-rw-r--r--core/Controller/ClientFlowLoginV2Controller.php29
-rw-r--r--tests/Core/Controller/ClientFlowLoginV2ControllerTest.php6
2 files changed, 32 insertions, 3 deletions
diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
index d476b0cdc03..613829787b4 100644
--- a/core/Controller/ClientFlowLoginV2Controller.php
+++ b/core/Controller/ClientFlowLoginV2Controller.php
@@ -150,7 +150,10 @@ class ClientFlowLoginV2Controller extends Controller {
* @NoSameSiteCookieRequired
*/
#[UseSession]
- public function grantPage(string $stateToken): StandaloneTemplateResponse {
+ public function grantPage(?string $stateToken): StandaloneTemplateResponse {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
if (!$this->isValidStateToken($stateToken)) {
return $this->stateTokenForbiddenResponse();
}
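Review bot: The new null guard at the top of grantPage is undocumented, and the same three-line guard is repeated verbatim in generateAppPassword (third hunk) while apptokenRedirect (second hunk) answers the same condition with a different helper. A docblock line would make the contract visible to callers and to whoever reads the dispatcher-side behaviour, e.g. `@param string|null $stateToken null when the request carried no state token; answered with the 403 "State token missing" page`. If the three guards are meant to behave alike, a single private helper that both checks for null and validates the token would keep them from drifting further apart. grantPage's body continues outside the hunk.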
@@ -182,7 +185,11 @@ class ClientFlowLoginV2Controller extends Controller {
/**
* @PublicPage
*/
- public function apptokenRedirect(string $stateToken, string $user, string $password) {
+ public function apptokenRedirect(?string $stateToken, string $user, string $password) {
+ if ($stateToken === null) {
+ return $this->loginTokenForbiddenResponse();
+ }
+
if (!$this->isValidStateToken($stateToken)) {
return $this->stateTokenForbiddenResponse();
}
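Review bot: The null branch added to apptokenRedirect returns `loginTokenForbiddenResponse()`, whereas the sibling methods in this commit (grantPage, generateAppPassword) return the newly introduced `stateTokenMissingResponse()` for the identical condition, and the very next check in this method already uses the state-token variant. Unless a different response shape is deliberately wanted here, the line should read `return $this->stateTokenMissingResponse();` so the caller gets the same "State token missing" message on every endpoint. The signature line being touched is also a chance to add a return type, which the method still lacks; what the other return paths allow is not visible in this hunk. apptokenRedirect's body continues outside the hunk.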
@@ -225,7 +232,10 @@ class ClientFlowLoginV2Controller extends Controller {
* @NoAdminRequired
*/
#[UseSession]
- public function generateAppPassword(string $stateToken): Response {
+ public function generateAppPassword(?string $stateToken): Response {
+ if ($stateToken === null) {
+ return $this->stateTokenMissingResponse();
+ }
if (!$this->isValidStateToken($stateToken)) {
return $this->stateTokenForbiddenResponse();
}
@@ -298,6 +308,19 @@ class ClientFlowLoginV2Controller extends Controller {
return hash_equals($currentToken, $stateToken);
}
+ private function stateTokenMissingResponse(): StandaloneTemplateResponse {
+ $response = new StandaloneTemplateResponse(
+ $this->appName,
+ '403',
+ [
+ 'message' => $this->l10n->t('State token missing'),
+ ],
+ 'guest'
+ );
+ $response->setStatus(Http::STATUS_FORBIDDEN);
+ return $response;
+ }
+
private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
$response = new StandaloneTemplateResponse(
$this->appName,
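Review bot: stateTokenMissingResponse duplicates stateTokenForbiddenResponse line for line except for the translated message, so a future change to the template name, the guest render option or the status code has to be made twice. Factoring the response construction into one private helper that takes the message would leave each public-facing helper as a single line and document the shared 403 behaviour in one place. stateTokenForbiddenResponse is cut off at the end of the hunk, so its remaining lines are not visible here, but from the visible start it can delegate the same way.

```php
	private function stateTokenMissingResponse(): StandaloneTemplateResponse {
		return $this->forbiddenGuestPage($this->l10n->t('State token missing'));
	}

	/**
	 * Renders the guest '403' template with the given message and a 403 status.
	 */
	private function forbiddenGuestPage(string $message): StandaloneTemplateResponse {
		$response = new StandaloneTemplateResponse(
			$this->appName,
			'403',
			['message' => $message],
			'guest'
		);
		$response->setStatus(Http::STATUS_FORBIDDEN);
		return $response;
	}
	// … unchanged: stateTokenForbiddenResponse (can delegate to forbiddenGuestPage) …
```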
diff --git a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
index 2f5cc507378..a1f50e328dd 100644
--- a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
@@ -187,6 +187,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
$this->controller->showAuthPickerPage();
}
+ public function testGrantPageNoStateToken(): void {
+ $result = $this->controller->grantPage(null);
+
+ $this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
+ }
+
public function testGrantPageInvalidStateToken() {
$this->session->method('get')
->willReturnCallback(function ($name) {
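Review bot: The added test covers only grantPage's null path, while the same commit adds null handling to generateAppPassword and apptokenRedirect, so two of the three new branches are untested and the differing helper used in apptokenRedirect would go unnoticed if it were unintended. A parallel test for each, e.g. `public function testGenerateAppPasswordNoStateToken(): void {` / `$result = $this->controller->generateAppPassword(null);` / `$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());`, would pin the behaviour. Asserting on the rendered message as well would distinguish the "missing" response from the "forbidden" one, which the status code alone cannot do.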