upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-13 18:50:47 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 31

Merge pull request #46814 from nextcloud/refactor/oauth2/security-attributes

Browse source
This commit is contained in:
Kate 2024-08-14 09:38:28 +02:00 committed by GitHub
commit ca9752482c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 12 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
apps/oauth2/lib/Controller/LoginRedirectorController.php
View file

@ -12,6 +12,9 @@ use OCA\OAuth2\Db\ClientMapper;
use OCA\OAuth2\Exceptions\ClientNotFoundException;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\Attribute\UseSession;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IL10N;
@ -51,10 +54,6 @@ class LoginRedirectorController extends Controller {
}
/**
* @PublicPage
* @NoCSRFRequired
* @UseSession
*
* Authorize the user
*
* @param string $client_id Client ID
@ -65,6 +64,9 @@ class LoginRedirectorController extends Controller {
* 200: Client not found
* 303: Redirect to login URL
*/
#[PublicPage]
#[NoCSRFRequired]
#[UseSession]
public function authorize($client_id,
$state,
$response_type): TemplateResponse|RedirectResponse {

10
apps/oauth2/lib/Controller/OauthApiController.php
View file

@ -15,6 +15,9 @@ use OCA\OAuth2\Exceptions\AccessTokenNotFoundException;
use OCA\OAuth2\Exceptions\ClientNotFoundException;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
@ -47,10 +50,6 @@ class OauthApiController extends Controller {
}
/**
* @PublicPage
* @NoCSRFRequired
* @BruteForceProtection(action=oauth2GetToken)
*
* Get a token
*
* @param string $grant_type Token type that should be granted
@ -64,6 +63,9 @@ class OauthApiController extends Controller {
* 200: Token returned
* 400: Getting token is not possible
*/
#[PublicPage]
#[NoCSRFRequired]
#[BruteForceProtection(action: 'oauth2GetToken')]
public function getToken(
string $grant_type, ?string $code, ?string $refresh_token,
?string $client_id, ?string $client_secret