*/ class AccessTokenMapper extends QBMapper { public function __construct( IDBConnection $db, private ITimeFactory $timeFactory, ) { parent::__construct($db, 'oauth2_access_tokens'); } /** * @param string $code * @return AccessToken * @throws AccessTokenNotFoundException */ public function getByCode(string $code): AccessToken { $qb = $this->db->getQueryBuilder(); $qb ->select('*') ->from($this->tableName) ->where($qb->expr()->eq('hashed_code', $qb->createNamedParameter(hash('sha512', $code)))); try { $token = $this->findEntity($qb); } catch (IMapperException $e) { throw new AccessTokenNotFoundException('Could not find access token', 0, $e); } return $token; } /** * delete all access token from a given client * * @param int $id */ public function deleteByClientId(int $id) { $qb = $this->db->getQueryBuilder(); $qb ->delete($this->tableName) ->where($qb->expr()->eq('client_id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT))); $qb->executeStatement(); } /** * Delete access tokens that have an expired authorization code * -> those that are old enough * and which never delivered any oauth token (still in authorization state) * * @return void * @throws Exception */ public function cleanupExpiredAuthorizationCode(): void { $now = $this->timeFactory->now()->getTimestamp(); $maxTokenCreationTs = $now - OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER; $qb = $this->db->getQueryBuilder(); $qb ->delete($this->tableName) ->where($qb->expr()->eq('token_count', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))) ->andWhere($qb->expr()->lt('code_created_at', $qb->createNamedParameter($maxTokenCreationTs, IQueryBuilder::PARAM_INT))); $qb->executeStatement(); } /** * Rotate an access token only if it still matches the caller's previously-read state. * * @param int $id * @param string $oldCode * @param string $newCode * @param string $encryptedToken * @param bool $expectAuthorizationCodeState Require the token to still be unused * @return int Number of updated rows */ public function rotateToken(int $id, string $oldCode, string $newCode, string $encryptedToken, bool $expectAuthorizationCodeState): int { $qb = $this->db->getQueryBuilder(); $qb ->update($this->tableName) ->set('hashed_code', $qb->createNamedParameter(hash('sha512', $newCode))) ->set('encrypted_token', $qb->createNamedParameter($encryptedToken)) ->set('token_count', $qb->createFunction('token_count + 1')) ->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT))) ->andWhere($qb->expr()->eq('hashed_code', $qb->createNamedParameter(hash('sha512', $oldCode)))); if ($expectAuthorizationCodeState) { $qb->andWhere($qb->expr()->eq('token_count', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))); } return $qb->executeStatement(); } }