Merge pull request #103 from microsoft/fix/delegated-token-hash

Make cache keys reproducible and auth code string optional
microsoft · Nov 27, 2024 · 0ba4e7c · 0ba4e7c
2 parents 997b50a + b124275
commit 0ba4e7c
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/src/Oauth/AuthorizationCodeContext.php b/src/Oauth/AuthorizationCodeContext.php
@@ -47,7 +47,7 @@ class AuthorizationCodeContext extends BaseSecretContext implements TokenRequest
      */
     public function __construct(string $tenantId, string $clientId, string $clientSecret, string $authCode, string $redirectUri, array $additionalParams = [])
     {
-        if (!$authCode || !$redirectUri) {
+        if (!$redirectUri) {
             throw new InvalidArgumentException('$authCode or $redirectUri cannot be empty.');
         }
         $this->authCode = $authCode;

diff --git a/src/Oauth/DelegatedPermissionTrait.php b/src/Oauth/DelegatedPermissionTrait.php
@@ -40,7 +40,7 @@ abstract public function getTenantId(): string;
     public function setCacheKey(?AccessToken $accessToken = null): void
     {
         if ($accessToken && $accessToken->getToken()) {
-            $uniqueIdentifier = password_hash($accessToken->getToken(), PASSWORD_DEFAULT);
+            $uniqueIdentifier = hash("sha256", $accessToken->getToken());
             $this->cacheKey = "{$this->getTenantId()}-{$this->getClientId()}-{$uniqueIdentifier}";
         }
     }

diff --git a/tests/Cache/InMemoryAccessTokenCacheTest.php b/tests/Cache/InMemoryAccessTokenCacheTest.php
@@ -70,4 +70,20 @@ public function testCacheKeyIsSetForNonJWTToken() {
 
         $this->assertNotEmpty($delegatedTokenRequestContext->getCacheKey());
     }
+
+    public function testCacheKeyForDelegatedPermissionsIsReproducible() {
+        $accessToken = $this->createMock(AccessToken::class);
+        $accessToken->method('getToken')->willReturn('token');
+
+        $delegatedTokenRequestContext = new AuthorizationCodeContext("tenantId", "clientId", "clientSecret", "redirectUri", "code");
+        $delegatedTokenRequestContext->setCacheKey($accessToken);
+        $this->assertEquals("tenantId-clientId-".hash("sha256", 'token'), $delegatedTokenRequestContext->getCacheKey());
+        $cache = new InMemoryAccessTokenCache($delegatedTokenRequestContext, $accessToken);
+
+        // initialise another cache with same token & ensure token key is still the same for user
+        $newTokenContext = new AuthorizationCodeContext("tenantId", "clientId", "clientSecret", "redirectUri", "code");
+        $newCache = new InMemoryAccessTokenCache($newTokenContext, $accessToken);
+        $this->assertEquals($delegatedTokenRequestContext->getCacheKey(), $newTokenContext->getCacheKey());
+        $this->assertEquals($cache->getAccessToken($delegatedTokenRequestContext->getCacheKey()), $newCache->getAccessToken($newTokenContext->getCacheKey()));
+    }
 }