Merge pull request #36586 from nextcloud/backport/36552/stable24
[stable24] fix(client-login-flow): Handle missing stateToken gracefully
6452b9dd4f
2 changed files with 32 additions and 3 deletions
|
|
@ -157,7 +157,10 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
* @NoCSRFRequired
|
||||
* @NoSameSiteCookieRequired
|
||||
*/
|
||||
public function grantPage(string $stateToken): StandaloneTemplateResponse {
|
||||
public function grantPage(?string $stateToken): StandaloneTemplateResponse {
|
||||
if ($stateToken === null) {
|
||||
return $this->stateTokenMissingResponse();
|
||||
}
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -189,7 +192,11 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
/**
|
||||
* @PublicPage
|
||||
*/
|
||||
public function apptokenRedirect(string $stateToken, string $user, string $password) {
|
||||
public function apptokenRedirect(?string $stateToken, string $user, string $password) {
|
||||
if ($stateToken === null) {
|
||||
return $this->stateTokenMissingResponse();
|
||||
}
|
||||
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -232,7 +239,10 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
* @NoAdminRequired
|
||||
* @UseSession
|
||||
*/
|
||||
public function generateAppPassword(string $stateToken): Response {
|
||||
public function generateAppPassword(?string $stateToken): Response {
|
||||
if ($stateToken === null) {
|
||||
return $this->stateTokenMissingResponse();
|
||||
}
|
||||
if (!$this->isValidStateToken($stateToken)) {
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
|
@ -305,6 +315,19 @@ class ClientFlowLoginV2Controller extends Controller {
|
|||
return hash_equals($currentToken, $stateToken);
|
||||
}
|
||||
|
||||
private function stateTokenMissingResponse(): StandaloneTemplateResponse {
|
||||
$response = new StandaloneTemplateResponse(
|
||||
$this->appName,
|
||||
'403',
|
||||
[
|
||||
'message' => $this->l10n->t('State token missing'),
|
||||
],
|
||||
'guest'
|
||||
);
|
||||
$response->setStatus(Http::STATUS_FORBIDDEN);
|
||||
return $response;
|
||||
}
|
||||
|
||||
private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
|
||||
$response = new StandaloneTemplateResponse(
|
||||
$this->appName,
|
||||
|
|
|
|||
|
|
@ -188,6 +188,12 @@ class ClientFlowLoginV2ControllerTest extends TestCase {
|
|||
$this->controller->showAuthPickerPage();
|
||||
}
|
||||
|
||||
public function testGrantPageNoStateToken(): void {
|
||||
$result = $this->controller->grantPage(null);
|
||||
|
||||
$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
|
||||
}
|
||||
|
||||
public function testGrantPageInvalidStateToken() {
|
||||
$this->session->method('get')
|
||||
->willReturnCallback(function ($name) {
|
||||
|
|
|
|||