From adb4507b2f598e14a55c1f3c0ff97ee14c3117d0 Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Mon, 6 Feb 2023 09:42:15 +0100
Subject: [PATCH] fix(client-login-flow): Handle missing stateToken gracefully

Signed-off-by: Christoph Wurst
---
 .../ClientFlowLoginV2Controller.php | 29 +++++++++++++++++--
 .../ClientFlowLoginV2ControllerTest.php | 6 ++++
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
index 4df94a28d6a..51163d200f5 100644
--- a/core/Controller/ClientFlowLoginV2Controller.php
+++ b/core/Controller/ClientFlowLoginV2Controller.php
@@ -149,7 +149,10 @@ class ClientFlowLoginV2Controller extends Controller {
 * @NoCSRFRequired
 * @NoSameSiteCookieRequired
 */
- public function grantPage(string $stateToken): StandaloneTemplateResponse {
+ public function grantPage(?string $stateToken): StandaloneTemplateResponse {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
@@ -181,7 +184,11 @@ class ClientFlowLoginV2Controller extends Controller {
 /**
 * @PublicPage
 */
- public function apptokenRedirect(string $stateToken, string $user, string $password) {
+ public function apptokenRedirect(?string $stateToken, string $user, string $password) {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
+
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
@@ -224,7 +231,10 @@ class ClientFlowLoginV2Controller extends Controller {
 * @NoAdminRequired
 * @UseSession
 */
- public function generateAppPassword(string $stateToken): Response {
+ public function generateAppPassword(?string $stateToken): Response {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
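Review bot: The new `if ($stateToken === null)` guard in grantPage gives no hint of why the parameter is now nullable, and the same undocumented guard appears in the apptokenRedirect and generateAppPassword hunks. A one-line comment above each guard would spare the next reader a trip through the request dispatcher, e.g. `// null when the request carries no stateToken; answer with a dedicated 403`. If the dispatcher indeed hands null for an absent parameter, that is the reason the type had to become `?string`, and it is worth recording once, either in that comment or as `@param string|null $stateToken` in the docblock that already holds the `@NoCSRFRequired` annotations. grantPage's body continues past the hunk.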
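Review bot: apptokenRedirect is the only one of the three guarded entry points still without a declared return type (`public function apptokenRedirect(?string $stateToken, string $user, string $password) {`), while grantPage and generateAppPassword declare theirs; if every return path yields a Response subclass, `: Response` would bring it in line and let static analysis check the new early return. The blank line added after the guard's closing brace is also absent from the grantPage and generateAppPassword hunks, so one form should be picked for all three. The method body continues beyond the hunk.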
@@ -297,6 +307,19 @@ class ClientFlowLoginV2Controller extends Controller {
 return hash_equals($currentToken, $stateToken);
 }
 
+ private function stateTokenMissingResponse(): StandaloneTemplateResponse {
+ $response = new StandaloneTemplateResponse(
+ $this->appName,
+ '403',
+ [
+ 'message' => $this->l10n->t('State token missing'),
+ ],
+ 'guest'
+ );
+ $response->setStatus(Http::STATUS_FORBIDDEN);
+ return $response;
+ }
+
 private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
 $response = new StandaloneTemplateResponse(
 $this->appName,
diff --git a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
index 53d5f392ac6..9c6fb8398b3 100644
--- a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
@@ -188,6 +188,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
 $this->controller->showAuthPickerPage();
 }
 
+ public function testGrantPageNoStateToken(): void {
+ $result = $this->controller->grantPage(null);
+
+ $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
+ }
+
 public function testGrantPageInvalidStateToken() {
 $this->session->method('get')
 ->willReturnCallback(function ($name) {
-- 
2.39.5
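Review bot: stateTokenMissingResponse is a near copy of stateTokenForbiddenResponse directly below it, apparently differing only in the translated string passed under `'message'`; a shared helper taking the message would keep the two 403 paths in step if the template name, the `'guest'` layout or the status ever changes. stateTokenForbiddenResponse starts inside the hunk but its body, including its message literal, runs past it, so only the new method's rewrite is shown below and the existing one would delegate the same way. The new method also deserves a one-line docblock such as `/** Guest 403 page for a request that carried no state token at all. */`, since the hunk does not explain the split between "missing" and "invalid".
```php
/** Guest 403 page for a request that carried no state token at all. */
private function stateTokenMissingResponse(): StandaloneTemplateResponse {
	return $this->stateTokenErrorResponse($this->l10n->t('State token missing'));
}

/** Renders the guest 403 template with the given message; shared by the missing and invalid state-token paths. */
private function stateTokenErrorResponse(string $message): StandaloneTemplateResponse {
	$response = new StandaloneTemplateResponse(
		$this->appName,
		'403',
		['message' => $message],
		'guest'
	);
	$response->setStatus(Http::STATUS_FORBIDDEN);
	return $response;
}

// … unchanged: stateTokenForbiddenResponse (body outside the hunk; would delegate to stateTokenErrorResponse) …
```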
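Review bot: testGrantPageNoStateToken pins the null path for grantPage only, while the controller hunks add the same path to apptokenRedirect and generateAppPassword, so a regression there (the type reverting to `string`, say) would still pass the suite. Two siblings of the same shape, `$this->controller->apptokenRedirect(null, 'user', 'password')` and `$this->controller->generateAppPassword(null)`, each asserting `Http::STATUS_FORBIDDEN`, would close the gap; the guard returns before `$user` and `$password` are touched, so any strings will do. Asserting the rendered template as well, `$this->assertSame('403', $result->getTemplateName());`, would tell the new response apart from any other 403 the controller can return.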