Add hooks for the refresh cycle and step-up authentication

pjcdawkins · pjcdawkins · commit e6592519de6c · 2024-11-25T10:53:17.000Z
diff --git a/src/GuzzleMiddleware.php b/src/GuzzleMiddleware.php
@@ -2,10 +2,12 @@
 
 namespace Platformsh\OAuth2\Client;
 
+use GuzzleHttp\Exception\BadResponseException;
 use League\OAuth2\Client\Grant\AbstractGrant;
 use League\OAuth2\Client\Grant\ClientCredentials;
 use League\OAuth2\Client\Grant\RefreshToken;
 use League\OAuth2\Client\Provider\AbstractProvider;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use League\OAuth2\Client\Token\AccessToken;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
@@ -18,20 +20,32 @@ class GuzzleMiddleware
     /** @var AbstractGrant $grant */
     private $grant;
 
-    /** @var \League\OAuth2\Client\Token\AccessToken|null */
+    /** @var AccessToken|null */
     private $accessToken;
 
     /** @var array */
-    private $grantOptions = [];
+    private $grantOptions;
 
     /** @var callable|null */
     private $tokenSave;
 
+    /** @var callable|null */
+    protected $onRefreshStart;
+
+    /** @var callable|null */
+    protected $onRefreshEnd;
+
+    /** @var callable|null */
+    protected $onRefreshError;
+
+    /** @var callable|null */
+    protected $onStepUpAuthResponse;
+
     /**
      * GuzzleMiddleware constructor.
      *
-     * @param \League\OAuth2\Client\Provider\AbstractProvider $provider
-     * @param \League\OAuth2\Client\Grant\AbstractGrant       $grant
+     * @param AbstractProvider $provider
+     * @param AbstractGrant $grant
      * @param array                                           $grantOptions
      */
     public function __construct(AbstractProvider $provider, AbstractGrant $grant = null, array $grantOptions = [])
@@ -53,6 +67,54 @@ public function setTokenSaveCallback(callable $tokenSave)
         $this->tokenSave = $tokenSave;
     }
 
+    /**
+     * Sets a callback that will be triggered when token refresh starts.
+     *
+     * @param callable $callback
+     *   A callback which accepts 1 argument, the refresh token being used if
+     *   available (a string or null), and returns an AccessToken or null.
+     */
+    public function setOnRefreshStart(callable $callback)
+    {
+        $this->onRefreshStart = $callback;
+    }
+
+    /**
+     * Set a callback that will be triggered when token refresh ends.
+     *
+     * @param callable $callback
+     *   A callback which accepts 1 argument, the refresh token which was used
+     *   if available (a string or null).
+     */
+    public function setOnRefreshEnd(callable $callback)
+    {
+        $this->onRefreshEnd = $callback;
+    }
+
+    /**
+     * Set a callback that will react to a refresh token error.
+     *
+     * @param callable $callback
+     *   A callback which accepts one argument, the BadResponseException, and
+     *   returns an AccessToken or null.
+     */
+    public function setOnRefreshError(callable $callback)
+    {
+        $this->onRefreshError = $callback;
+    }
+
+    /**
+     * Set a callback that will react to a step-up authentication response (RFC 9470).
+     *
+     * @param callable $callback
+     *   A callback which accepts one argument, the response, of type \GuzzleHttp\Message\ResponseInterface,
+     *   and returns an AccessToken or null.
+     */
+    public function setOnStepUpAuthResponse(callable $callback)
+    {
+        $this->onStepUpAuthResponse = $callback;
+    }
+
     /**
      * Main middleware callback.
      *
@@ -73,23 +135,42 @@ public function __invoke(callable $next)
             /** @var \GuzzleHttp\Promise\PromiseInterface $promise */
             $promise = $next($request, $options);
 
-            return $promise->then(
-                function (ResponseInterface $response) use ($request, $options, $token, $next) {
-                    if ($response->getStatusCode() === 401) {
-                        // Consider the old token invalid, and get a new one.
-                        $token = $this->getAccessToken($token);
+            return $promise->then(function (ResponseInterface $response) use ($request, $options, $token, $next) {
+                if ($response->getStatusCode() !== 401) {
+                    return $response;
+                }
 
