From c058d133623c80a3b40497c63a5d2f9c4bb97d22 Mon Sep 17 00:00:00 2001
From: Eduard Melnyk
Date: Wed, 4 Mar 2020 10:00:35 +0100
Subject: [PATCH] VIPPS-288: Add sub validation for userinfo
---
Gateway/Command/UserInfoCommand.php | 15 ++++++++++++++-
composer.json | 2 +-
etc/frontend/di.xml | 6 ++++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/Gateway/Command/UserInfoCommand.php b/Gateway/Command/UserInfoCommand.php
index 6f8be8e..ddf3031 100644
--- a/Gateway/Command/UserInfoCommand.php
+++ b/Gateway/Command/UserInfoCommand.php
@@ -25,6 +25,7 @@ use Vipps\Login\Api\Data\UserInfoInterface;
 use Vipps\Login\Api\Data\UserInfoInterfaceFactory;
 use Vipps\Login\Api\ApiEndpointsInterface;
+use Vipps\Login\Model\TokenProviderInterface;
 /**
 * Class UserInfoCommand
@@ -51,6 +52,11 @@ class UserInfoCommand
 * @var ApiEndpointsInterface
 */
 private $apiEndpoints;
+
+ /**
+ * @var TokenProviderInterface
+ */
+ private $tokenPayloadProvider;
 /**
 * @var array
@@ -64,17 +70,20 @@ class UserInfoCommand
 * @param ClientFactory $httpClientFactory
 * @param UserInfoInterfaceFactory $userInfoFactory
 * @param ApiEndpointsInterface $apiEndpoints
+ * @param TokenProviderInterface $tokenPayloadProvider
 */
 public function __construct(
 SerializerInterface $serializer,
 ClientFactory $httpClientFactory,
 UserInfoInterfaceFactory $userInfoFactory,
- ApiEndpointsInterface $apiEndpoints
+ ApiEndpointsInterface $apiEndpoints,
+ TokenProviderInterface $tokenPayloadProvider
 ) {
 $this->serializer = $serializer;
 $this->httpClientFactory = $httpClientFactory;
 $this->userInfoFactory = $userInfoFactory;
 $this->apiEndpoints = $apiEndpoints;
+ $this->tokenPayloadProvider = $tokenPayloadProvider;
 }
 /**
@@ -99,6 +108,10 @@ public function execute($accessToken)
 $body = $this->serializer->unserialize($httpClient->getBody());
 if (200 <= $status && 300 > $status) {
+ $tokenPayload = $this->tokenPayloadProvider->get();
+ if (empty($body['sub']) || empty($tokenPayload['sub']) || $body['sub'] !== $tokenPayload['sub']) {
+ throw new LocalizedException(__('An error occurred trying to fetch user info'));
+ }
 $this->cache[$accessToken] = $this->userInfoFactory->create(['data' => $body]);
 return $this->cache[$accessToken];
 }
diff --git a/composer.json b/composer.json
index 7afaa9b..6d5e444 100644
--- a/composer.json
+++ b/composer.json
@@ -12,7 +12,7 @@
 "psr/log": "~1.0"
 },
 "type": "magento2-module",
- "version": "1.2.2",
+ "version": "1.2.3",
 "license": [
 "OSL-3.0",
 "AFL-3.0"
diff --git a/etc/frontend/di.xml b/etc/frontend/di.xml
index 9a3d860..1a09294 100644
--- a/etc/frontend/di.xml
+++ b/etc/frontend/di.xml
@@ -238,4 +238,10 @@
+
+
+ Vipps\Login\Model\TokenPayloadProvider
+
+
+
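Review bot: The new `sub` check throws the same generic `LocalizedException` message as any other userinfo failure, so the very condition this commit is meant to detect (the userinfo subject not matching the subject of the token the session holds) cannot be distinguished in logs from a transport or decoding error. A distinct message on the mismatch branch, e.g. `throw new LocalizedException(__('User info subject does not match the authenticated token subject'));`, or at minimum a comment above the `if` such as `// Reject userinfo whose sub differs from the token payload's sub (OIDC requires the client to verify this)`, would make the event visible to operators without changing behaviour. Separately, `empty()` treats the string `'0'` as absent, so `!isset($body['sub'])` / `!isset($tokenPayload['sub'])` states the intent more precisely, although whether a `sub` of `'0'` can occur here is not visible in this hunk. The enclosing `execute()` method starts and ends outside the hunk, and the contract of `tokenPayloadProvider->get()` (whether it can return something other than an array) is not shown.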