nextcloud / server

core/templates/loginflow/authpicker.php

Spacing +2 added lines, -2 removed lines

@@ -31,7 +31,7 @@ 
 	<h2><?php p($l->t('Connect to your account')) ?></h2>
 	<p class="info">
 		<?php print_unescaped($l->t('Please log in before granting %1$s access to your %2$s account.', [
-								'<strong>' . \OCP\Util::sanitizeHTML($_['client']) . '</strong>',
+								'<strong>'.\OCP\Util::sanitizeHTML($_['client']).'</strong>',
 								\OCP\Util::sanitizeHTML($_['instanceName'])
 							])) ?>
 	</p>
@@ -59,6 +59,6 @@ 
 	</form>
 </div>
 
-<?php if(empty($_['oauthState'])): ?>
+<?php if (empty($_['oauthState'])): ?>
 <a id="app-token-login" class="warning" href="#"><?php p($l->t('Alternative log in using app token')) ?></a>
 <?php endif; ?>

core/routes.php

Indentation +97 added lines, -97 removed lines

@@ -36,52 +36,52 @@ 
 
 $application = new Application();
 $application->registerRoutes($this, [
-	'routes' => [
-		['name' => 'lost#email', 'url' => '/lostpassword/email', 'verb' => 'POST'],
-		['name' => 'lost#resetform', 'url' => '/lostpassword/reset/form/{token}/{userId}', 'verb' => 'GET'],
-		['name' => 'lost#setPassword', 'url' => '/lostpassword/set/{token}/{userId}', 'verb' => 'POST'],
-		['name' => 'user#getDisplayNames', 'url' => '/displaynames', 'verb' => 'POST'],
-		['name' => 'avatar#getAvatar', 'url' => '/avatar/{userId}/{size}', 'verb' => 'GET'],
-		['name' => 'avatar#deleteAvatar', 'url' => '/avatar/', 'verb' => 'DELETE'],
-		['name' => 'avatar#postCroppedAvatar', 'url' => '/avatar/cropped', 'verb' => 'POST'],
-		['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'],
-		['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'],
-		['name' => 'CSRFToken#index', 'url' => '/csrftoken', 'verb' => 'GET'],
-		['name' => 'login#tryLogin', 'url' => '/login', 'verb' => 'POST'],
-		['name' => 'login#confirmPassword', 'url' => '/login/confirm', 'verb' => 'POST'],
-		['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
-		['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'],
-		['name' => 'ClientFlowLogin#showAuthPickerPage', 'url' => '/login/flow', 'verb' => 'GET'],
-		['name' => 'ClientFlowLogin#generateAppPassword', 'url' => '/login/flow', 'verb' => 'POST'],
-		['name' => 'ClientFlowLogin#grantPage', 'url' => '/login/flow/grant', 'verb' => 'GET'],
-		['name' => 'ClientFlowLogin#apptokenRedirect', 'url' => '/login/flow/apptoken', 'verb' => 'POST'],
-		['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'],
-		['name' => 'TwoFactorChallenge#showChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'GET'],
-		['name' => 'TwoFactorChallenge#solveChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'POST'],
-		['name' => 'OCJS#getConfig', 'url' => '/core/js/oc.js', 'verb' => 'GET'],
-		['name' => 'Preview#getPreviewByFileId', 'url' => '/core/preview', 'verb' => 'GET'],
-		['name' => 'Preview#getPreview', 'url' => '/core/preview.png', 'verb' => 'GET'],
-		['name' => 'Svg#getSvgFromCore', 'url' => '/svg/core/{folder}/{fileName}', 'verb' => 'GET'],
-		['name' => 'Svg#getSvgFromApp', 'url' => '/svg/{app}/{fileName}', 'verb' => 'GET'],
-		['name' => 'Css#getCss', 'url' => '/css/{appName}/{fileName}', 'verb' => 'GET'],
-		['name' => 'Js#getJs', 'url' => '/js/{appName}/{fileName}', 'verb' => 'GET'],
-		['name' => 'contactsMenu#index', 'url' => '/contactsmenu/contacts', 'verb' => 'POST'],
-		['name' => 'contactsMenu#findOne', 'url' => '/contactsmenu/findOne', 'verb' => 'POST'],
-		['name' => 'WalledGarden#get', 'url' => '/204', 'verb' => 'GET'],
-		['name' => 'Search#search', 'url' => '/core/search', 'verb' => 'GET'],
-	],
-	'ocs' => [
-		['root' => '/cloud', 'name' => 'OCS#getCapabilities', 'url' => '/capabilities', 'verb' => 'GET'],
-		['root' => '', 'name' => 'OCS#getConfig', 'url' => '/config', 'verb' => 'GET'],
-		['root' => '/person', 'name' => 'OCS#personCheck', 'url' => '/check', 'verb' => 'POST'],
-		['root' => '/identityproof', 'name' => 'OCS#getIdentityProof', 'url' => '/key/{cloudId}', 'verb' => 'GET'],
-		['root' => '/core', 'name' => 'Navigation#getAppsNavigation', 'url' => '/navigation/apps', 'verb' => 'GET'],
-		['root' => '/core', 'name' => 'Navigation#getSettingsNavigation', 'url' => '/navigation/settings', 'verb' => 'GET'],
-		['root' => '/core', 'name' => 'AutoComplete#get', 'url' => '/autocomplete/get', 'verb' => 'GET'],
