feat: base#71 — Incremental consent in OAuthAccountController

ralflang · ralflang · commit c97788c56546 · 2026-04-23T20:08:27.000+01:00
When a Horde app needs a scope the user hasn't granted yet, it must trigger a re-authorization. For incremental consent it needs to accept additional scopes and merge them. See also #70 Model A
diff --git a/src/Factory/OAuthHttpClientServiceFactory.php b/src/Factory/OAuthHttpClientServiceFactory.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Copyright 2026 The Horde Project (http://www.horde.org/)
+ *
+ * See the enclosed file LICENSE for license information (LGPL). If you
+ * did not receive this file, see http://www.horde.org/licenses/lgpl21.
+ *
+ * @category Horde
+ * @package  Horde
+ * @author   Ralf Lang <ralf.lang@ralf-lang.de>
+ * @license  http://www.horde.org/licenses/lgpl21 LGPL 2.1
+ */
+
+namespace Horde\Horde\Factory;
+
+use Horde\Core\Service\OAuthHttpClientService;
+use Horde\Core\Service\OAuthProviderConfigRepository;
+use Horde\Core\Service\OAuthTokenService;
+use Horde\Horde\Service\DefaultOAuthHttpClientService;
+use Horde_Injector;
+use Psr\Http\Client\ClientInterface;
+use Psr\Http\Message\RequestFactoryInterface;
+use Psr\Http\Message\StreamFactoryInterface;
+
+class OAuthHttpClientServiceFactory
+{
+    public function create(Horde_Injector $injector): OAuthHttpClientService
+    {
+        return new DefaultOAuthHttpClientService(
+            tokenService: $injector->getInstance(OAuthTokenService::class),
+            providerConfig: $injector->getInstance(OAuthProviderConfigRepository::class),
+            httpClient: $injector->getInstance(ClientInterface::class),
+            requestFactory: $injector->getInstance(RequestFactoryInterface::class),
+            streamFactory: $injector->getInstance(StreamFactoryInterface::class),
+        );
+    }
+}
diff --git a/src/Service/DefaultOAuthHttpClientService.php b/src/Service/DefaultOAuthHttpClientService.php
@@ -0,0 +1,80 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Copyright 2026 The Horde Project (http://www.horde.org/)
+ *
+ * See the enclosed file LICENSE for license information (LGPL). If you
+ * did not receive this file, see http://www.horde.org/licenses/lgpl21.
+ *
+ * @category Horde
+ * @package  Horde
+ * @author   Ralf Lang <ralf.lang@ralf-lang.de>
+ * @license  http://www.horde.org/licenses/lgpl21 LGPL 2.1
+ */
+
+namespace Horde\Horde\Service;
+
+use Horde\Core\Service\Exception\OAuthInsufficientScopeException;
+use Horde\Core\Service\Exception\OAuthTokenNotFoundException;
+use Horde\Core\Service\OAuthHttpClientService;
+use Horde\Core\Service\OAuthProviderConfigRepository;
+use Horde\Core\Service\OAuthTokenService;
+use Horde\Core\Service\ScopeCheckResult;
+use Horde\Core\Service\WantedScopes;
+use Horde\OAuth\Client\AuthenticatedHttpClient;
+use Horde\OAuth\Client\ScopeSet;
+use Horde\OAuth\Client\TokenRefresher;
+use Psr\Http\Client\ClientInterface;
+use Psr\Http\Message\RequestFactoryInterface;
+use Psr\Http\Message\StreamFactoryInterface;
+
+class DefaultOAuthHttpClientService implements OAuthHttpClientService
+{
+    public function __construct(
+        private readonly OAuthTokenService $tokenService,
+        private readonly OAuthProviderConfigRepository $providerConfig,
+        private readonly ClientInterface $httpClient,
+        private readonly RequestFactoryInterface $requestFactory,
+        private readonly StreamFactoryInterface $streamFactory,
+    ) {}
+
+    public function getClient(
+        string $userId,
+        string $providerId,
+        ?WantedScopes $wantedScopes = null,
+    ): AuthenticatedHttpClient {
+        if ($wantedScopes !== null) {
+            $result = $this->tokenService->checkScopes($userId, $providerId, $wantedScopes);
+
+            if ($result === ScopeCheckResult::NoToken) {
+                throw new OAuthTokenNotFoundException(
+                    "No OAuth tokens for user '{$userId}' / provider '{$providerId}'"
+                );
+            }
+
+            if ($result === ScopeCheckResult::Insufficient) {
+                $tokenSet = $this->tokenService->getTokenSet($userId, $providerId);
+                $granted = ScopeSet::fromSpaceSeparated($tokenSet->scope);
+                $missing = $wantedScopes->scopes->diff($granted)->toArray();
+
+                throw new OAuthInsufficientScopeException($tokenSet, $missing);
+            }
+        }
+
+        $tokenSet = $this->tokenService->getTokenSet($userId, $providerId);
+        $config = $this->providerConfig->get($providerId);
+
+        $refresher = new TokenRefresher(
+            httpClient: $this->httpClient,
+            requestFactory: $this->requestFactory,
+            streamFactory: $this->streamFactory,
+            tokenEndpoint: $config['token_endpoint'] ?? '',
+            clientId: $config['client_id'] ?? '',
+            clientSecret: $config['client_secret'] ?? null,
+        );
+
+        return new AuthenticatedHttpClient($this->httpClient, $tokenSet, $refresher);
+    }
+}
diff --git a/src/Service/DefaultOAuthTokenService.php b/src/Service/DefaultOAuthTokenService.php
@@ -17,9 +17,13 @@
 namespace Horde\Horde\Service;
 
