[13.x] Make client RFC compatible (#1744)

* make client RFC compatible

* formatting

* drop support for Laravel 9

* update upgrade guide

* wip

* revert some changes

* fix tests

* wip

* fix tests

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* formatting

* formatting

* formatting

* wip

* revert unrelated changes

* fix backward compatibility

* formatting

* fix bc on update

* add tests for clients without grant_types

Author: hafezdivandari

database/factories/ClientFactory.php

@@ -32,9 +32,8 @@ public function definition()
             'user_id' => null,
             'name' => $this->faker->company(),
             'secret' => Str::random(40),
-            'redirect' => $this->faker->url(),
-            'personal_access_client' => false,
-            'password_client' => false,
+            'redirect_uris' => [$this->faker->url()],
+            'grant_types' => ['authorization_code', 'refresh_token'],
             'revoked' => false,
         ];
     }
@@ -47,8 +46,7 @@ public function definition()
     public function asPasswordClient()
     {
         return $this->state([
-            'personal_access_client' => false,
-            'password_client' => true,
+            'grant_types' => ['password', 'refresh_token'],
         ]);
     }
 
@@ -60,8 +58,7 @@ public function asPasswordClient()
     public function asPersonalAccessTokenClient()
     {
         return $this->state([
-            'personal_access_client' => true,
-            'password_client' => false,
+            'grant_types' => ['personal_access'],
         ]);
     }
 
@@ -73,8 +70,7 @@ public function asPersonalAccessTokenClient()
     public function asClientCredentials()
     {
         return $this->state([
-            'personal_access_client' => false,
-            'password_client' => false,
+            'grant_types' => ['client_credentials'],
         ]);
     }
 }

database/migrations/2016_06_01_000004_create_oauth_clients_table.php

@@ -17,9 +17,8 @@ public function up(): void
             $table->string('name');
             $table->string('secret')->nullable();
             $table->string('provider')->nullable();
-            $table->text('redirect');
-            $table->boolean('personal_access_client');
-            $table->boolean('password_client');
+            $table->text('redirect_uris');
+            $table->text('grant_types');
             $table->boolean('revoked');
             $table->timestamps();
         });

src/Bridge/Client.php

@@ -21,15 +21,15 @@ class Client implements ClientEntityInterface
     public function __construct(
         string $identifier,
         string $name,
-        string $redirectUri,
+        array $redirectUri,
         bool $isConfidential = false,
         ?string $provider = null
     ) {
         $this->setIdentifier($identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
-        $this->redirectUri = explode(',', $redirectUri);
+        $this->redirectUri = $redirectUri;
         $this->provider = $provider;
     }
 }

src/Bridge/ClientRepository.php

@@ -43,7 +43,7 @@ public function getClientEntity(string $clientIdentifier): ?ClientEntityInterfac
         return new Client(
             $clientIdentifier,
             $record->name,
-            $record->redirect,
+            $record->redirect_uris,
             $record->confidential(),
             $record->provider
         );
@@ -71,17 +71,7 @@ public function validateClient(string $clientIdentifier, ?string $clientSecret,
      */
     protected function handlesGrant(ClientModel $record, string $grantType): bool
     {
-        if (! $record->hasGrantType($grantType)) {
-            return false;
-        }
-
-        return match ($grantType) {
-            'authorization_code' => ! $record->firstParty(),
-            'personal_access' => $record->personal_access_client && $record->confidential(),
-            'password' => $record->password_client,
-            'client_credentials' => $record->confidential(),
-            default => true,
-        };
+        return $record->hasGrantType($grantType);
     }
 
     /**

src/Client.php

@@ -2,6 +2,7 @@
 
 namespace Laravel\Passport;
 
+use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Hash;
@@ -44,6 +45,7 @@ class Client extends Model
     protected $casts = [
         'grant_types' => 'array',
         'scopes' => 'array',
+        'redirect_uris' => 'array',
         'personal_access_client' => 'bool',
         'password_client' => 'bool',
         'revoked' => 'bool',
@@ -132,14 +134,30 @@ public function setSecretAttribute($value)
         $this->attributes['secret'] = is_null($value) ? $value : Hash::make($value);
     }
 
+    /**
+     * Get the client's redirect URIs.
+     */
+    protected function redirectUris(): Attribute
+    {
+        return Attribute::make(
+            get: function (?string $value, array $attributes) {
+                if (isset($value)) {
+                    return $this->fromJson($value);
+                }
+
+                return empty($attributes['redirect']) ? [] : explode(',', $attributes['redirect']);
+            },
+        );
+    }
+
     /**
      * Determine if the client is a "first party" client.
      *
      * @return bool
      */
     public function firstParty()
     {
-        return $this->personal_access_client || $this->password_client;
+        return $this->hasGrantType('personal_access') || $this->hasGrantType('password');
     }
 
     /**
@@ -160,11 +178,17 @@ public function skipsAuthorization()
      */
     public function hasGrantType($grantType)
     {
-        if (! isset($this->attributes['grant_types']) || ! is_array($this->grant_types)) {
-            return true;
+        if (isset($this->attributes['grant_types']) && is_array($this->grant_types)) {
+            return in_array($grantType, $this->grant_types);
         }
 
