From 0d3545189fd33be242d2bed98bb00df8673668f1 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:50:00 +0200 Subject: [PATCH 01/15] remove primary key from userId --- init.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init.php b/init.php index 94c1b72..21e739a 100644 --- a/init.php +++ b/init.php @@ -24,7 +24,7 @@ function initDatabase() clientData TEXT NOT NULL )', 'CREATE TABLE IF NOT EXISTS allowedClients ( - userId VARCHAR(255) NOT NULL PRIMARY KEY, + userId VARCHAR(255) NOT NULL, clientId VARCHAR(255) NOT NULL )', 'CREATE TABLE IF NOT EXISTS userStorage ( From d398a9ac3bcf61c71d8729510c9c3802bf1b91fe Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:51:53 +0200 Subject: [PATCH 02/15] add upgrade script to fix the db --- upgrade/0.4.1/upgrade.php | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 upgrade/0.4.1/upgrade.php diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php new file mode 100644 index 0000000..575f5a9 --- /dev/null +++ b/upgrade/0.4.1/upgrade.php @@ -0,0 +1,30 @@ +exec($statement); + } + } catch(\PDOException $e) { + echo $e->getMessage(); + } +} + +upgradeDatabase(); From 9f1ec218fbe8406f60e45be6073b02b7f6e6787c Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:53:55 +0200 Subject: [PATCH 03/15] remove client secret if the token endpoint has no auth --- lib/Server.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/Server.php b/lib/Server.php index 204f5ab..d67509d 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -73,6 +73,13 @@ public static function getConfigClient() $registeredClient = ClientRegistration::getRegistration($clientId); } if (isset($registeredClient)) { + /* + If the token_endpoint_auth_method is 'none', this means we are dealing with a public client that is not able to securely store the client secret. + In that case, we remove the client_secret so we treat the client as a public client + */ + if ($registeredClient['token_endpoint_auth_method'] === "none") { + unset($registeredClient['client_secret']); + } return new ConfigClient( $clientId, $registeredClient['client_secret'] ?? '', From 4759ee9ca8e60a458eba410d9cbe1c26d75c6646 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:55:41 +0200 Subject: [PATCH 04/15] fix client registration for public clients (with token_endpoint_auth_method=none) --- lib/Routes/SolidIdp.php | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/lib/Routes/SolidIdp.php b/lib/Routes/SolidIdp.php index 9e628bc..0ccf3a8 100644 --- a/lib/Routes/SolidIdp.php +++ b/lib/Routes/SolidIdp.php @@ -128,12 +128,14 @@ public static function respondToRegister() $generatedClientId = bin2hex(random_bytes(16)); // 32 chars for the client Id - $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret $clientData['client_id_issued_at'] = time(); $clientData['client_id'] = $generatedClientId; - $clientData['client_secret'] = $generatedClientSecret; $clientData['origin'] = $origin; + if ($clientData['token_endpoint_auth_method'] !== 'none') { // generate and use secret if we have token endpoint authentication + $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret + $clientData['client_secret'] = $generatedClientSecret; + } ClientRegistration::saveClientRegistration($clientData); $client = ClientRegistration::getRegistration($generatedClientId); @@ -141,16 +143,20 @@ public static function respondToRegister() $responseData = array( 'redirect_uris' => $client['redirect_uris'], 'client_id' => $client['client_id'], - 'client_secret' => $client['client_secret'], 'response_types' => array('code'), 'grant_types' => array('authorization_code', 'refresh_token'), 'application_type' => $client['application_type'] ?? 'web', 'client_name' => $client['client_name'] ?? $client['client_id'], 'id_token_signed_response_alg' => 'RS256', - 'token_endpoint_auth_method' => 'client_secret_basic', - 'client_id_issued_at' => $client['client_id_issued_at'], - 'client_secret_expires_at' => 0 + 'client_id_issued_at' => $client['client_id_issued_at'] ); + if (isset($client['client_secret'])) { + $responseData['client_secret'] = $client['client_secret']; + $responseData['token_endpoint_auth_method'] = 'client_secret_basic'; + $responseData['client_secret_expires_at'] = 0; + } else { + $responseData['token_endpoint_auth_method'] = 'none'; // No client secret means we can't authenticate on the token endpoint; + } header("HTTP/1.1 201 Created"); header("Content-type: application/json"); echo json_encode($responseData, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR); From f83a86d779c5e36d07debdc8ccb17d9203742f74 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:58:07 +0200 Subject: [PATCH 05/15] whitespace --- lib/Server.