Merge branch 'billriess/8.x'

taylorotwell · taylorotwell · commit 11d85331caff · 2020-04-28T16:06:43.000-05:00
diff --git a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php
@@ -18,6 +18,7 @@ public function up()
             $table->unsignedBigInteger('user_id')->nullable()->index();
             $table->string('name');
             $table->string('secret', 100)->nullable();
+            $table->string('provider')->nullable();
             $table->text('redirect');
             $table->boolean('personal_access_client');
             $table->boolean('password_client');
diff --git a/src/Bridge/Client.php b/src/Bridge/Client.php
@@ -16,22 +16,31 @@ class Client implements ClientEntityInterface
      */
     protected $identifier;
 
+    /**
+     * The client's provider.
+     *
+     * @var string
+     */
+    public $provider;
+
     /**
      * Create a new client instance.
      *
      * @param  string  $identifier
      * @param  string  $name
      * @param  string  $redirectUri
      * @param  bool  $isConfidential
+     * @param  string|null  $provider
      * @return void
      */
-    public function __construct($identifier, $name, $redirectUri, $isConfidential = false)
+    public function __construct($identifier, $name, $redirectUri, $isConfidential = false, $provider = null)
     {
         $this->setIdentifier((string) $identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
         $this->redirectUri = explode(',', $redirectUri);
+        $this->provider = $provider;
     }
 
     /**
diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php
@@ -38,7 +38,11 @@ public function getClientEntity($clientIdentifier)
         }
 
         return new Client(
-            $clientIdentifier, $record->name, $record->redirect, $record->confidential()
+            $clientIdentifier,
+            $record->name,
+            $record->redirect,
+            $record->confidential(),
+            $record->provider
         );
     }
 
diff --git a/src/Bridge/UserRepository.php b/src/Bridge/UserRepository.php
@@ -32,7 +32,7 @@ public function __construct(Hasher $hasher)
      */
     public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)
     {
-        $provider = config('auth.guards.api.provider');
+        $provider = $clientEntity->provider ?: config('auth.guards.api.provider');
 
         if (is_null($model = config('auth.providers.'.$provider.'.model'))) {
             throw new RuntimeException('Unable to determine authentication model from configuration.');
diff --git a/src/Client.php b/src/Client.php
@@ -55,8 +55,10 @@ class Client extends Model
      */
     public function user()
     {
+        $provider = $this->provider ?: config('auth.guards.api.provider');
+
         return $this->belongsTo(
-            config('auth.providers.'.config('auth.guards.api.provider').'.model')
+            config("auth.providers.{$provider}.model")
         );
     }
 
diff --git a/src/ClientRepository.php b/src/ClientRepository.php
@@ -104,17 +104,19 @@ public function personalAccessClient()
      * @param  int  $userId
      * @param  string  $name
      * @param  string  $redirect
+     * @param  string|null  $provider
      * @param  bool  $personalAccess
      * @param  bool  $password
      * @param  bool  $confidential
      * @return \Laravel\Passport\Client
      */
-    public function create($userId, $name, $redirect, $personalAccess = false, $password = false, $confidential = true)
+    public function create($userId, $name, $redirect, $provider = null, $personalAccess = false, $password = false, $confidential = true)
     {
         $client = Passport::client()->forceFill([
             'user_id' => $userId,
             'name' => $name,
             'secret' => ($confidential || $personalAccess) ? Str::random(40) : null,
+            'provider' => $provider,
             'redirect' => $redirect,
             'personal_access_client' => $personalAccess,
             'password_client' => $password,
@@ -136,7 +138,7 @@ public function create($userId, $name, $redirect, $personalAccess = false, $pass
      */
     public function createPersonalAccessClient($userId, $name, $redirect)
     {
-        return tap($this->create($userId, $name, $redirect, true), function ($client) {
+        return tap($this->create($userId, $name, $redirect, null, true), function ($client) {
             $accessClient = Passport::personalAccessClient();
             $accessClient->client_id = $client->id;
             $accessClient->save();
@@ -149,11 +151,12 @@ public function createPersonalAccessClient($userId, $name, $redirect)
      * @param  int  $userId
      * @param  string  $name
      * @param  string  $redirect
+     * @param  string|null  $provider
      * @return \Laravel\Passport\Client
      */
-    public function createPasswordGrantClient($userId, $name, $redirect)
+    public function createPasswordGrantClient($userId, $name, $redirect, $provider = null)
     {
-        return $this->create($userId, $name, $redirect, false, true);
+        return $this->create($userId, $name, $redirect, $provider, false, true);
     }
 
     /**
diff --git a/src/Console/ClientCommand.php b/src/Console/ClientCommand.php
@@ -18,6 +18,7 @@ class ClientCommand extends Command
             {--password : Create a password grant client}
             {--client : Create a client credentials grant client}
             {--name= : The name of the client}
+            {--provider= : The name of the user provider}
             {--redirect_uri= : The URI to redirect to after authorization }
             {--user_id= : The user ID the client should be assigned to }
             {--public : Create a public client (Auth code grant type only) }';
@@ -83,8 +84,16 @@ protected function createPasswordClient(ClientRepository $clients)
             config('app.name').' Password Grant Client'
         );
 
