Merge pull request EC-CUBE#22 from nanasess/require-redirect_uri

redirect_uri を必須にする
okazy · Jul 14, 2020 · 00c8b98 · 00c8b98
2 parents f155e40 + b8084ef
commit 00c8b98
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/EventListener/AuthorizationRequestResolveListener.php b/EventListener/AuthorizationRequestResolveListener.php
@@ -5,6 +5,7 @@
 
 use Eccube\Entity\Master\Authority;
 use Eccube\Entity\Member;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use Plugin\Api\Form\Type\Admin\OAuth2AuthorizationType;
 use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
@@ -60,6 +61,12 @@ public function onAuthorizationRequestResolve(AuthorizationRequestResolveEvent $
             return;
         }
 
+        if (!$request->query->has('redirect_uri')) {
+            // redirect_uri_mismatch を返すべきだが OAuthServerException ではサポートされていない
+            // http://openid-foundation-japan.github.io/draft-ietf-oauth-v2.ja.html#auth-error-codes
+            throw OAuthServerException::invalidRequest('redirect_uri');
+        }
+
         if (!$event->isAuthorizationApproved()) {
             $builder = $this->formFactory->createBuilder(OAuth2AuthorizationType::class);
             $form = $builder->getForm();

diff --git a/Tests/Web/Admin/OAuth2/OAuth2ControllerTest.php b/Tests/Web/Admin/OAuth2/OAuth2ControllerTest.php
@@ -34,7 +34,7 @@ public function testRoutingAdminOauth2Authorize_ログインしている場合
                                    'oauth2_authorize',
                                    [
                                        'client_id' => $Client->getIdentifier(),
-                                       'redirect_uri' => current($Client->getRedirectUris()),
+                                       'redirect_uri' => (string) current($Client->getRedirectUris()),
                                        'response_type' => 'code',
                                        'scope' => 'read',
                                        'state' => 'xxx'
@@ -57,7 +57,7 @@ public function testRoutingAdminOauth2Authorize_権限移譲を許可()
             'oauth2_authorize',
             [
                 'client_id' => $Client->getIdentifier(),
-                'redirect_uri' => current($Client->getRedirectUris()),
+                'redirect_uri' => (string) current($Client->getRedirectUris()),
                 'response_type' => 'code',
                 'scope' => 'read',
                 'state' => 'xxx'