laravel · taylorotwell · Feb 11, 2020 · Feb 11, 2020 · Feb 11, 2020
diff --git a/resources/views/authorize.blade.php b/resources/views/authorize.blade.php
@@ -69,6 +69,7 @@
 
                                 <input type="hidden" name="state" value="{{ $request->state }}">
                                 <input type="hidden" name="client_id" value="{{ $client->id }}">
+                                <input type="hidden" name="auth_token" value="{{ $authToken }}">
                                 <button type="submit" class="btn btn-success btn-approve">Authorize</button>
                             </form>
 
@@ -79,6 +80,7 @@
 
                                 <input type="hidden" name="state" value="{{ $request->state }}">
                                 <input type="hidden" name="client_id" value="{{ $client->id }}">
+                                <input type="hidden" name="auth_token" value="{{ $authToken }}">
                                 <button class="btn btn-danger">Cancel</button>
                             </form>
                         </div>

diff --git a/src/Exceptions/InvalidAuthTokenException.php b/src/Exceptions/InvalidAuthTokenException.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Laravel\Passport\Exceptions;
+
+use Illuminate\Auth\Access\AuthorizationException;
+
+class InvalidAuthTokenException extends AuthorizationException
+{
+    /**
+     * Create a new InvalidAuthTokenException for different auth tokens.
+     *
+     * @return static
+     */
+    public static function different()
+    {
+        return new static('The provided auth token for the request is different from the session auth token.');
+    }
+}
diff --git a/src/Http/Controllers/ApproveAuthorizationController.php b/src/Http/Controllers/ApproveAuthorizationController.php
@@ -36,6 +36,8 @@ public function __construct(AuthorizationServer $server)
      */
     public function approve(Request $request)
     {
+        $this->assertValidAuthToken($request);
+
         $authRequest = $this->getAuthRequestFromSession($request);
 
         return $this->convertResponse(

diff --git a/src/Http/Controllers/AuthorizationController.php b/src/Http/Controllers/AuthorizationController.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Contracts\Routing\ResponseFactory;
 use Illuminate\Http\Request;
+use Illuminate\Support\Str;
 use Laminas\Diactoros\Response as Psr7Response;
 use Laravel\Passport\Bridge\User;
 use Laravel\Passport\ClientRepository;
@@ -73,13 +74,15 @@ public function authorize(ServerRequestInterface $psrRequest,
             return $this->approveRequest($authRequest, $user);
         }
 
+        $request->session()->put('authToken', $authToken = Str::random());
         $request->session()->put('authRequest', $authRequest);
 
         return $this->response->view('passport::authorize', [
             'client' => $client,
             'user' => $user,
             'scopes' => $scopes,
             'request' => $request,
+            'authToken' => $authToken,
         ]);
     }
 

diff --git a/src/Http/Controllers/DenyAuthorizationController.php b/src/Http/Controllers/DenyAuthorizationController.php
@@ -36,6 +36,8 @@ public function __construct(ResponseFactory $response)
      */
     public function deny(Request $request)
     {
+        $this->assertValidAuthToken($request);
+
         $authRequest = $this->getAuthRequestFromSession($request);
 
         $clientUris = Arr::wrap($authRequest->getClient()->getRedirectUri());

diff --git a/src/Http/Controllers/RetrievesAuthRequestFromSession.php b/src/Http/Controllers/RetrievesAuthRequestFromSession.php
@@ -5,9 +5,25 @@
 use Exception;
 use Illuminate\Http\Request;
 use Laravel\Passport\Bridge\User;
+use Laravel\Passport\Exceptions\InvalidAuthTokenException;
 
 trait RetrievesAuthRequestFromSession
 {
+    /**
+     * Make sure the auth token matches the one in the session.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return void
+     *
+     * @throws \Laravel\Passport\Exceptions\InvalidAuthTokenException
+     */
+    protected function assertValidAuthToken(Request $request)
+    {
+        if ($request->has('auth_token') && $request->session()->get('authToken') !== $request->get('auth_token')) {
+            throw InvalidAuthTokenException::different();
+        }
+    }
+
     /**
      * Get the authorization request from the session.
      *

diff --git a/tests/ApproveAuthorizationControllerTest.php b/tests/ApproveAuthorizationControllerTest.php
@@ -26,11 +26,17 @@ public function test_complete_authorization_request()
 
