From df19c6c1e8a8cd9f8925bc690331db14762d516e Mon Sep 17 00:00:00 2001 From: Alexander Kras'ko <0m3r.mail@gmail.com> Date: Thu, 11 Jul 2024 16:15:15 +0300 Subject: [PATCH] Move code for oauth tokens in standalone package swissup/module-oauth2-client --- Api/Data/ServiceInterface.php | 8 +- Controller/Adminhtml/Email/Service/Save.php | 4 +- Controller/Gmail/GetOAuth2Token.php | 155 -------------------- Mail/Transport/GmailOAuth2.php | 4 +- Model/Service.php | 10 +- Model/Service/Encryptor.php | 33 +---- Plugin/Model/ServiceOAuth2TokenPlugin.php | 119 +++++++-------- README.md | 2 +- composer.json | 2 +- etc/db_schema.xml | 1 - etc/frontend/routes.xml | 8 - etc/module.xml | 2 +- 12 files changed, 71 insertions(+), 277 deletions(-) delete mode 100644 Controller/Gmail/GetOAuth2Token.php delete mode 100644 etc/frontend/routes.xml diff --git a/Api/Data/ServiceInterface.php b/Api/Data/ServiceInterface.php index 3e011b5..1b7ba41 100644 --- a/Api/Data/ServiceInterface.php +++ b/Api/Data/ServiceInterface.php @@ -16,7 +16,7 @@ interface ServiceInterface const PORT = 'port'; const SECURE = 'secure'; const AUTH = 'auth'; - const TOKEN = 'token'; + const TOKEN_ID = 'token_id'; const KEY = 'key'; const REMOVE = 'remove'; @@ -120,7 +120,7 @@ public function getAuth(); /** * @return mixed */ - public function getToken(); + public function getTokenId(); /** * Get key @@ -225,10 +225,10 @@ public function setSecure($secure); public function setAuth($auth); /** - * @param string $token + * @param int $tokenId * @return \Swissup\Email\Api\Data\ServiceInterface */ - public function setToken($token); + public function setTokenId($tokenId); /** * Set key diff --git a/Controller/Adminhtml/Email/Service/Save.php b/Controller/Adminhtml/Email/Service/Save.php index 162217d..444aa14 100644 --- a/Controller/Adminhtml/Email/Service/Save.php +++ b/Controller/Adminhtml/Email/Service/Save.php @@ -76,8 +76,8 @@ public function execute() $this->session->setFormData(false); if ($model->hasData('callback_url')) { - $flowUrl = $model->getData('callback_url'); - return $resultRedirect->setUrl($flowUrl); + $callbackUrl = $model->getData('callback_url'); + return $resultRedirect->setUrl($callbackUrl); } if ($this->getRequest()->getParam('back')) { diff --git a/Controller/Gmail/GetOAuth2Token.php b/Controller/Gmail/GetOAuth2Token.php deleted file mode 100644 index 5b4ae28..0000000 --- a/Controller/Gmail/GetOAuth2Token.php +++ /dev/null @@ -1,155 +0,0 @@ -session = $session; - $this->serviceRepository = $serviceRepository; - $this->urlDecoder = $urldecoder; - $this->tokenValidator = $tokenValidator; - } - - private function isLoggedIn() - { - $request = $this->getRequest(); - $serviceId = $request->getParam('id', false); - $sessionIdKey = self::SESSION_ID_KEY; - - if (!empty($serviceId)) { - if ($this->tokenValidator->validateRequest($request)) { - $this->session->setData($sessionIdKey, $serviceId); - } else { - $this->session->setData($sessionIdKey, null); - } - } - - return (bool) $this->session->getData($sessionIdKey); - } - - private function getServiceId() - { - $sessionIdKey = self::SESSION_ID_KEY; - return (int) $this->session->getData($sessionIdKey); - } - - private function redirectReferer() - { - $refererUrl = $this->session->getData('referer'); - $refererUrl = empty($refererUrl) ? $this->_redirect->getRedirectUrl() : $refererUrl; - return $this->_redirect($refererUrl); - } - - /** - * Post user question - * - * @inherit - */ - public function execute() - { - if (!$this->isLoggedIn()) { - return $this->redirectReferer(); - } - - $id = $this->getServiceId(); - $service = $this->serviceRepository->getById($id); - - $request = $this->getRequest(); - $refererUrl = $request->getParam('referer'); - $refererUrl = $this->urlDecoder->decode($refererUrl); - if (!empty($refererUrl)) { - $this->session->setData('referer', $refererUrl); - } - - /* @var \League\OAuth2\Client\Provider\Google $provider */ - $provider = new \League\OAuth2\Client\Provider\Google([ - 'clientId' => $service->getUser(), - 'clientSecret' => $service->getPassword(), - 'redirectUri' => $this->_url->getUrl('*/*/*'), -// 'hostedDomain' => 'example.com', // optional; used to restrict access to users on your G Suite/Google