brokenhandsio · vamsii777 · Aug 24, 2023 · Aug 24, 2023 · Aug 24, 2023 · Aug 24, 2023
diff --git a/Package.resolved b/Package.resolved
@@ -5,44 +5,44 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/swift-server/async-http-client.git",
       "state" : {
-        "revision" : "fc510a39cff61b849bf5cdff17eb2bd6d0777b49",
-        "version" : "1.11.5"
+        "revision" : "16f7e62c08c6969899ce6cc277041e868364e5cf",
+        "version" : "1.19.0"
       }
     },
     {
       "identity" : "async-kit",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/async-kit.git",
       "state" : {
-        "revision" : "c3329e444bafbb12d1d312af9191be95348a8175",
-        "version" : "1.13.0"
+        "revision" : "eab9edff78e8ace20bd7cb6e792ab46d54f59ab9",
+        "version" : "1.18.0"
       }
     },
     {
       "identity" : "console-kit",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/console-kit.git",
       "state" : {
-        "revision" : "a7e67a1719933318b5ab7eaaed355cde020465b1",
-        "version" : "4.5.0"
+        "revision" : "9a12000f4064a2bdc49068d7258292ec1bdc88fc",
+        "version" : "4.7.0"
       }
     },
     {
       "identity" : "multipart-kit",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/multipart-kit.git",
       "state" : {
-        "revision" : "0d55c35e788451ee27222783c7d363cb88092fab",
-        "version" : "4.5.2"
+        "revision" : "1adfd69df2da08f7931d4281b257475e32c96734",
+        "version" : "4.5.4"
       }
     },
     {
       "identity" : "routing-kit",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/routing-kit.git",
       "state" : {
-        "revision" : "ffac7b3a127ce1e85fb232f1a6271164628809ad",
-        "version" : "4.6.0"
+        "revision" : "e0539da5b60a60d7381f44cdcf04036f456cee2f",
+        "version" : "4.8.0"
       }
     },
     {
@@ -59,8 +59,8 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-atomics.git",
       "state" : {
-        "revision" : "919eb1d83e02121cdb434c7bfc1f0c66ef17febe",
-        "version" : "1.0.2"
+        "revision" : "6c89474e62719ddcc1e9614989fff2f68208fe10",
+        "version" : "1.1.0"
       }
     },
     {
@@ -77,80 +77,80 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-collections.git",
       "state" : {
-        "revision" : "f504716c27d2e5d4144fa4794b12129301d17729",
-        "version" : "1.0.3"
+        "revision" : "937e904258d22af6e447a0b72c0bc67583ef64a2",
+        "version" : "1.0.4"
       }
     },
     {
       "identity" : "swift-crypto",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-crypto.git",
       "state" : {
-        "revision" : "d9825fa541df64b1a7b182178d61b9a82730d01f",
-        "version" : "2.1.0"
+        "revision" : "60f13f60c4d093691934dc6cfdf5f508ada1f894",
+        "version" : "2.6.0"
       }
     },
     {
       "identity" : "swift-log",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-log.git",
       "state" : {
-        "revision" : "6fe203dc33195667ce1759bf0182975e4653ba1c",
-        "version" : "1.4.4"
+        "revision" : "532d8b529501fb73a2455b179e0bbb6d49b652ed",
+        "version" : "1.5.3"
       }
     },
     {
       "identity" : "swift-metrics",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-metrics.git",
       "state" : {
-        "revision" : "53be78637ecd165d1ddedc4e20de69b8f43ec3b7",
-        "version" : "2.3.2"
+        "revision" : "971ba26378ab69c43737ee7ba967a896cb74c0d1",
+        "version" : "2.4.1"
       }
     },
     {
       "identity" : "swift-nio",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-nio.git",
       "state" : {
-        "revision" : "b4e0a274f7f34210e97e2f2c50ab02a10b549250",
-        "version" : "2.41.1"
+        "revision" : "cf281631ff10ec6111f2761052aa81896a83a007",
+        "version" : "2.58.0"
       }
     },
     {
