MDL-58219 oauth2: Fix token upgrade problem with incremental auth

Part of MDL-58220
2025-01-18 05:58:34 +01:00 · 2017-03-10 12:51:00 +08:00 · 2017-03-10 12:51:00 +08:00 · 2fad141006
commit 2fad141006
parent 28dddbc129
1 changed files with 17 additions and 8 deletions
--- a/lib/oauthlib.php
+++ b/lib/oauthlib.php
@ -397,6 +397,8 @@ abstract class oauth2_client extends curl {
    private $refreshtoken = '';
    /** var string mocknextresponse string */
    private $mocknextresponse = '';
+    /** var array $upgradedcodes list of upgraded codes in this request */
+    private static $upgradedcodes = [];

    /**
     * Returns the auth url for OAuth 2.0 request
@ -441,24 +443,30 @@ abstract class oauth2_client extends curl {
            return false;
        }

-        // If we've been passed then authorization code generated by the
-        // authorization server try and upgrade the token to an access token.
-        $code = optional_param('oauth2code', null, PARAM_RAW);
-        if ($code && $this->upgrade_token($code)) {
-            return true;
-        }
-
        // We have a token so we are logged in.
        if (isset($this->accesstoken->token)) {
            // Check that the access token has all the requested scopes.
+            $scopemissing = false;
            $scopecheck = ' ' . $this->accesstoken->scope . ' ';

            $requiredscopes = explode(' ', $this->scope);
            foreach ($requiredscopes as $requiredscope) {
                if (strpos($scopecheck, ' ' . $requiredscope . ' ') === false) {
-                    return false;
+                    $scopemissing = true;
+                    break;
                }
            }
+            if (!$scopemissing) {
+                return true;
+            }
+        }
+
+        // If we've been passed then authorization code generated by the
+        // authorization server try and upgrade the token to an access token.
+        $code = optional_param('oauth2code', null, PARAM_RAW);
+        // Note - sometimes we may call is_logged_in twice in the same request - we don't want to attempt
+        // to upgrade the same token twice.
+        if ($code && !in_array($code, self::$upgradedcodes) && $this->upgrade_token($code)) {
            return true;
        }

@ -574,6 +582,7 @@ abstract class oauth2_client extends curl {
            $accesstoken->scope = $this->scope;
        }
        // Also add the scopes.
+        self::$upgradedcodes[] = $code;
        $this->store_token($accesstoken);

        return true;