From c8e575c1e7c2f3a7bf6ae0c423acef4c6759b36c Mon Sep 17 00:00:00 2001
From: jygaulier
Date: Tue, 25 Oct 2022 12:27:21 +0200
Subject: [PATCH] PHRAS-3765_oauth-parms-in-session (#4153)

PHRAS-3765: fetch parms from session

PHRAS-3765 : fix : pass custom parameters as argument (don't try to hack request)
---
 .../Controller/Api/OAuth2Controller.php | 12 ++++++++-
 lib/classes/API/OAuth2/Adapter.php | 27 ++++++++++++-------
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/lib/Alchemy/Phrasea/Controller/Api/OAuth2Controller.php b/lib/Alchemy/Phrasea/Controller/Api/OAuth2Controller.php
index 36e32a5f32..5044718c52 100644
--- a/lib/Alchemy/Phrasea/Controller/Api/OAuth2Controller.php
+++ b/lib/Alchemy/Phrasea/Controller/Api/OAuth2Controller.php
@@ -197,7 +197,17 @@ class OAuth2Controller extends Controller
     {
         $context = new Context(Context::CONTEXT_OAUTH2_NATIVE);
         $provider = $this->findProvider($providerId);
-        $params = $this->oAuth2Adapter->getAuthorizationRequestParameters($request);
+
+        /*
+         * some api client (parade) did want to pass parameters into oauth2 callback url
+         * but we prevent this for openid
+         * The parameters can be passed in session, we restore them
+         */
+        $customParms = $this->getSession()->get($provider->getId() . '.parms', []);
+        if(!is_array($customParms)) {
+            $customParms = [];
+        }
+        $params = $this->oAuth2Adapter->getAuthorizationRequestParameters($request, $customParms);
 
         // triggers what's necessary
         try {
diff --git a/lib/classes/API/OAuth2/Adapter.php b/lib/classes/API/OAuth2/Adapter.php
index eade7f577e..fa811ce9ac 100644
--- a/lib/classes/API/OAuth2/Adapter.php
+++ b/lib/classes/API/OAuth2/Adapter.php
@@ -9,7 +9,6 @@
  */
 use Alchemy\Phrasea\Application;
-
 use Alchemy\Phrasea\Authentication\Exception\AccountLockedException;
 use Alchemy\Phrasea\Authentication\Exception\RequireCaptchaException;
 use Alchemy\Phrasea\ControllerProvider\Api\V2;
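Review bot: The session-restored `$customParms` win over the live request in `getAuthorizationRequestParameters` (the new `getCustomOrRealParm` consults the array before `$request->get(...)`), so a `redirect_uri` or `client_id` stored under `<providerId>.parms` by an earlier flow in the same session silently replaces whatever the current authorization request carries, and the `is_array` guard only fixes the type, not the contents. Nothing in this hunk removes the key after it is read, so the stored values presumably stay in effect for every later authorization in that session. Consider consuming the entry once it has been read, `$this->getSession()->remove($provider->getId() . '.parms');`, and limiting the override to the parameter names the adapter actually expects rather than passing the array through as-is. Where the session key is written is outside this patch, so whether the stored values were checked against the registered application at that point cannot be confirmed from here; the enclosing controller method also continues past the end of the hunk.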
@@ -17,8 +16,8 @@ use Alchemy\Phrasea\Exception\RuntimeException;
 use Alchemy\Phrasea\Model\Entities\ApiApplication;
 use Alchemy\Phrasea\Model\Entities\User;
 use Alchemy\Phrasea\Model\Repositories\ApiApplicationRepository;
-use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -338,20 +337,30 @@ class API_OAuth2_Adapter extends OAuth2
         return $this;
     }
+
+    private function getCustomOrRealParm(Request $request, array $customParms, string $parmName)
+    {
+        if(array_key_exists($parmName, $customParms)) {
+            return $customParms[$parmName];
+        }
+        return $request->get($parmName, false);
+    }
+
     /**
-     * @param Request $request
+     * @param Request $request
+     * @param array $customParms
      * @return array
-    public function getAuthorizationRequestParameters(Request $request)
+    public function getAuthorizationRequestParameters(Request $request, $customParms = [])
     {
         $data = [
-            'response_type' => $request->get('response_type', false),
-            'client_id' => $request->get('client_id', false),
-            'redirect_uri' => $request->get('redirect_uri', false),
+            'response_type' => $this->getCustomOrRealParm($request, $customParms, 'response_type'),
+            'client_id' => $this->getCustomOrRealParm($request, $customParms, 'client_id'),
+            'redirect_uri' => $this->getCustomOrRealParm($request, $customParms, 'redirect_uri'),
         ];
-        $scope = $request->get('scope', false);
-        $state = $request->get('state', false);
+        $scope = $this->getCustomOrRealParm($request, $customParms, 'scope');
+        $state = $this->getCustomOrRealParm($request, $customParms, 'state');
         if ($state) {
             $data["state"] = $state;