simplify basic auth usage in access token request

codemasher · codemasher · commit 33941801e05e · 2024-04-10T00:18:20.000+02:00
diff --git a/src/Core/OAuth2Interface.php b/src/Core/OAuth2Interface.php
@@ -59,6 +59,20 @@ interface OAuth2Interface extends OAuthInterface{
 	 */
 	public const SCOPES_DELIMITER = ' ';
 
+	/**
+	 * This indicates that the current provider requires an `Authorization: Basic <base64(key:secret)>` header
+	 * in the access token request, rather than the key and secret in the request body.
+	 *
+	 * It saves provider inplementations from the hassle to override the respective methods:
+	 *
+	 *   - `OAuth2Provider::getAccessTokenRequestBodyParams()`
+	 *   - `OAuth2Provider::sendAccessTokenRequest()`
+	 *
+	 * I'm not sure where to put this: here or a feature interface (it's not exactly a feature).
+	 * I'll leave it here for now, subject to change.
+	 */
+	public const USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST = false;
+
 	/**
 	 * Obtains an OAuth2 access token with the given $code, verifies the $state
 	 * if the provider implements the CSRFToken interface, and returns an AccessToken object
diff --git a/src/Core/OAuth2Provider.php b/src/Core/OAuth2Provider.php
@@ -185,13 +185,16 @@ public function getAccessToken(string $code, string|null $state = null):AccessTo
 	protected function getAccessTokenRequestBodyParams(string $code):array{
 
 		$params = [
-			'client_id'     => $this->options->key,
-			'client_secret' => $this->options->secret,
-			'code'          => $code,
-			'grant_type'    => 'authorization_code',
-			'redirect_uri'  => $this->options->callbackURL,
+			'code'         => $code,
+			'grant_type'   => 'authorization_code',
+			'redirect_uri' => $this->options->callbackURL,
 		];
 
+		if(!$this::USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST){
+			$params['client_id']     = $this->options->key;
+			$params['client_secret'] = $this->options->secret;
+		}
+
 		if($this instanceof PKCE){
 			$params = $this->setCodeVerifier($params);
 		}
@@ -215,6 +218,10 @@ protected function sendAccessTokenRequest(string $url, array $body):ResponseInte
 			$request = $request->withHeader($header, $value);
 		}
 
+		if($this::USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST){
+			$request = $this->addBasicAuthHeader($request);
+		}
+
 		return $this->http->sendRequest($request);
 	}
 
diff --git a/src/Providers/PayPal.php b/src/Providers/PayPal.php
@@ -13,10 +13,7 @@
 
 namespace chillerlan\OAuth\Providers;
 
-use chillerlan\HTTP\Utils\QueryUtil;
 use chillerlan\OAuth\Core\{AuthenticatedUser, ClientCredentials, CSRFToken, OAuth2Provider, TokenRefresh, UserInfo};
-use Psr\Http\Message\ResponseInterface;
-use const PHP_QUERY_RFC1738;
 
 /**
  * PayPal OAuth2
@@ -36,40 +33,14 @@ class PayPal extends OAuth2Provider implements ClientCredentials, CSRFToken, Tok
 		self::SCOPE_EMAIL,
 	];
 
+	public const USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST = true;
+
 	protected string      $accessTokenURL   = 'https://api.paypal.com/v1/oauth2/token';
 	protected string      $authorizationURL = 'https://www.paypal.com/connect';
 	protected string      $apiURL           = 'https://api.paypal.com';
 	protected string|null $applicationURL   = 'https://developer.paypal.com/developer/applications/';
 	protected string|null $apiDocs          = 'https://developer.paypal.com/docs/connect-with-paypal/reference/';
 
-	/**
-	 * @inheritDoc
-	 */
-	protected function getAccessTokenRequestBodyParams(string $code):array{
-		return [
-			'code'         => $code,
-			'grant_type'   => 'authorization_code',
-			'redirect_uri' => $this->options->callbackURL,
-		];
-	}
-
-	/**
-	 * @inheritDoc
-	 */
-	protected function sendAccessTokenRequest(string $url, array $body):ResponseInterface{
-
-		$request = $this->requestFactory
-			->createRequest('POST', $url)
-			->withHeader('Accept-Encoding', 'identity')
-			->withHeader('Content-Type', 'application/x-www-form-urlencoded')
-			->withBody($this->streamFactory->createStream(QueryUtil::build($body, PHP_QUERY_RFC1738)))
-		;
-
-		$request = $this->addBasicAuthHeader($request);
-
-		return $this->http->sendRequest($request);
-	}
-
 	/**
 	 * @inheritDoc
 	 * @codeCoverageIgnore
diff --git a/src/Providers/Reddit.php b/src/Providers/Reddit.php
@@ -13,14 +13,11 @@
 
 namespace chillerlan\OAuth\Providers;
 
-use chillerlan\HTTP\Utils\QueryUtil;
 use chillerlan\OAuth\Core\{
 	AccessToken, AuthenticatedUser, ClientCredentials, CSRFToken, OAuth2Interface,
 	OAuth2Provider, TokenInvalidate, TokenRefresh, UserInfo
 };
-use Psr\Http\Message\ResponseInterface;
 use function sprintf;
-use const PHP_QUERY_RFC1738;
 
 /**
  * @see https://github.com/reddit-archive/reddit/wiki/OAuth2
@@ -76,6 +73,8 @@ class Reddit extends OAuth2Provider implements ClientCredentials, CSRFToken, Tok
 		'User-Agent' => self::USER_AGENT,
 	];
 
