Fix CORS issue for revoking and requesting an access token (bshaffer#829)

ApacheEx · bshaffer · commit e826aaf653b3 · 2017-05-04T11:15:43.000-07:00
diff --git a/src/OAuth2/Controller/TokenController.php b/src/OAuth2/Controller/TokenController.php
@@ -118,9 +118,15 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface
      */
     public function grantAccessToken(RequestInterface $request, ResponseInterface $response)
     {
-        if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
+        if (strtolower($request->server('REQUEST_METHOD')) === 'options') {
+            $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS'));
+
+            return null;
+        }
+
+        if (strtolower($request->server('REQUEST_METHOD')) !== 'post') {
             $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
-            $response->addHttpHeaders(array('Allow' => 'POST'));
+            $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS'));
 
             return null;
         }
@@ -287,9 +293,15 @@ public function handleRevokeRequest(RequestInterface $request, ResponseInterface
      */
     public function revokeToken(RequestInterface $request, ResponseInterface $response)
     {
-        if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
+        if (strtolower($request->server('REQUEST_METHOD')) === 'options') {
+            $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS'));
+
+            return null;
+        }
+
+        if (strtolower($request->server('REQUEST_METHOD')) !== 'post') {
             $response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2');
-            $response->addHttpHeaders(array('Allow' => 'POST'));
+            $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS'));
 
             return null;
         }
@@ -318,4 +330,4 @@ public function revokeToken(RequestInterface $request, ResponseInterface $respon
 
         return true;
     }
-}
+}
diff --git a/test/OAuth2/Controller/TokenControllerTest.php b/test/OAuth2/Controller/TokenControllerTest.php
@@ -271,6 +271,48 @@ public function testInvalidRequestMethodForRevoke()
         $this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when revoking an access token');
     }
 
+    public function testCanUseCrossOriginRequestForRevoke()
+    {
+        $server = $this->getTestServer();
+
+        $request = new TestRequest();
+        $request->setMethod('OPTIONS');
+
+        $server->handleRevokeRequest($request, $response = new Response());
+        $this->assertTrue($response instanceof Response);
+        $this->assertEquals(200, $response->getStatusCode(), var_export($response, 1));
+        $this->assertEquals($response->getHttpHeader('Allow'), 'POST, OPTIONS');
+    }
+
+    public function testInvalidRequestMethodForAccessToken()
+    {
+        $server = $this->getTestServer();
+
+        $request = new TestRequest();
+        $request->setQuery(array(
+            'token_type_hint' => 'access_token'
+        ));
+
+        $server->handleTokenRequest($request, $response = new Response());
+        $this->assertTrue($response instanceof Response);
+        $this->assertEquals(405, $response->getStatusCode(), var_export($response, 1));
+        $this->assertEquals($response->getParameter('error'), 'invalid_request');
+        $this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when requesting an access token');
+    }
+
+    public function testCanUseCrossOriginRequestForAccessToken()
+    {
+        $server = $this->getTestServer();
+
+        $request = new TestRequest();
+        $request->setMethod('OPTIONS');
+
+        $server->handleTokenRequest($request, $response = new Response());
+        $this->assertTrue($response instanceof Response);
+        $this->assertEquals(200, $response->getStatusCode(), var_export($response, 1));
+        $this->assertEquals($response->getHttpHeader('Allow'), 'POST, OPTIONS');
+    }
+
     public function testCreateController()
     {
         $storage = Bootstrap::getInstance()->getMemoryStorage();
diff --git a/test/lib/OAuth2/Request/TestRequest.php b/test/lib/OAuth2/Request/TestRequest.php
@@ -45,9 +45,14 @@ public function setQuery(array $query)
         $this->query = $query;
     }
 
+    public function setMethod($method)
+    {
+        $this->server['REQUEST_METHOD'] = $method;
+    }
+
     public function setPost(array $params)
     {
-        $this->server['REQUEST_METHOD'] = 'POST';
+        $this->setMethod('POST');
         $this->request = $params;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -45,9 +45,14 @@ public function setQuery(array $query)`
`45`	`45`	`$this->query = $query;`
`46`	`46`	`}`
`47`	`47`
	`48`	`+ public function setMethod($method)`
	`49`	`+ {`
	`50`	`+ $this->server['REQUEST_METHOD'] = $method;`
	`51`	`+ }`
	`52`	`+`
`48`	`53`	`public function setPost(array $params)`
`49`	`54`	`{`
`50`		`- $this->server['REQUEST_METHOD'] = 'POST';`
	`55`	`+ $this->setMethod('POST');`
`51`	`56`	`$this->request = $params;`
`52`	`57`	`}`
`53`	`58`