vendor/shopware/core/Framework/Api/OAuth/BearerTokenValidator.php line 41

  1. <?php declare(strict_types=1);
  2. namespace Shopware\Core\Framework\Api\OAuth;
  3. use Doctrine\DBAL\Connection;
  4. use Lcobucci\JWT\Configuration;
  5. use Lcobucci\JWT\UnencryptedToken;
  6. use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
  7. use League\OAuth2\Server\Exception\OAuthServerException;
  8. use Psr\Http\Message\ServerRequestInterface;
  9. use Shopware\Core\Framework\Uuid\Uuid;
  10. use Shopware\Core\PlatformRequest;
  11. /**
  12.  * @package core
  13.  */
  14. class BearerTokenValidator implements AuthorizationValidatorInterface
  15. {
  16.     private Connection $connection;
  17.     private AuthorizationValidatorInterface $decorated;
  18.     private Configuration $configuration;
  19.     /**
  20.      * @internal
  21.      */
  22.     public function __construct(
  23.         AuthorizationValidatorInterface $decorated,
  24.         Connection $connection,
  25.         Configuration $configuration
  26.     ) {
  27.         $this->decorated $decorated;
  28.         $this->connection $connection;
  29.         $this->configuration $configuration;
  30.     }
  31.     /**
  32.      * @return ServerRequestInterface
  33.      */
  34.     public function validateAuthorization(ServerRequestInterface $request)
  35.     {
  36.         $request $this->decorated->validateAuthorization($request);
  37.         $header $request->getHeader('authorization');
  38.         $jwt trim(preg_replace('/^(?:\s+)?Bearer\s/'''$header[0]) ?? '');
  39.         /** @var UnencryptedToken $token */
  40.         $token $this->configuration->parser()->parse($jwt);
  41.         if ($userId $request->getAttribute(PlatformRequest::ATTRIBUTE_OAUTH_USER_ID)) {
  42.             $this->validateAccessTokenIssuedAt($token->claims()->get('iat'0), $userId);
  43.         }
  44.         return $request;
  45.     }
  46.     /**
  47.      * @throws OAuthServerException
  48.      */
  49.     private function validateAccessTokenIssuedAt(\DateTimeImmutable $tokenIssuedAtstring $userId): void
  50.     {
  51.         $lastUpdatedPasswordAt $this->connection->createQueryBuilder()
  52.             ->select(['last_updated_password_at'])
  53.             ->from('user')
  54.             ->where('id = :userId')
  55.             ->setParameter('userId'Uuid::fromHexToBytes($userId))
  56.             ->executeQuery()
  57.             ->fetchOne();
  58.         if ($lastUpdatedPasswordAt === false) {
  59.             throw OAuthServerException::accessDenied('Access token is invalid');
  60.         }
  61.         if ($lastUpdatedPasswordAt === null) {
  62.             return;
  63.         }
  64.         $lastUpdatedPasswordAt strtotime($lastUpdatedPasswordAt);
  65.         if ($tokenIssuedAt->getTimestamp() <= $lastUpdatedPasswordAt) {
  66.             throw OAuthServerException::accessDenied('Access token is expired');
  67.         }
  68.     }
  69. }