author | Christoph Wurst <ChristophWurst@users.noreply.github.com> | 2023-02-06 16:51:25 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-06 16:51:25 +0100 |
commit | eca7ab3221a8fd953226da6a1d0244f6b3024773 (patch) | |
tree | 62a6f1fcda1056fd92dbc21f816b8e2adee5e62b | |
parent | 3473b69ad2df1862225cbdff884cf94996f554fc (diff) | |
parent | 88d116ba846409df5676af85c54c13b9fc2ad110 (diff) | |
download | nextcloud-server-eca7ab3221a8fd953226da6a1d0244f6b3024773.tar.gz nextcloud-server-eca7ab3221a8fd953226da6a1d0244f6b3024773.zip |
Merge pull request #36552 from nextcloud/fix/client-login-flow/missing-state-token
fix(client-login-flow): Handle missing stateToken gracefully
-rw-r--r-- | core/Controller/ClientFlowLoginV2Controller.php | 29 | ||||
-rw-r--r-- | tests/Core/Controller/ClientFlowLoginV2ControllerTest.php | 6 |
2 files changed, 32 insertions, 3 deletions
diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
index d476b0cdc03..613829787b4 100644
--- a/core/Controller/ClientFlowLoginV2Controller.php
+++ b/core/Controller/ClientFlowLoginV2Controller.php
@@ -150,7 +150,10 @@ class ClientFlowLoginV2Controller extends Controller {
 * @NoSameSiteCookieRequired
 */
 #[UseSession]
- public function grantPage(string $stateToken): StandaloneTemplateResponse {
+ public function grantPage(?string $stateToken): StandaloneTemplateResponse {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
@@ -182,7 +185,11 @@ class ClientFlowLoginV2Controller extends Controller {
 /**
 * @PublicPage
 */
- public function apptokenRedirect(string $stateToken, string $user, string $password) {
+ public function apptokenRedirect(?string $stateToken, string $user, string $password) {
+ if ($stateToken === null) {
+ return $this->loginTokenForbiddenResponse();
+ }
+
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
@@ -225,7 +232,10 @@ class ClientFlowLoginV2Controller extends Controller {
 * @NoAdminRequired
 */
 #[UseSession]
- public function generateAppPassword(string $stateToken): Response {
+ public function generateAppPassword(?string $stateToken): Response {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
 if (!$this->isValidStateToken($stateToken)) {
 return $this->stateTokenForbiddenResponse();
 }
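Review bot: The new `null` branch in grantPage is not reflected in the method's docblock, which starts above the hunk, so a reader of the signature alone cannot tell when `$stateToken` is null or what the client gets back in that case. I'd add `@param string|null $stateToken null when the query parameter is absent; the response is then the 403 "State token missing" guest page` to that docblock, above the `#[UseSession]` attribute. The body of grantPage continues below the hunk.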
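Review bot: The missing-token branch of apptokenRedirect returns `loginTokenForbiddenResponse()`, whereas grantPage and generateAppPassword in the same commit return `stateTokenMissingResponse()` for the identical condition. Unless the login-token response is deliberately wanted here, this reads like a copy error and the client is told about the wrong token; I'd change the added line to `return $this->stateTokenMissingResponse();`. It is right that the check runs before `$user` and `$password` are touched, since this is a `@PublicPage` endpoint that receives credentials. The body of apptokenRedirect continues below the hunk.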
@@ -298,6 +308,19 @@ class ClientFlowLoginV2Controller extends Controller {
 return hash_equals($currentToken, $stateToken);
 }
 
+ private function stateTokenMissingResponse(): StandaloneTemplateResponse {
+ $response = new StandaloneTemplateResponse(
+ $this->appName,
+ '403',
+ [
+ 'message' => $this->l10n->t('State token missing'),
+ ],
+ 'guest'
+ );
+ $response->setStatus(Http::STATUS_FORBIDDEN);
+ return $response;
+ }
+
 private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
 $response = new StandaloneTemplateResponse(
 $this->appName,
diff --git a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
index 2f5cc507378..a1f50e328dd 100644
--- a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
@@ -187,6 +187,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
 $this->controller->showAuthPickerPage();
 }
 
+ public function testGrantPageNoStateToken(): void {
+ $result = $this->controller->grantPage(null);
+
+ $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
+ }
+
 public function testGrantPageInvalidStateToken() {
 $this->session->method('get')
 ->willReturnCallback(function ($name) {
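Review bot: `stateTokenMissingResponse()` is a line-for-line copy of `stateTokenForbiddenResponse()` visible right below it, differing only in the translated message, so the 403 template name, guest layout and status code now live in two places. I'd fold both into one private helper that takes the message and have the two methods delegate to it; the helper also deserves a one-line comment naming it as the guest 403 page for state-token failures, which neither method currently has. The start of stateTokenForbiddenResponse is in the hunk but its body runs past the end of it.
```php
	/** Guest 403 page shown when the state token is absent or does not match the session. */
	private function stateTokenErrorResponse(string $message): StandaloneTemplateResponse {
		$response = new StandaloneTemplateResponse($this->appName, '403', ['message' => $message], 'guest');
		$response->setStatus(Http::STATUS_FORBIDDEN);
		return $response;
	}

	private function stateTokenMissingResponse(): StandaloneTemplateResponse {
		return $this->stateTokenErrorResponse($this->l10n->t('State token missing'));
	}
	// … unchanged: stateTokenForbiddenResponse, which can delegate the same way …
```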
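Review bot: The only new test exercises `grantPage(null)`; apptokenRedirect and generateAppPassword get the same nullable parameter in this commit but their missing-token branches remain untested, and apptokenRedirect is the one that returns a different response for that case. I'd add the two sibling tests, e.g. `$result = $this->controller->generateAppPassword(null);` followed by `$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());`, and one calling `apptokenRedirect(null, 'user', 'pass')` asserting whatever status loginTokenForbiddenResponse() sets. The new test also checks only the status code, so it would still pass if the forbidden page were served instead of the missing-token page; asserting the rendered message pins the distinction the commit introduces.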