-                        // Retry the request.
-                        $request = $this->authenticateRequest($request, $token);
-                        $response = $next($request, $options);
+                if (isset($this->onStepUpAuthResponse) && $this->isStepUpAuthenticationResponse($response)) {
+                    $newToken = call_user_func($this->onStepUpAuthResponse, $response);
+                    $this->accessToken = $newToken;
+                    if (is_callable($this->tokenSave)) {
+                        call_user_func($this->tokenSave, $this->accessToken);
                     }
-
-                    return $response;
+                } else {
+                    // Consider the old token invalid, and get a new one.
+                    $this->getAccessToken($token);
                 }
-            );
+
+                // Retry the request.
+                $request = $this->authenticateRequest($request, $token);
+                return $next($request, $options);
+            });
         };
     }
 
+    /**
+     * Checks for a step-up authentication response (RFC 9470).
+     *
+     * @param ResponseInterface $response
+     *
+     * @return bool
+     */
+    protected function isStepUpAuthenticationResponse(ResponseInterface $response)
+    {
+        $authHeader = implode("\n", $response->getHeader('WWW-Authenticate'));
+        return stripos($authHeader, 'Bearer') !== false && strpos($authHeader, 'insufficient_user_authentication') !== false;
+    }
+
     /**
      * Check if a request is configured to use OAuth2.
      *
@@ -116,10 +197,10 @@ private function isOAuth2(RequestInterface $request, array $options)
     /**
      * Add authentication to an HTTP request.
      *
-     * @param \Psr\Http\Message\RequestInterface      $request
-     * @param \League\OAuth2\Client\Token\AccessToken $token
+     * @param RequestInterface $request
+     * @param AccessToken $token
      *
-     * @return \Psr\Http\Message\RequestInterface
+     * @return RequestInterface
      */
     private function authenticateRequest(RequestInterface $request, AccessToken $token)
     {
@@ -131,13 +212,14 @@ private function authenticateRequest(RequestInterface $request, AccessToken $tok
     }
 
     /**
-     * Get the current access token.
+     * Get the current or a new access token.
      *
      * @param AccessToken|null $invalid
      *   A token to consider invalid.
      *
-     * @return \League\OAuth2\Client\Token\AccessToken
+     * @return AccessToken
      *   The OAuth2 access token.
+     * @throws IdentityProviderException
      */
     private function getAccessToken(AccessToken $invalid = null)
     {
@@ -155,23 +237,58 @@ private function getAccessToken(AccessToken $invalid = null)
      * Acquire a new access token using a refresh token or the configured grant.
      *
      * @return AccessToken
+     * @throws IdentityProviderException
      */
     private function acquireAccessToken()
     {
         if (isset($this->accessToken) && $this->accessToken->getRefreshToken()) {
-            return $this->provider->getAccessToken(new RefreshToken(), ['refresh_token' => $this->accessToken->getRefreshToken()]);
+            $currentRefreshToken = $this->accessToken->getRefreshToken();
+            try {
+                if (isset($this->onRefreshStart)) {
+                    $result = call_user_func($this->onRefreshStart, $currentRefreshToken);
+                    if ($result instanceof AccessToken) {
+                        return $result;
+                    }
+                }
+                return $this->provider->getAccessToken(new RefreshToken(), ['refresh_token' => $this->accessToken->getRefreshToken()]);
+            } catch (BadResponseException $e) {
+                if (isset($this->onRefreshError)) {
+                    $accessToken = call_user_func($this->onRefreshError, $e);
+                    if ($accessToken) {
+                        return $accessToken;
+                    }
+                }
+                throw $e;
+            } finally {
+                if (isset($this->onRefreshEnd)) {
+                    call_user_func($this->onRefreshEnd, $currentRefreshToken);
+                }
+            }
         }
 
         return $this->provider->getAccessToken($this->grant, $this->grantOptions);
     }
 
     /**
-     * Set the access token for the next request.
+     * Set the access token for the next request(s).
      *
-     * @param \League\OAuth2\Client\Token\AccessToken $token
+     * @param AccessToken $token
      */
     public function setAccessToken(AccessToken $token)
     {
         $this->accessToken = $token;
     }
+
+    /**
+     * Set the access token for the next request(s), and save it to storage.
+     *
+     * @param AccessToken $token
+     */
+    public function saveAccessToken(AccessToken $token)
+    {
+        $this->accessToken = $token;
+        if (is_callable($this->tokenSave)) {
+            call_user_func($this->tokenSave, $this->accessToken);
+        }
+    }
 }
