From 2b868af78b26d1dad4b6e66e9870789f147b1a6e Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Mon, 6 Feb 2023 09:42:15 +0100 Subject: [PATCH] fix(client-login-flow): Handle missing stateToken gracefully Signed-off-by: Christoph Wurst --- .../ClientFlowLoginV2Controller.php | 29 +++++++++++++++++-- .../ClientFlowLoginV2ControllerTest.php | 6 ++++ 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php index 27585cbdb7e..ba78c6d72af 100644 --- a/core/Controller/ClientFlowLoginV2Controller.php +++ b/core/Controller/ClientFlowLoginV2Controller.php @@ -157,7 +157,10 @@ class ClientFlowLoginV2Controller extends Controller { * @NoCSRFRequired * @NoSameSiteCookieRequired */ - public function grantPage(string $stateToken): StandaloneTemplateResponse { + public function grantPage(?string $stateToken): StandaloneTemplateResponse { + if ($stateToken === null) { + return $this->stateTokenMissingResponse(); + } if (!$this->isValidStateToken($stateToken)) { return $this->stateTokenForbiddenResponse(); } @@ -189,7 +192,11 @@ class ClientFlowLoginV2Controller extends Controller { /** * @PublicPage */ - public function apptokenRedirect(string $stateToken, string $user, string $password) { + public function apptokenRedirect(?string $stateToken, string $user, string $password) { + if ($stateToken === null) { + return $this->stateTokenMissingResponse(); + } + if (!$this->isValidStateToken($stateToken)) { return $this->stateTokenForbiddenResponse(); } @@ -232,7 +239,10 @@ class ClientFlowLoginV2Controller extends Controller { * @NoAdminRequired * @UseSession */ - public function generateAppPassword(string $stateToken): Response { + public function generateAppPassword(?string $stateToken): Response { + if ($stateToken === null) { + return $this->stateTokenMissingResponse(); + } if (!$this->isValidStateToken($stateToken)) { return $this->stateTokenForbiddenResponse(); } @@ -305,6 +315,19 @@ class ClientFlowLoginV2Controller extends Controller { return hash_equals($currentToken, $stateToken); } + private function stateTokenMissingResponse(): StandaloneTemplateResponse { + $response = new StandaloneTemplateResponse( + $this->appName, + '403', + [ + 'message' => $this->l10n->t('State token missing'), + ], + 'guest' + ); + $response->setStatus(Http::STATUS_FORBIDDEN); + return $response; + } + private function stateTokenForbiddenResponse(): StandaloneTemplateResponse { $response = new StandaloneTemplateResponse( $this->appName, diff --git a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php index 53d5f392ac6..9c6fb8398b3 100644 --- a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php +++ b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php @@ -188,6 +188,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase { $this->controller->showAuthPickerPage(); } + public function testGrantPageNoStateToken(): void { + $result = $this->controller->grantPage(null); + + $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus()); + } + public function testGrantPageInvalidStateToken() { $this->session->method('get') ->willReturnCallback(function ($name) { -- 2.39.5