@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

oauthserver: get client ID/secret from HTTP auth

Summary:
This adds the ability for Phabricator's OAuth server implementation to use HTTP basic auth for the client ID and secret and brings it in line with the OAuth 2.0 specification in this respect.

Fixes T11794

Test Plan: Fixes my use case. Shouldn't impact other use-cases.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: 0, Korvin

Maniphest Tasks: T11794

Differential Revision: https://secure.phabricator.com/D16763

authored by William Light and committed by epriestley
ee834c59 5e784c99

+26 -2
src/applications/oauthserver/controller/PhabricatorOAuthServerTokenController.php
··· 18 18 $grant_type = $request->getStr('grant_type'); 19 19 $code = $request->getStr('code'); 20 20 $redirect_uri = $request->getStr('redirect_uri'); 21 - $client_phid = $request->getStr('client_id'); 22 - $client_secret = $request->getStr('client_secret'); 23 21 $response = new PhabricatorOAuthResponse(); 24 22 $server = new PhabricatorOAuthServer(); 23 + 24 + $client_id_parameter = $request->getStr('client_id'); 25 + $client_id_header = idx($_SERVER, 'PHP_AUTH_USER'); 26 + if (strlen($client_id_parameter) && strlen($client_id_header)) { 27 + if ($client_id_parameter !== $client_id_header) { 28 + throw new Exception( 29 + pht( 30 + 'Request included a client_id parameter and an "Authorization" '. 31 + 'header with a username, but the values "%s" and "%s") disagree. '. 32 + 'The values must match.', 33 + $client_id_parameter, 34 + $client_id_header)); 35 + } 36 + } 37 + 38 + $client_secret_parameter = $request->getStr('client_secret'); 39 + $client_secret_header = idx($_SERVER, 'PHP_AUTH_PW'); 40 + if (strlen($client_secret_parameter)) { 41 + // If the `client_secret` parameter is present, prefer parameters. 42 + $client_phid = $client_id_parameter; 43 + $client_secret = $client_secret_parameter; 44 + } else { 45 + // Otherwise, read values from the "Authorization" header. 46 + $client_phid = $client_id_header; 47 + $client_secret = $client_secret_header; 48 + } 25 49 26 50 if ($grant_type != 'authorization_code') { 27 51 $response->setError('unsupported_grant_type');
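Review bot: on a client_id/Authorization mismatch the new block throws a bare `Exception`, so the request ends as an unhandled server error instead of the OAuth error response this method already uses for other failures (compare `$response->setError('unsupported_grant_type');` in the trailing context); prefer `$response->setError('invalid_request');` plus an error description and return `$response`, so the client receives a spec-shaped error rather than a 500. Two smaller points in the same block: the `pht()` message has a stray `)` after the second `"%s"` (`'header with a username, but the values "%s" and "%s") disagree. '.`), and in the `else` branch `$client_phid` is read from `$client_id_header` even when only a `client_id` parameter (with no `client_secret`) was sent, so a request that previously set `$client_phid` from the parameter now carries null; using `$client_id_parameter` whenever it is non-empty (the two are already checked to agree above) keeps the old behaviour for that case.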