-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathLogoutController.php
94 lines (82 loc) · 3.32 KB
/
LogoutController.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
<?php
namespace NPR\One\Controllers;
use GuzzleHttp\Client;
use NPR\One\DI\DI;
use NPR\One\Exceptions\ApiException;
/**
* This controller should always be used by every consumer, regardless of whether you are using the `authorization_code`
* or `device_code` grant types. Use this to fully log out users by revoking their `access_token` and `refresh_token`
* from the NPR authorization server and then deleting the reference to the refresh token in the secure cookie or other
* secure storage provider.
*
* @package NPR\One\Controllers
*/
class LogoutController extends AbstractOAuth2Controller
{
/**
* Revokes an access+refresh token pair and removes the refresh token from the secure storage layer.
* By default, this takes in an access token (string); however, the access token *may* be omitted, in which case it
* will attempt to revoke the pair based on the refresh token previously saved to the secure storage layer. If no
* refresh token is found, this function will throw an exception (because there is nothing to be revoked).
*
* @api
* @param string|null $accessToken
* @throws \Exception if no access token is passed in and no refresh token is found in the secure storage layer
* @throws \GuzzleHttp\Exception\GuzzleException
*/
public function deleteAccessAndRefreshTokens($accessToken = null)
{
$this->ensureExternalProvidersExist();
if (empty($accessToken))
{
$refreshToken = $this->getSecureStorageProvider()->get('refresh_token');
if (empty($refreshToken))
{
throw new \Exception('Could not locate a token to revoke');
}
$this->revokeToken($refreshToken, true);
}
else
{
$this->revokeToken($accessToken);
}
$this->getSecureStorageProvider()->remove('refresh_token');
}
/**
* Makes the actual call to the revoke token endpoint in the NPR One Authorization Service.
*
* @internal
* @param string $token
* @param bool $isRefreshToken
* @throws ApiException
* @throws \GuzzleHttp\Exception\GuzzleException
*/
private function revokeToken($token, $isRefreshToken = false)
{
if (empty($token) || !is_string($token))
{
throw new \InvalidArgumentException('Must specify token to be revoked');
}
$this->ensureExternalProvidersExist();
$additionalParams = [];
if ($isRefreshToken === true)
{
$additionalParams['token_type_hint'] = 'refresh_token';
}
/** @var Client $client */
$client = DI::container()->get(Client::class);
$response = $client->request('POST', $this->getConfigProvider()->getNprAuthorizationServiceHost() . '/v2/token/revoke', [
'headers' => [
'Authorization' => 'Bearer ' . $this->getConfigProvider()->getClientCredentialsToken()
],
'form_params' => array_merge([
'token' => $token,
], $additionalParams)
]);
if ($response->getStatusCode() >= 400)
{
throw new ApiException("Error during revokeToken for token $token", $response); // @codeCoverageIgnore
}
// A successful call has no response body, so there's nothing to return!
}
}