keith/friendica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

API: New classes for OAuth and basic auth

Browse source
This commit is contained in:
Michael 2021-06-08 06:32:24 +00:00
parent 246aa293d1
commit acbe9ebf9e
9 changed files with 346 additions and 178 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
include/api.php
View file

@ -44,7 +44,6 @@ use Friendica\Model\Photo;
use Friendica\Model\Post; use Friendica\Model\Post;
use Friendica\Model\User; use Friendica\Model\User;
use Friendica\Model\Verb; use Friendica\Model\Verb;
use Friendica\Module\BaseApi;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Network\HTTPException\BadRequestException; use Friendica\Network\HTTPException\BadRequestException;
use Friendica\Network\HTTPException\ExpectationFailedException; use Friendica\Network\HTTPException\ExpectationFailedException;
@ -58,6 +57,7 @@ use Friendica\Object\Image;
use Friendica\Protocol\Activity; use Friendica\Protocol\Activity;
use Friendica\Protocol\Diaspora; use Friendica\Protocol\Diaspora;
use Friendica\Security\FKOAuth1; use Friendica\Security\FKOAuth1;
use Friendica\Security\OAuth;
use Friendica\Security\OAuth1\OAuthRequest; use Friendica\Security\OAuth1\OAuthRequest;
use Friendica\Security\OAuth1\OAuthUtil; use Friendica\Security\OAuth1\OAuthUtil;
use Friendica\Util\DateTimeFormat; use Friendica\Util\DateTimeFormat;
@ -89,7 +89,7 @@ $called_api = [];
*/ */
function api_user() function api_user()
{ {
$user = BaseApi::getCurrentUserID(true); $user = OAuth::getCurrentUserID();
if (!empty($user)) { if (!empty($user)) {
return $user; return $user;
} }

7
src/Module/Api/Friendica/Events/Index.php
View file

@ -35,16 +35,15 @@ class Index extends BaseApi
{ {
public static function rawContent(array $parameters = []) public static function rawContent(array $parameters = [])
{ {
if (self::login(self::SCOPE_READ) === false) { self::login(self::SCOPE_READ);
throw new HTTPException\ForbiddenException(); $uid = self::getCurrentUserID();
}
$request = self::getRequest([ $request = self::getRequest([
'since_id' => 0, 'since_id' => 0,
'count' => 0, 'count' => 0,
]); ]);
$condition = ["`id` > ? AND `uid` = ?", $request['since_id'], self::$current_user_id]; $condition = ["`id` > ? AND `uid` = ?", $request['since_id'], $uid];
$params = ['limit' => $request['count']]; $params = ['limit' => $request['count']];
$events = DBA::selectToArray('event', [], $condition, $params); $events = DBA::selectToArray('event', [], $condition, $params);

11
src/Module/Api/Friendica/Profile/Show.php
View file

@ -37,16 +37,15 @@ class Show extends BaseApi
{ {
public static function rawContent(array $parameters = []) public static function rawContent(array $parameters = [])
{ {
if (self::login(self::SCOPE_READ) === false) { self::login(self::SCOPE_READ);
throw new HTTPException\ForbiddenException(); $uid = self::getCurrentUserID();
}
// retrieve general information about profiles for user // retrieve general information about profiles for user
$directory = DI::config()->get('system', 'directory'); $directory = DI::config()->get('system', 'directory');
$profile = Profile::getByUID(self::$current_user_id); $profile = Profile::getByUID($uid);
$profileFields = DI::profileField()->select(['uid' => self::$current_user_id, 'psid' => PermissionSet::PUBLIC]); $profileFields = DI::profileField()->select(['uid' => $uid, 'psid' => PermissionSet::PUBLIC]);
$profile = self::formatProfile($profile, $profileFields); $profile = self::formatProfile($profile, $profileFields);
@ -58,7 +57,7 @@ class Show extends BaseApi
} }
// return settings, authenticated user and profiles data // return settings, authenticated user and profiles data
$self = Contact::selectFirst(['nurl'], ['uid' => self::$current_user_id, 'self' => true]); $self = Contact::selectFirst(['nurl'], ['uid' => $uid, 'self' => true]);
$result = [ $result = [
'multi_profiles' => false, 'multi_profiles' => false,

