1C-Bitrix 25.700.0
Загрузка...
Поиск...
Не найдено
auth.php
См. документацию.
1<?php
8
9namespace Bitrix\Rest\OAuth;
10
11
12use Bitrix\Main\Localization\Loc;
13use Bitrix\Rest\Application;
14use Bitrix\Rest\AppTable;
15use Bitrix\Rest\AuthStorageInterface;
16use Bitrix\Rest\Engine\Access;
17use Bitrix\Rest\Engine\Access\HoldEntity;
18use Bitrix\Rest\Event\Session;
19use Bitrix\Rest\Internal\Access\UserAccessChecker;
20use Bitrix\Rest\OAuthService;
21use Bitrix\Main\SystemException;
22
23class Auth
24{
25 const AUTH_TYPE = 'oauth';
26
27 const CACHE_TTL = 3600;
28 const CACHE_PREFIX = "oauth_";
29
30 const PARAM_LOCAL_USER = 'LOCAL_USER';
31 const PARAM_TZ_OFFSET = 'TZ_OFFSET';
32
36 protected static $storage = null;
37
38 protected static $authQueryParams = array(
39 'auth', 'access_token'
40 );
41
42 protected static $authQueryAdditional = array(
43 'auth_connector'
44 );
45
49 public static function authorizeClient($clientId, $userId, $state = '')
50 {
51 return Application::getAuthProvider()->authorizeClient($clientId, $userId, $state);
52 }
53
57 public static function get($clientId, $scope, $additionalParams, $userId)
58 {
59 return Application::getAuthProvider()->get($clientId, $scope, $additionalParams, $userId);
60 }
61
62 public static function storeRegisteredAuth(array $tokenInfo)
63 {
64 static::getStorage()->store($tokenInfo);
65 }
66
67 public static function onRestCheckAuth(array $query, $scope, &$res)
68 {
69 $authKey = static::getAuthKey($query);
70
71 if($authKey)
72 {
73 $tokenInfo = static::check($authKey);
74 if(is_array($tokenInfo))
75 {
76 $error = array_key_exists('error', $tokenInfo);
77
78 if(!$error && !array_key_exists('client_id', $tokenInfo))
79 {
80 $tokenInfo = array('error' => 'CONNECTION_ERROR', 'error_description' => 'Error connecting to authorization server');
81 $error = true;
82 }
83
84 if (!$error && HoldEntity::is(HoldEntity::TYPE_APP, $tokenInfo['client_id']))
85 {
86 $tokenInfo = [
87 'error' => 'OVERLOAD_LIMIT',
88 'error_description' => 'REST API is blocked due to overload.'
89 ];
90 $error = true;
91 }
92
93 if (
94 !$error
95 && (
96 !Access::isAvailable($tokenInfo['client_id'])
97 || (
98 Access::needCheckCount()
99 && !Access::isAvailableCount(Access::ENTITY_TYPE_APP, $tokenInfo['client_id'])
100 )
101 )
102 )
103 {
104 $tokenInfo = [
105 'error' => 'ACCESS_DENIED',
106 'error_description' => 'REST is available only on commercial plans.'
107 ];
108 $error = true;
109 }
110
111 if(!$error)
112 {
113 $clientInfo = AppTable::getByClientId($tokenInfo['client_id']);
114 if(is_array($clientInfo))
115 {
116 \CRestUtil::updateAppStatus($tokenInfo);
117 }
118
119 if(!is_array($clientInfo) || $clientInfo['ACTIVE'] !== 'Y')
120 {
121 $tokenInfo = array('error' => 'APPLICATION_NOT_FOUND', 'error_description' => 'Application not found');
122 $error = true;
123 }
124 }
125
126 if(!$error && $tokenInfo['expires'] <= time())
127 {
128 $tokenInfo = array('error' => 'expired_token', 'error_description' => 'The access token provided has expired');
129 $error = true;
130 }
131
132 if(!$error && $scope !== \CRestUtil::GLOBAL_SCOPE && isset($tokenInfo['scope']))
133 {
134 $tokenScope = explode(',', $tokenInfo['scope']);
135 $tokenScope = \Bitrix\Rest\Engine\RestManager::fillAlternativeScope($scope, $tokenScope);
136 if(!in_array($scope, $tokenScope))
137 {
138 $tokenInfo = array('error' => 'insufficient_scope', 'error_description' => 'The request requires higher privileges than provided by the access token');
139 $error = true;
140 }
141 }
142
143 if(!$error && $tokenInfo['user_id'] > 0)
144 {
145 global $USER;
146 if ($USER instanceof \CUser && $USER->isAuthorized())
147 {