+        $providers = array_keys(config('auth.providers'));
+
+        $provider = $this->option('provider') ?: $this->choice(
+            'Which user provider should this client use to retrieve users?',
+            $providers,
+            in_array('users', $providers) ? 'users' : null
+        );
+
         $client = $clients->createPasswordGrantClient(
-            null, $name, 'http://localhost'
+            null, $name, 'http://localhost', $provider
         );
 
         $this->info('Password grant client created successfully.');
@@ -136,7 +145,7 @@ protected function createAuthCodeClient(ClientRepository $clients)
         );
 
         $client = $clients->create(
-            $userId, $name, $redirect, false, false, ! $this->option('public')
+            $userId, $name, $redirect, null, false, false, ! $this->option('public')
         );
 
         $this->info('New client created successfully.');
diff --git a/src/Console/InstallCommand.php b/src/Console/InstallCommand.php
@@ -29,8 +29,10 @@ class InstallCommand extends Command
      */
     public function handle()
     {
+        $provider = in_array('users', array_keys(config('auth.providers'))) ? 'users' : null;
+
         $this->call('passport:keys', ['--force' => $this->option('force'), '--length' => $this->option('length')]);
         $this->call('passport:client', ['--personal' => true, '--name' => config('app.name').' Personal Access Client']);
-        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client']);
+        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client', '--provider' => $provider]);
     }
 }
diff --git a/src/Guards/TokenGuard.php b/src/Guards/TokenGuard.php
@@ -5,7 +5,6 @@
 use Exception;
 use Firebase\JWT\JWT;
 use Illuminate\Container\Container;
-use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Contracts\Debug\ExceptionHandler;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Cookie\Middleware\EncryptCookies;
@@ -16,6 +15,7 @@
 use Laminas\Diactoros\UploadedFileFactory;
 use Laravel\Passport\ClientRepository;
 use Laravel\Passport\Passport;
+use Laravel\Passport\PassportUserProvider;
 use Laravel\Passport\TokenRepository;
 use Laravel\Passport\TransientToken;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -34,7 +34,7 @@ class TokenGuard
     /**
      * The user provider implementation.
      *
-     * @var \Illuminate\Contracts\Auth\UserProvider
+     * @var \Laravel\Passport\PassportUserProvider
      */
     protected $provider;
 
@@ -63,25 +63,43 @@ class TokenGuard
      * Create a new token guard instance.
      *
      * @param  \League\OAuth2\Server\ResourceServer  $server
-     * @param  \Illuminate\Contracts\Auth\UserProvider  $provider
+     * @param  \Laravel\Passport\PassportUserProvider  $provider
      * @param  \Laravel\Passport\TokenRepository  $tokens
      * @param  \Laravel\Passport\ClientRepository  $clients
      * @param  \Illuminate\Contracts\Encryption\Encrypter  $encrypter
      * @return void
      */
-    public function __construct(ResourceServer $server,
-                                UserProvider $provider,
-                                TokenRepository $tokens,
-                                ClientRepository $clients,
-                                Encrypter $encrypter)
-    {
+    public function __construct(
+        ResourceServer $server,
+        PassportUserProvider $provider,
+        TokenRepository $tokens,
+        ClientRepository $clients,
+        Encrypter $encrypter
+    ) {
         $this->server = $server;
         $this->tokens = $tokens;
         $this->clients = $clients;
         $this->provider = $provider;
         $this->encrypter = $encrypter;
     }
 
+    /**
+     * Determine if the requested provider matches the client's provider.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function hasValidProvider(Request $request)
+    {
+        $client = $this->client($request);
+
+        if ($client && ! $client->provider) {
+            return true;
+        }
+
+        return $client && $client->provider === $this->provider->getProviderName();
+    }
+
     /**
      * Get the user for the incoming request.
      *
@@ -90,6 +108,10 @@ public function __construct(ResourceServer $server,
      */
     public function user(Request $request)
     {
+        if (! $this->hasValidProvider($request)) {
+            return;
+        }
+
         if ($request->bearerToken()) {
             return $this->authenticateViaBearerToken($request);
         } elseif ($request->cookie(Passport::cookie())) {
diff --git a/src/Http/Middleware/CheckCredentials.php b/src/Http/Middleware/CheckCredentials.php
@@ -101,7 +101,7 @@ protected function validate($psr, $scopes)
     abstract protected function validateCredentials($token);
 
