From 64ecf7921c7c6b8c79982d6474b5d397c776bba5 Mon Sep 17 00:00:00 2001
From: NISHIMURA Daisuke
Date: Tue, 16 Mar 2021 18:48:49 +0900
Subject: [PATCH] client's secret should be invalid if not sent.

Confidential clients MUST always authenticate. Clients with non-empty secrets are confidential. Only clients with empty secrets are allowed not to send secret.
---
 src/Bridge/Repository/ClientRepository.php | 4 +---
 tests/Fixture/ClientsFixture.php | 12 ++++++++++++
 .../Bridge/Repository/ClientRepositoryTest.php | 10 +++++++---
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/Bridge/Repository/ClientRepository.php b/src/Bridge/Repository/ClientRepository.php
index 2c2b12e..938b737 100644
--- a/src/Bridge/Repository/ClientRepository.php
+++ b/src/Bridge/Repository/ClientRepository.php
@@ -43,9 +43,7 @@ public function validateClient($clientIdentifier, $clientSecret, $grantType)
 $conditions = [
 $this->table->getPrimaryKey() => $clientIdentifier,
 ];
-if ($clientSecret !== null) {
-$conditions[$this->table->aliasField('client_secret')] = $clientSecret;
-}
+$conditions[$this->table->aliasField('client_secret')] = (string)$clientSecret;
 
 $client = $this->table->find()->where($conditions)->first();
 /* @var $client Client|null */
diff --git a/tests/Fixture/ClientsFixture.php b/tests/Fixture/ClientsFixture.php
index 16b3826..5ff85c6 100644
--- a/tests/Fixture/ClientsFixture.php
+++ b/tests/Fixture/ClientsFixture.php
@@ -52,6 +52,18 @@ public function init()
 ]),
 ];
 
+$this->records[] = [
+'id' => 'Public',
+'client_secret' => '',
+'name' => 'Public Client',
+'redirect_uri' => json_encode(['http://www.example.com']),
+'grant_types' => json_encode([
+'password',
+'authorization_code',
+'refresh_token',
+]),
+];
+
 parent::init();
 }
 }
diff --git a/tests/TestCase/Bridge/Repository/ClientRepositoryTest.php b/tests/TestCase/Bridge/Repository/ClientRepositoryTest.php
index 4b1338f..80884db 100644
--- a/tests/TestCase/Bridge/Repository/ClientRepositoryTest.php
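Review bot: The added `$conditions[...] = (string)$clientSecret;` line still matches the presented secret against the stored `client_secret` inside the SQL WHERE clause, so whether a secret "matches" is decided by the column's collation rather than by a byte-exact comparison: on a case-insensitive or space-padding collation (MySQL defaults, for example) a secret differing only in case or trailing whitespace could validate, and the test expecting `['TEST', 'TestSecret', null]` to succeed through this equality implies the secret is stored in clear. The rule the commit message states (empty stored secret = public client, otherwise the secret is mandatory) is better enforced in PHP: load the client by identifier only, then refuse when the stored secret is non-empty and `hash_equals()` fails, switching to `password_verify()` once secrets are hashed. The remainder of `validateClient` (grant-type handling and the return) lies outside this hunk, and I am assuming `Client` is a Cake entity that exposes the `client_secret` column as a property.
```php
        $client = $this->table->find()
            ->where([$this->table->getPrimaryKey() => $clientIdentifier])
            ->first();
        /* @var $client Client|null */
        if ($client === null) {
            return false;
        }
        // Confidential clients (non-empty stored secret) must present a matching secret;
        // comparing in PHP keeps the check byte-exact and timing-safe regardless of DB collation.
        $storedSecret = (string)$client->client_secret;
        if ($storedSecret !== '' && !hash_equals($storedSecret, (string)$clientSecret)) {
            return false;
        }
        // … unchanged: grant type check and return …
```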
+++ b/tests/TestCase/Bridge/Repository/ClientRepositoryTest.php
@@ -50,15 +50,19 @@ public function testValidateClient($inputs, $expects)
 public function dataValidateClient()
 {
 return [
-'valid: Client id only' => [
-['TEST', null, null],
+'valid: Public Client id only' => [
+['Public', null, null],
 true,
 ],
+'invalid: Confidential Client id only' => [
+['TEST', null, null],
+false,
+],
 'valid: Client id with secret' => [
 ['TEST', 'TestSecret', null],
 true,
 ],
-'invalid: Client id only' => [
+'invalid: Unregistered Client id only' => [
 ['INVALID', null, null],
 false,
 ],
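Review bot: The new datasets pin the missing-secret behaviour for `Public` and `TEST` but none of them exercises a wrong or unexpected secret, which is the case the changed WHERE clause must reject: a confidential client presenting a secret other than `TestSecret`, and the new public client presenting a non-empty secret that cannot match its stored `''`. Both should be added to `dataValidateClient()` unless they already appear further down the provider, which continues past the end of this hunk. The names below follow the existing `'invalid: …'` convention in the provider.
```php
            'invalid: Confidential Client with wrong secret' => [
                ['TEST', 'WrongSecret', null],
                false,
            ],
            'invalid: Public Client with a secret' => [
                ['Public', 'NotEmpty', null],
                false,
            ],
```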