remove oauth1 from jsonapi, fixes #4204

Closes #4204

Merge request studip/studip!3031

lib/classes/JsonApi/Middlewares/Auth/OAuth1Strategy.php

-<?php
-
-namespace JsonApi\Middlewares\Auth;
-
-use Psr\Http\Message\ResponseInterface as Response;
-use Psr\Http\Message\ServerRequestInterface as Request;
-
-class OAuth1Strategy implements Strategy
-{
-    /** @var callable */
-    protected $authenticator;
-
-    /** @var Request */
-    protected $request;
-
-    /** @var ?\User */
-    protected $user;
-
-    /**
-     * @param callable $authenticator
-     */
-    public function __construct(Request $request, $authenticator)
-    {
-        $this->request = $request;
-        $this->authenticator = $authenticator;
-
-        \OAuthStore::instance('PDO', ['conn' => \DBManager::get()]);
-    }
-
-    public function check()
-    {
-        return !is_null($this->user());
-    }
-
-    public function user()
-    {
-        if (!is_null($this->user)) {
-            return $this->user;
-        }
-
-        $this->user = $this->detect();
-
-        return $this->user;
-    }
-
-    public function addChallenge(Response $response)
-    {
-        return $response; //->withHeader('WWW-Authenticate', sprintf('Basic realm="%s"', 'Stud.IP JSON-API'));
-    }
-
-    private function detect(): ?\User
-    {
-        if (!\OAuthRequestVerifier::requestIsSigned()) {
-            return null;
-        }
-
-        $uri = (string) $this->request->getUri();
-        $method = $this->request->getMethod();
-
-        if ('GET' === strtoupper(($method))) {
-            $parameters = (array) $this->request->getQueryParams();
-        } elseif ('POST' === strtoupper(($method))) {
-            $parameters = (array) $this->request->getParsedBody();
-        } else {
-            $parameters = [];
-        }
-        $parameters = $this->getParamsFromAuthorizationHeader($this->request, $parameters);
-
-        $req = new \OAuthRequestVerifier($uri, $method, $parameters);
-
-        // Check oauth timestamp and deny access if timestamp is outdated
-        if ($req->getParam('oauth_timestamp') < strtotime('-6 hours')) {
-            return null;
-        }
-
-        $result = $req->verifyExtended('access');
-
-        $query = 'SELECT user_id FROM api_oauth_user_mapping WHERE oauth_id = ?';
-        $statement = \DBManager::get()->prepare($query);
-        $statement->execute([$result['user_id']]);
-
-        if (!$userId = $statement->fetchColumn()) {
-            return null;
-        }
-
-        /** @var \User */
-        return \User::find($userId);
-    }
-
-    private function getParamsFromAuthorizationHeader(Request $request, array $params): array
-    {
-        if ($request->hasHeader('Authorization')) {
-            $auth = $request->getHeaderLine('Authorization');
-            if (0 == strncasecmp($auth, 'OAuth', 4)) {
-                foreach (explode(',', substr($auth, 6)) as $v) {
-                    if (!strpos($v, '=')) {
-                        continue;
-                    }
-                    $v = trim($v);
-                    list($name, $value) = explode('=', $v, 2);
-                    if (!empty($value) && '"' == $value[0] && '"' == substr($value, -1)) {
-                        $value = substr(substr($value, 1), 0, -1);
-                    }
-
-                    if (0 != strcasecmp($name, 'realm')) {
-                        $params[$name] = $value;
-                    }
-                }
-            }
-        }
-
-        return $params;
-    }
-}

lib/classes/JsonApi/Middlewares/Authentication.php

@@ -107,7 +107,6 @@ class Authentication
             'session' => new Auth\SessionStrategy(),
             'basic'   => new Auth\HttpBasicAuthStrategy($request, $this->authenticator),
             'oauth2'  => new Auth\OAuth2Strategy($request, $this->authenticator),
-            'oauth1'  => new Auth\OAuth1Strategy($request, $this->authenticator),
         ];
 
         foreach ($this->excluded_strategies as $strategy) {