Apps for Business accounts - 'scopes' => ['https://mail.google.com/'], - 'accessType' => 'offline' - ]); - - $errorParam = $request->getParam('error'); - $codeParam = $request->getParam('code'); - $stateParam = $request->getParam('state'); - - if (!empty($errorParam)) { - $this->messageManager->addErrorMessage( - htmlspecialchars($errorParam, ENT_QUOTES, 'UTF-8') - ); - return $this->redirectReferer(); - } elseif (empty($codeParam)) { - - // If we don't have an authorization code then get one - $authUrl = $provider->getAuthorizationUrl(/*['scope' => ['https://mail.google.com/']]*/); - $this->session->setData(self::FLOW_STATE_KEY, $provider->getState()); - - $resultRedirect = $this->resultRedirectFactory->create(); - $resultRedirect->setUrl($authUrl); - - return $resultRedirect; - // Check given state against previously stored one to mitigate CSRF attack - } elseif (empty($stateParam) || ($stateParam !== $this->session->getData(self::FLOW_STATE_KEY))) { - $this->session->setData(self::FLOW_STATE_KEY, null); - $this->messageManager->addErrorMessage( - __('Invalid state') - ); - return $this->redirectReferer(); - } else { - // Try to get an access token (using the authorization code grant) - $token = $provider->getAccessToken('authorization_code', [ - 'code' => $codeParam - ]); - - $refreshToken = $token->getRefreshToken(); - if (empty($refreshToken)) { - $authUrl = $provider->getAuthorizationUrl(['prompt' => 'consent', 'access_type' => 'offline']); - $this->session->setData(self::FLOW_STATE_KEY, $provider->getState()); - - $resultRedirect = $this->resultRedirectFactory->create(); - $resultRedirect->setUrl($authUrl); - return $resultRedirect; - } - $this->session->setData(self::FLOW_STATE_KEY, null); - - $tokenOptions = array_merge($token->jsonSerialize(), ['refresh_token' => $refreshToken]); - $service->setToken($tokenOptions); - $this->serviceRepository->save($service); - } - - return $this->redirectReferer(); - } -} diff --git a/Mail/Transport/GmailOAuth2.php b/Mail/Transport/GmailOAuth2.php index d4ac96e..3702268 100644 --- a/Mail/Transport/GmailOAuth2.php +++ b/Mail/Transport/GmailOAuth2.php @@ -24,8 +24,8 @@ public function __construct( SmtpOptions $options = null ) { if (! $options instanceof SmtpOptions) { - $host = 'smtp.gmail.com'; - $port = 587; + $host = isset($config['host']) ? $config['host'] : 'smtp.gmail.com'; + $port = isset($config['port']) ? (int) $config['port'] : 587; if (!isset($config['token']) || !isset($config['token']['access_token'])) { $phrase = new \Magento\Framework\Phrase('token is broken'); diff --git a/Model/Service.php b/Model/Service.php index e93fdae..4040708 100644 --- a/Model/Service.php +++ b/Model/Service.php @@ -161,11 +161,11 @@ public function getAuth() } /** - * @return string + * @return int */ - public function getToken() + public function getTokenId() { - return $this->getData(self::TOKEN); + return $this->getData(self::TOKEN_ID); } /** @@ -309,9 +309,9 @@ public function setAuth($auth) return $this->setData(self::AUTH, $auth); } - public function setToken($token) + public function setTokenId($tokenId) { - return $this->setData(self::TOKEN, $token); + return $this->setData(self::TOKEN_ID, $tokenId); } /** diff --git a/Model/Service/Encryptor.php b/Model/Service/Encryptor.php index 46c7db7..ad30a20 100644 --- a/Model/Service/Encryptor.php +++ b/Model/Service/Encryptor.php @@ -13,18 +13,12 @@ class Encryptor implements ServiceEncryptorInterface */ private $encryptor; - /** - * @var SerializerInterface - */ - private $serializer; - /** * @param EncryptorInterface $encryptor */ - public function __construct(EncryptorInterface $encryptor, SerializerInterface $serializer) + public function __construct(EncryptorInterface $encryptor) { $this->encryptor = $encryptor; - $this->serializer = $serializer; } /** @@ -32,24 +26,7 @@ public function __construct(EncryptorInterface $encryptor, SerializerInterface $ */ private function getAttributes() { - return ['password', 'token']; - } - - /** - * @return string[] - */ - private function getSerializableAttributes() - { - return ['token']; - } - - /** - * @param $attribute - * @return bool - */ - private function isSerializableAttribute($attribute) - { - return