fix(client-login-flow): Handle missing stateToken gracefully 36585/head
authorChristoph Wurst <christoph@winzerhof-wurst.at>
Mon, 6 Feb 2023 08:42:15 +0000 (09:42 +0100)
committerMichaIng (Rebase PR Action) <micha@dietpi.com>
Mon, 27 Feb 2023 16:10:15 +0000 (16:10 +0000)
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
core/Controller/ClientFlowLoginV2Controller.php
tests/Core/Controller/ClientFlowLoginV2ControllerTest.php

index 4df94a28d6a1ed62eb03b1e6d18a1d99b69aec0b..51163d200f5ad6eafe1001402597b1b49adc9414 100644 (file)
@@ -149,7 +149,10 @@ class ClientFlowLoginV2Controller extends Controller {
         * @NoCSRFRequired
         * @NoSameSiteCookieRequired
         */
-       public function grantPage(string $stateToken): StandaloneTemplateResponse {
+       public function grantPage(?string $stateToken): StandaloneTemplateResponse {
+               if ($stateToken === null) {
+                       return $this->stateTokenMissingResponse();
+               }
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
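Review bot: The new guard only handles a token missing from the request; the session-side token is still passed unchecked into the comparison in isValidStateToken (`hash_equals($currentToken, $stateToken)`, visible further down), and hash_equals() raises a TypeError on PHP 8 when given a non-string. If $currentToken can be null for a session in which no login flow was started, that path still produces a 500 rather than the 403 this commit is aiming for, so isValidStateToken should bail out first, e.g. `if (!is_string($currentToken)) { return false; }`. I cannot confirm from this hunk how $currentToken is loaded, so please verify against the full method. grantPage's body continues past the end of this hunk.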
@@ -181,7 +184,11 @@ class ClientFlowLoginV2Controller extends Controller {
        /**
         * @PublicPage
         */
-       public function apptokenRedirect(string $stateToken, string $user, string $password) {
+       public function apptokenRedirect(?string $stateToken, string $user, string $password) {
+               if ($stateToken === null) {
+                       return $this->stateTokenMissingResponse();
+               }
+
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
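Review bot: $user and $password remain non-nullable `string` in the signature, so a request to this @PublicPage endpoint that omits either one still hits the same uncaught TypeError the commit removes for $stateToken, assuming the router passes null for absent parameters as the change to `?string $stateToken` implies. Since this route is reachable without any session, consider declaring them `?string` as well and answering with an explicit error response (the state-token check should still run first, as it does now, so credentials are never examined for an unbound flow). As a minor style point, the blank line after the guard differs from the two sibling methods, which have none. apptokenRedirect's body continues past the end of this hunk.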
@@ -224,7 +231,10 @@ class ClientFlowLoginV2Controller extends Controller {
         * @NoAdminRequired
         * @UseSession
         */
-       public function generateAppPassword(string $stateToken): Response {
+       public function generateAppPassword(?string $stateToken): Response {
+               if ($stateToken === null) {
+                       return $this->stateTokenMissingResponse();
+               }
                if (!$this->isValidStateToken($stateToken)) {
                        return $this->stateTokenForbiddenResponse();
                }
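Review bot: An empty `stateToken=` parameter, which is what a form posts for a blank field, arrives as `''` rather than null, so it bypasses the new "missing" branch and lands in stateTokenForbiddenResponse instead. If the distinction between missing and invalid is meant to be user-visible, widen the guard to `if ($stateToken === null || $stateToken === '') {`; the result is still a 403 either way, so this is about the message, not access. The same applies to the identical guards added to grantPage and apptokenRedirect. generateAppPassword's body continues past the end of this hunk.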
@@ -297,6 +307,19 @@ class ClientFlowLoginV2Controller extends Controller {
                return hash_equals($currentToken, $stateToken);
        }
 
+       private function stateTokenMissingResponse(): StandaloneTemplateResponse {
+               $response = new StandaloneTemplateResponse(
+                       $this->appName,
+                       '403',
+                       [
+                               'message' => $this->l10n->t('State token missing'),
+                       ],
+                       'guest'
+               );
+               $response->setStatus(Http::STATUS_FORBIDDEN);
+               return $response;
+       }
+
        private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
                $response = new StandaloneTemplateResponse(
                        $this->appName,
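Review bot: stateTokenMissingResponse is a copy of stateTokenForbiddenResponse that differs only in the translated message, so the template name, the `'guest'` layout and the status code now live in two places and will drift. A single private helper taking the message, e.g. `forbiddenResponse(string $message)`, keeps one source of truth; the new method then collapses to `return $this->forbiddenResponse($this->l10n->t('State token missing'));` and the existing one changes the same way. A short doc comment would also help the next reader tell the two apart: `/** 403 page for a request that carried no stateToken at all (as opposed to an invalid one). */`. stateTokenForbiddenResponse is cut off at the end of this hunk.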
index 53d5f392ac647fb8448495e07d06e3712238a50d..9c6fb8398b38e018efee326d8ed128cfe5fdf6b5 100644 (file)
@@ -188,6 +188,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
                $this->controller->showAuthPickerPage();
        }
 
+       public function testGrantPageNoStateToken(): void {
+               $result = $this->controller->grantPage(null);
+
+               $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
+       }
+
        public function testGrantPageInvalidStateToken() {
                $this->session->method('get')
                        ->willReturnCallback(function ($name) {
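Review bot: Only grantPage's null path is covered, while apptokenRedirect and generateAppPassword received the same guard without a test. Add `testApptokenRedirectNoStateToken` and `testGenerateAppPasswordNoStateToken` asserting `Http::STATUS_FORBIDDEN` on `apptokenRedirect(null, 'user', 'pass')` and `generateAppPassword(null)`. Since the invalid-token test below stubs `$this->session->method('get')`, the new tests could also pin that the guard short-circuits before the session is consulted with `$this->session->expects($this->never())->method('get');`. testGrantPageInvalidStateToken's body continues past the end of this hunk.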