Merge branch 'master' into dependencies/cakephp-4.5

bedita · Apr 18, 2024 · 40624e3 · 40624e3
2 parents f7b1ecd + 579980a
commit 40624e3
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 11 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      gh-actions:
+        patterns: ['actions/*']
+      docker:
+        patterns: ['docker/*']
+      codecov:
+        patterns: ['codecov/*']
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -14,23 +14,23 @@ on:
 
 jobs:
   cs:
-    uses: bedita/github-workflows/.github/workflows/php-cs.yml@v1
+    uses: bedita/github-workflows/.github/workflows/php-cs.yml@v2
     with:
-      php_versions: '["7.4","8.1","8.2"]'
+      php_versions: '["7.4","8.1","8.2","8.3"]'
 
   stan:
-    uses: bedita/github-workflows/.github/workflows/php-stan.yml@v1
+    uses: bedita/github-workflows/.github/workflows/php-stan.yml@v2
     with:
-      php_versions: '["7.4","8.1","8.2"]'
+      php_versions: '["7.4","8.1","8.2","8.3"]'
 
   unit-4:
-    uses: bedita/github-workflows/.github/workflows/php-unit.yml@v1
+    uses: bedita/github-workflows/.github/workflows/php-unit.yml@v2
     with:
-      php_versions: '["7.4","8.1","8.2"]'
+      php_versions: '["7.4","8.1","8.2","8.3"]'
       bedita_version: '4'
 
   unit-5:
-    uses: bedita/github-workflows/.github/workflows/php-unit.yml@v1
+    uses: bedita/github-workflows/.github/workflows/php-unit.yml@v2
     with:
-      php_versions: '["7.4","8.1","8.2"]'
+      php_versions: '["7.4","8.1","8.2","8.3"]'
       bedita_version: '5'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ on:
 
 jobs:
   release-job:
-    uses: bedita/github-workflows/.github/workflows/release.yml@v1
+    uses: bedita/github-workflows/.github/workflows/release.yml@v2
     with:
       main_branch: 'master'
       dist_branches: '["master","1.x"]'

diff --git a/composer.json b/composer.json
@@ -23,6 +23,7 @@
         "php": ">=7.4",
         "bedita/php-sdk": "^2.1.0",
         "cakephp/cakephp": "^4.5.0",
+        "firebase/php-jwt": "^6.9",
         "cakephp/twig-view": "^1.3.0"
     },
     "require-dev": {

diff --git a/src/Authenticator/OAuth2Authenticator.php b/src/Authenticator/OAuth2Authenticator.php
@@ -22,6 +22,7 @@
 use Cake\Log\LogTrait;
 use Cake\Routing\Router;
 use Cake\Utility\Hash;
+use Firebase\JWT\JWT;
 use Psr\Http\Message\ServerRequestInterface;
 
 /**
@@ -85,6 +86,11 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
     {
         // extract provider from request
         $provider = basename($request->getUri()->getPath());
+        // leeway is needed for clock skew
+        $leeway = (int)$this->getConfig(sprintf('providers.%s.clientOptions.jwtLeeway', $provider), 0);
+        if ($leeway) {
+            JWT::$leeway = $leeway;
+        }
 
         $connect = $this->providerConnect($provider, $request);
         if (!empty($connect[static::AUTH_URL_KEY])) {
@@ -97,6 +103,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             'provider_username' => Hash::get($connect, sprintf('user.%s', $usernameField)),
             'access_token' => Hash::get($connect, 'token.access_token'),
             'provider_userdata' => (array)Hash::get($connect, 'user'),
+            'id_token' => Hash::get($connect, 'token.id_token'),
         ];
         $user = $this->_identifier->identify($data);
 
@@ -119,7 +126,11 @@ protected function providerConnect(string $provider, ServerRequestInterface $req
     {
         $this->initProvider($provider, $request);
 
-        $query = $request->getQueryParams();
+        if ($request->getMethod() === 'GET') {
+            $query = $request->getQueryParams();
+        } else {
+            $query = $request->getParsedBody();
+        }
         $sessionKey = $this->getConfig('sessionKey');
         /** @var \Cake\Http\Session $session */
         $session = $request->getAttribute('session');
@@ -134,7 +145,10 @@ protected function providerConnect(string $provider, ServerRequestInterface $req
         }
 
         // Check given state against previously stored one to mitigate CSRF attack
-        if (empty($query['state']) || ($query['state'] !== $session->read($sessionKey))) {
+        if (
+            (empty($query['state']) || $query['state'] !== $session->read($sessionKey))
+            && $request->getMethod() === 'GET'
+        ) {
             $session->delete($sessionKey);
             throw new BadRequestException('Invalid state');
         }

diff --git a/tests/TestCase/Authenticator/OAuth2AuthenticatorTest.php b/tests/TestCase/Authenticator/OAuth2AuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Cake\Http\Session;
 use Cake\TestSuite\TestCase;
 use Cake\Utility\Hash;
+use Firebase\JWT\JWT;
 
 /**
  * {@see \BEdita\WebTools\Authenticator\OAuth2Authenticator} Test Case
@@ -50,6 +51,7 @@ public function authenticateProvider(): array
                     'status' => Result::SUCCESS,
                 ],
                 [
+                    'environment' => ['REQUEST_METHOD' => 'POST'],
                     'url' => '/ext/login/gustavo',
                 ],
                 [
@@ -186,4 +188,52 @@ public function getErrors(): array
         static::assertNotNull($result);
         static::assertEquals($expected['status'], $result->getStatus());
     }
+
+    /**
+     * Test JWT leeway config in `authenticate` method
+     *
+     * @return void
+     * @covers ::authenticate()
+     */
+    public function testAuthenticateLeeway(): void
+    {
+        $identifier = new class () implements IdentifierInterface {
+            public function identify(array $credentials)
+            {
+                return $credentials;
+            }
+
+            public function getErrors(): array
+            {
+                return [];
+            }
+        };
+        $reqConfig = [
+            'url' => '/ext/login/gustavo',
+        ];
+        $request = new ServerRequest($reqConfig);
+        $session = new Session();
+        $session->write(Hash::get($reqConfig, 'data'));
+        $request = $request->withAttribute('session', $session);
+
+        $authenticator = new OAuth2Authenticator($identifier, [
+            'urlResolver' => fn () => '',
+            'providers' => [
+                'gustavo' => [
+                    'class' => TestProvider::class,
+                    'setup' => [
+                        'clientId' => '',
+                    ],
+                    'clientOptions' => [
+                        'jwtLeeway' => 10,
+                    ],
+                ],
+            ],
+        ]);
+        $result = $authenticator->authenticate($request);
+
+        static::assertNotNull($result);
+        static::assertEquals(Result::SUCCESS, $result->getStatus());
+        static::assertEquals(JWT::$leeway, 10);
+    }
 }