4
src/Module/Api/Twitter/ContactEndpoint.php
View file

@ -54,7 +54,7 @@ abstract class ContactEndpoint extends BaseApi
*/ */
protected static function getUid(int $contact_id = null, string $screen_name = null) protected static function getUid(int $contact_id = null, string $screen_name = null)
{ {
$uid = self::$current_user_id; $uid = self::getCurrentUserID();
if ($contact_id || $screen_name) { if ($contact_id || $screen_name) {
// screen_name trumps user_id when both are provided // screen_name trumps user_id when both are provided
@ -129,7 +129,7 @@ abstract class ContactEndpoint extends BaseApi
protected static function ids($rel, int $uid, int $cursor = -1, int $count = self::DEFAULT_COUNT, bool $stringify_ids = false) protected static function ids($rel, int $uid, int $cursor = -1, int $count = self::DEFAULT_COUNT, bool $stringify_ids = false)
{ {
$hide_friends = false; $hide_friends = false;
if ($uid != self::$current_user_id) { if ($uid != self::getCurrentUserID()) {
$profile = Profile::getByUID($uid); $profile = Profile::getByUID($uid);
if (empty($profile)) { if (empty($profile)) {
throw new HTTPException\NotFoundException(DI::l10n()->t('Profile not found')); throw new HTTPException\NotFoundException(DI::l10n()->t('Profile not found'));

