From 9b0f5ab08694823de948f60b1cf83b8ccc793b0b Mon Sep 17 00:00:00 2001
From: TobMoeller
Date: Sat, 21 Jun 2025 01:54:16 +0200
Subject: [PATCH 1/2] throw an exception if an invalid token response was received
---
 src/Two/AbstractProvider.php | 4 ++++
 src/Two/InvalidTokenResponseException.php | 10 ++++++++++
 tests/OAuthTwoTest.php | 17 +++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 src/Two/InvalidTokenResponseException.php
diff --git a/src/Two/AbstractProvider.php b/src/Two/AbstractProvider.php
index 4dfb7c75..fedaf18d 100644
--- a/src/Two/AbstractProvider.php
+++ b/src/Two/AbstractProvider.php
@@ -239,6 +239,10 @@ public function user()
 $response = $this->getAccessTokenResponse($this->getCode());
+ if (! Arr::has($response, 'access_token')) {
+ throw new InvalidTokenResponseException;
+ }
+
 $user = $this->getUserByToken(Arr::get($response, 'access_token'));
 return $this->userInstance($response, $user);
diff --git a/src/Two/InvalidTokenResponseException.php b/src/Two/InvalidTokenResponseException.php
new file mode 100644
index 00000000..8946bef7
--- /dev/null
+++ b/src/Two/InvalidTokenResponseException.php
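Review bot: The new guard in user() throws InvalidTokenResponseException with no context, so when a provider answers with an OAuth error body (`error`, `error_description`) instead of a token, the reason is lost to both the caller and the logs that will later be used to triage a failed login. Consider passing those two fields — and only those, never the raw response body, which may carry a refresh token or other secrets — to the exception, e.g. `throw new InvalidTokenResponseException(Arr::get($response, 'error_description', Arr::get($response, 'error', 'Token response did not contain an access token')));`. The exception class body is not readable in this extract, so whether its constructor already accepts a message is unverified here. user() starts before the hunk and its body continues outside it.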
@@ -0,0 +1,10 @@
+assertSame($user->id, $provider->user()->id);
 }
+ public function testExceptionIsThrownIfAccessTokenIsMissing()
+ {
+ $this->expectException(InvalidTokenResponseException::class);
+
+ $request = Request::create('foo', 'GET', ['state' => str_repeat('A', 40), 'code' => 'code']);
+ $request->setLaravelSession($session = m::mock(Session::class));
+ $session->expects('pull')->with('state')->andReturns(str_repeat('A', 40));
+ $provider = new OAuthTwoTestProviderStub($request, 'client_id', 'client_secret', 'redirect_uri');
+ $provider->http = m::mock(stdClass::class);
+ $provider->http->expects('post')->with('http://token.url', [
+ 'headers' => ['Accept' => 'application/json'], 'form_params' => ['grant_type' => 'authorization_code', 'client_id' => 'client_id', 'client_secret' => 'client_secret', 'code' => 'code', 'redirect_uri' => 'redirect_uri'],
+ ])->andReturns($response = m::mock(stdClass::class));
+ $response->expects('getBody')->andReturns('::invalid_response::');
+ $provider->user();
+ }
+
 public function testUserReturnsAUserInstanceForTheAuthenticatedFacebookRequest()
 {
 $request = Request::create('foo', 'GET', ['state' => str_repeat('A', 40), 'code' => 'code']);
From 03dc4b90bebac346bc8ea00dd74c3e34214e5496 Mon Sep 17 00:00:00 2001
From: TobMoeller
Date: Sat, 21 Jun 2025 02:05:15 +0200
Subject: [PATCH 2/2] add array check
---
 src/Two/AbstractProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Two/AbstractProvider.php b/src/Two/AbstractProvider.php
index fedaf18d..8af721f6 100644
--- a/src/Two/AbstractProvider.php
+++ b/src/Two/AbstractProvider.php
@@ -239,7 +239,7 @@ public function user()
 $response = $this->getAccessTokenResponse($this->getCode());
- if (! Arr::has($response, 'access_token')) {
+ if (! is_array($response) || ! Arr::has($response, 'access_token')) {
 throw new InvalidTokenResponseException;
 }
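Review bot: testExceptionIsThrownIfAccessTokenIsMissing only exercises a body that is not JSON at all (`'::invalid_response::'`), so the case the guard was written for — a well-formed JSON token response that simply lacks `access_token`, which is what an OAuth error reply such as `{"error":"invalid_grant"}` looks like — has no coverage. A second test, or a data provider feeding both bodies into the `getBody` expectation and expecting the same exception, would pin that path. The test method is complete within the hunk; the hunk's leading lines (header and the new file's contents) are garbled in this extract.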
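Review bot: The reworked guard still accepts a token key whose value is unusable: Arr::has follows array_key_exists semantics, so `{"access_token": null}`, an empty string, or a nested array all pass and reach getUserByToken with that value. Check the value rather than the key, e.g. `$token = Arr::get($response, 'access_token');` followed by `if (! is_array($response) || ! is_string($token) || $token === '') {`, and then hand `$token` to getUserByToken on the line just below the hunk. user() starts before the hunk and its body continues outside it.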