+	public const USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST = true;
+
 	protected string      $authorizationURL = 'https://www.reddit.com/api/v1/authorize';
 	protected string      $accessTokenURL   = 'https://www.reddit.com/api/v1/access_token';
 	protected string      $apiURL           = 'https://oauth.reddit.com/api';
@@ -84,34 +83,6 @@ class Reddit extends OAuth2Provider implements ClientCredentials, CSRFToken, Tok
 	protected string|null $applicationURL   = 'https://www.reddit.com/prefs/apps/';
 	protected string|null $userRevokeURL    = 'https://www.reddit.com/settings/privacy';
 
-	/**
-	 * @inheritDoc
-	 */
-	protected function getAccessTokenRequestBodyParams(string $code):array{
-		return [
-			'code'         => $code,
-			'grant_type'   => 'authorization_code',
-			'redirect_uri' => $this->options->callbackURL,
-		];
-	}
-
-	/**
-	 * @inheritDoc
-	 */
-	protected function sendAccessTokenRequest(string $url, array $body):ResponseInterface{
-
-		$request = $this->requestFactory
-			->createRequest('POST', $url)
-			->withHeader('Accept-Encoding', 'identity')
-			->withHeader('Content-Type', 'application/x-www-form-urlencoded')
-			->withBody($this->streamFactory->createStream(QueryUtil::build($body, PHP_QUERY_RFC1738)))
-		;
-
-		$request = $this->addBasicAuthHeader($request);
-
-		return $this->http->sendRequest($request);
-	}
-
 	/**
 	 * @inheritDoc
 	 * @codeCoverageIgnore
diff --git a/tests/Providers/Unit/OAuth2ProviderUnitTestAbstract.php b/tests/Providers/Unit/OAuth2ProviderUnitTestAbstract.php
@@ -187,11 +187,14 @@ public function testGetAccessTokenRequestBodyParams():void{
 		$params = $this->invokeReflectionMethod('getAccessTokenRequestBodyParams', ['*test_code*']);
 
 		$this::assertSame('*test_code*', $params['code']);
-		$this::assertSame($this->options->key, $params['client_id']);
-		$this::assertSame($this->options->secret, $params['client_secret']);
 		$this::assertSame($this->options->callbackURL, $params['redirect_uri']);
 		$this::assertSame('authorization_code', $params['grant_type']);
 
+		if(!$this->provider::USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST){
+			$this::assertSame($this->options->key, $params['client_id']);
+			$this::assertSame($this->options->secret, $params['client_secret']);
+		}
+
 		if($this->provider instanceof PKCE){
 			$this::assertSame($verifier, $params['code_verifier']);
 		}
@@ -208,6 +211,13 @@ public function testSendAccessTokenRequest():void{
 		$this::assertSame($url, $json->request->url);
 		$this::assertSame('POST', $json->request->method);
 		$this::assertSame('foo=bar', $json->body);
+
+		if($this->provider::USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST){
+			$authHeader = 'Basic '.base64_encode($this->options->key.':'.$this->options->secret);
+
+			$this::assertSame($authHeader, $json->headers->{'Authorization'});
+		}
+
 	}
 
 
diff --git a/tests/Providers/Unit/PayPalTest.php b/tests/Providers/Unit/PayPalTest.php
@@ -24,29 +24,4 @@ protected function getProviderFQCN():string{
 		return PayPal::class;
 	}
 
-	public function testGetAccessTokenRequestBodyParams():void{
-		$params = $this->invokeReflectionMethod('getAccessTokenRequestBodyParams', ['*test_code*']);
-
-		$this::assertSame('*test_code*', $params['code']);
-		$this::assertSame($this->options->callbackURL, $params['redirect_uri']);
-		$this::assertSame('authorization_code', $params['grant_type']);
-	}
-
-	public function testSendAccessTokenRequest():void{
-		$url        = 'https://localhost/access_token';
-		$response   = $this->invokeReflectionMethod('sendAccessTokenRequest', [$url, ['foo' => 'bar']]);
-		$json       = MessageUtil::decodeJSON($response);
-
-		// paypal uses basic auth instead of the credentials in the body
-		$authHeader = 'Basic '.base64_encode($this->options->key.':'.$this->options->secret);
-
-		$this::assertSame($authHeader, $json->headers->{'Authorization'});
-
-		$this::assertSame('identity', $json->headers->{'Accept-Encoding'});
-		$this::assertSame('application/x-www-form-urlencoded', $json->headers->{'Content-Type'});
-		$this::assertSame($url, $json->request->url);
-		$this::assertSame('POST', $json->request->method);
-		$this::assertSame('foo=bar', $json->body);
-	}
-
 }
diff --git a/tests/Providers/Unit/RedditTest.php b/tests/Providers/Unit/RedditTest.php
@@ -11,8 +11,7 @@
 
 namespace chillerlan\OAuthTest\Providers\Unit;
 
-use chillerlan\OAuth\Core\AccessToken;
-use chillerlan\OAuth\Core\TokenInvalidate;
+use chillerlan\OAuth\Core\{AccessToken, TokenInvalidate};
 use chillerlan\OAuth\Providers\Reddit;
 
 /**
@@ -24,14 +23,6 @@ protected function getProviderFQCN():string{
 		return Reddit::class;
 	}
 
-	public function testGetAccessTokenRequestBodyParams():void{
-		$params = $this->invokeReflectionMethod('getAccessTokenRequestBodyParams', ['*test_code*']);
-
-		$this::assertSame('*test_code*', $params['code']);
-		$this::assertSame($this->options->callbackURL, $params['redirect_uri']);
-		$this::assertSame('authorization_code', $params['grant_type']);
-	}
-
 	public function testTokenInvalidate():void{
 
 		if(!$this->provider instanceof TokenInvalidate){