185
src/Module/BaseApi.php
View file

@ -24,34 +24,29 @@ namespace Friendica\Module;
use Friendica\BaseModule; use Friendica\BaseModule;
use Friendica\Core\Logger; use Friendica\Core\Logger;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Database\Database;
use Friendica\Database\DBA;
use Friendica\DI; use Friendica\DI;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Util\DateTimeFormat; use Friendica\Security\BasicAuth;
use Friendica\Security\OAuth;
use Friendica\Util\HTTPInputData; use Friendica\Util\HTTPInputData;
require_once __DIR__ . '/../../include/api.php'; require_once __DIR__ . '/../../include/api.php';
class BaseApi extends BaseModule class BaseApi extends BaseModule
{ {
/** @deprecated Use OAuth class constant */
const SCOPE_READ = 'read'; const SCOPE_READ = 'read';
/** @deprecated Use OAuth class constant */
const SCOPE_WRITE = 'write'; const SCOPE_WRITE = 'write';
/** @deprecated Use OAuth class constant */
const SCOPE_FOLLOW = 'follow'; const SCOPE_FOLLOW = 'follow';
/** @deprecated Use OAuth class constant */
const SCOPE_PUSH = 'push'; const SCOPE_PUSH = 'push';
/** /**
* @var string json|xml|rss|atom * @var string json|xml|rss|atom
*/ */
protected static $format = 'json'; protected static $format = 'json';
/**
* @var bool|int
*/
protected static $current_user_id;
/**
* @var array
*/
protected static $current_token = [];
public static function init(array $parameters = []) public static function init(array $parameters = [])
{ {
@ -184,7 +179,6 @@ class BaseApi extends BaseModule
* *
* @param string $scope the requested scope (read, write, follow) * @param string $scope the requested scope (read, write, follow)
* *
* @return bool Was a user authenticated?
* @throws HTTPException\ForbiddenException * @throws HTTPException\ForbiddenException
* @throws HTTPException\UnauthorizedException * @throws HTTPException\UnauthorizedException
* @throws HTTPException\InternalServerErrorException * @throws HTTPException\InternalServerErrorException
@ -197,40 +191,34 @@ class BaseApi extends BaseModule
*/ */
protected static function login(string $scope) protected static function login(string $scope)
{ {
if (empty(self::$current_user_id)) { $token = OAuth::getCurrentApplicationToken();
self::$current_token = self::getTokenByBearer(); if (!empty($token)) {
if (!empty(self::$current_token['uid'])) { if (!OAuth::isAllowedScope($scope)) {
self::$current_user_id = self::$current_token['uid'];
} else {
self::$current_user_id = 0;
}
}
if (!empty($scope) && !empty(self::$current_token)) {
if (empty(self::$current_token[$scope])) {
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]);
DI::mstdnError()->Forbidden(); DI::mstdnError()->Forbidden();
} }
$uid = OAuth::getCurrentUserID();
} }
if (empty(self::$current_user_id)) { if (empty($uid)) {
// The execution stops here if no one is logged in // The execution stops here if no one is logged in
api_login(DI::app()); BasicAuth::getCurrentUserID(true);
} }
self::$current_user_id = api_user();
return (bool)self::$current_user_id;
} }
/** /**
* Get current application * Get current application token
* *
* @return array token * @return array token
*/ */
protected static function getCurrentApplication() protected static function getCurrentApplication()
{ {
return self::$current_token; $token = OAuth::getCurrentApplicationToken();
if (empty($token)) {
$token = BasicAuth::getCurrentApplicationToken();
}
return $token;
} }
/** /**
@ -238,136 +226,15 @@ class BaseApi extends BaseModule
* *
* @return int User ID * @return int User ID
*/ */
public static function getCurrentUserID(bool $nologin = false) public static function getCurrentUserID()
{ {
if (empty(self::$current_user_id)) { $uid = OAuth::getCurrentUserID();
self::$current_token = self::getTokenByBearer();
if (!empty(self::$current_token['uid'])) { if (empty($uid)) {
self::$current_user_id = self::$current_token['uid']; $uid = BasicAuth::getCurrentUserID(false);
} else {
self::$current_user_id = 0;
}
} }
if ($nologin) { return (int)$uid;
return (int)self::$current_user_id;
}
if (empty(self::$current_user_id)) {
// Fetch the user id if logged in - but don't fail if not
api_login(DI::app(), false);
self::$current_user_id = api_user();
}
return (int)self::$current_user_id;
}
/**
* Get the user token via the Bearer token
*
* @return array User Token
*/
private static function getTokenByBearer()
{
$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (substr($authorization, 0, 7) != 'Bearer ') {
return [];
}
$bearer = trim(substr($authorization, 7));
$condition = ['access_token' => $bearer];
$token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
if (!DBA::isResult($token)) {
Logger::warning('Token not found', $condition);
return [];
}
Logger::debug('Token found', $token);
return $token;
}
/**
* Get the application record via the proved request header fields
*
* @param string $client_id
* @param string $client_secret
* @param string $redirect_uri
* @return array application record
*/
public static function getApplication(string $client_id, string $client_secret, string $redirect_uri)
{
$condition = ['client_id' => $client_id];
if (!empty($client_secret)) {
$condition['client_secret'] = $client_secret;
}
if (!empty($redirect_uri)) {
$condition['redirect_uri'] = $redirect_uri;
}
$application = DBA::selectFirst('application', [], $condition);
if (!DBA::isResult($application)) {
Logger::warning('Application not found', $condition);
return [];
}
return $application;
}
/**
* Check if an token for the application and user exists
*
* @param array $application
* @param integer $uid
* @return boolean
*/
public static function existsTokenForUser(array $application, int $uid)
{
return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]);
}
/**
* Fetch the token for the given application and user
*
* @param array $application
* @param integer $uid
* @return array application record
*/
public static function getTokenForUser(array $application, int $uid)
{
return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
}
/**
* Create and fetch an token for the application and user
*
* @param array $application
* @param integer $uid
* @param string $scope
* @return array application record
*/
public static function createTokenForUser(array $application, int $uid, string $scope)
{
$code = bin2hex(random_bytes(32));
$access_token = bin2hex(random_bytes(32));
$fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
'read' => (stripos($scope, self::SCOPE_READ) !== false),
'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
if ($fields[$scope] && !$application[$scope]) {
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
}
}
if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
return [];
}
return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
} }
/** /**