-		['root' => '/core', 'name' => 'WhatsNew#get', 'url' => '/whatsnew', 'verb' => 'GET'],
-		['root' => '/core', 'name' => 'WhatsNew#dismiss', 'url' => '/whatsnew', 'verb' => 'POST'],
-		['root' => '/core', 'name' => 'AppPassword#getAppPassword', 'url' => '/getapppassword', 'verb' => 'GET'],
-	],
+    'routes' => [
+        ['name' => 'lost#email', 'url' => '/lostpassword/email', 'verb' => 'POST'],
+        ['name' => 'lost#resetform', 'url' => '/lostpassword/reset/form/{token}/{userId}', 'verb' => 'GET'],
+        ['name' => 'lost#setPassword', 'url' => '/lostpassword/set/{token}/{userId}', 'verb' => 'POST'],
+        ['name' => 'user#getDisplayNames', 'url' => '/displaynames', 'verb' => 'POST'],
+        ['name' => 'avatar#getAvatar', 'url' => '/avatar/{userId}/{size}', 'verb' => 'GET'],
+        ['name' => 'avatar#deleteAvatar', 'url' => '/avatar/', 'verb' => 'DELETE'],
+        ['name' => 'avatar#postCroppedAvatar', 'url' => '/avatar/cropped', 'verb' => 'POST'],
+        ['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'],
+        ['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'],
+        ['name' => 'CSRFToken#index', 'url' => '/csrftoken', 'verb' => 'GET'],
+        ['name' => 'login#tryLogin', 'url' => '/login', 'verb' => 'POST'],
+        ['name' => 'login#confirmPassword', 'url' => '/login/confirm', 'verb' => 'POST'],
+        ['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
+        ['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'],
+        ['name' => 'ClientFlowLogin#showAuthPickerPage', 'url' => '/login/flow', 'verb' => 'GET'],
+        ['name' => 'ClientFlowLogin#generateAppPassword', 'url' => '/login/flow', 'verb' => 'POST'],
+        ['name' => 'ClientFlowLogin#grantPage', 'url' => '/login/flow/grant', 'verb' => 'GET'],
+        ['name' => 'ClientFlowLogin#apptokenRedirect', 'url' => '/login/flow/apptoken', 'verb' => 'POST'],
+        ['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'],
+        ['name' => 'TwoFactorChallenge#showChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'GET'],
+        ['name' => 'TwoFactorChallenge#solveChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'POST'],
+        ['name' => 'OCJS#getConfig', 'url' => '/core/js/oc.js', 'verb' => 'GET'],
+        ['name' => 'Preview#getPreviewByFileId', 'url' => '/core/preview', 'verb' => 'GET'],
+        ['name' => 'Preview#getPreview', 'url' => '/core/preview.png', 'verb' => 'GET'],
+        ['name' => 'Svg#getSvgFromCore', 'url' => '/svg/core/{folder}/{fileName}', 'verb' => 'GET'],
+        ['name' => 'Svg#getSvgFromApp', 'url' => '/svg/{app}/{fileName}', 'verb' => 'GET'],
+        ['name' => 'Css#getCss', 'url' => '/css/{appName}/{fileName}', 'verb' => 'GET'],
+        ['name' => 'Js#getJs', 'url' => '/js/{appName}/{fileName}', 'verb' => 'GET'],
+        ['name' => 'contactsMenu#index', 'url' => '/contactsmenu/contacts', 'verb' => 'POST'],
+        ['name' => 'contactsMenu#findOne', 'url' => '/contactsmenu/findOne', 'verb' => 'POST'],
+        ['name' => 'WalledGarden#get', 'url' => '/204', 'verb' => 'GET'],
+        ['name' => 'Search#search', 'url' => '/core/search', 'verb' => 'GET'],
+    ],
+    'ocs' => [
+        ['root' => '/cloud', 'name' => 'OCS#getCapabilities', 'url' => '/capabilities', 'verb' => 'GET'],
+        ['root' => '', 'name' => 'OCS#getConfig', 'url' => '/config', 'verb' => 'GET'],
+        ['root' => '/person', 'name' => 'OCS#personCheck', 'url' => '/check', 'verb' => 'POST'],
+        ['root' => '/identityproof', 'name' => 'OCS#getIdentityProof', 'url' => '/key/{cloudId}', 'verb' => 'GET'],
+        ['root' => '/core', 'name' => 'Navigation#getAppsNavigation', 'url' => '/navigation/apps', 'verb' => 'GET'],
+        ['root' => '/core', 'name' => 'Navigation#getSettingsNavigation', 'url' => '/navigation/settings', 'verb' => 'GET'],
+        ['root' => '/core', 'name' => 'AutoComplete#get', 'url' => '/autocomplete/get', 'verb' => 'GET'],
+        ['root' => '/core', 'name' => 'WhatsNew#get', 'url' => '/whatsnew', 'verb' => 'GET'],
+        ['root' => '/core', 'name' => 'WhatsNew#dismiss', 'url' => '/whatsnew', 'verb' => 'POST'],
+        ['root' => '/core', 'name' => 'AppPassword#getAppPassword', 'url' => '/getapppassword', 'verb' => 'GET'],
+    ],
 ]);
 