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Server.php b/lib/Server.php index d67509d..f6731b3 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -74,8 +74,8 @@ public static function getConfigClient() } if (isset($registeredClient)) { /* - If the token_endpoint_auth_method is 'none', this means we are dealing with a public client that is not able to securely store the client secret. - In that case, we remove the client_secret so we treat the client as a public client + If the token_endpoint_auth_method is 'none', this means we are dealing with a public client that is not able to securely store the client secret. + In that case, we remove the client_secret so we treat the client as a public client */ if ($registeredClient['token_endpoint_auth_method'] === "none") { unset($registeredClient['client_secret']); From 7c4f77ffc78e22cda6ea28aa6ea0dec36841b70b Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 11:58:32 +0200 Subject: [PATCH 06/15] whitespace --- upgrade/0.4.1/upgrade.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php index 575f5a9..075acbf 100644 --- a/upgrade/0.4.1/upgrade.php +++ b/upgrade/0.4.1/upgrade.php @@ -6,25 +6,25 @@ function upgradeDatabase() { - $statements = [ - 'BEGIN TRANSACTION', - 'CREATE TABLE allowedClients_new (userId VARCHAR(255) NOT NULL, clientId VARCHAR(255) NOT NULL)', - 'INSERT INTO allowedClients_new (userId, clientId) SELECT userId, clientId FROM allowedClients', - 'DROP TABLE allowedClients', - 'ALTER TABLE allowedClients_new RENAME TO allowedClients', - 'COMMIT' - ]; + $statements = [ + 'BEGIN TRANSACTION', + 'CREATE TABLE allowedClients_new (userId VARCHAR(255) NOT NULL, clientId VARCHAR(255) NOT NULL)', + 'INSERT INTO allowedClients_new (userId, clientId) SELECT userId, clientId FROM allowedClients', + 'DROP TABLE allowedClients', + 'ALTER TABLE allowedClients_new RENAME TO allowedClients', + 'COMMIT' + ]; - try { - $pdo = new \PDO("sqlite:" . DBPATH); + try { + $pdo = new \PDO("sqlite:" . DBPATH); - // create tables - foreach($statements as $statement){ - $pdo->exec($statement); - } - } catch(\PDOException $e) { - echo $e->getMessage(); - } + // create tables + foreach($statements as $statement){ + $pdo->exec($statement); + } + } catch(\PDOException $e) { + echo $e->getMessage(); + } } upgradeDatabase(); From d0558feb364e589bdce9e93bbed17861938b4344 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 13:41:49 +0200 Subject: [PATCH 07/15] codesniffer --- upgrade/0.4.1/upgrade.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php index 075acbf..ad31f94 100644 --- a/upgrade/0.4.1/upgrade.php +++ b/upgrade/0.4.1/upgrade.php @@ -1,4 +1,5 @@ exec($statement); } - } catch(\PDOException $e) { + } catch (\PDOException $e) { echo $e->getMessage(); } } From 6283d271409fe95763519713ddaf98a2c20cf63b Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 13:43:34 +0200 Subject: [PATCH 08/15] codesniffer --- lib/Server.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/Server.php b/lib/Server.php index f6731b3..8b55d18 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -74,8 +74,12 @@ public static function getConfigClient() } if (isset($registeredClient)) { /* - If the token_endpoint_auth_method is 'none', this means we are dealing with a public client that is not able to securely store the client secret. - In that case, we remove the client_secret so we treat the client as a public client + If the token_endpoint_auth_method is 'none', + this means we are dealing with a public + client that is not able to securely store + the client secret. In that case, we remove + the client_secret so we treat the client as + a public client */ if ($registeredClient['token_endpoint_auth_method'] === "none") { unset($registeredClient['client_secret']); From 9e94078ad676c7f93be68e088dd0fd6d198eac69 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Mon, 6 Jul 2026 13:44:47 +0200 Subject: [PATCH 09/15] ignore side effects and symbols --- upgrade/0.4.1/upgrade.