148 if ((int)$USER->getId() !== (int)$tokenInfo['user_id'])
149 {
150 $tokenInfo = [
151 'error' => 'authorization_error',
152 'error_description' => Loc::getMessage('REST_OAUTH_ERROR_LOGOUT_BEFORE'),
153 ];
154 $error = true;
155 }
156 }
157 elseif (!\CRestUtil::makeAuth($tokenInfo))
158 {
159 $tokenInfo = array('error' => 'authorization_error', 'error_description' => 'Unable to authorize user');
160 $error = true;
161 }
162 elseif(!\CRestUtil::checkAppAccess($tokenInfo['client_id']))
163 {
164 $tokenInfo = array('error' => 'user_access_error', 'error_description' => 'The user does not have access to the application.');
165 $error = true;
166 }
167 }
168
169 $res = $tokenInfo;
170
171 $res['parameters_clear'] = static::$authQueryParams;
172 $res['auth_type'] = static::AUTH_TYPE;
173 $res['parameters_callback'] = array(__CLASS__, 'updateTokenParameters');
174
175 foreach(static::$authQueryAdditional as $key)
176 {
177 if(array_key_exists($key, $query))
178 {
179 $res[$key] = $query[$key];
180 $res['parameters_clear'][] = $key;
181 }
182 }
183
184 return !$error;
185 }
186
187 return false;
188 }
189
190 return null;
191 }
192
193 public static function getAuthKey(array $query)
194 {
195 $authKey = null;
196
197 $authHeader = \Bitrix\Main\Application::getInstance()->getContext()->getRequest()->getHeader('Authorization');
198 if($authHeader !== null)
199 {
200 if(preg_match('/^Bearer\s+/i', $authHeader))
201 {
202 $authKey = preg_replace('/^Bearer\s+/i', '', $authHeader);
203 }
204 }
205
206 if($authKey === null)
207 {
208 foreach(static::$authQueryParams as $key)
209 {
210 if(array_key_exists($key, $query) && !is_array($query[$key]))
211 {
212 $authKey = $query[$key];
213 break;
214 }
215 }
216 }
217
218 return $authKey;
219 }
220
221 public static function updateTokenParameters($tokenInfo)
222 {
223 $authResult = static::getStorage()->restore($tokenInfo['access_token']);
224
225 if(is_array($authResult))
226 {
227 if(!is_array($authResult['parameters']))
228 {
229 $authResult['parameters'] = array();
230 }
231
232 $authResult['parameters'] = array_replace_recursive($authResult['parameters'], $tokenInfo['parameters']);
233
234 static::getStorage()->rewrite($authResult);
235 }
236 }
237
238 protected static function check($accessToken)
239 {
240 $authResult = static::getStorage()->restore($accessToken);
241 if($authResult === false)
242 {
243 if (!OAuthService::getEngine()->isRegistered())
244 {
245 try
246 {
247 OAuthService::register();
248 }
249 catch(SystemException $e)
250 {
251 return ['error' => 'CONNECTION_ERROR', 'error_description' => 'Error connecting to authorization server'];
252 }
253 }
254
255 $tokenInfo = OAuthService::getEngine()->getClient()->checkAuth($accessToken);
256
257 if(is_array($tokenInfo))
258 {
259 if($tokenInfo['result'])
260 {
261 $authResult = $tokenInfo['result'];
262 $authResult['user_id'] = $authResult['parameters'][static::PARAM_LOCAL_USER];
263 unset($authResult['parameters'][static::PARAM_LOCAL_USER]);
264 $accessChecker = new UserAccessChecker((int)$authResult['user_id']);
265
266 if (!$accessChecker->canAuthorize())
267 {
268 return ['error' => 'ACCESS_DENIED', 'error_description' => "Current user can't be authorized in this context"];
269 }
270
271 // compatibility with old oauth response
272 if(!isset($authResult['expires']) && isset($authResult['expires_in']))
273 {
274 $authResult['expires'] = time() + $authResult['expires_in'];
275 }
276 }
277 else
278 {
279 $authResult = $tokenInfo;
280 $authResult['access_token'] = $accessToken;
281 }
282
283 static::getStorage()->store($authResult);
284 }
285 else
286 {
287 $authResult = ['access_token' => $accessToken];
288 }
289 }
290
291 return $authResult;
292 }
293