7
src/Module/OAuth/Authorize.php
View file

@ -24,6 +24,7 @@ namespace Friendica\Module\OAuth;
use Friendica\Core\Logger; use Friendica\Core\Logger;
use Friendica\DI; use Friendica\DI;
use Friendica\Module\BaseApi; use Friendica\Module\BaseApi;
use Friendica\Security\OAuth;
/** /**
* @see https://docs.joinmastodon.org/spec/oauth/ * @see https://docs.joinmastodon.org/spec/oauth/
@ -56,7 +57,7 @@ class Authorize extends BaseApi
DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data')); DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data'));
} }
$application = self::getApplication($request['client_id'], $request['client_secret'], $request['redirect_uri']); $application = OAuth::getApplication($request['client_id'], $request['client_secret'], $request['redirect_uri']);
if (empty($application)) { if (empty($application)) {
DI::mstdnError()->UnprocessableEntity(); DI::mstdnError()->UnprocessableEntity();
} }
@ -75,14 +76,14 @@ class Authorize extends BaseApi
Logger::info('Already logged in user', ['uid' => $uid]); Logger::info('Already logged in user', ['uid' => $uid]);
} }
if (!self::existsTokenForUser($application, $uid) && !DI::session()->get('oauth_acknowledge')) { if (!OAuth::existsTokenForUser($application, $uid) && !DI::session()->get('oauth_acknowledge')) {
Logger::info('Redirect to acknowledge'); Logger::info('Redirect to acknowledge');
DI::app()->redirect('oauth/acknowledge?' . http_build_query(['return_path' => $redirect, 'application' => $application['name']])); DI::app()->redirect('oauth/acknowledge?' . http_build_query(['return_path' => $redirect, 'application' => $application['name']]));
} }
DI::session()->remove('oauth_acknowledge'); DI::session()->remove('oauth_acknowledge');
$token = self::createTokenForUser($application, $uid, $request['scope']); $token = OAuth::createTokenForUser($application, $uid, $request['scope']);
if (!$token) { if (!$token) {
DI::mstdnError()->UnprocessableEntity(); DI::mstdnError()->UnprocessableEntity();
} }

5
src/Module/OAuth/Token.php
View file

@ -26,6 +26,7 @@ use Friendica\Core\System;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\DI; use Friendica\DI;
use Friendica\Module\BaseApi; use Friendica\Module\BaseApi;
use Friendica\Security\OAuth;
/** /**
* @see https://docs.joinmastodon.org/spec/oauth/ * @see https://docs.joinmastodon.org/spec/oauth/
@ -57,7 +58,7 @@ class Token extends BaseApi
DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data')); DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data'));
} }
$application = self::getApplication($request['client_id'], $request['client_secret'], $request['redirect_uri']); $application = OAuth::getApplication($request['client_id'], $request['client_secret'], $request['redirect_uri']);
if (empty($application)) { if (empty($application)) {
DI::mstdnError()->UnprocessableEntity(); DI::mstdnError()->UnprocessableEntity();
} }
@ -65,7 +66,7 @@ class Token extends BaseApi
if ($request['grant_type'] == 'client_credentials') { if ($request['grant_type'] == 'client_credentials') {
// the "client_credentials" are used as a token for the application itself. // the "client_credentials" are used as a token for the application itself.
// see https://aaronparecki.com/oauth-2-simplified/#client-credentials // see https://aaronparecki.com/oauth-2-simplified/#client-credentials
$token = self::createTokenForUser($application, 0, ''); $token = OAuth::createTokenForUser($application, 0, '');
} elseif ($request['grant_type'] == 'authorization_code') { } elseif ($request['grant_type'] == 'authorization_code') {
// For security reasons only allow freshly created tokens // For security reasons only allow freshly created tokens
$condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE", $condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE",

85
src/Security/BasicAuth.php Normal file
View file

@ -0,0 +1,85 @@
<?php
/**
* @copyright Copyright (C) 2010-2021, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Security;
use Friendica\Database\DBA;
use Friendica\DI;
/**
* Authentification via the basic auth method
*/
class BasicAuth
{
/**
* @var bool|int
*/
protected static $current_user_id = 0;
/**
* @var array
*/
protected static $current_token = [];
/**
* Fetch a dummy application token
*
* @return array token
*/
public static function getCurrentApplicationToken()
{
if (empty(self::getCurrentUserID())) {
return [];
}
if (!empty(self::$current_token)) {
return self::$current_token;
}
self::$current_token = [
'uid' => self::$current_user_id,
'id' => 0,
'name' => api_source(),
'website' => '',
'created_at' => DBA::NULL_DATETIME,
'read' => true,
'write' => true,
'follow' => true,
'push' => false];
return self::$current_token;
}
/**
* Get current user id, returns 0 if not logged in
*
* @return int User ID
*/
public static function getCurrentUserID(bool $login = true)
{
if (empty(self::$current_user_id)) {
api_login(DI::app(), $login);
self::$current_user_id = api_user();
}
return (int)self::$current_user_id;
}
}

