Merge pull request #7 from vippsas/publication-1.2.3

VIPPS-288: Add sub validation for userInfo

Gateway/Command/UserInfoCommand.php

@@ -25,6 +25,7 @@
 use Vipps\Login\Api\Data\UserInfoInterface;
 use Vipps\Login\Api\Data\UserInfoInterfaceFactory;
 use Vipps\Login\Api\ApiEndpointsInterface;
+use Vipps\Login\Model\TokenProviderInterface;
 
 /**
  * Class UserInfoCommand
@@ -51,6 +52,11 @@ class UserInfoCommand
      * @var ApiEndpointsInterface
      */
     private $apiEndpoints;
+
+    /**
+     * @var TokenProviderInterface
+     */
+    private $tokenPayloadProvider;
 
     /**
      * @var array
@@ -64,17 +70,20 @@ class UserInfoCommand
      * @param ClientFactory $httpClientFactory
      * @param UserInfoInterfaceFactory $userInfoFactory
      * @param ApiEndpointsInterface $apiEndpoints
+     * @param TokenProviderInterface $tokenPayloadProvider
      */
     public function __construct(
         SerializerInterface $serializer,
         ClientFactory $httpClientFactory,
         UserInfoInterfaceFactory $userInfoFactory,
-        ApiEndpointsInterface $apiEndpoints
+        ApiEndpointsInterface $apiEndpoints,
+        TokenProviderInterface $tokenPayloadProvider
     ) {
         $this->serializer = $serializer;
         $this->httpClientFactory = $httpClientFactory;
         $this->userInfoFactory = $userInfoFactory;
         $this->apiEndpoints = $apiEndpoints;
+        $this->tokenPayloadProvider = $tokenPayloadProvider;
     }
 
     /**
@@ -99,6 +108,10 @@ public function execute($accessToken)
         $body = $this->serializer->unserialize($httpClient->getBody());
 
         if (200 <= $status && 300 > $status) {
+            $tokenPayload = $this->tokenPayloadProvider->get();
+            if (empty($body['sub']) || empty($tokenPayload['sub']) || $body['sub'] !== $tokenPayload['sub']) {
+                throw new LocalizedException(__('An error occurred trying to fetch user info'));
+            }
             $this->cache[$accessToken] = $this->userInfoFactory->create(['data' => $body]);
             return $this->cache[$accessToken];
         }

composer.json

@@ -12,7 +12,7 @@
         "psr/log": "~1.0"
     },
     "type": "magento2-module",
-    "version": "1.2.2",
+    "version": "1.2.3",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

etc/frontend/di.xml

@@ -238,4 +238,10 @@
         </arguments>
     </type>
 
+    <type name="Vipps\Login\Gateway\Command\UserInfoCommand">
+        <arguments>
+            <argument name="tokenPayloadProvider" xsi:type="object">Vipps\Login\Model\TokenPayloadProvider</argument>
+        </arguments>
+    </type>
+
 </config>