Http: Review credential classes

- Split `AccessToken` into `GenericCredential`, `GenericToken` and
  `OAuth2AccessToken`, replacing public properties with getters

Author: lkrms

src/Toolkit/Contract/Http/CredentialInterface.php

@@ -8,12 +8,15 @@
 interface CredentialInterface
 {
     /**
-     * Get the authentication scheme of the credential, e.g. "Bearer"
+     * Get the authentication scheme of the credential, e.g. "Basic", "Digest"
+     * or "Bearer"
      */
     public function getAuthenticationScheme(): string;
 
     /**
-     * Get the credential
+     * Get the credential, e.g. a Base64-encoded user ID/password pair, a
+     * comma-delimited list of authorization parameters or an OAuth 2.0 access
+     * token
      */
     public function getCredential(): string;
 }

src/Toolkit/Http/GenericCredential.php

@@ -0,0 +1,42 @@
+<?php declare(strict_types=1);
+
+namespace Salient\Http;
+
+use Salient\Contract\Core\Immutable;
+use Salient\Contract\Http\CredentialInterface;
+
+/**
+ * @api
+ */
+class GenericCredential implements CredentialInterface, Immutable
+{
+    private string $AuthenticationScheme;
+    private string $Credential;
+
+    /**
+     * @api
+     */
+    public function __construct(
+        string $credential,
+        string $authenticationScheme
+    ) {
+        $this->AuthenticationScheme = $authenticationScheme;
+        $this->Credential = $credential;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getAuthenticationScheme(): string
+    {
+        return $this->AuthenticationScheme;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getCredential(): string
+    {
+        return $this->Credential;
+    }
+}

src/Toolkit/Http/GenericToken.php

@@ -1,82 +1,52 @@
 <?php declare(strict_types=1);
 
-namespace Salient\Http\OAuth2;
+namespace Salient\Http;
 
-use Salient\Contract\Core\Entity\Readable;
-use Salient\Contract\Core\Immutable;
-use Salient\Contract\Http\CredentialInterface;
-use Salient\Core\Concern\ReadableProtectedPropertiesTrait;
 use Salient\Utility\Date;
 use DateTimeImmutable;
 use DateTimeInterface;
 use InvalidArgumentException;
 
 /**
- * A token issued by an authorization provider for access to protected resources
- *
- * @property-read string $Token
- * @property-read string $Type
- * @property-read DateTimeImmutable|null $Expires
- * @property-read string[] $Scopes
- * @property-read array<string,mixed> $Claims
+ * @api
  */
-final class AccessToken implements CredentialInterface, Immutable, Readable
+class GenericToken extends GenericCredential
 {
-    use ReadableProtectedPropertiesTrait;
-
-    protected string $Token;
-    protected string $Type;
-    protected ?DateTimeImmutable $Expires;
-    /** @var string[] */
-    protected array $Scopes;
-    /** @var array<string,mixed> */
-    protected array $Claims;
+    private ?DateTimeImmutable $Expires;
 
     /**
-     * @param DateTimeInterface|int|null $expires `null` if the access token's
-     * lifetime is unknown, otherwise a {@see DateTimeInterface} or Unix
+     * @api
+     *
+     * @param DateTimeInterface|int|null $expires `null` if the token's lifetime
+     * is unknown or unlimited, otherwise a {@see DateTimeInterface} or Unix
      * timestamp representing its expiration time.
-     * @param string[]|null $scopes
-     * @param array<string,mixed>|null $claims
      */
     public function __construct(
         string $token,
-        string $type,
-        $expires,
-        ?array $scopes = null,
-        ?array $claims = null
+        string $authenticationScheme,
+        $expires = null
     ) {
         if (is_int($expires) && $expires < 0) {
-            throw new InvalidArgumentException(sprintf(
-                'Invalid $expires: %d',
-                $expires
-            ));
+            throw new InvalidArgumentException(
+                sprintf('Invalid timestamp: %d', $expires),
+            );
         }
 
-        $this->Token = $token;
-        $this->Type = $type;
         $this->Expires = $expires instanceof DateTimeInterface
             ? Date::immutable($expires)
-            : ($expires === null
-                ? null
-                : new DateTimeImmutable("@$expires"));
-        $this->Scopes = $scopes ?: [];
-        $this->Claims = $claims ?: [];
-    }
+            : ($expires !== null
+                ? new DateTimeImmutable('@' . $expires)
+                : null);
 