-        return in_array($grantType, $this->grant_types);
+        return match ($grantType) {
+            'authorization_code' => ! $this->personal_access_client && ! $this->password_client,
+            'personal_access' => $this->personal_access_client && $this->confidential(),
+            'password' => $this->password_client,
+            'client_credentials' => $this->confidential(),
+            default => true,
+        };
     }
 
     /**

src/ClientRepository.php

@@ -2,6 +2,7 @@
 
 namespace Laravel\Passport;
 
+use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Support\Str;
 
 class ClientRepository
@@ -78,75 +79,110 @@ public function activeForUser($userId)
     /**
      * Store a new client.
      *
-     * @param  int|null  $userId
-     * @param  string  $name
-     * @param  string  $redirect
-     * @param  string|null  $provider
-     * @param  bool  $personalAccess
-     * @param  bool  $password
-     * @param  bool  $confidential
-     * @return \Laravel\Passport\Client
+     * @param  string[]  $redirectUris
+     * @param  string[]  $grantTypes
      */
-    public function create($userId, $name, $redirect, $provider = null, $personalAccess = false, $password = false, $confidential = true)
-    {
-        $client = Passport::client()->forceFill([
-            'user_id' => $userId,
+    protected function create(
+        string $name,
+        array $grantTypes,
+        array $redirectUris = [],
+        ?string $provider = null,
+        bool $confidential = true,
+        ?Authenticatable $user = null
+    ): Client {
+        $client = Passport::client();
+        $columns = $client->getConnection()->getSchemaBuilder()->getColumnListing($client->getTable());
+
+        $attributes = [
             'name' => $name,
-            'secret' => ($confidential || $personalAccess) ? Str::random(40) : null,
+            'secret' => $confidential ? Str::random(40) : null,
             'provider' => $provider,
-            'redirect' => $redirect,
-            'personal_access_client' => $personalAccess,
-            'password_client' => $password,
             'revoked' => false,
-        ]);
-
-        $client->save();
-
-        return $client;
+            ...(in_array('redirect_uris', $columns) ? [
+                'redirect_uris' => $redirectUris,
+            ] : [
+                'redirect' => implode(',', $redirectUris),
+            ]),
+            ...(in_array('grant_types', $columns) ? [
+                'grant_types' => $grantTypes,
+            ] : [
+                'personal_access_client' => in_array('personal_access', $grantTypes),
+                'password_client' => in_array('password', $grantTypes),
+            ]),
+        ];
+
+        return $user
+            ? $user->clients()->forceCreate($attributes)
+            : $client->forceCreate($attributes);
     }
 
     /**
      * Store a new personal access token client.
-     *
-     * @param  int|null  $userId
-     * @param  string  $name
-     * @param  string  $redirect
-     * @return \Laravel\Passport\Client
      */
-    public function createPersonalAccessClient($userId, $name, $redirect)
+    public function createPersonalAccessGrantClient(string $name, ?string $provider = null): Client
     {
-        return $this->create($userId, $name, $redirect, null, true);
+        return $this->create($name, ['personal_access'], [], $provider);
     }
 
     /**
      * Store a new password grant client.
+     */
+    public function createPasswordGrantClient(string $name, ?string $provider = null): Client
+    {
+        return $this->create($name, ['password', 'refresh_token'], [], $provider);
+    }
+
+    /**
+     * Store a new client credentials grant client.
+     */
+    public function createClientCredentialsGrantClient(string $name): Client
+    {
+        return $this->create($name, ['client_credentials']);
+    }
+
+    /**
+     * Store a new implicit grant client.
      *
-     * @param  int|null  $userId
-     * @param  string  $name
-     * @param  string  $redirect
-     * @param  string|null  $provider
-     * @return \Laravel\Passport\Client
+     * @param  string[]  $redirectUris
      */
-    public function createPasswordGrantClient($userId, $name, $redirect, $provider = null)
+    public function createImplicitGrantClient(string $name, array $redirectUris): Client
     {
-        return $this->create($userId, $name, $redirect, $provider, false, true);
+        return $this->create($name, ['implicit'], $redirectUris);
+    }
+
+    /**
+     * Store a new authorization code grant client.
+     *
+     * @param  string[]  $redirectUris
+     */
+    public function createAuthorizationCodeGrantClient(
+        string $name,
+        array $redirectUris,
+        bool $confidential = true,
+        ?Authenticatable $user = null
+    ): Client {
+        return $this->create(
+            $name, ['authorization_code', 'refresh_token'], $redirectUris, null, $confidential, $user
+        );
     }
 
     /**
      * Update the given client.
      *
-     * @param  \Laravel\Passport\Client  $client
-     * @param  string  $name
-     * @param  string  $redirect
-     * @return \Laravel\Passport\Client
+     * @param  string[]  $redirectUris
      */
-    public function update(Client $client, $name, $redirect)
+    public function update(Client $client, string $name, array $redirectUris): bool
     {
-        $client->forceFill([
-            'name' => $name, 'redirect' => $redirect,
-        ])->save();
+        $columns = $client->getConnection()->getSchemaBuilder()->getColumnListing($client->getTable());
 
-        return $client;
+        return $client->forceFill([
+            'name' => $name,
+            ...(in_array('redirect_uris', $columns) ? [
+                'redirect_uris' => $redirectUris,
+            ] : [
+                'redirect' => implode(',', $redirectUris),
+            ]),
+        ])->save();
     }
 
     /**