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php index ad31f94..56344d8 100644 --- a/upgrade/0.4.1/upgrade.php +++ b/upgrade/0.4.1/upgrade.php @@ -1,5 +1,7 @@ Date: Tue, 7 Jul 2026 11:01:54 +0200 Subject: [PATCH 10/15] split functions and calls --- upgrade/0.4.1/upgrade.functions.php | 29 ++++++++++++++++++++++++++++ upgrade/0.4.1/upgrade.php | 30 +---------------------------- 2 files changed, 30 insertions(+), 29 deletions(-) create mode 100644 upgrade/0.4.1/upgrade.functions.php diff --git a/upgrade/0.4.1/upgrade.functions.php b/upgrade/0.4.1/upgrade.functions.php new file mode 100644 index 0000000..0b56e33 --- /dev/null +++ b/upgrade/0.4.1/upgrade.functions.php @@ -0,0 +1,29 @@ +exec($statement); + } + } catch (\PDOException $e) { + echo $e->getMessage(); + } +} diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php index 56344d8..c19c019 100644 --- a/upgrade/0.4.1/upgrade.php +++ b/upgrade/0.4.1/upgrade.php @@ -1,33 +1,5 @@ exec($statement); - } - } catch (\PDOException $e) { - echo $e->getMessage(); - } -} +require_once(__DIR__ . "/upgrade.functions.php"); upgradeDatabase(); From 80f74c8e74863839434395f839e7ad6cd3d4aff0 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Tue, 7 Jul 2026 11:06:39 +0200 Subject: [PATCH 11/15] move stuff around --- upgrade/0.4.1/upgrade.functions.php | 1 - upgrade/0.4.1/upgrade.php | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/upgrade/0.4.1/upgrade.functions.php b/upgrade/0.4.1/upgrade.functions.php index 0b56e33..9729c3c 100644 --- a/upgrade/0.4.1/upgrade.functions.php +++ b/upgrade/0.4.1/upgrade.functions.php @@ -1,6 +1,5 @@ Date: Tue, 7 Jul 2026 11:11:36 +0200 Subject: [PATCH 12/15] useless split --- upgrade/0.4.1/upgrade.functions.php | 4 ---- upgrade/0.4.1/upgrade.php | 3 +++ 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/upgrade/0.4.1/upgrade.functions.php b/upgrade/0.4.1/upgrade.functions.php index 9729c3c..f2d76d5 100644 --- a/upgrade/0.4.1/upgrade.functions.php +++ b/upgrade/0.4.1/upgrade.functions.php @@ -1,9 +1,5 @@ Date: Tue, 7 Jul 2026 11:21:06 +0200 Subject: [PATCH 13/15] check if the value is set, it is not a required value --- lib/Routes/SolidIdp.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/Routes/SolidIdp.php b/lib/Routes/SolidIdp.php index 0ccf3a8..6effd9d 100644 --- a/lib/Routes/SolidIdp.php +++ b/lib/Routes/SolidIdp.php @@ -132,7 +132,10 @@ public static function respondToRegister() $clientData['client_id_issued_at'] = time(); $clientData['client_id'] = $generatedClientId; $clientData['origin'] = $origin; - if ($clientData['token_endpoint_auth_method'] !== 'none') { // generate and use secret if we have token endpoint authentication + if ( + (!isset($clientData['token_endpoint_auth_method'])) || // if not set, assume we have to add a client secret; + ($clientData['token_endpoint_auth_method'] !== 'none') + ) { // generate and use secret if we have token endpoint authentication $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret $clientData['client_secret'] = $generatedClientSecret; } From 2de12502ab68bbe50cfeda6caa2249db640e4dc2 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Tue, 7 Jul 2026 11:46:40 +0200 Subject: [PATCH 14/15] make it optional --- lib/Server.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/Server.php b/lib/Server.php index 8b55d18..98a1ed7 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -81,7 +81,10 @@ public static function getConfigClient() the client_secret so we treat the client as a public client */ - if ($registeredClient['token_endpoint_auth_method'] === "none") { + if ( + isset($registeredClient['token_endpoint_auth_method']) && + ($registeredClient['token_endpoint_auth_method'] === "none") + ) { unset($registeredClient['client_secret']); } return new ConfigClient( From f0a906ae725a43368f24788b6c3112ea5c976f50 Mon Sep 17 00:00:00 2001 From: Yvo Brevoort Date: Fri, 10 Jul 2026 11:49:29 +0200 Subject: [PATCH 15/15] bump php-solid-auth --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index a403b67..1099572 100644 --- a/composer.json +++ b/composer.json @@ -15,7 +15,7 @@ } ], "require": { - "pdsinterop/solid-auth": "v0.14.1", + "pdsinterop/solid-auth": "v0.14.2", "pdsinterop/solid-crud": "v0.8.4", "phpmailer/phpmailer": "^6.10", "sweetrdf/easyrdf": "~1.15.0",