in_array($attribute, $this->getSerializableAttributes()); + return ['password']; } /** @@ -60,9 +37,6 @@ public function encrypt(ServiceInterface $object): void { foreach ($this->getAttributes() as $attributeCode) { $value = $object->getData($attributeCode); - if ($this->isSerializableAttribute($attributeCode)) { - $value = $this->serializer->serialize($value); - } if ($value) { $object->setData($attributeCode, $this->encryptor->encrypt($value)); } @@ -80,9 +54,6 @@ public function decrypt(ServiceInterface $object): void if ($value) { try { $value = $this->encryptor->decrypt($value); - if ($this->isSerializableAttribute($attributeCode)) { - $value = $this->serializer->unserialize($value); - } $object->setData($attributeCode, $value); } catch (\Exception $e) { // value is not encrypted or something wrong with encrypted data diff --git a/Plugin/Model/ServiceOAuth2TokenPlugin.php b/Plugin/Model/ServiceOAuth2TokenPlugin.php index 99001b9..72031ba 100644 --- a/Plugin/Model/ServiceOAuth2TokenPlugin.php +++ b/Plugin/Model/ServiceOAuth2TokenPlugin.php @@ -3,8 +3,8 @@ namespace Swissup\Email\Plugin\Model; -use Magento\Framework\DataObject; use Swissup\Email\Model\Service; +use Swissup\OAuth2Client\Model\AccessTokenRepository; class ServiceOAuth2TokenPlugin { @@ -15,19 +15,9 @@ class ServiceOAuth2TokenPlugin private $serviceRepository; /** - * @var \Magento\Framework\Url + * @var AccessTokenRepository */ - private $urlBuilder; - - /** - * @var \Magento\Framework\Url\EncoderInterface - */ - private $urlEncoder; - - /** - * @var \Swissup\OAuth2Client\Model\Data\FlowToken - */ - private $flowToken; + private $accessTokenRepository; /** * @var \Psr\Log\LoggerInterface $logger @@ -36,81 +26,78 @@ class ServiceOAuth2TokenPlugin public function __construct( \Swissup\Email\Model\ServiceRepository $serviceRepository, - \Magento\Framework\Url $urlBuilder, - \Magento\Framework\Url\EncoderInterface $urlEncoder, - \Swissup\OAuth2Client\Model\Data\FlowToken $flowToken, + \Swissup\OAuth2Client\Model\AccessTokenRepository $accessTokenRepository, \Psr\Log\LoggerInterface $logger ) { $this->serviceRepository = $serviceRepository; - $this->urlBuilder = $urlBuilder; - $this->urlEncoder = $urlEncoder; - $this->flowToken = $flowToken; + $this->accessTokenRepository = $accessTokenRepository; $this->logger = $logger; } + private function isGoogleOAuth2(Service $service): bool + { + return $service->getAuth() === Service::AUTH_TYPE_XOAUTH2 && $service->getType() === Service::TYPE_GMAILOAUTH2; + } + public function afterAfterCommitCallback(Service $subject): void { - if ($subject->getAuth() !== Service::AUTH_TYPE_XOAUTH2 || - $subject->getType() !== Service::TYPE_GMAILOAUTH2) { + if (!$this->isGoogleOAuth2($subject)) { return; } + $tokenId = $subject->getTokenId(); + /** @var $accessToken \Swissup\OAuth2Client\Model\AccessToken */ + $accessToken = $this->accessTokenRepository->getById($tokenId); - $tokenOptions = $subject->getToken(); - if (empty($tokenOptions)) { - $urlBuilder = $this->urlBuilder; - $refererUrl = $urlBuilder->getCurrentUrl(); - $refererUrl = $this->urlEncoder->encode($refererUrl); - $callbackUrl = $urlBuilder->getUrl( - 'swissup_email/gmail/getOAuth2Token', - [ - '_nosid' => true, - '_query' => [ - 'id' => $subject->getId(), - 'referer' => $refererUrl, - 'token' => $this->flowToken->getToken(), - ] - ] - ); + if (!$accessToken->isInitialized()) { + $callbackUrl = $accessToken->getCallbackUrl(); $subject->setData('callback_url', $callbackUrl); } } public function afterAfterLoad(Service $subject): void { - if ($subject->getAuth() !== Service::AUTH_TYPE_XOAUTH2 || - $subject->getType() !== Service::TYPE_GMAILOAUTH2) { + if (!