feat: referer -> origin fallback

Signed-off-by: romanetar <roman_ag@hotmail.com>

Author: romanetar

app/Http/Middleware/OAuth2BearerAccessTokenRequestValidator.php

@@ -132,12 +132,8 @@ public function handle($request, Closure $next)
             }
 
             Log::debug($request->headers->__toString());
-            // http://tools.ietf.org/id/draft-abarth-origin-03.html
-            $origin = $request->headers->has('Origin') ? $request->headers->get('Origin') : null;
-            if (!empty($origin)) {
-                $nm = new Normalizer($origin);
-                $origin = $nm->normalize();
-            }
+
+            $origin = RequestUtils::getOrigin($request);
 
             //check first http basic auth header
             $auth_header = isset($this->headers['authorization']) ? $this->headers['authorization'] : null;

app/libs/Utils/RequestUtils.php

@@ -11,16 +11,22 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
+
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Log;
+use OAuth2\Exceptions\OAuth2ResourceServerException;
+use OAuth2\OAuth2Protocol;
+use URL\Normalizer;
+
 /**
  * Class RequestUtils
  * @package libs\utils
  */
 final class RequestUtils {
 
     /**
-     * @param \Illuminate\Http\Request $request
+     * @param Request $request
      * @return bool|string
      */
     public static function getCurrentRoutePath($request)
@@ -42,4 +48,37 @@ public static function getCurrentRoutePath($request)
         return false;
     }
 
+    /**
+     * @param Request $request
+     * @return string|null
+     * @throws OAuth2ResourceServerException
+     */
+    public static function getOrigin(Request $request): ?string
+    {
+        // http://tools.ietf.org/id/draft-abarth-origin-03.html
+        $origin = $request->headers->get('Origin');
+        $referer = $request->headers->get('Referer');
+
+        if (!empty($origin) && !empty($referer) &&
+            parse_url($origin, PHP_URL_HOST) != parse_url($referer, PHP_URL_HOST))
+        {
+            Log::warning('OAuth2BearerAccessTokenRequestValidator::handle Origin and Referrer mismatch');
+            throw new OAuth2ResourceServerException(
+                403,
+                OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
+                'Origin and Referrer mismatch'
+            );
+        }
+        if (empty($origin) && !empty($referer)) {
+            $referer_parts = parse_url($referer);
+            $origin = $referer_parts['scheme'] . '://' . $referer_parts['host'];
+            if (!empty($origin)) {
+                Log::warning('OAuth2BearerAccessTokenRequestValidator::Origin header not present. Using normalized Referer as fallback: ' . $origin);
+            }
+        }
+        if (!empty($origin)) {
+            $origin = (new Normalizer($origin))->normalize();
+        }
+        return $origin;
+    }
 }