         $request = m::mock(Request::class);
         $request->shouldReceive('session')->andReturn($session = m::mock());
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
+
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('get')
             ->once()
             ->with('authRequest')
             ->andReturn($authRequest = m::mock(AuthorizationRequest::class));
+
         $request->shouldReceive('user')->andReturn(new ApproveAuthorizationControllerFakeUser);
+
         $authRequest->shouldReceive('getClient->getIdentifier')->andReturn(1);
         $authRequest->shouldReceive('getUser->getIdentifier')->andReturn(2);
         $authRequest->shouldReceive('setUser')->once();

diff --git a/tests/AuthorizationControllerTest.php b/tests/AuthorizationControllerTest.php
@@ -43,6 +43,7 @@ public function test_authorization_view_is_presented()
 
         $request = m::mock(Request::class);
         $request->shouldReceive('session')->andReturn($session = m::mock());
+        $session->shouldReceive('put')->withSomeOfArgs('authToken');
         $session->shouldReceive('put')->with('authRequest', $authRequest);
         $request->shouldReceive('user')->andReturn($user = m::mock());
 

diff --git a/tests/DenyAuthorizationControllerTest.php b/tests/DenyAuthorizationControllerTest.php
@@ -27,7 +27,10 @@ public function test_authorization_can_be_denied()
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $request->shouldReceive('user')->andReturn(new DenyAuthorizationControllerFakeUser);
         $request->shouldReceive('input')->with('state')->andReturn('state');
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
 
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('get')->once()->with('authRequest')->andReturn($authRequest = m::mock(
             AuthorizationRequest::class
         ));
@@ -56,6 +59,8 @@ public function test_authorization_can_be_denied_with_multiple_redirect_uris()
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $request->shouldReceive('user')->andReturn(new DenyAuthorizationControllerFakeUser);
         $request->shouldReceive('input')->with('state')->andReturn('state');
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
 
         $session->shouldReceive('get')->once()->with('authRequest')->andReturn($authRequest = m::mock(
             AuthorizationRequest::class
@@ -67,6 +72,7 @@ public function test_authorization_can_be_denied_with_multiple_redirect_uris()
         $authRequest->shouldReceive('getRedirectUri')->andReturn('http://localhost');
         $authRequest->shouldReceive('getClient->getRedirectUri')->andReturn(['http://localhost.localdomain', 'http://localhost']);
 
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $response->shouldReceive('redirectTo')->once()->andReturnUsing(function ($url) {
             return $url;
         });
@@ -85,7 +91,10 @@ public function test_authorization_can_be_denied_implicit()
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $request->shouldReceive('user')->andReturn(new DenyAuthorizationControllerFakeUser);
         $request->shouldReceive('input')->with('state')->andReturn('state');
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
 
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('get')->once()->with('authRequest')->andReturn($authRequest = m::mock(
             AuthorizationRequest::class
         ));
@@ -114,7 +123,10 @@ public function test_authorization_can_be_denied_with_existing_query_string()
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $request->shouldReceive('user')->andReturn(new DenyAuthorizationControllerFakeUser);
         $request->shouldReceive('input')->with('state')->andReturn('state');
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
 
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('get')->once()->with('authRequest')->andReturn($authRequest = m::mock(
             AuthorizationRequest::class
         ));
@@ -146,7 +158,10 @@ public function test_auth_request_should_exist()
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $request->shouldReceive('user')->never();
         $request->shouldReceive('input')->never();
+        $request->shouldReceive('has')->with('auth_token')->andReturn(true);
+        $request->shouldReceive('get')->with('auth_token')->andReturn('foo');
 
+        $session->shouldReceive('get')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('get')->once()->with('authRequest')->andReturnNull();
 
         $response->shouldReceive('redirectTo')->never();