       "identity" : "swift-nio-extras",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-nio-extras.git",
       "state" : {
-        "revision" : "6c84d247754ad77487a6f0694273b89b83efd056",
-        "version" : "1.14.0"
+        "revision" : "0e0d0aab665ff1a0659ce75ac003081f2b1c8997",
+        "version" : "1.19.0"
       }
     },
     {
       "identity" : "swift-nio-http2",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-nio-http2.git",
       "state" : {
-        "revision" : "f9ab1c94c80d568efd762d2a638f25162691d766",
-        "version" : "1.22.1"
+        "revision" : "a8ccf13fa62775277a5d56844878c828bbb3be1a",
+        "version" : "1.27.0"
       }
     },
     {
       "identity" : "swift-nio-ssl",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-nio-ssl.git",
       "state" : {
-        "revision" : "ba7c0d7f82affc518147ea61d240330bf7f7ea9b",
-        "version" : "2.22.1"
+        "revision" : "320bd978cceb8e88c125dcbb774943a92f6286e9",
+        "version" : "2.25.0"
       }
     },
     {
       "identity" : "swift-nio-transport-services",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/apple/swift-nio-transport-services.git",
       "state" : {
-        "revision" : "4e02d9cf35cabfb538c96613272fb027dd0c8692",
-        "version" : "1.13.1"
+        "revision" : "e7403c35ca6bb539a7ca353b91cc2d8ec0362d58",
+        "version" : "1.19.0"
       }
     },
     {
@@ -167,17 +167,17 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/vapor.git",
       "state" : {
-        "revision" : "dda0de537e7906414dccd551e77095be1e34e3da",
-        "version" : "4.65.2"
+        "revision" : "1bb4a2ed94bec7a92f92e82896408c785d068f5c",
+        "version" : "4.79.0"
       }
     },
     {
       "identity" : "websocket-kit",
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/vapor/websocket-kit.git",
       "state" : {
-        "revision" : "2d9d2188a08eef4a869d368daab21b3c08510991",
-        "version" : "2.6.1"
+        "revision" : "53fe0639a98903858d0196b699720decb42aee7b",
+        "version" : "2.14.0"
       }
     }
   ],

diff --git a/Sources/VaporOAuth/DefaultImplementations/EmptyCodeManager.swift b/Sources/VaporOAuth/DefaultImplementations/EmptyCodeManager.swift
@@ -15,4 +15,14 @@ public struct EmptyCodeManager: CodeManager {
     }
 
     public func codeUsed(_ code: OAuthCode) {}
+
+    public func getDeviceCode(_ deviceCode: String) -> OAuthDeviceCode? {
+        return nil
+    }
+
+    public func generateDeviceCode(userID: String, clientID: String, scopes: [String]?) throws -> String {
+        return ""
+    }
+
+    public func deviceCodeUsed(_ deviceCode: OAuthDeviceCode) {}
 }
diff --git a/Sources/VaporOAuth/Models/OAuthDeviceCode.swift b/Sources/VaporOAuth/Models/OAuthDeviceCode.swift
@@ -0,0 +1,32 @@
+import Foundation
+
+public final class OAuthDeviceCode {
+    public let deviceCodeID: String
+    public let userCode: String
+    public let clientID: String
+    public let userID: String?
+    public let expiryDate: Date
+    public let scopes: [String]?
+
+    public var extend: [String: Any] = [:]
+
+    public init(
+        deviceCodeID: String,
+        userCode: String,
+        clientID: String,
+        userID: String?,
+        expiryDate: Date,
+        scopes: [String]?
+    ) {
+        self.deviceCodeID = deviceCodeID
+        self.userCode = userCode
+        self.clientID = clientID
+        self.userID = userID
+        self.expiryDate = expiryDate
+        self.scopes = scopes
+    }
+
+    public var isExpired: Bool {
+        return Date() > expiryDate
+    }
+}
diff --git a/Sources/VaporOAuth/Protocols/CodeManager.swift b/Sources/VaporOAuth/Protocols/CodeManager.swift
@@ -1,9 +1,44 @@
 /// Responsible for generating and managing OAuth Codes
 public protocol CodeManager {
+
+    /// Generates an OAuth code for the specified user, client, redirect URI, and scopes.
