authorLukas Reschke <lukas@statuscode.ch>2017-05-18 15:43:14 +0200
committerLukas Reschke <lukas@statuscode.ch>2017-05-18 20:49:08 +0200
commitb07a0f51bacc65cc55982172301599ec12fdc235 (patch)
tree8fc4e52e8322930bf128c33c681dbf61fedc3cdf /core
parent88afd8b22466e4dfab8e136f81440b160ee84acb (diff)
downloadnextcloud-server-b07a0f51bacc65cc55982172301599ec12fdc235.tar.gz
nextcloud-server-b07a0f51bacc65cc55982172301599ec12fdc235.zip
Add OAuth state to session
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'core')
-rw-r--r--core/Controller/ClientFlowLoginController.php42
1 files changed, 18 insertions, 24 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index b41a29dc1c4..cafcc16442a 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -149,10 +149,7 @@ class ClientFlowLoginController extends Controller {
*
* @return TemplateResponse
*/
- public function showAuthPickerPage($clientIdentifier = '',
- $oauthState = '') {
-
-
+ public function showAuthPickerPage($clientIdentifier = '') {
$clientName = $this->getClientName();
$client = null;
if($clientIdentifier !== '') {
@@ -160,19 +157,22 @@ class ClientFlowLoginController extends Controller {
$clientName = $client->getName();
}
- $validClient = $client !== null && $client->getClientIdentifier() !== null;
- $cookieCheckSuccessful = $this->request->passesStrictCookieCheck();
-
- // no valid clientIdentifier given and no valid API Request (APIRequest header not set)
- if ($cookieCheckSuccessful === false && $validClient === false) {
+ // No valid clientIdentifier given and no valid API Request (APIRequest header not set)
+ $clientRequest = $this->request->getHeader('OCS-APIREQUEST');
+ if ($clientRequest !== 'true' && $client === null) {
return new TemplateResponse(
$this->appName,
'error',
- ['errors' =>
+ [
+ 'errors' =>
[
- ['error' => 'Access Forbidden', 'hint' => 'Invalid request']
- ]
- ]
+ [
+ 'error' => 'Access Forbidden',
+ 'hint' => 'Invalid request',
+ ],
+ ],
+ ],
+ 'guest'
);
}
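Review bot: The replacement gate `$clientRequest !== 'true' && $client === null` trusts a client-asserted header: any non-browser caller can send `OCS-APIREQUEST: true`, so this condition only tells API traffic apart from plain browser navigation and is not a session or CSRF check like the `passesStrictCookieCheck()` it removes. If that cookie check was carrying protection for the no-client case, it is gone here and deserves at least a comment or a test. The lines that populate `$client` are above the hunk, so I cannot tell whether `$client` can be non-null with a null identifier, which the dropped `getClientIdentifier() !== null` guard covered. I would make the intent explicit above the `getHeader` call: `// OCS-APIREQUEST is set by the caller; it marks API clients, it does not authenticate them`. showAuthPickerPage continues past the end of the hunk.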
@@ -188,7 +188,6 @@ class ClientFlowLoginController extends Controller {
[
'client' => $clientName,
'clientIdentifier' => $clientIdentifier,
- 'oauthState' => $oauthState,
'instanceName' => $this->defaults->getName(),
'urlGenerator' => $this->urlGenerator,
'stateToken' => $stateToken,
@@ -205,12 +204,10 @@ class ClientFlowLoginController extends Controller {
*
* @param string $stateToken
* @param string $clientIdentifier
- * @param string $oauthState
* @return TemplateResponse
*/
public function redirectPage($stateToken = '',
- $clientIdentifier = '',
- $oauthState = '') {
+ $clientIdentifier = '') {
if(!$this->isValidToken($stateToken)) {
return $this->stateTokenForbiddenResponse();
}
@@ -222,7 +219,7 @@ class ClientFlowLoginController extends Controller {
'urlGenerator' => $this->urlGenerator,
'stateToken' => $stateToken,
'clientIdentifier' => $clientIdentifier,
- 'oauthState' => $oauthState,
+ 'oauthState' => $this->session->get('oauth.state'),
],
'empty'
);
@@ -234,14 +231,10 @@ class ClientFlowLoginController extends Controller {
*
* @param string $stateToken
* @param string $clientIdentifier
- * @param string $state
- * @param string $oauthState
* @return Http\RedirectResponse|Response
*/
public function generateAppPassword($stateToken,
- $clientIdentifier = '',
- $state = '',
- $oauthState = '') {
+ $clientIdentifier = '') {
if(!$this->isValidToken($stateToken)) {
$this->session->remove(self::stateName);
return $this->stateTokenForbiddenResponse();
@@ -305,9 +298,10 @@ class ClientFlowLoginController extends Controller {
$redirectUri = sprintf(
'%s?state=%s&code=%s',
$client->getRedirectUri(),
- urlencode($oauthState),
+ urlencode($this->session->get('oauth.state')),
urlencode($code)
);
+ $this->session->remove('oauth.state');
} else {
$redirectUri = 'nc://login/server:' . $this->request->getServerHost() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
}
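Review bot: When the session carries no `oauth.state`, `urlencode($this->session->get('oauth.state'))` yields an empty string and the browser is still redirected to the client's redirect URI with `state=` blank, leaving it to the OAuth client to notice the missing value; failing closed before building the redirect is safer. The entry is also removed only on this branch, so a stale value presumably survives the invalid-token early return earlier in generateAppPassword (which removes only `self::stateName`) and would be replayed into a later authorization unless it is overwritten first. Where the state is written into the session is not in this diff, so I am assuming a prior step of the flow sets it. generateAppPassword starts before this hunk, and which error response fits this case should be confirmed against the rest of the controller.
```php
$oauthState = $this->session->get('oauth.state');
// NOTE(review): no OAuth state stored for this session — refuse rather than redirect with state= empty
if (!is_string($oauthState) || $oauthState === '') {
    return $this->stateTokenForbiddenResponse();
}
$redirectUri = sprintf(
    '%s?state=%s&code=%s',
    $client->getRedirectUri(),
    urlencode($oauthState),
    urlencode($code)
);
$this->session->remove('oauth.state');
```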