Restrict grant types

src/Bridge/ClientRepository.php

@@ -64,6 +64,10 @@ public function getClientEntity($clientIdentifier, $grantType = null,
      */
     protected function handlesGrant($record, $grantType)
     {
+        if (is_array($record->grant_types) && !in_array($grantType, $record->grant_types)) {
+            return false;
+        }
+
         switch ($grantType) {
             case 'authorization_code':
                 return ! $record->firstParty();

tests/BridgeClientRepositoryTest.php

@@ -5,35 +5,56 @@
 
 class BridgeClientRepositoryTest extends TestCase
 {
+    public function setUp()
+    {
+        $clientModelRepository = Mockery::mock(Laravel\Passport\ClientRepository::class);
+        $clientModelRepository->shouldReceive('findActive')->with(1)->andReturn(new BridgeClientRepositoryTestClientStub);
+
+        $this->clientModelRepository = $clientModelRepository;
+        $this->repository = new Laravel\Passport\Bridge\ClientRepository($clientModelRepository);
+    }
+
     public function tearDown()
     {
         Mockery::close();
     }
 
     public function test_can_get_client_for_auth_code_grant()
     {
-        $clients = Mockery::mock('Laravel\Passport\ClientRepository');
-        $client = new BridgeClientRepositoryTestClientStub;
-        $clients->shouldReceive('findActive')->with(1)->andReturn($client);
-        $repository = new ClientRepository($clients);
-
-        $client = $repository->getClientEntity(1, 'authorization_code', 'secret', true);
+        $client = $this->repository->getClientEntity(1, 'authorization_code', 'secret', true);
 
         $this->assertInstanceOf('Laravel\Passport\Bridge\Client', $client);
-        $this->assertNull($repository->getClientEntity(1, 'authorization_code', 'wrong-secret', true));
-        $this->assertNull($repository->getClientEntity(1, 'client_credentials', 'wrong-secret', true));
+        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'wrong-secret', true));
+        $this->assertNull($this->repository->getClientEntity(1, 'client_credentials', 'wrong-secret', true));
     }
 
     public function test_can_get_client_for_client_credentials_grant()
     {
-        $clients = Mockery::mock('Laravel\Passport\ClientRepository');
-        $client = new BridgeClientRepositoryTestClientStub;
+        $client = $this->clientModelRepository->findActive(1);
         $client->personal_access_client = true;
-        $clients->shouldReceive('findActive')->with(1)->andReturn($client);
-        $repository = new ClientRepository($clients);
 
-        $this->assertInstanceOf('Laravel\Passport\Bridge\Client', $repository->getClientEntity(1, 'client_credentials', 'secret', true));
-        $this->assertNull($repository->getClientEntity(1, 'authorization_code', 'secret', true));
+        $this->assertInstanceOf('Laravel\Passport\Bridge\Client', $this->repository->getClientEntity(1, 'client_credentials', 'secret', true));
+        $this->assertNull($this->repository->getClientEntity(1, 'authorization_code', 'secret', true));
+    }
+
+    public function test_password_only_client_is_permitted()
+    {
+        $client = $this->clientModelRepository->findActive(1);
+        $client->password_client = true;
+        $client->grants = ['password'];
+
+        $client = $this->repository->getClientEntity(1, 'password', 'secret');
+        $this->assertEquals('Client', $client->getName());
+    }
+
+    public function test_password_only_client_is_prevented()
+    {
+        $client = $this->clientModelRepository->findActive(1);
+        $client->password_client = true;
+        $client->grant_types = ['password'];
+
+        $client = $this->repository->getClientEntity(1, 'client_credentials', 'secret');
+        $this->assertNull($client);
     }
 }
 
@@ -44,6 +65,8 @@ class BridgeClientRepositoryTestClientStub
     public $secret = 'secret';
     public $personal_access_client = false;
     public $password_client = false;
+    public $grant_types;
+
     public function firstParty()
     {
         return $this->personal_access_client || $this->password_client;