fix(client-login-flow): Handle missing stateToken gracefully 36552/head
authorChristoph Wurst <christoph@winzerhof-wurst.at>
Mon, 6 Feb 2023 08:42:15 +0000 (09:42 +0100)
committerChristoph Wurst <christoph@winzerhof-wurst.at>
Mon, 6 Feb 2023 08:42:15 +0000 (09:42 +0100)
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
core/Controller/ClientFlowLoginV2Controller.php
tests/Core/Controller/ClientFlowLoginV2ControllerTest.php

index d476b0cdc0323a29321bda8bc7994065192e77bb..613829787b46d87a00253c1b13d0d57b5bf085bd 100644 (file)
@@ -150,7 +150,10 @@ class ClientFlowLoginV2Controller extends Controller {
         * @NoSameSiteCookieRequired
         */
        #[UseSession]
-       public function grantPage(string $stateToken): StandaloneTemplateResponse {
+       public function grantPage(?string $stateToken): StandaloneTemplateResponse {
+               if ($stateToken === null) {
+                       return $this->stateTokenMissingResponse();
+               }
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
@@ -182,7 +185,11 @@ class ClientFlowLoginV2Controller extends Controller {
        /**
         * @PublicPage
         */
-       public function apptokenRedirect(string $stateToken, string $user, string $password) {
+       public function apptokenRedirect(?string $stateToken, string $user, string $password) {
+               if ($stateToken === null) {
+                       return $this->loginTokenForbiddenResponse();
+               }
+
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
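Review bot: The null guard added at the top of apptokenRedirect returns loginTokenForbiddenResponse(), whereas the equivalent guards added to grantPage and generateAppPassword return stateTokenMissingResponse(); unless the divergence is intended for this public endpoint, a request without a state token gets an error page about the login token instead of the missing state token. If it is a copy-paste slip, `return $this->stateTokenMissingResponse();` would make the three entry points agree. The method also still has no declared return type while its two siblings do, and its body continues outside the hunk.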
@@ -225,7 +232,10 @@ class ClientFlowLoginV2Controller extends Controller {
         * @NoAdminRequired
         */
        #[UseSession]
-       public function generateAppPassword(string $stateToken): Response {
+       public function generateAppPassword(?string $stateToken): Response {
+               if ($stateToken === null) {
+                       return $this->stateTokenMissingResponse();
+               }
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
@@ -298,6 +308,19 @@ class ClientFlowLoginV2Controller extends Controller {
                return hash_equals($currentToken, $stateToken);
        }
 
+       private function stateTokenMissingResponse(): StandaloneTemplateResponse {
+               $response = new StandaloneTemplateResponse(
+                       $this->appName,
+                       '403',
+                       [
+                               'message' => $this->l10n->t('State token missing'),
+                       ],
+                       'guest'
+               );
+               $response->setStatus(Http::STATUS_FORBIDDEN);
+               return $response;
+       }
+
        private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
                $response = new StandaloneTemplateResponse(
                        $this->appName,
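Review bot: stateTokenMissingResponse duplicates the construction visible in stateTokenForbiddenResponse right below it (same app name, same '403' template, same 'guest' render mode, same Http::STATUS_FORBIDDEN), with only the translated message differing; a second copy of this pattern is a sign the message should be a parameter. Extracting a private helper that takes the message keeps each wrapper to one line and ensures a later change to the error template or status applies to both. stateTokenForbiddenResponse's body continues outside the hunk, so whether it can delegate unchanged is inferred from the visible lines only.
```php
	private function stateTokenMissingResponse(): StandaloneTemplateResponse {
		return $this->forbiddenGuestResponse($this->l10n->t('State token missing'));
	}

	private function forbiddenGuestResponse(string $message): StandaloneTemplateResponse {
		$response = new StandaloneTemplateResponse(
			$this->appName,
			'403',
			['message' => $message],
			'guest'
		);
		$response->setStatus(Http::STATUS_FORBIDDEN);
		return $response;
	}
```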
index 2f5cc507378b916e4f65e3484dd1b044673dffea..a1f50e328dd00040a72fd6e910703425b6ce0cd8 100644 (file)
@@ -187,6 +187,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
                $this->controller->showAuthPickerPage();
        }
 
+       public function testGrantPageNoStateToken(): void {
+               $result = $this->controller->grantPage(null);
+
+               $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
+       }
+
        public function testGrantPageInvalidStateToken() {
                $this->session->method('get')
                        ->willReturnCallback(function ($name) {
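Review bot: Only grantPage(null) is covered by the new test; generateAppPassword(null) takes the same stateTokenMissingResponse() path and apptokenRedirect(null, …) takes a different one (loginTokenForbiddenResponse()), and neither is asserted, so a regression in either guard would still pass this suite. A test for generateAppPassword can mirror testGrantPageNoStateToken exactly; for apptokenRedirect the expected status depends on loginTokenForbiddenResponse, which is outside the hunk, so assert whatever status that helper sets. The enclosing test class continues outside the hunk.
```php
	public function testGenerateAppPasswordNoStateToken(): void {
		$result = $this->controller->generateAppPassword(null);

		$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
	}
```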