add refresh token repository

ylebre · ylebre · commit 66bbc3bd7c19 · 2025-12-15T20:24:09.000+01:00
diff --git a/init.php b/init.php
@@ -45,6 +45,12 @@ function initDatabase() {
 			type VARCHAR(255) NOT NULL,
 			expires TEXT NOT NULL
 		    )',
+		    'CREATE TABLE IF NOT EXISTS oauth2Repository (
+			type VARCHAR(255) NOT NULL,
+			key VARCHAR(255) NOT NULL,
+			value TEXT NOT NULL,
+			expires TEXT NOT NULL
+		    )',
 		];
 		      
 		try {
diff --git a/lib/Repositories/RefreshTokenRepository.php b/lib/Repositories/RefreshTokenRepository.php
@@ -0,0 +1,110 @@
+<?php
+namespace Pdsinterop\PhpSolid\Repository;
+
+use Pdsinterop\PhpSolid\Db;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use Pdsinterop\Solid\Auth\Entity\RefreshToken as RefreshTokenEntity;
+
+class RefreshToken implements RefreshTokenRepositoryInterface
+{
+	/**
+	 * Creates a new refresh token
+	 *
+	 * @return RefreshTokenEntityInterface|null
+	 */
+	public function getNewRefreshToken() : ?RefreshTokenEntityInterface
+	{
+		return new RefreshTokenEntity();
+	}
+
+	/**
+	 * Called when a new refresh token is created
+	 *
+	 * @param RefreshTokenEntityInterface $refreshTokenEntity
+	 *
+	 * @throws UniqueTokenIdentifierConstraintViolationException
+	 */
+	public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity) : void
+	{
+		// throw new UniqueTokenIdentifierConstraintViolationException;
+		/*/
+			When a new refresh token is created this method will be called. You don’t have to do anything here but for
+			auditing you might want to.
+
+			The refresh token entity passed in has a number of methods you can call which contain data worth saving to
+			a database:
+
+				getIdentifier() : string this is randomly generated unique identifier (of 80+ characters in length) for the refresh token.
+				getExpiryDateTime() : \DateTime the expiry date and time of the refresh token.
+				getAccessToken()->getIdentifier() : string the linked access token’s identifier.
+
+			JWT access tokens contain an expiry date and so will be rejected automatically when used. You can safely
+			clean up expired access tokens from your database.
+		/*/
+		Db::connect();
+		$query = Db::$pdo->prepare(
+			'INSERT INTO oauth2Repository VALUES(:type, :key, :value, :expiry)'
+		);
+		$query->execute([
+			':type' => 'refreshToken',
+			':key' => $refreshTokenEntity->getIdentifier(),
+			':value' => $refreshTokenEntity,
+			':expires' => $refreshTokenEntit->getExpiryDateTime()
+		]);
+	}
+
+	/**
+	 * Revoke the refresh token.
+	 *
+	 * @param string $tokenId
+	 */
+	public function revokeRefreshToken($tokenId) : void
+	{
+		/*/
+			This method is called when a refresh token is used to reissue an access token.
+
+			The original refresh token is revoked a new refresh token is issued.
+		/*/
+		Db::connect();
+		$now = new \DateTime();
+		$query = Db::$pdo->prepare(
+			'DELETE FROM oauth2Repository WHERE type=:type AND key = :key'
+		);
+		$query->execute([
+			':type' => 'refreshToken',
+			':key' => $tokenId
+		]);
+	}
+
+	/**
+	 * Check if the refresh token has been revoked.
+	 *
+	 * @param string $tokenId
+	 *
+	 * @return bool Return true if this token has been revoked
+	 */
+	public function isRefreshTokenRevoked($tokenId) : bool
+	{
+		/*/
+			This method is called when an refresh token is used to issue a new access token.
+
+			Return true if the refresh token has been manually revoked before it expired.
+			If the token is still valid return false.
+		/*/
+		return false;
+	}
+
+	public static function cleanup() {
+		Db::connect();
+		$now = new \DateTime();
+		$query = Db::$pdo->prepare(
+			'DELETE FROM oauth2Repository WHERE type=:type AND expires < :now'
+		);
+		$query->execute([
+			':type' => 'refreshToken',
+			':now' => $now->getTimestamp()
+		]);
+	}
+}
diff --git a/lib/Server.php b/lib/Server.php
@@ -2,6 +2,7 @@
 	namespace Pdsinterop\PhpSolid;
 	
 	use Pdsinterop\Solid\Auth\Factory\AuthorizationServerFactory;
+	use Pdsinterop\Solid\Auth\Factory\RepositoryFactory;
 	use Laminas\Diactoros\Response;
 	use Pdsinterop\Solid\Auth\Server as SolidAuthServer;
 	use Pdsinterop\Solid\Auth\Factory\ConfigFactory;
@@ -13,6 +14,7 @@
 	use Pdsinterop\Solid\Auth\TokenGenerator;
 	use Pdsinterop\PhpSolid\ClientRegistration;
 	use Pdsinterop\PhpSolid\JtiStore;
+	use Pdsinterop\Solid\Auth\Enum\Repository;
 
 	class Server {
 		public static function generateKeySet() {
@@ -40,6 +42,8 @@ public static function generateKeySet() {
 		public static function getAuthServer() {
 			$authServerConfig = self::getAuthServerConfig();
 			$authServerFactory = new AuthorizationServerFactory($authServerConfig);
+			$repositoryFactory = self::getAuthServerRepositoryFactory();
+			$authServerFactory->setRepositoryFactory($repositoryFactory);
 			$authServer = $authServerFactory->create();
 			$response = new Response();
 			$server = new SolidAuthServer($authServer, $authServerConfig, $response);
@@ -60,7 +64,13 @@ public static function getAuthServerConfig() {
 			$authServerConfig = $authServerConfigFactory->create();
 			return $authServerConfig;
 		}
-		
+
+		public static function getAuthServerRepositoryFactory() {
+			return new RepositoryFactory([
+				Repository::REFRESH_TOKEN => new RefreshTokenRepository()
+			]);
+		}
+
 		public static function getConfigClient() {
 			$clientId = $_GET['client_id'] ?? $_POST['client_id'] ?? null;
 			if ($clientId) { 
