From 7109131f783e94a09ab5d85d19c4f7c3dc86f1de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?=
Date: Thu, 21 Apr 2016 12:13:26 +0200
Subject: [PATCH 1/2] Fixup CookiesDisablerSubscriber for all API routes
---
 .../Event/Subscriber/CookiesDisablerSubscriber.php | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/lib/Alchemy/Phrasea/Core/Event/Subscriber/CookiesDisablerSubscriber.php b/lib/Alchemy/Phrasea/Core/Event/Subscriber/CookiesDisablerSubscriber.php
index 37df6ed2d9..56472b103d 100644
--- a/lib/Alchemy/Phrasea/Core/Event/Subscriber/CookiesDisablerSubscriber.php
+++ b/lib/Alchemy/Phrasea/Core/Event/Subscriber/CookiesDisablerSubscriber.php
@@ -1,5 +1,4 @@ getResponse();
- foreach ($response->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY) as $cookie_domains) {
- foreach ($cookie_domains as $cookie_paths) {
- foreach ($cookie_paths as $cookie) {
- $response->headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());
- }
- }
+ /** @var Cookie $cookie */
+ foreach ($response->headers->getCookies() as $cookie) {
+ $response->headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());
 }
 }
 }
From ceb8cb55eb755ab62fc4aacc412823be376a3b60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?=
Date: Thu, 21 Apr 2016 12:14:09 +0200
Subject: [PATCH 2/2] Add request query parameter check for oauth_token
---
 .../Phrasea/Core/Event/Subscriber/SessionManagerSubscriber.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/Alchemy/Phrasea/Core/Event/Subscriber/SessionManagerSubscriber.php b/lib/Alchemy/Phrasea/Core/Event/Subscriber/SessionManagerSubscriber.php
index a7679abd3a..689ae02837 100644
--- a/lib/Alchemy/Phrasea/Core/Event/Subscriber/SessionManagerSubscriber.php
+++ b/lib/Alchemy/Phrasea/Core/Event/Subscriber/SessionManagerSubscriber.php
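Review bot: In CookiesDisablerSubscriber.php, the flattened loop over `$response->headers->getCookies()` only removes cookies that were queued on the Response header bag. A cookie PHP emits on its own, which may include the native session cookie depending on how session storage is configured, would not be in that bag and would still reach API clients. If that limitation is intended, a comment above the loop would help, e.g. `// Drops cookies queued on the Response only; cookies sent directly by PHP are not covered.` The top of this hunk, including the route check the commit title refers to, is not readable on this page, so I have not reviewed it.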
@@ -71,6 +71,7 @@ class SessionManagerSubscriber implements EventSubscriberInterface
 $request = $event->getRequest();
 if ($request->request->has('oauth_token')
+ || $request->query->has('oauth_token')
 || $request->query->has('LOG')
 || null === $moduleId = $this->getModuleId($request->getPathInfo())
 ) {
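Review bot: The added `$request->query->has('oauth_token')` test in SessionManagerSubscriber only checks that the parameter is present, so any request carrying `oauth_token` in its query string takes this branch whether or not the token is valid. The body of the `if` lies outside the hunk; if it returns early, as the neighbouring `LOG` test suggests, please confirm that nothing skipped there is relied on for session expiry or access control on non-API routes. Accepting the token in the query string also means it will show up in access logs and Referer headers, so those should be handled as containing credentials. I would document the intent above the condition, e.g. `// Presence check only; token validity is not verified here.`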