 use Horde\Core\Service\Exception\OAuthTokenRefreshException;
+use Horde\Core\Service\NullScopeStrategy;
 use Horde\Core\Service\OAuthProviderConfigRepository;
 use Horde\Core\Service\OAuthTokenRepository;
 use Horde\Core\Service\OAuthTokenService;
+use Horde\Core\Service\ScopeCheckResult;
+use Horde\Core\Service\WantedScopes;
+use Horde\OAuth\Client\ScopeSet;
 use Horde\OAuth\Client\TokenRefresher;
 use Horde\OAuth\Client\TokenSet;
 use Psr\Http\Client\ClientInterface;
@@ -87,6 +91,31 @@ public function getTokenSet(string $userId, string $providerId): TokenSet
         return $this->repository->load($userId, $providerId);
     }
 
+    public function checkScopes(string $userId, string $providerId, WantedScopes $wanted): ScopeCheckResult
+    {
+        if (!$this->repository->exists($userId, $providerId)) {
+            return ScopeCheckResult::NoToken;
+        }
+
+        if ($wanted->isEmpty()) {
+            return ScopeCheckResult::Sufficient;
+        }
+
+        $tokenSet = $this->repository->load($userId, $providerId);
+
+        if ($tokenSet->scope === null) {
+            return $wanted->nullStrategy === NullScopeStrategy::TreatAsSufficient
+                ? ScopeCheckResult::Sufficient
+                : ScopeCheckResult::Insufficient;
+        }
+
+        $granted = ScopeSet::fromSpaceSeparated($tokenSet->scope);
+
+        return $granted->hasAll($wanted->scopes)
+            ? ScopeCheckResult::Sufficient
+            : ScopeCheckResult::Insufficient;
+    }
+
     private function refresh(string $providerId, TokenSet $tokenSet): TokenSet
     {
         try {
diff --git a/src/Settings/OAuthAccountController.php b/src/Settings/OAuthAccountController.php
@@ -40,6 +40,7 @@
 use Horde\OAuth\Client\OAuthFlowStore;
 use Horde\OAuth\Client\PkceGenerator;
 use Horde\OAuth\Client\ProviderConfig;
+use Horde\OAuth\Client\ScopeSet;
 use Horde_Notification_Handler;
 use Horde_Registry;
 use Horde_View;
@@ -167,6 +168,38 @@ private function connect(ServerRequestInterface $request, ?string $providerId):
             return $this->redirect($baseUrl . '/');
         }
 
+        $queryParams = $request->getQueryParams();
+        $extraScopes = trim($queryParams['scopes'] ?? '');
+        $returnUrl = trim($queryParams['return_url'] ?? '');
+        $requestingApp = trim($queryParams['requesting_app'] ?? '');
+        $userId = $request->getAttribute('HORDE_AUTHENTICATED_USER');
+
+        $defaultScopes = !empty($row['default_scopes']) ? explode(' ', $row['default_scopes']) : [];
+        $neededScopes = $extraScopes !== ''
+            ? ScopeSet::fromSpaceSeparated($extraScopes)
+            : new ScopeSet(...$defaultScopes);
+
+        $client = $this->buildOAuth2Client($row);
+
+        if ($extraScopes !== '' && $this->tokenService->hasTokens($userId, $providerId)) {
+            $tokenSet = $this->tokenService->getTokenSet($userId, $providerId);
+            $currentScopes = ScopeSet::fromSpaceSeparated($tokenSet->scope);
+
+            $result = $client->getIncrementalConsentUrl(
+                currentScopes: $currentScopes,
+                neededScopes: $neededScopes,
+            );
+
+            if (!$result->consentNeeded) {
+                $this->notification->push(_("Required scopes are already granted."), 'horde.message');
+                return $this->redirect($returnUrl !== '' ? $returnUrl : $baseUrl . '/');
+            }
+
+            $scopes = $result->mergedScopes->toArray();
+        } else {
+            $scopes = $neededScopes->toArray();
+        }
+
         $verifier = PkceGenerator::generateVerifier();
         $challenge = PkceGenerator::computeChallenge($verifier);
         $state = bin2hex(random_bytes(32));
@@ -177,11 +210,10 @@ private function connect(ServerRequestInterface $request, ?string $providerId):
             pkceVerifier: $verifier,
             flowType: 'account_link',
             createdAt: time(),
+            redirectUrl: $returnUrl,
+            requestingApp: $requestingApp,
         ));
 
-        $client = $this->buildOAuth2Client($row);
-        $scopes = !empty($row['default_scopes']) ? explode(' ', $row['default_scopes']) : [];
-
         $authUrl = $client->getAuthorizationUrl(
             scopes: $scopes,
             state: $state,
@@ -368,6 +400,10 @@ private function handleAccountLinkCallback(
             );
         }
 
+        if ($flowData->redirectUrl !== '') {
+            return $this->redirect($flowData->redirectUrl);
+        }
+
         return $this->redirect($baseUrl . '/');
     }
 
