vendor/shopware/core/Framework/Api/OAuth/BearerTokenValidator.php line 40

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Api\OAuth;
  5. use Doctrine\DBAL\Connection;
  6. use Lcobucci\JWT\Configuration;
  7. use Lcobucci\JWT\UnencryptedToken;
  8. use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
  9. use League\OAuth2\Server\Exception\OAuthServerException;
  10. use Psr\Http\Message\ServerRequestInterface;
  11. use Shopware\Core\Framework\Log\Package;
  12. use Shopware\Core\Framework\Uuid\Uuid;
  13. use Shopware\Core\PlatformRequest;
  15. #[Package('core')]
  16. class BearerTokenValidator implements AuthorizationValidatorInterface
  17. {
  18.     private Connection $connection;
  20.     private AuthorizationValidatorInterface $decorated;
  22.     private Configuration $configuration;
  24.     /**
  25.      * @internal
  26.      */
  27.     public function __construct(
  28.         AuthorizationValidatorInterface $decorated,
  29.         Connection $connection,
  30.         Configuration $configuration
  31.     ) {
  32.         $this->decorated $decorated;
  33.         $this->connection $connection;
  34.         $this->configuration $configuration;
  35.     }
  37.     /**
  38.      * @return ServerRequestInterface
  39.      */
  40.     public function validateAuthorization(ServerRequestInterface $request)
  41.     {
  42.         $request $this->decorated->validateAuthorization($request);
  44.         $header $request->getHeader('authorization');
  46.         $jwt trim(preg_replace('/^(?:\s+)?Bearer\s/'''$header[0]) ?? '');
  48.         /** @var UnencryptedToken $token */
  49.         $token $this->configuration->parser()->parse($jwt);
  51.         if ($userId $request->getAttribute(PlatformRequest::ATTRIBUTE_OAUTH_USER_ID)) {
  52.             $this->validateAccessTokenIssuedAt($token->claims()->get('iat'0), $userId);
  53.         }
  55.         return $request;
  56.     }
  58.     /**
  59.      * @throws OAuthServerException
  60.      */
  61.     private function validateAccessTokenIssuedAt(\DateTimeImmutable $tokenIssuedAtstring $userId): void
  62.     {
  63.         $lastUpdatedPasswordAt $this->connection->createQueryBuilder()
  64.             ->select(['last_updated_password_at'])
  65.             ->from('user')
  66.             ->where('id = :userId')
  67.             ->setParameter('userId'Uuid::fromHexToBytes($userId))
  68.             ->executeQuery()
  69.             ->fetchOne();
  71.         if ($lastUpdatedPasswordAt === false) {
  72.             throw OAuthServerException::accessDenied('Access token is invalid');
  73.         }
  75.         if ($lastUpdatedPasswordAt === null) {
  76.             return;
  77.         }
  79.         $lastUpdatedPasswordAt strtotime($lastUpdatedPasswordAt);
  81.         if ($tokenIssuedAt->getTimestamp() <= $lastUpdatedPasswordAt) {
  82.             throw OAuthServerException::accessDenied('Access token is expired');
  83.         }
  84.     }
  85. }