+    /// - Parameters:
+    ///   - userID: The ID of the user.
+    ///   - clientID: The ID of the client.
+    ///   - redirectURI: The redirect URI for the client.
+    ///   - scopes: Optional array of scopes.
+    /// - Returns: The generated OAuth code.
+    /// - Throws: An error if the code generation fails.
     func generateCode(userID: String, clientID: String, redirectURI: String, scopes: [String]?) async throws -> String
+
+    /// Retrieves the OAuth code associated with the specified code.
+    /// - Parameter code: The OAuth code.
+    /// - Returns: The associated OAuth code, or `nil` if not found.
+    /// - Throws: An error if the retrieval fails.
     func getCode(_ code: String) async throws -> OAuthCode?
-
-    // This is explicit to ensure that the code is marked as used or deleted (it could be implied that this is done when you call
-    // `getCode` but it is called explicitly to remind developers to ensure that codes can't be reused)
+
+    /// Marks the specified OAuth code as used or deleted.
+    /// - Parameter code: The OAuth code to mark as used or deleted.
+    /// - Throws: An error if the operation fails.
     func codeUsed(_ code: OAuthCode) async throws
+
+    /// Generates a device code for the specified user, client, and scopes.
+    /// - Parameters:
+    ///   - userID: The ID of the user.
+    ///   - clientID: The ID of the client.
+    ///   - scopes: Optional array of scopes.
+    /// - Returns: The generated device code.
+    /// - Throws: An error if the code generation fails.
+    func generateDeviceCode(userID: String, clientID: String, scopes: [String]?) async throws -> String
+
+    /// Retrieves the device code associated with the specified code.
+    /// - Parameter deviceCode: The device code.
+    /// - Returns: The associated device code, or `nil` if not found.
+    /// - Throws: An error if the retrieval fails.
+    func getDeviceCode(_ deviceCode: String) async throws -> OAuthDeviceCode?
+
+    /// Marks the specified device code as used or deleted.
+    /// - Parameter deviceCode: The device code to mark as used or deleted.
+    /// - Throws: An error if the operation fails.
+    func deviceCodeUsed(_ deviceCode: OAuthDeviceCode) async throws
 }
diff --git a/Sources/VaporOAuth/RouteHandlers/TokenHandler.swift b/Sources/VaporOAuth/RouteHandlers/TokenHandler.swift
@@ -8,6 +8,7 @@ struct TokenHandler {
     let tokenResponseGenerator: TokenResponseGenerator
     let authCodeTokenHandler: AuthCodeTokenHandler
     let passwordTokenHandler: PasswordTokenHandler
+    let deviceCodeTokenHandler: DeviceCodeTokenHandler
 
     init(clientValidator: ClientValidator, tokenManager: TokenManager, scopeValidator: ScopeValidator,
          codeManager: CodeManager, userManager: UserManager, logger: Logger) {
@@ -25,6 +26,9 @@ struct TokenHandler {
         passwordTokenHandler = PasswordTokenHandler(clientValidator: clientValidator, scopeValidator: scopeValidator,
                                                     userManager: userManager, logger: logger, tokenManager: tokenManager,
                                                     tokenResponseGenerator: tokenResponseGenerator)
+        deviceCodeTokenHandler = DeviceCodeTokenHandler(clientValidator: clientValidator, scopeValidator: scopeValidator, codeManager: codeManager,
+                                                        tokenManager: tokenManager,
+                                                        tokenResponseGenerator: tokenResponseGenerator)
     }
 
     func handleRequest(request: Request) async throws -> Response {
@@ -42,6 +46,8 @@ struct TokenHandler {
             return try await clientCredentialsTokenHandler.handleClientCredentialsTokenRequest(request)
         case OAuthFlowType.refresh.rawValue:
             return try await refreshTokenHandler.handleRefreshTokenRequest(request)
+        case OAuthFlowType.deviceCode.rawValue:
+            return try await deviceCodeTokenHandler.handleDeviceCodeTokenRequest(request)
         default:
             return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.unsupportedGrant,
                                                              description: "This server does not support the '\(grantType)' grant type")

