From a74d67b69c986f1703567bc5986daed9f82f4571 Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Fri, 12 May 2017 12:44:22 +0200
Subject: show error page if no valid client identifier is given and if it is not a API request

Signed-off-by: Bjoern Schiessle
---
 core/Controller/ClientFlowLoginController.php | 29 ++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

(limited to 'core')

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 70cf8e8cebc..996ae34b0f2 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -151,18 +151,37 @@ class ClientFlowLoginController extends Controller {
 	 */
 	public function showAuthPickerPage($clientIdentifier = '', $oauthState = '') {
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::stateName, $stateToken);
+		$clientName = $this->getClientName();
+		$client = null;
 		if($clientIdentifier !== '') {
 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
 			$clientName = $client->getName();
 		}
+		$validClient = $client !== null && $client->getClientIdentifier() !== null;
+		$cookieCheckSuccessful = $this->request->passesStrictCookieCheck();
+
+		// no valid clientIdentifier given and no valid API Request (APIRequest header not set)
+		if ($cookieCheckSuccessful === false && $validClient === false) {
+			return new TemplateResponse(
+				$this->appName,
+				'error',
+				['errors' =>
+					[
+						['error' => 'Access Forbidden', 'hint' => 'Invalid request']
+					]
+				]
+			);
+		}
+
+		$stateToken = $this->random->generate(
+			64,
+			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+		);
+		$this->session->set(self::stateName, $stateToken);
+
 		return new TemplateResponse(
 			$this->appName,
 			'loginflow/authpicker',
-- 
cgit v1.2.3
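Review bot: The forbidden-request branch added in this hunk returns its TemplateResponse with the default 200 status, so the "Access Forbidden" page is delivered as a success; set the status explicitly, e.g. `$response = new TemplateResponse($this->appName, 'error', [...]); $response->setStatus(Http::STATUS_FORBIDDEN); return $response;` (Http being OCP\AppFramework\Http, if it is imported in this file). The new comment says the branch is about the APIRequest header not being set, but the code tests `passesStrictCookieCheck()`; one of the two should be aligned so the intent is clear to the next reader. The `$client->getClientIdentifier() !== null` half of `$validClient` looks redundant, since the client was just fetched by that identifier, so `$validClient = $client !== null;` reads more honestly; and if `getByIdentifier()` throws for an unknown identifier rather than returning null (it appears to in the mapper, which is outside this hunk), the unknown-client case never reaches the new error page and should be caught here. showAuthPickerPage continues past the end of the hunk.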