-    /**
-     * @inheritDoc
-     */
-    public function getAuthenticationScheme(): string
-    {
-        return $this->Type;
+        parent::__construct($token, $authenticationScheme);
     }
 
     /**
-     * @inheritDoc
+     * Get the expiration time of the token, or null if its lifetime is unknown
+     * or unlimited
      */
-    public function getCredential(): string
+    public function getExpires(): ?DateTimeImmutable
     {
-        return $this->Token;
+        return $this->Expires;
     }
 }

src/Toolkit/Http/OAuth2/OAuth2AccessToken.php

@@ -2,81 +2,53 @@
 
 namespace Salient\Http\OAuth2;
 
-use Salient\Contract\Core\Entity\Readable;
-use Salient\Contract\Core\Immutable;
-use Salient\Contract\Http\CredentialInterface;
-use Salient\Core\Concern\ReadableProtectedPropertiesTrait;
-use Salient\Utility\Date;
-use DateTimeImmutable;
-use DateTimeInterface;
-use InvalidArgumentException;
+use Salient\Http\GenericToken;
 
 /**
- * A token issued by an authorization provider for access to protected resources
- *
- * @property-read string $Token
- * @property-read string $Type
- * @property-read DateTimeImmutable|null $Expires
- * @property-read string[] $Scopes
- * @property-read array<string,mixed> $Claims
+ * @api
  */
-final class AccessToken implements CredentialInterface, Immutable, Readable
+class OAuth2AccessToken extends GenericToken
 {
-    use ReadableProtectedPropertiesTrait;
-
-    protected string $Token;
-    protected string $Type;
-    protected ?DateTimeImmutable $Expires;
     /** @var string[] */
-    protected array $Scopes;
+    private array $Scopes;
     /** @var array<string,mixed> */
-    protected array $Claims;
+    private array $Claims;
 
     /**
-     * @param DateTimeInterface|int|null $expires `null` if the access token's
-     * lifetime is unknown, otherwise a {@see DateTimeInterface} or Unix
-     * timestamp representing its expiration time.
-     * @param string[]|null $scopes
-     * @param array<string,mixed>|null $claims
+     * @api
+     *
+     * @param string[] $scopes
+     * @param array<string,mixed> $claims
      */
     public function __construct(
         string $token,
-        string $type,
-        $expires,
-        ?array $scopes = null,
-        ?array $claims = null
+        $expires = null,
+        array $scopes = [],
+        array $claims = []
     ) {
-        if (is_int($expires) && $expires < 0) {
-            throw new InvalidArgumentException(sprintf(
-                'Invalid $expires: %d',
-                $expires
-            ));
-        }
+        $this->Scopes = $scopes;
+        $this->Claims = $claims;
 
-        $this->Token = $token;
-        $this->Type = $type;
-        $this->Expires = $expires instanceof DateTimeInterface
-            ? Date::immutable($expires)
-            : ($expires === null
-                ? null
-                : new DateTimeImmutable("@$expires"));
-        $this->Scopes = $scopes ?: [];
-        $this->Claims = $claims ?: [];
+        parent::__construct($token, 'Bearer', $expires);
     }
 
     /**
-     * @inheritDoc
+     * Get the token's scopes
+     *
+     * @return string[]
      */
-    public function getAuthenticationScheme(): string
+    public function getScopes(): array
     {
-        return $this->Type;
+        return $this->Scopes;
     }
 
     /**
-     * @inheritDoc
+     * Get the token's claims
+     *
+     * @return array<string,mixed>
      */
-    public function getCredential(): string
+    public function getClaims(): array
     {
-        return $this->Token;
+        return $this->Claims;
     }
 }

src/Toolkit/Http/OAuth2/OAuth2Client.php

@@ -126,7 +126,7 @@ abstract protected function getJsonWebKeySetUrl(): ?string;
      * @param array<string,mixed>|null $idToken
      * @param OAuth2GrantType::* $grantType
      */
-    abstract protected function receiveToken(AccessToken $token, ?array $idToken, string $grantType): void;
+    abstract protected function receiveToken(OAuth2AccessToken $token, ?array $idToken, string $grantType): void;
 
