mirror of
https://github.com/nextcloud/server.git
synced 2026-04-26 00:27:49 -04:00
Merge pull request #36552 from nextcloud/fix/client-login-flow/missing-state-token
fix(client-login-flow): Handle missing stateToken gracefully
This commit is contained in:
Christoph Wurst
GitHub
commit
eca7ab3221
2 changed files with 32 additions and 3 deletions
|
|
@ -150,7 +150,10 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
* @NoSameSiteCookieRequired
|
||||
*/
|
||||
#[UseSession]
|
||||
public function grantPage(string $stateToken): StandaloneTemplateResponse {
|
||||
public function grantPage(?string $stateToken): StandaloneTemplateResponse {
|
||||
if ($stateToken === null) {
|
||||
return $this->stateTokenMissingResponse();
|
||||
}
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -182,7 +185,11 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
/**
|
||||
* @PublicPage
|
||||
*/
|
||||
public function apptokenRedirect(string $stateToken, string $user, string $password) {
|
||||
public function apptokenRedirect(?string $stateToken, string $user, string $password) {
|
||||
if ($stateToken === null) {
|
||||
return $this->loginTokenForbiddenResponse();
|
||||
}
|
||||
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -225,7 +232,10 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
* @NoAdminRequired
|
||||
*/
|
||||
#[UseSession]
|
||||
public function generateAppPassword(string $stateToken): Response {
|
||||
public function generateAppPassword(?string $stateToken): Response {
|
||||
if ($stateToken === null) {
|
||||
return $this->stateTokenMissingResponse();
|
||||
}
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -298,6 +308,19 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
return hash_equals($currentToken, $stateToken);
|
||||
}
|
||||
|
||||
private function stateTokenMissingResponse(): StandaloneTemplateResponse {
|
||||
$response = new StandaloneTemplateResponse(
|
||||
$this->appName,
|
||||
'403',
|
||||
[
|
||||
'message' => $this->l10n->t('State token missing'),
|
||||
],
|
||||
'guest'
|
||||
);
|
||||
$response->setStatus(Http::STATUS_FORBIDDEN);
|
||||
return $response;
|
||||
}
|
||||
|
||||
private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
|
||||
$response = new StandaloneTemplateResponse(
|
||||
$this->appName,
|
||||
|
|
|
|||
|
|
@ -187,6 +187,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
|
|||
$this->controller->showAuthPickerPage();
|
||||
}
|
||||
|
||||
public function testGrantPageNoStateToken(): void {
|
||||
$result = $this->controller->grantPage(null);
|
||||
|
||||
$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
|
||||
}
|
||||
|
||||
public function testGrantPageInvalidStateToken() {
|
||||
$this->session->method('get')
|
||||
->willReturnCallback(function ($name) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue