Merge pull request #294 from d-ph/more-state-csrf-hashes

Add support for CSRF state hashes for Facebook, Instagram and Google

Author: elliotchance

examples/facebook.php

@@ -36,8 +36,11 @@
 $facebookService = $serviceFactory->createService('facebook', $credentials, $storage, array());
 
 if (!empty($_GET['code'])) {
+    // retrieve the CSRF state parameter
+    $state = isset($_GET['state']) ? $_GET['state'] : null;
+
     // This was a callback request from facebook, get the token
-    $token = $facebookService->requestAccessToken($_GET['code']);
+    $token = $facebookService->requestAccessToken($_GET['code'], $state);
 
     // Send a request with it
     $result = json_decode($facebookService->request('/me'), true);

examples/google.php

@@ -35,11 +35,14 @@
 $googleService = $serviceFactory->createService('google', $credentials, $storage, array('userinfo_email', 'userinfo_profile'));
 
 if (!empty($_GET['code'])) {
+    // retrieve the CSRF state parameter
+    $state = isset($_GET['state']) ? $_GET['state'] : null;
+
     // This was a callback request from google, get the token
-    $googleService->requestAccessToken($_GET['code']);
+    $googleService->requestAccessToken($_GET['code'], $state);
 
     // Send a request with it
-    $result = json_decode($googleService->request('https://www.googleapis.com/oauth2/v1/userinfo'), true);
+    $result = json_decode($googleService->request('userinfo'), true);
 
     // Show some of the resultant data
     echo 'Your unique google user id is: ' . $result['id'] . ' and your name is ' . $result['name'];

examples/instagram.php

@@ -38,8 +38,11 @@
 $instagramService = $serviceFactory->createService('instagram', $credentials, $storage, $scopes);
 
 if (!empty($_GET['code'])) {
+    // retrieve the CSRF state parameter
+    $state = isset($_GET['state']) ? $_GET['state'] : null;
+
     // This was a callback request from Instagram, get the token
-    $instagramService->requestAccessToken($_GET['code']);
+    $instagramService->requestAccessToken($_GET['code'], $state);
 
     // Send a request with it
     $result = json_decode($instagramService->request('users/self'), true);

src/OAuth/OAuth2/Service/Facebook.php

@@ -130,7 +130,7 @@ public function __construct(
         UriInterface $baseApiUri = null,
         $apiVersion = ""
     ) {
-        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, false, $apiVersion);
+        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, true, $apiVersion);
 
         if (null === $baseApiUri) {
             $this->baseApiUri = new Uri('https://graph.facebook.com'.$this->getApiVersionString().'/');

src/OAuth/OAuth2/Service/Google.php

@@ -2,6 +2,10 @@
 
 namespace OAuth\OAuth2\Service;
 
+use OAuth\Common\Consumer\CredentialsInterface;
+use OAuth\Common\Http\Client\ClientInterface;
+use OAuth\Common\Http\Uri\UriInterface;
+use OAuth\Common\Storage\TokenStorageInterface;
 use OAuth\OAuth2\Token\StdOAuth2Token;
 use OAuth\Common\Http\Exception\TokenResponseException;
 use OAuth\OAuth2\Service\Exception\InvalidAccessTypeException;
@@ -110,6 +114,19 @@ class Google extends AbstractService
 
     protected $accessType = 'online';
 
+    public function __construct(
+        CredentialsInterface $credentials,
+        ClientInterface $httpClient,
+        TokenStorageInterface $storage,
+        $scopes = array(),
+        UriInterface $baseApiUri = null
+    ) {
+        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, true);
+
+        if (null === $baseApiUri) {
+            $this->baseApiUri = new Uri('https://www.googleapis.com/oauth2/v1/');
+        }
+    }
 
     public function setAccessType($accessType)
     {

src/OAuth/OAuth2/Service/Instagram.php

@@ -28,7 +28,7 @@ public function __construct(
         $scopes = array(),
         UriInterface $baseApiUri = null
     ) {
-        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri);
+        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, true);
 
         if (null === $baseApiUri) {
             $this->baseApiUri = new Uri('https://api.instagram.com/v1/');