     public function __construct()
     {
@@ -162,9 +162,9 @@ final protected function getRedirectUri(): ?string
      *
      * @param string[]|null $scopes
      */
-    final public function getAccessToken(?array $scopes = null): AccessToken
+    final public function getAccessToken(?array $scopes = null): OAuth2AccessToken
     {
-        $token = Cache::getInstance()->getInstanceOf($this->TokenKey, AccessToken::class);
+        $token = Cache::getInstance()->getInstanceOf($this->TokenKey, OAuth2AccessToken::class);
         if ($token) {
             if ($this->accessTokenHasScopes($token, $scopes)) {
                 return $token;
@@ -197,9 +197,9 @@ final public function getAccessToken(?array $scopes = null): AccessToken
      *
      * @param string[]|null $scopes
      */
-    private function accessTokenHasScopes(AccessToken $token, ?array $scopes): bool
+    private function accessTokenHasScopes(OAuth2AccessToken $token, ?array $scopes): bool
     {
-        if ($scopes && array_diff($scopes, $token->Scopes)) {
+        if ($scopes && array_diff($scopes, $token->getScopes())) {
             return false;
         }
         return true;
@@ -209,7 +209,7 @@ private function accessTokenHasScopes(AccessToken $token, ?array $scopes): bool
      * If an unexpired refresh token is available, use it to get a new access
      * token from the provider if possible
      */
-    final protected function refreshAccessToken(): ?AccessToken
+    final protected function refreshAccessToken(): ?OAuth2AccessToken
     {
         $refreshToken = Cache::getString("{$this->TokenKey}:refresh");
         return $refreshToken === null
@@ -225,7 +225,7 @@ final protected function refreshAccessToken(): ?AccessToken
      *
      * @param array<string,mixed> $options
      */
-    final protected function authorize(array $options = []): AccessToken
+    final protected function authorize(array $options = []): OAuth2AccessToken
     {
         if (isset($options['scope'])) {
             $scopes = $this->filterScope($options['scope']);
@@ -237,9 +237,9 @@ final protected function authorize(array $options = []): AccessToken
                 $cache->has($this->TokenKey)
                 || $cache->has("{$this->TokenKey}:refresh")
             ) {
-                $lastToken = $cache->getInstanceOf($this->TokenKey, AccessToken::class);
+                $lastToken = $cache->getInstanceOf($this->TokenKey, OAuth2AccessToken::class);
                 if ($lastToken) {
-                    $scopes = Arr::extend($lastToken->Scopes, ...$scopes);
+                    $scopes = Arr::extend($lastToken->getScopes(), ...$scopes);
                 }
             }
             $cache->close();
@@ -265,7 +265,7 @@ final protected function authorize(array $options = []): AccessToken
     /**
      * @param array<string,mixed> $options
      */
-    private function authorizeWithClientCredentials(array $options = []): AccessToken
+    private function authorizeWithClientCredentials(array $options = []): OAuth2AccessToken
     {
         // league/oauth2-client doesn't add scopes to client_credentials
         // requests
@@ -290,7 +290,7 @@ private function authorizeWithClientCredentials(array $options = []): AccessToke
     /**
      * @param array<string,mixed> $options
      */
-    private function authorizeWithAuthorizationCode(array $options = []): AccessToken
+    private function authorizeWithAuthorizationCode(array $options = []): OAuth2AccessToken
     {
         if (!$this->Listener) {
             throw new LogicException('Cannot use the Authorization Code flow without a Listener');
@@ -380,7 +380,7 @@ private function requestAccessToken(
         string $grantType,
         array $options = [],
         $scope = null
-    ): AccessToken {
+    ): OAuth2AccessToken {
         Console::debug('Requesting access token with ' . $grantType);
 
         $_token = $this->Provider->getAccessToken($grantType, $options);
@@ -419,21 +419,20 @@ private function requestAccessToken(
             ?? $scope);
 
         if (!$scopes && $grantType === OAuth2GrantType::REFRESH_TOKEN) {
-            $lastToken = Cache::getInstance()->getInstanceOf($this->TokenKey, AccessToken::class);
+            $lastToken = Cache::getInstance()->getInstanceOf($this->TokenKey, OAuth2AccessToken::class);
             if ($lastToken) {
-                $scopes = $lastToken->Scopes;
+                $scopes = $lastToken->getScopes();
             }
         }
 
-        $token = new AccessToken(
+        $token = new OAuth2AccessToken(
             $accessToken,
-            $tokenType,
             $expires,
             $scopes ?: $this->getDefaultScopes(),
             $claims
         );
 
-        Cache::set($this->TokenKey, $token, $token->Expires);
+        Cache::set($this->TokenKey, $token, $token->getExpires());
 
         if ($idToken !== null) {
             $idToken = $this->getValidJsonWebToken($idToken, true);