     /**
-     * Validate token credentials.
+     * Validate token scopes.
      *
      * @param  \Laravel\Passport\Token  $token
      * @param  array  $scopes
diff --git a/src/PassportServiceProvider.php b/src/PassportServiceProvider.php
@@ -276,7 +276,7 @@ protected function makeGuard(array $config)
         return new RequestGuard(function ($request) use ($config) {
             return (new TokenGuard(
                 $this->app->make(ResourceServer::class),
-                Auth::createUserProvider($config['provider']),
+                new PassportUserProvider(Auth::createUserProvider($config['provider']), $config['provider']),
                 $this->app->make(TokenRepository::class),
                 $this->app->make(ClientRepository::class),
                 $this->app->make('encrypter')
diff --git a/src/PassportUserProvider.php b/src/PassportUserProvider.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace Laravel\Passport;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Auth\UserProvider;
+
+class PassportUserProvider implements UserProvider
+{
+    /**
+     * The user provider instance.
+     *
+     * @var \Illuminate\Contracts\Auth\UserProvider
+     */
+    protected $provider;
+
+    /**
+     * The user provider name.
+     *
+     * @var string
+     */
+    protected $providerName;
+
+    /**
+     * Create a new passport user provider.
+     *
+     * @param  \Illuminate\Contracts\Auth\UserProvider  $provider
+     * @param  string  $providerName
+     * @return void
+     */
+    public function __construct(UserProvider $provider, $providerName)
+    {
+        $this->provider = $provider;
+        $this->providerName = $providerName;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function retrieveById($identifier)
+    {
+        return $this->provider->retrieveById($identifier);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function retrieveByToken($identifier, $token)
+    {
+        return $this->provider->retrieveByToken($identifier, $token);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function updateRememberToken(Authenticatable $user, $token)
+    {
+        $this->provider->updateRememberToken($user, $token);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function retrieveByCredentials(array $credentials)
+    {
+        return $this->provider->retrieveByCredentials($credentials);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateCredentials(Authenticatable $user, array $credentials)
+    {
+        return $this->provider->validateCredentials($user, $credentials);
+    }
+
+    /**
+     * Get the name of the user provider.
+     *
+     * @return string
+     */
+    public function getProviderName()
+    {
+        return $this->providerName;
+    }
+}
diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php
@@ -194,6 +194,8 @@ class BridgeClientRepositoryTestClientStub
 
     public $password_client = false;
 
+    public $provider = null;
+
     public $grant_types;
 
     public function firstParty()
diff --git a/tests/TokenGuardTest.php b/tests/TokenGuardTest.php

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,11 @@ public function getClientEntity($clientIdentifier)`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`return new Client(`
`41`		`- $clientIdentifier, $record->name, $record->redirect, $record->confidential()`
	`41`	`+ $clientIdentifier,`
	`42`	`+ $record->name,`
	`43`	`+ $record->redirect,`
	`44`	`+ $record->confidential(),`
	`45`	`+ $record->provider`
`42`	`46`	`);`
`43`	`47`	`}`
`44`	`48`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public function __construct(Hasher $hasher)`
`32`	`32`	`*/`
`33`	`33`	`public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)`
`34`	`34`	`{`
`35`		`- $provider = config('auth.guards.api.provider');`
	`35`	`+ $provider = $clientEntity->provider ?: config('auth.guards.api.provider');`
`36`	`36`
`37`	`37`	`if (is_null($model = config('auth.providers.'.$provider.'.model'))) {`
`38`	`38`	`throw new RuntimeException('Unable to determine authentication model from configuration.');`
Original file line number	Diff line number	Diff line change
`@@ -55,8 +55,10 @@ class Client extends Model`
`55`	`55`	`*/`
`56`	`56`	`public function user()`
`57`	`57`	`{`
	`58`	`+ $provider = $this->provider ?: config('auth.guards.api.provider');`
	`59`	`+`
`58`	`60`	`return $this->belongsTo(`
`59`		`- config('auth.providers.'.config('auth.guards.api.provider').'.model')`
	`61`	`+ config("auth.providers.{$provider}.model")`
`60`	`62`	`);`
`61`	`63`	`}`
`62`	`64`
Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,10 @@ class InstallCommand extends Command`
`29`	`29`	`*/`
`30`	`30`	`public function handle()`
`31`	`31`	`{`
	`32`	`+ $provider = in_array('users', array_keys(config('auth.providers'))) ? 'users' : null;`
	`33`	`+`
`32`	`34`	`$this->call('passport:keys', ['--force' => $this->option('force'), '--length' => $this->option('length')]);`
`33`	`35`	`$this->call('passport:client', ['--personal' => true, '--name' => config('app.name').' Personal Access Client']);`
`34`		`- $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client']);`
	`36`	`+ $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client', '--provider' => $provider]);`
`35`	`37`	`}`
`36`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ protected function validate($psr, $scopes)`
`101`	`101`	`abstract protected function validateCredentials($token);`
`102`	`102`
`103`	`103`	`/**`
`104`		`- * Validate token credentials.`
	`104`	`+ * Validate token scopes.`
`105`	`105`	`*`
`106`	`106`	`* @param \Laravel\Passport\Token $token`
`107`	`107`	`* @param array $scopes`