216
src/Security/OAuth.php Normal file
View file

@ -0,0 +1,216 @@
<?php
/**
* @copyright Copyright (C) 2010-2021, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Security;
use Friendica\Core\Logger;
use Friendica\Database\Database;
use Friendica\Database\DBA;
use Friendica\Util\DateTimeFormat;
/**
* OAuth Server
*/
class OAuth
{
const SCOPE_READ = 'read';
const SCOPE_WRITE = 'write';
const SCOPE_FOLLOW = 'follow';
const SCOPE_PUSH = 'push';
/**
* @var bool|int
*/
protected static $current_user_id = 0;
/**
* @var array
*/
protected static $current_token = [];
/**
* Check if the provided scope does exist
*
* @param string $scope the requested scope (read, write, follow, push)
*
* @return bool "true" if the scope is allowed
*/
public static function isAllowedScope(string $scope)
{
$token = self::getCurrentApplicationToken();
if (empty($token)) {
Logger::notice('Empty application token');
return false;
}
if (!isset($token[$scope])) {
Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
return false;
}
if (empty($token[$scope])) {
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
return false;
}
return true;
}
/**
* Get current application token
*
* @return array token
*/
public static function getCurrentApplicationToken()
{
if (empty(self::$current_token)) {
self::$current_token = self::getTokenByBearer();
}
return self::$current_token;
}
/**
* Get current user id, returns 0 if not logged in
*
* @return int User ID
*/
public static function getCurrentUserID()
{
if (empty(self::$current_user_id)) {
$token = self::getCurrentApplicationToken();
if (!empty($token['uid'])) {
self::$current_user_id = $token['uid'];
} else {
self::$current_user_id = 0;
}
}
return (int)self::$current_user_id;
}
/**
* Get the user token via the Bearer token
*
* @return array User Token
*/
private static function getTokenByBearer()
{
$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (substr($authorization, 0, 7) != 'Bearer ') {
return [];
}
$bearer = trim(substr($authorization, 7));
$condition = ['access_token' => $bearer];
$token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
if (!DBA::isResult($token)) {
Logger::warning('Token not found', $condition);
return [];
}
Logger::debug('Token found', $token);
return $token;
}
/**
* Get the application record via the provided request header fields
*
* @param string $client_id
* @param string $client_secret
* @param string $redirect_uri
* @return array application record
*/
public static function getApplication(string $client_id, string $client_secret, string $redirect_uri)
{
$condition = ['client_id' => $client_id];
if (!empty($client_secret)) {
$condition['client_secret'] = $client_secret;
}
if (!empty($redirect_uri)) {
$condition['redirect_uri'] = $redirect_uri;
}
$application = DBA::selectFirst('application', [], $condition);
if (!DBA::isResult($application)) {
Logger::warning('Application not found', $condition);
return [];
}
return $application;
}
/**
* Check if an token for the application and user exists
*
* @param array $application
* @param integer $uid
* @return boolean
*/
public static function existsTokenForUser(array $application, int $uid)
{
return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]);
}
/**
* Fetch the token for the given application and user
*
* @param array $application
* @param integer $uid
* @return array application record
*/
public static function getTokenForUser(array $application, int $uid)
{
return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
}
/**
* Create and fetch an token for the application and user
*
* @param array $application
* @param integer $uid
* @param string $scope
* @return array application record
*/
public static function createTokenForUser(array $application, int $uid, string $scope)
{
$code = bin2hex(random_bytes(32));
$access_token = bin2hex(random_bytes(32));
$fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
'read' => (stripos($scope, self::SCOPE_READ) !== false),
'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
if ($fields[$scope] && !$application[$scope]) {
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
}
}
if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
return [];
}
return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
}
}