)) {
+            throw OAuthServerException::invalidRequest('code');
+        }
+
+        $user = $this->userRepository->getUserEntityByOtp(
+            $phone,
+            $code,
+            $this->getIdentifier(),
+            $client,
+            $otp
+        );
+
+        if ($user instanceof UserEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));
+
+            throw OAuthServerException::invalidGrant();
+        }
+
+        return $user;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getIdentifier()
+    {
+        return 'otp';
+    }
+}

src/OneTimePasswordInterface.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace OAuthServer;
+
+interface OneTimePasswordInterface
+{
+    public function verify(string $phone, string $code): bool;
+}

src/Repositories/UserRepository.php

@@ -12,6 +12,7 @@
 use RuntimeException;
 use Hyperf\DbConnection\Db;
 use OAuthServer\Entities\UserEntity;
+use OAuthServer\OneTimePasswordInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 
@@ -47,6 +48,38 @@ public function getUserEntityByUserCredentials(
         return new UserEntity($user->id);
     }
 
+    public function getUserEntityByOtp(
+        $phone,
+        $code,
+        $grantType,
+        ClientEntityInterface $clientEntity,
+        OneTimePasswordInterface $otp
+    ) {
+        $provider = $clientEntity->provider ?: config('oauth.provider');
+
+        if (is_null($config = config('databases.'.$provider, null))) {
+            throw new RuntimeException('Unable to determine authentication from configuration.');
+        }
+
+        if ($grantType !== 'otp') {
+            throw new RuntimeException('Invalid Grant Type');
+        }
+
+        $query = Db::connection($provider);
+
+        $user = $query->table('users')->where('phone', $phone)->first();
+
+        if (! $user) {
+            return;
+        }
+
+        if (! $otp->verify($user->phone, $code)) {
+            return;
+        }
+
+        return new UserEntity($user->id);
+    }
+
     public function getUserByProviderUserId($id, $client)
     {
         $provider = $client->provider;