Block the request to issue new tokens if an invalid provider is given.

src/Http/Middleware/AddCustomProvider.php

@@ -4,6 +4,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use League\OAuth2\Server\Exception\OAuthServerException;
 
 class AddCustomProvider
 {
@@ -20,21 +21,25 @@ class AddCustomProvider
      * is used by Laravel Passport to get the correct model on access token
      * creation.
      *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
+     * @param  \Illuminate\Http\Request $request
+     * @param  \Closure $next
+     *
      * @return mixed
+     *
+     * @throws OAuthServerException
      */
     public function handle(Request $request, Closure $next)
     {
         $this->defaultApiProvider = config('auth.guards.api.provider');
 
-        $params = $request->all();
-        if (array_key_exists('provider', $params)) {
-            if (! is_null($params['provider'])) {
-                config(['auth.guards.api.provider' => $params['provider']]);
-            }
+        $provider = $request->get('provider');
+
+        if ($this->invalidProvider($provider)) {
+            throw OAuthServerException::invalidRequest('provider');
         }
 
+        config(['auth.guards.api.provider' => $provider]);
+
         return $next($request);
     }
 
@@ -51,4 +56,26 @@ public function terminate()
     {
         config(['auth.guards.api.provider' => $this->defaultApiProvider]);
     }
+
+    /**
+     * Check if the given provider is not registered in the auth configuration file.
+     *
+     * @param $provider
+     *
+     * @return bool
+     */
+    protected function invalidProvider($provider)
+    {
+        if (is_null($provider)) {
+            return true;
+        }
+
+        foreach (config('auth.guards') as $guardsConfiguration) {
+            if ($guardsConfiguration['provider'] === $provider) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

tests/Unit/AddCustomProviderTest.php

@@ -5,6 +5,7 @@
 use Mockery;
 use Illuminate\Http\Request;
 use SMartins\PassportMultiauth\Tests\TestCase;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use SMartins\PassportMultiauth\Http\Middleware\AddCustomProvider;
 
 class AddCustomProviderTest extends TestCase
@@ -24,10 +25,11 @@ public function tearDown()
 
     public function testIfApiProviderOnAuthWasSetCorrectly()
     {
+        // We'll push a fake testing provider in the auth config registered in the app..
+        config(['auth.guards.testing.provider' => 'companies']);
+
         $request = Mockery::mock(Request::class);
-        $request->shouldReceive('all')->andReturn([
-            'provider' => 'companies',
-        ]);
+        $request->shouldReceive('get')->andReturn('companies')->with('provider');
 
         $middleware = new AddCustomProvider();
         $middleware->handle($request, function () {
@@ -40,4 +42,30 @@ public function testIfApiProviderOnAuthWasSetCorrectly()
         $middleware->terminate();
         $this->assertEquals(config('auth.guards.api.provider'), 'users');
     }
+
+    public function testPassNotExistentProvider()
+    {
+        $this->expectException(OAuthServerException::class);
+
+        $request = Mockery::mock(Request::class);
+        $request->shouldReceive('get')->andReturn('not_found')->with('provider');
+
+        $middleware = new AddCustomProvider();
+        $middleware->handle($request, function () {
+            return 'response';
+        });
+    }
+
+    public function testDoNotPassProviderToRequest()
+    {
+        $this->expectException(OAuthServerException::class);
+
+        $request = Mockery::mock(Request::class);
+        $request->shouldReceive('get')->andReturn(null)->with('provider');
+
+        $middleware = new AddCustomProvider();
+        $middleware->handle($request, function () {
+            return 'response';
+        });
+    }
 }