Merge in v9 branch

.github/workflows/backwards-compatibility.yml

@@ -14,7 +14,8 @@ jobs:
         uses: "actions/checkout@v2"
         with:
           fetch-depth: 0
-
+      - name: Fix git safe.directory in container
+        run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig
       - name: "Backwards Compatibility Check"
         uses: docker://nyholm/roave-bc-check-ga
         with:

.github/workflows/tests.yml

@@ -8,19 +8,29 @@ on:
 
 jobs:
   tests:
-    runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
-        php: [7.4, 8.0, 8.1]
+        php: [8.1, 8.2]
+        os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
+        include:
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-lowest
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-stable
+
+    runs-on: ${{ matrix.os }}
 
     name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with: 
+          fetch-depth: 0
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -30,13 +40,17 @@ jobs:
           coverage: pcov
 
       - name: Install dependencies
-        run: composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+        run:
+          composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Install Scrutinizer/Ocular
+        run:
+          composer global require scrutinizer/ocular
 
       - name: Execute tests
         run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
 
       - name: Code coverage
-        if: ${{ github.ref == 'refs/heads/master' && matrix.php != 8.0 && github.repository == 'thephpleague/oauth2-server' }}
-        run: |
-          wget https://scrutinizer-ci.com/ocular.phar
-          php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}
+        run:
+          ~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage.clover

CHANGELOG.md

@@ -22,11 +22,49 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Removed
 - Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)
 
-### [8.3.6] - released 2022-11-14
+## [8.5.4] - released 2023-08-25
+### Added
+- Support for league/uri ^7.0 (PR #1367)
+
+## [8.5.3] - released 2023-07-06
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid 
+passphrase, the LogicException message generated will expose the given key. 
+The key is no longer leaked via this exception (PR #1353)
+
+## [8.5.2] - released 2023-06-16
+### Changed
+- Bumped the versions for laminas/diactoros and psr/http-message to support 
+PSR-7 v2.0 (PR #1339)
+
+## [8.5.1] - released 2023-04-04
+### Fixed
+- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
+
+## [8.5.0] - released 2023-04-03
+### Added
+- Support for PHP 8.1 and 8.2 (PR #1333)
+
+### Removed
+- Support PHP 7.2, 7.3, and 7.4 (PR #1333)
+
+## [8.4.1] - released 2023-03-22
+### Fixed
+- Fix deprecation notices for PHP 8.x (PR #1329)
+
+## [8.4.0] - released 2023-02-15
+### Added
+- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
+
+### Security
+- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
+a PKCE downgrade attack (PR #1326)
+
+## [8.3.6] - released 2022-11-14
 ### Fixed
 - Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
 
-### [8.3.5] - released 2022-05-12
+## [8.3.5] - released 2022-05-12
 ### Fixed
 - Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid [new empty string exception](https://github.com/lcobucci/jwt/pull/833) thrown by lcobucci/jwt (PR #1282)
 
@@ -583,7 +621,14 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.3.6...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.5.4...HEAD
+[8.5.4]: https://github.com/thephpleague/oauth2-server/compare/8.5.3...8.5.4
+[8.5.3]: https://github.com/thephpleague/oauth2-server/compare/8.5.2...8.5.3
+[8.5.2]: https://github.com/thephpleague/oauth2-server/compare/8.5.1...8.5.2
+[8.5.1]: https://github.com/thephpleague/oauth2-server/compare/8.5.0...8.5.1
+[8.5.0]: https://github.com/thephpleague/oauth2-server/compare/8.4.1...8.5.0
+[8.4.1]: https://github.com/thephpleague/oauth2-server/compare/8.4.0...8.4.1
+[8.4.0]: https://github.com/thephpleague/oauth2-server/compare/8.3.6...8.4.0
 [8.3.6]: https://github.com/thephpleague/oauth2-server/compare/8.3.5...8.3.6
 [8.3.5]: https://github.com/thephpleague/oauth2-server/compare/8.3.4...8.3.5
 [8.3.4]: https://github.com/thephpleague/oauth2-server/compare/8.3.3...8.3.4

