Diffstat (limited to 'lib/classes/OAuth2/Bridge/ClientRepository.php')
| -rw-r--r-- | lib/classes/OAuth2/Bridge/ClientRepository.php | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/lib/classes/OAuth2/Bridge/ClientRepository.php b/lib/classes/OAuth2/Bridge/ClientRepository.php
new file mode 100644
index 0000000..b6fd4f6
--- /dev/null
+++ b/lib/classes/OAuth2/Bridge/ClientRepository.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Studip\OAuth2\Bridge;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use Studip\OAuth2\Models\Client;
+
+class ClientRepository implements ClientRepositoryInterface
+{
+ /**
+ * Get a client.
+ *
+ * @param string $clientIdentifier The client's identifier
+ */
+ public function getClientEntity($clientIdentifier): ?ClientEntityInterface
+ {
+ $sorm = Client::findActive($clientIdentifier);
+ if (!$sorm) {
+ return null;
+ }
+
+ return new ClientEntity(
+ $clientIdentifier,
+ $sorm['name'],
+ explode(',', $sorm['redirect']),
+ $sorm->confidential()
+ );
+ }
+
+ /**
+ * Validate a client's secret.
+ *
+ * @param string $clientIdentifier The client's identifier
+ * @param string|null $clientSecret The client's secret (if sent)
+ * @param string|null $grantType The type of grant the client is using (if sent)
+ */
+ public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
+ {
+ if ($grantType !== 'authorization_code') {
+ return false;
+ }
+ $client = Client::findActive($clientIdentifier);
+ if (!$client) {
+ return false;
+ }
+
+ return !$client->confidential() || $this->verifySecret((string) $clientSecret, $client->secret);
+ }
+
+ /**
+ * @param string $clientSecret
+ * @param string $storedHash
+ */
+ protected function verifySecret($clientSecret, $storedHash): bool
+ {
+ return password_verify($clientSecret, $storedHash);
+ }
+}
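Review bot: `validateClient()` returns true for every non-confidential client without checking the secret (`!$client->confidential() || …`), so for public clients the code exchange is protected only by PKCE, and nothing in this file shows that PKCE is enforced. I would state that dependency above the return, e.g. `// Public clients carry no secret; the auth-code grant must keep PKCE mandatory for them.`, and confirm that the grant setup never calls `disableRequireCodeChallengeForPublicClients()`. Separately, in `getClientEntity()` the call `explode(',', $sorm['redirect'])` yields `['']` for an empty column and keeps any whitespace around entries. Because the redirect list is what the authorization endpoint matches against, it is safer to normalise it: `array_values(array_filter(array_map('trim', explode(',', (string) $sorm['redirect'])), 'strlen'))`. The early `return false` for any grant other than `authorization_code` also rejects `refresh_token` requests; if that is intended, the docblock should say so.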