diff --git a/Sources/VaporOAuth/RouteHandlers/TokenHandlers/DeviceCodeTokenHandler.swift b/Sources/VaporOAuth/RouteHandlers/TokenHandlers/DeviceCodeTokenHandler.swift
@@ -0,0 +1,64 @@
+import Vapor
+
+struct DeviceCodeTokenHandler {
+
+    let clientValidator: ClientValidator
+    let scopeValidator: ScopeValidator
+    let codeManager: CodeManager
+    let tokenManager: TokenManager
+    let tokenResponseGenerator: TokenResponseGenerator
+
+    func handleDeviceCodeTokenRequest(_ request: Request) async throws -> Response {
+        guard let deviceCodeString: String = request.content[OAuthRequestParameters.deviceCode] else {
+            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidRequest,
+                                                             description: "Request was missing the 'device_code' parameter")
+        }
+
+        guard let clientID: String = request.content[OAuthRequestParameters.clientID] else {
+            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidRequest,
+                                                             description: "Request was missing the 'client_id' parameter")
+        }
+
+        do {
+            try await clientValidator.authenticateClient(clientID: clientID, clientSecret: nil,
+                                                         grantType: .deviceCode)
+        } catch {
+            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidClient,
+                                                             description: "Request had invalid client credentials", status: .unauthorized)
+        }
+
+        guard let deviceCode = try await codeManager.getDeviceCode(deviceCodeString) else {
+            let errorDescription = "The device code provided was invalid or expired"
+            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidGrant,
+                                                             description: errorDescription)
+        }
+
+        if deviceCode.expiryDate < Date() {
+            let errorDescription = "The device code provided was invalid or expired"
+            return try tokenResponseGenerator.createResponse(error: "expired_token",
+                                                             description: errorDescription)
+        }
+
+        if let scopes = deviceCode.scopes {
+            do {
+                try await scopeValidator.validateScope(clientID: clientID, scopes: scopes)
+            } catch ScopeError.invalid, ScopeError.unknown {
+                return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidScope,
+                                                                 description: "Request contained an invalid or unknown scope")
+            }
+        }
+
+        try await codeManager.deviceCodeUsed(deviceCode)
+
+        let expiryTime = 3600
+
+        let (access, refresh) = try await tokenManager.generateAccessRefreshTokens(
+            clientID: clientID, userID: deviceCode.userID,
+            scopes: deviceCode.scopes,
+            accessTokenExpiryTime: expiryTime
+        )
+
+        return try tokenResponseGenerator.createResponse(accessToken: access, refreshToken: refresh, expires: Int(expiryTime),
+                                                         scope: deviceCode.scopes?.joined(separator: " "))
+    }
+}
diff --git a/Sources/VaporOAuth/Utilities/OAuthFlowType.swift b/Sources/VaporOAuth/Utilities/OAuthFlowType.swift
@@ -5,4 +5,5 @@ public enum OAuthFlowType: String {
     case clientCredentials = "client_credentials"
     case refresh = "refresh_token"
     case tokenIntrospection = "token_introspection"
+    case deviceCode = "urn:ietf:params:oauth:grant-type:device_code"
 }
diff --git a/Sources/VaporOAuth/Utilities/StringDefines.swift b/Sources/VaporOAuth/Utilities/StringDefines.swift
@@ -13,6 +13,7 @@ struct OAuthRequestParameters {
     static let usernname = "username"
     static let csrfToken = "csrfToken"
     static let token = "token"
+    static let deviceCode = "device_code"
 }
 
 struct OAuthResponseParameters {
@@ -39,6 +40,7 @@ struct OAuthResponseParameters {
         static let unsupportedGrant = "unsupported_grant_type"
         static let invalidGrant = "invalid_grant"
         static let missingToken = "missing_token"
+        static let expiredToken = "expired_token"
     }
 }