README.md

@@ -30,10 +30,9 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 7.2
-* PHP 7.3
-* PHP 7.4
 * PHP 8.0
+* PHP 8.1
+* PHP 8.2
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,18 +4,18 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^7.4 || ^8.0",
+        "php": "^8.0",
         "ext-openssl": "*",
         "league/event": "^2.2",
-        "league/uri": "^6.4",
-        "lcobucci/jwt": "^4.1.5",
-        "psr/http-message": "^1.0.1",
+        "league/uri": "^6.7 || ^7.0",
+        "lcobucci/jwt": "^4.3 || ^5.0",
+        "psr/http-message": "^1.0.1 || ^2.0",
         "defuse/php-encryption": "^2.3.1",
-        "ext-json": "*"
+        "lcobucci/clock": "^2.2 || ^3.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.5.11",
-        "laminas/laminas-diactoros": "^2.8.0",
+        "phpunit/phpunit": "^9.6.6",
+        "laminas/laminas-diactoros": "^3.0.0",
         "phpstan/phpstan": "^1.10.26",
         "phpstan/phpstan-phpunit": "^1.3.14",
         "roave/security-advisories": "dev-master",

examples/public/client_credentials.php

@@ -53,20 +53,16 @@
 ]);
 
 $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-
     /* @var \League\OAuth2\Server\AuthorizationServer $server */
     $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-
         // Try to respond to the request
         return $server->respondToAccessTokenRequest($request, $response);
     } catch (OAuthServerException $exception) {
-
         // All instances of OAuthServerException can be formatted into a HTTP response
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {
-
         // Unknown exception
         $body = new Stream('php://temp', 'r+');
         $body->write($exception->getMessage());

examples/public/password.php

@@ -17,7 +17,6 @@
 $app = new App([
     // Add the authorization server to the DI container
     AuthorizationServer::class => function () {
-
         // Setup the authorization server
         $server = new AuthorizationServer(
             new ClientRepository(),                 // instance of ClientRepositoryInterface
@@ -46,20 +45,16 @@
 $app->post(
     '/access_token',
     function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-
         /* @var \League\OAuth2\Server\AuthorizationServer $server */
         $server = $app->getContainer()->get(AuthorizationServer::class);
 
         try {
-
             // Try to respond to the access token request
             return $server->respondToAccessTokenRequest($request, $response);
         } catch (OAuthServerException $exception) {
-
             // All instances of OAuthServerException can be converted to a PSR-7 response
             return $exception->generateHttpResponse($response);
         } catch (\Exception $exception) {
-
             // Catch unexpected exceptions
             $body = $response->getBody();
             $body->write($exception->getMessage());

phpstan.neon.dist

@@ -8,6 +8,3 @@ parameters:
           message: '#Call to an undefined method League\\OAuth2\\Server\\ResponseTypes\\ResponseTypeInterface::getAccessToken\(\)\.#'
           path: tests/Grant/ClientCredentialsGrantTest.php 
         - '#Return type \(League\\Event\\EmitterInterface\|null\) of method LeagueTests\\Stubs\\GrantType::getEmitter\(\) should be covariant with return type \(League\\Event\\EmitterInterface\) of method League\\Event\\EmitterAwareInterface::getEmitter\(\)#'
-        - '#Method League\\OAuth2\\Server\\Grant\\AbstractGrant::issueAccessToken\(\) should return League\\OAuth2\\Server\\Entities\\AccessTokenEntityInterface but return statement is missing\.#'
-        - '#Method League\\OAuth2\\Server\\Grant\\AbstractGrant::issueAuthCode\(\) should return League\\OAuth2\\Server\\Entities\\AuthCodeEntityInterface but return statement is missing\.#'
-        - '#Method League\\OAuth2\\Server\\Grant\\AbstractGrant::issueRefreshToken\(\) should return League\\OAuth2\\Server\\Entities\\RefreshTokenEntityInterface\|null but return statement is missing\.#'

