boenadmin/BastionSSO
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
BastionSSO/app/Http/Controllers/Api/OauthUserInfoController.php

125 lines
4.1 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\OauthScope;
use App\Services\OAuth\OAuthClientAuthService;
use App\Services\OAuth\OAuthTokenService;
use hg\apidoc\annotation as Apidoc;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Collection;
#[Apidoc\Title('OAuth 协议 UserInfo 端点')]
class OauthUserInfoController extends Controller
{
public function __construct(
private readonly OAuthTokenService $tokenService,
private readonly OAuthClientAuthService $clientAuthService
) {}
#[Apidoc\Title('UserInfo'), Apidoc\Method('GET'), Apidoc\Url('/oauth/userinfo')]
public function userinfo(Request $request): JsonResponse
{
$rawToken = trim((string) ($request->bearerToken() ?: $request->query('access_token', '')));
if ($rawToken === '') {
return $this->invalidTokenResponse('Missing access token.');
}
$accessToken = $this->tokenService->validateAccessToken($rawToken);
if (! $accessToken || ! $accessToken->user || ! $accessToken->client) {
return $this->invalidTokenResponse('Invalid access token.');
}
$scopeNames = $this->clientAuthService->parseScopes((string) $accessToken->scope);
$scopes = OauthScope::query()
->whereIn('name', $scopeNames)
->where('is_active', true)
->get();
$scopeFields = $scopes
->flatMap(function (OauthScope $scope): array {
$claims = $scope->claims;
if (! is_array($claims)) {
return [];
}
return array_values($claims);
})
->map(fn ($field): string => trim((string) $field))
->filter()
->unique()
->values();
$clientFields = collect($accessToken->client->allowed_userinfo_fields ?? config('oauth.userinfo_fields', []))
->map(fn ($field): string => trim((string) $field))
->filter()
->unique()
->values();
$finalFields = $scopeFields
->intersect($clientFields)
->values();
$user = $accessToken->user;
$claims = [
'sub' => (string) $user->id,
'nickname' => (string) ($user->nickname ?? ''),
'email' => (string) ($user->email ?? ''),
'phone' => (string) ($user->phone ?? ''),
];
$payload = ['sub' => $claims['sub']];
foreach ($finalFields as $fieldName) {
$field = (string) $fieldName;
if ($field === 'sub') {
continue;
}
if (array_key_exists($field, $claims) && $claims[$field] !== '') {
$payload[$field] = $claims[$field];
}
}
$payload = $this->applyClientClaimRemap($payload, collect($accessToken->client->userinfo_claim_remap ?? []));
return response()
->json($payload)
->header('Cache-Control', 'no-store')
->header('Pragma', 'no-cache');
}
/**
* @param array<string, mixed> $payload
* @param Collection<int|string, mixed> $remapRules
* @return array<string, mixed>
*/
private function applyClientClaimRemap(array $payload, Collection $remapRules): array
{
foreach ($remapRules as $source => $target) {
$from = trim((string) $source);
$to = trim((string) $target);
if ($from === '' || $to === '' || $from === 'sub' || ! array_key_exists($from, $payload)) {
continue;
}
$payload[$to] = $payload[$from];
unset($payload[$from]);
}
return $payload;
}
private function invalidTokenResponse(string $description): JsonResponse
{
return response()
->json([
'error' => 'invalid_token',
'error_description' => $description,
], 401)
->header('WWW-Authenticate', 'Bearer error="invalid_token"')
->header('Cache-Control', 'no-store')
->header('Pragma', 'no-cache');
}
}
Reference in New Issue View Git Blame Copy Permalink