Handle state in OAuth2 client

2016-03-27 12:23:18 -04:00
parent 44946ee684
commit c7cceade96
29 changed files with 156 additions and 74 deletions
--- a/app/Controller/Oauth.php
+++ b/app/Controller/Oauth.php
@@ -2,6 +2,8 @@

 namespace Kanboard\Controller;

+use Kanboard\Core\Security\OAuthAuthenticationProviderInterface;
+
 /**
 * OAuth controller
 *
@@ -10,6 +12,72 @@ namespace Kanboard\Controller;
 */
 class Oauth extends Base
 {
+    /**
+     * Redirect to the provider if no code received
+     *
+     * @access private
+     * @param string $provider
+     */
+    protected function step1($provider)
+    {
+        $code = $this->request->getStringParam('code');
+        $state = $this->request->getStringParam('state');
+
+        if (! empty($code)) {
+            $this->step2($provider, $code, $state);
+        } else {
+            $this->response->redirect($this->authenticationManager->getProvider($provider)->getService()->getAuthorizationUrl());
+        }
+    }
+
+    /**
+     * Link or authenticate the user
+     *
+     * @access protected
+     * @param string $providerName
+     * @param string $code
+     * @param string $state
+     */
+    protected function step2($providerName, $code, $state)
+    {
+        $provider = $this->authenticationManager->getProvider($providerName);
+        $provider->setCode($code);
+        $hasValidState = $provider->getService()->isValidateState($state);
+
+        if ($this->userSession->isLogged()) {
+            if ($hasValidState) {
+                $this->link($provider);
+            } else {
+                $this->flash->failure(t('The OAuth2 state parameter is invalid'));
+                $this->response->redirect($this->helper->url->to('user', 'external', array('user_id' => $this->userSession->getId())));
+            }
+        } else {
+            if ($hasValidState) {
+                $this->authenticate($providerName);
+            } else {
+                $this->authenticationFailure(t('The OAuth2 state parameter is invalid'));
+            }
+        }
+    }
+
+    /**
+     * Link the account
+     *
+     * @access protected
+     * @param  OAuthAuthenticationProviderInterface $provider
+     */
+    protected function link(OAuthAuthenticationProviderInterface $provider)
+    {
+        if (! $provider->authenticate()) {
+            $this->flash->failure(t('External authentication failed'));
+        } else {
+            $this->userProfile->assign($this->userSession->getId(), $provider->getUser());
+            $this->flash->success(t('Your external account is linked to your profile successfully.'));
+        }
+
+        $this->response->redirect($this->helper->url->to('user', 'external', array('user_id' => $this->userSession->getId())));
+    }
+
    /**
     * Unlink external account
     *
@@ -29,78 +97,34 @@ class Oauth extends Base
        $this->response->redirect($this->helper->url->to('user', 'external', array('user_id' => $this->userSession->getId())));
    }

-    /**
-     * Redirect to the provider if no code received
-     *
-     * @access private
-     * @param string $provider
-     */
-    protected function step1($provider)
-    {
-        $code = $this->request->getStringParam('code');
-
-        if (! empty($code)) {
-            $this->step2($provider, $code);
-        } else {
-            $this->response->redirect($this->authenticationManager->getProvider($provider)->getService()->getAuthorizationUrl());
-        }
-    }
-
-    /**
-     * Link or authenticate the user
-     *
-     * @access protected
-     * @param string $provider
-     * @param string $code
-     */
-    protected function step2($provider, $code)
-    {
-        $this->authenticationManager->getProvider($provider)->setCode($code);
-
-        if ($this->userSession->isLogged()) {
-            $this->link($provider);
-        }
-
-        $this->authenticate($provider);
-    }
-
-    /**
-     * Link the account
-     *
-     * @access protected
-     * @param string $provider
-     */
-    protected function link($provider)
-    {
-        $authProvider = $this->authenticationManager->getProvider($provider);
-
-        if (! $authProvider->authenticate()) {
-            $this->flash->failure(t('External authentication failed'));
-        } else {
-            $this->userProfile->assign($this->userSession->getId(), $authProvider->getUser());
-            $this->flash->success(t('Your external account is linked to your profile successfully.'));
-        }
-
-        $this->response->redirect($this->helper->url->to('user', 'external', array('user_id' => $this->userSession->getId())));
-    }
-
    /**
     * Authenticate the account
     *
     * @access protected
-     * @param string $provider
+     * @param string $providerName
     */
-    protected function authenticate($provider)
+    protected function authenticate($providerName)
    {
-        if ($this->authenticationManager->oauthAuthentication($provider)) {
+        if ($this->authenticationManager->oauthAuthentication($providerName)) {
            $this->response->redirect($this->helper->url->to('app', 'index'));
        } else {
-            $this->response->html($this->helper->layout->app('auth/index', array(
-                'errors' => array('login' => t('External authentication failed')),
-                'values' => array(),
-                'no_layout' => true,
-                'title' => t('Login')
-            )));
+            $this->authenticationFailure(t('External authentication failed'));
        }
    }
+
+    /**
+     * Show login failure page
+     *
+     * @access protected
+     * @param  string $message
+     */
+    protected function authenticationFailure($message)
+    {
+        $this->response->html($this->helper->layout->app('auth/index', array(
+            'errors' => array('login' => $message),
+            'values' => array(),
+            'no_layout' => true,
+            'title' => t('Login')
+        )));
+    }
 }