294 protected static function getTokenParams($additionalParams, $userId)
295 {
296 if(!is_array($additionalParams))
297 {
298 $additionalParams = array();
299 }
300
301 $additionalParams[static::PARAM_LOCAL_USER] = $userId;
302 $additionalParams[static::PARAM_TZ_OFFSET] = \CTimeZone::getOffset();
303 $additionalParams[Session::PARAM_SESSION] = Session::get();
304
305 return $additionalParams;
306 }
307
311 public static function getStorage()
312 {
313 if(static::$storage === null)
314 {
315 static::setStorage(new StorageCache());
316 }
317
318 return static::$storage;
319 }
320
324 public static function setStorage(AuthStorageInterface $storage)
325 {
326 static::$storage = $storage;
327 }
328}
$userId
if(!is_object($USER)||! $USER->IsAuthorized()) $userId
Определения check_mail.php:18
Bitrix\Main\Application\getInstance
static getInstance()
Определения application.php:98
Bitrix\Rest\APAuth\Auth
Определения auth.php:22
Bitrix\Rest\AppTable
Определения app.php:68
Bitrix\Rest\AppTable\getByClientId
static getByClientId($clientId)
Определения app.php:967
Bitrix\Rest\Application\getAuthProvider
static getAuthProvider()
Определения application.php:19
Bitrix\Rest\Engine\RestManager\fillAlternativeScope
static fillAlternativeScope($scope, $scopeList)
Определения restmanager.php:90
Bitrix\Rest\OAuth\Auth\getTokenParams
static getTokenParams($additionalParams, $userId)
Определения auth.php:294
Bitrix\Rest\OAuth\Auth\$authQueryParams
static $authQueryParams
Определения auth.php:38
Bitrix\Rest\OAuth\Auth\$storage
static $storage
Определения auth.php:36
Bitrix\Rest\OAuth\Auth\setStorage
static setStorage(AuthStorageInterface $storage)
Определения auth.php:324
Bitrix\Rest\OAuth\Auth\updateTokenParameters
static updateTokenParameters($tokenInfo)
Определения auth.php:221
Bitrix\Rest\OAuth\Auth\check
static check($accessToken)
Определения auth.php:238
Bitrix\Rest\OAuth\Auth\AUTH_TYPE
const AUTH_TYPE
Определения auth.php:25
Bitrix\Rest\OAuth\Auth\authorizeClient
static authorizeClient($clientId, $userId, $state='')
Определения auth.php:49
Bitrix\Rest\OAuth\Auth\storeRegisteredAuth
static storeRegisteredAuth(array $tokenInfo)
Определения auth.php:62
Bitrix\Rest\OAuth\Auth\$authQueryAdditional
static $authQueryAdditional
Определения auth.php:42
Bitrix\Rest\OAuth\Auth\PARAM_LOCAL_USER
const PARAM_LOCAL_USER
Определения auth.php:30
Bitrix\Rest\OAuth\Auth\getAuthKey
static getAuthKey(array $query)
Определения auth.php:193
Bitrix\Rest\OAuth\Auth\CACHE_TTL
const CACHE_TTL
Определения auth.php:27
Bitrix\Rest\OAuth\Auth\PARAM_TZ_OFFSET
const PARAM_TZ_OFFSET
Определения auth.php:31
Bitrix\Rest\OAuth\Auth\CACHE_PREFIX
const CACHE_PREFIX
Определения auth.php:28
Bitrix\Rest\OAuth\Auth\getStorage
static getStorage()
Определения auth.php:311
Bitrix\Rest\OAuth\Auth\onRestCheckAuth
static onRestCheckAuth(array $query, $scope, &$res)
Определения auth.php:67
Bitrix\Rest\OAuthService\getEngine
static getEngine()
Определения oauthservice.php:49
Bitrix\Rest\OAuthService\register
static register()
Определения oauthservice.php:59
CUser
Определения user.php:6037
array
</td ></tr ></table ></td ></tr >< tr >< td class="bx-popup-label bx-width30"><?=GetMessage("PAGE_NEW_TAGS")?> array( $site)
Определения file_new.php:804
$res
$res
Определения filter_act.php:7
$query
$query
Определения get_search.php:11
$USER
global $USER
Определения csv_new_run.php:40
Bitrix\Rest\OAuth
Определения auth.php:9
elseif
if( $daysToExpire >=0 &&$daysToExpire< 60 elseif)( $daysToExpire< 0)
Определения prolog_main_admin.php:393
$key
if(empty($signedUserToken)) $key
Определения quickway.php:257
$clientId
$clientId
Определения seo_client.php:18
$error
$error
Определения subscription_card_product.php:20