$this->isGoogleOAuth2($subject)) { return; } - $tokenOptions = $subject->getToken(); - if (empty($tokenOptions)) { - return; + // create new access token record + $tokenId = $subject->getTokenId(); + if (empty($tokenId)) { + /** @var \Swissup\OAuth2Client\Model\AccessToken $accessToken */ + $accessToken = $this->accessTokenRepository->create(); + $accessToken->setHasDataChanges(true); + $accessToken = $this->accessTokenRepository->save($accessToken); + $tokenId = $accessToken->getId(); + + $subject->setTokenId($tokenId); + $this->serviceRepository->save($subject); } - $storedToken = new \League\OAuth2\Client\Token\AccessToken($tokenOptions); - $refreshToken = $storedToken->getRefreshToken(); - if ($storedToken->hasExpired() && !empty($refreshToken)) { - $urlBuilder = $this->urlBuilder; - $redirectUri = $urlBuilder->getUrl('swissup_email/gmail/getOAuth2Token'); - /* @var \League\OAuth2\Client\Provider\Google $provider */ - $provider = new \League\OAuth2\Client\Provider\Google([ - 'clientId' => $subject->getUser(), - 'clientSecret' => $subject->getPassword(), - 'redirectUri' => $redirectUri, -// 'hostedDomain' => 'example.com', // optional; used to restrict access to users on your G Suite/Google Apps for Business accounts - 'scopes' => ['https://mail.google.com/'], - 'accessType' => 'offline' - ]); - try { - $token = $provider->getAccessToken('refresh_token', [ - 'refresh_token' => $refreshToken - ]); - $tokenOptions = array_merge($token->jsonSerialize(), ['refresh_token' => $refreshToken]); - $subject->setToken($tokenOptions); - $this->serviceRepository->save($subject); - } catch (\Exception $e) { - $this->logger->critical($e->getMessage()); - } + // refresh creadential + $tokenId = $subject->getTokenId(); + /** @var \Swissup\OAuth2Client\Model\AccessToken $accessToken */ + $accessToken = $this->accessTokenRepository->getById($tokenId); + $storedCredentialHash = $accessToken->getCredentialHash(); + $clientId = $subject->getUser(); + $clientSecret = $subject->getPassword(); + $scope = implode(' ', ['https://mail.google.com/']); + $credential = $accessToken->getCredential(); + $credential->setClientId($clientId) + ->setClientSecret($clientSecret) + ->setScope($scope); + $hash = $credential->getHash(); + if ($storedCredentialHash !== $hash || $credential->isExpired()) { + $credential->save(); + $accessToken->setCredentialHash($hash); + $this->accessTokenRepository->save($accessToken); } + + // refresh access_token is expired + $accessToken = $accessToken->runRefreshToken(); + if ($accessToken) { + $this->accessTokenRepository->save($accessToken); + } + + $subject->setData('token', $accessToken->getData()); } } diff --git a/README.md b/README.md index 0a96149..2534f6c 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ If `Type` selects `Gmail`. Use an [App Password](https://security.google.com/set > > - [Transition from less secure apps to OAuth](https://support.google.com/a/answer/14114704?hl=en) -If the `Type` field is set to `Gmail OAuth 2.0`, please follow the [Google instructions](https://developers.google.com/identity/openid-connect/openid-connect#registeringyourapp) to create the required credentials. In your credentials, you need to add `Authorized redirect URIs` with at least one URI, such as `https://localhost/swissup_email/gmail/getOAuth2Token/` (replace `localhost` with your Magento store URL). +If the `Type` field is set to `Gmail OAuth 2.0`, please follow the [Google instructions](https://developers.google.com/identity/openid-connect/openid-connect#registeringyourapp) to create the required credentials. In your credentials, you need to add `Authorized redirect URIs` with at least one URI, such as `https://localhost/swissup_oauth2client/google/getToken/` (replace `localhost` with your Magento store URL). ![Gmail OAuth2 Credential](https://github.com/swissup/module-email/assets/412612/47802486-2725-4642-91e2-8ff8ead58389) ###### Customize the User Consent Screen diff --git a/composer.json b/composer.json index 264ab13..250ed36 100644 --- a/composer.json +++ b/composer.json @@ -22,7 +22,7 @@ "magento/module-config": "^101.1", "laminas/laminas-mail": "^2.9.0", "laminas/laminas-mime": "^2.5.0", - "swissup/module-oauth2-client": "*" + "swissup/module-oauth2-client": "^1.0" }, "require-dev": { "slm/mail": "~1.5", diff --git a/etc/db_schema.xml b/etc/db_schema.xml index 88269c9..e7f9e74 100644 --- a/etc/db_schema.xml +++ b/etc/db_schema.xml @@ -12,7 +12,6 @@ - diff --git a/etc/frontend/routes.xml b/etc/frontend/routes.xml deleted file mode 100644 index e12f1c6..0000000 --- a/etc/frontend/routes.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - - - diff --git a/etc/module.xml b/etc/module.xml index 55520b0..f39f469 100644 --- a/etc/module.xml +++ b/etc/module.xml @@ -1,6 +1,6 @@ - +