show error page if no valid client identifier is given and if it is not a API request

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>

1 files changed, 24 insertions, 5 deletions

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 70cf8e8cebc..996ae34b0f2 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -151,18 +151,37 @@ class ClientFlowLoginController extends Controller {
 	 */
 	public function showAuthPickerPage($clientIdentifier = '',
 									   $oauthState = '') {
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::stateName, $stateToken);
+
 
 		$clientName = $this->getClientName();
+		$client = null;
 		if($clientIdentifier !== '') {
 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
 			$clientName = $client->getName();
 		}
 
+		$validClient = $client !== null && $client->getClientIdentifier() !== null;
+		$cookieCheckSuccessful = $this->request->passesStrictCookieCheck();
+
+		// no valid clientIdentifier given and no valid API Request (APIRequest header not set)
+		if ($cookieCheckSuccessful === false && $validClient === false) {
+			return new TemplateResponse(
+				$this->appName,
+				'error',
+				['errors' =>
+					[
+						['error' => 'Access Forbidden', 'hint' => 'Invalid request']
+					]
+				]
+			);
+		}
+
+		$stateToken = $this->random->generate(
+			64,
+			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+		);
+		$this->session->set(self::stateName, $stateToken);
+
 		return new TemplateResponse(
 			$this->appName,
 			'loginflow/authpicker',