From 041c8c96cecd19cf0bb9823a7a996b5526280fdc Mon Sep 17 00:00:00 2001
From: Alexander Ustimenko <ustimenko.alexander@gmail.com>
Date: Mon, 8 Dec 2025 23:22:25 +0700
Subject: [PATCH] Extract TrustedEsiaAccessToken for operations without
 sign/verify

---
 src/Token/EsiaAccessToken.php        | 25 +------------------
 src/Token/TrustedEsiaAccessToken.php | 36 ++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 24 deletions(-)
 create mode 100644 src/Token/TrustedEsiaAccessToken.php

diff --git a/src/Token/EsiaAccessToken.php b/src/Token/EsiaAccessToken.php
index 2f4a598..575e9c0 100644
--- a/src/Token/EsiaAccessToken.php
+++ b/src/Token/EsiaAccessToken.php
@@ -2,41 +2,18 @@
 
 namespace Ekapusta\OAuth2Esia\Token;
 
-use Ekapusta\OAuth2Esia\Interfaces\Token\ScopedTokenInterface;
 use InvalidArgumentException;
-use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer;
 use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\ValidationData;
-use League\OAuth2\Client\Token\AccessToken;
 
-class EsiaAccessToken extends AccessToken implements ScopedTokenInterface
+class EsiaAccessToken extends TrustedEsiaAccessToken
 {
-    private $parsedToken;
-
     public function __construct(array $options, $publicKeyPath, Signer $signer)
     {
         parent::__construct($options);
 
-        $this->parsedToken = (new Parser())->parse($this->accessToken);
-        $this->resourceOwnerId = $this->parsedToken->getClaim('urn:esia:sbj_id');
-
-        if (!$this->parsedToken->validate(new ValidationData())) {
-            throw new InvalidArgumentException('Access token is invalid: '.var_export($options, true));
-        }
-
         if (!$this->parsedToken->verify($signer, new Key(file_get_contents($publicKeyPath)))) {
             throw new InvalidArgumentException('Access token can not be verified: '.var_export($options, true));
         }
     }
-
-    public function getScopes()
-    {
-        $scopes = [];
-        foreach (explode(' ', $this->parsedToken->getClaim('scope', '')) as $scope) {
-            $scopes[] = parse_url($scope, PHP_URL_PATH);
-        }
-
-        return $scopes;
-    }
 }
diff --git a/src/Token/TrustedEsiaAccessToken.php b/src/Token/TrustedEsiaAccessToken.php
new file mode 100644
index 0000000..8653581
--- /dev/null
+++ b/src/Token/TrustedEsiaAccessToken.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace Ekapusta\OAuth2Esia\Token;
+
+use Ekapusta\OAuth2Esia\Interfaces\Token\ScopedTokenInterface;
+use InvalidArgumentException;
+use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\ValidationData;
+use League\OAuth2\Client\Token\AccessToken;
+
+class TrustedEsiaAccessToken extends AccessToken implements ScopedTokenInterface
+{
+    protected $parsedToken;
+
+    public function __construct(array $options)
+    {
+        parent::__construct($options);
+
+        $this->parsedToken = (new Parser())->parse($this->accessToken);
+        $this->resourceOwnerId = $this->parsedToken->getClaim('urn:esia:sbj_id');
+
+        if (!$this->parsedToken->validate(new ValidationData())) {
+            throw new InvalidArgumentException('Access token is invalid: '.var_export($options, true));
+        }
+    }
+
+    public function getScopes()
+    {
+        $scopes = [];
+        foreach (explode(' ', $this->parsedToken->getClaim('scope', '')) as $scope) {
+            $scopes[] = parse_url($scope, PHP_URL_PATH);
+        }
+
+        return $scopes;
+    }
+}