Merge pull request #12445 from MrPetovan/bug/12382-tag-attachment

[friendica.git] / src / Module / OAuth / Token.php

diff --git a/src/Module/OAuth/Token.php b/src/Module/OAuth/Token.php
index 20ba22490c6d325ea4d195b571c89d1fb15d6c2c..1da8df18d5a41c64137a4661edce2a2362fb68a2 100644 (file)
--- a/src/Module/OAuth/Token.php
+++ b/src/Module/OAuth/Token.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (C) 2010-2021, the Friendica project
+ * @copyright Copyright (C) 2010-2022, the Friendica project
  *
  * @license GNU AGPL version 3 or any later version
  *
@@ -27,6 +27,8 @@ use Friendica\Database\DBA;
 use Friendica\DI;
 use Friendica\Module\BaseApi;
 use Friendica\Security\OAuth;
+use Friendica\Util\DateTimeFormat;
+use Psr\Http\Message\ResponseInterface;
 
 /**
  * @see https://docs.joinmastodon.org/spec/oauth/
@@ -34,16 +36,21 @@ use Friendica\Security\OAuth;
  */
 class Token extends BaseApi
 {
-       protected function post(array $request = [], array $post = [])
+       public function run(array $request = [], bool $scopecheck = true): ResponseInterface
        {
-               $request = self::getRequest([
+               return parent::run($request, false);
+       }
+
+       protected function post(array $request = [])
+       {
+               $request = $this->getRequest([
                        'client_id'     => '', // Client ID, obtained during app registration
                        'client_secret' => '', // Client secret, obtained during app registration
                        'redirect_uri'  => '', // Set a URI to redirect the user to. If this parameter is set to "urn:ietf:wg:oauth:2.0:oob" then the token will be shown instead. Must match one of the redirect URIs declared during app registration.
                        'scope'         => 'read', // List of requested OAuth scopes, separated by spaces. Must be a subset of scopes declared during app registration. If not provided, defaults to "read".
                        'code'          => '', // A user authorization code, obtained via /oauth/authorize
                        'grant_type'    => '', // Set equal to "authorization_code" if code is provided in order to gain user-level access. Otherwise, set equal to "client_credentials" to obtain app-level access only.
-               ]);
+               ], $request);
 
                // AndStatus transmits the client data in the AUTHORIZATION header field, see https://github.com/andstatus/andstatus/issues/530
                $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
@@ -76,12 +83,12 @@ class Token extends BaseApi
                        $token = OAuth::createTokenForUser($application, 0, '');
                } elseif ($request['grant_type'] == 'authorization_code') {
                        // For security reasons only allow freshly created tokens
-                       $condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE",
-                               $request['redirect_uri'], $application['id'], $request['code'], 5];
+                       $condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > ?",
+                               $request['redirect_uri'], $application['id'], $request['code'], DateTimeFormat::utc('now - 5 minutes')];
 
                        $token = DBA::selectFirst('application-view', ['access_token', 'created_at'], $condition);
                        if (!DBA::isResult($token)) {
-                               Logger::warning('Token not found or outdated', $condition);
+                               Logger::notice('Token not found or outdated', $condition);
                                DI::mstdnError()->Unauthorized();
                        }
                } else {