phpunit.xml.dist

@@ -1,14 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="true"
-         stopOnFailure="true" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
-    <testsuites>
-        <testsuite name="Tests">
-            <directory>./tests/</directory>
-        </testsuite>
-    </testsuites>
-    <filter>
-        <whitelist addUncoveredFilesFromWhitelist="true">
-            <directory suffix=".php">src</directory>
-        </whitelist>
-    </filter>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd"
+         colors="true"
+         stopOnError="true"
+         stopOnFailure="true"
+         stopOnIncomplete="false"
+         stopOnSkipped="false"
+         bootstrap="tests/Bootstrap.php"
+>
+  <coverage includeUncoveredFiles="true">
+    <include>
+      <directory suffix=".php">src</directory>
+    </include>
+  </coverage>
+  <testsuites>
+    <testsuite name="Tests">
+      <directory>./tests/</directory>
+    </testsuite>
+  </testsuites>
 </phpunit>

src/AuthorizationValidators/BearerTokenValidator.php

@@ -12,6 +12,7 @@
 
 namespace League\OAuth2\Server\AuthorizationValidators;
 
+use DateInterval;
 use DateTimeZone;
 use Lcobucci\Clock\SystemClock;
 use Lcobucci\JWT\Configuration;
@@ -43,7 +44,7 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
 
     private Configuration $jwtConfiguration;
 
-    public function __construct(private AccessTokenRepositoryInterface $accessTokenRepository)
+    public function __construct(private AccessTokenRepositoryInterface $accessTokenRepository, private ?DateInterval $jwtValidAtDateLeeway = null)
     {
     }
 
@@ -67,14 +68,16 @@ private function initJwtConfiguration(): void
             InMemory::plainText('empty', 'empty')
         );
 
+        $clock = new SystemClock(new DateTimeZone(date_default_timezone_get()));
+
         $publicKeyContents = $this->publicKey->getKeyContents();
 
         if ($publicKeyContents === '') {
             throw new RuntimeException('Public key is empty');
         }
 
         $this->jwtConfiguration->setValidationConstraints(
-            new LooseValidAt(new SystemClock(new DateTimeZone(date_default_timezone_get()))),
+            new LooseValidAt($clock, $this->jwtValidAtDateLeeway),
             new SignedWith(
                 new Sha256(),
                 InMemory::plainText($publicKeyContents, $this->publicKey->getPassPhrase() ?? '')
@@ -106,7 +109,7 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe
             $constraints = $this->jwtConfiguration->validationConstraints();
             $this->jwtConfiguration->validator()->assert($token, ...$constraints);
         } catch (RequiredConstraintsViolated $exception) {
-            throw OAuthServerException::accessDenied('Access token could not be verified');
+            throw OAuthServerException::accessDenied('Access token could not be verified', null, $exception);
         }
 
         if (!$token instanceof UnencryptedToken) {

src/CryptKey.php

@@ -71,7 +71,7 @@ public function __construct(string $keyPath, protected ?string $passPhrase = nul
                 throw new LogicException('Unable to read key from file ' . $keyPath);
             }
         } else {
-            throw new LogicException('Unable to read key from file ' . $keyPath);
+            throw new LogicException('Invalid key supplied');
         }
 
         if ($keyPermissionsCheck === true) {

src/Entities/Traits/ClientTrait.php

@@ -26,6 +26,7 @@ trait ClientTrait
     /**
      * Get the client's name.
      *
+     *
      * @codeCoverageIgnore
      */
     public function getName(): string

src/Grant/AbstractGrant.php

@@ -386,6 +386,9 @@ protected function issueAccessToken(
                 }
             }
         }
+
+        // This should never be hit. It is here to work around a PHPStan false error
+        return $accessToken;
     }
 
     /**
@@ -430,6 +433,9 @@ protected function issueAuthCode(
                 }
             }
         }
+
+        // This should never be hit. It is here to work around a PHPStan false error
+        return $authCode;
     }
 
     /**
@@ -461,6 +467,9 @@ protected function issueRefreshToken(AccessTokenEntityInterface $accessToken): ?
                 }
             }
         }
+
+        // This should never be hit. It is here to work around a PHPStan false error
+        return $refreshToken;
     }
 
     /**