 // Post installation check
@@ -90,12 +90,12 @@ 
 // Core ajax actions
 // Routing
 $this->create('core_ajax_update', '/core/ajax/update.php')
-	->actionInclude('core/ajax/update.php');
+    ->actionInclude('core/ajax/update.php');
 
 // File routes
 $this->create('files.viewcontroller.showFile', '/f/{fileid}')->action(function($urlParams) {
-	$app = new \OCA\Files\AppInfo\Application($urlParams);
-	$app->dispatch('ViewController', 'index');
+    $app = new \OCA\Files\AppInfo\Application($urlParams);
+    $app->dispatch('ViewController', 'index');
 });
 
 // Call routes
@@ -104,12 +104,12 @@ 
  * @suppress PhanUndeclaredClassMethod
  */
 $this->create('spreed.pagecontroller.showCall', '/call/{token}')->action(function($urlParams) {
-	if (class_exists(\OCA\Spreed\AppInfo\Application::class, false)) {
-		$app = new \OCA\Spreed\AppInfo\Application($urlParams);
-		$app->dispatch('PageController', 'index');
-	} else {
-		throw new \OC\HintException('App spreed is not enabled');
-	}
+    if (class_exists(\OCA\Spreed\AppInfo\Application::class, false)) {
+        $app = new \OCA\Spreed\AppInfo\Application($urlParams);
+        $app->dispatch('PageController', 'index');
+    } else {
+        throw new \OC\HintException('App spreed is not enabled');
+    }
 });
 
 // OCM routes
@@ -118,12 +118,12 @@ 
  * @suppress PhanUndeclaredClassMethod
  */
 $this->create('cloud_federation_api.requesthandlercontroller.addShare', '/ocm/shares')->post()->action(function($urlParams) {
-	if (class_exists(\OCA\CloudFederationAPI\AppInfo\Application::class, false)) {
-		$app = new \OCA\CloudFederationAPI\AppInfo\Application($urlParams);
-		$app->dispatch('RequestHandlerController', 'addShare');
-	} else {
-		throw new \OC\HintException('Cloud Federation API not enabled');
-	}
+    if (class_exists(\OCA\CloudFederationAPI\AppInfo\Application::class, false)) {
+        $app = new \OCA\CloudFederationAPI\AppInfo\Application($urlParams);
+        $app->dispatch('RequestHandlerController', 'addShare');
+    } else {
+        throw new \OC\HintException('Cloud Federation API not enabled');
+    }
 });
 
 /**
@@ -131,53 +131,53 @@ 
  * @suppress PhanUndeclaredClassMethod
  */
 $this->create('cloud_federation_api.requesthandlercontroller.receiveNotification', '/ocm/notifications')->post()->action(function($urlParams) {
-	if (class_exists(\OCA\CloudFederationAPI\AppInfo\Application::class, false)) {
-		$app = new \OCA\CloudFederationAPI\AppInfo\Application($urlParams);
-		$app->dispatch('RequestHandlerController', 'receiveNotification');
-	} else {
-		throw new \OC\HintException('Cloud Federation API not enabled');
-	}
+    if (class_exists(\OCA\CloudFederationAPI\AppInfo\Application::class, false)) {
+        $app = new \OCA\CloudFederationAPI\AppInfo\Application($urlParams);
+        $app->dispatch('RequestHandlerController', 'receiveNotification');
+    } else {
+        throw new \OC\HintException('Cloud Federation API not enabled');
+    }
 });
 
 
 // Sharing routes
 $this->create('files_sharing.sharecontroller.showShare', '/s/{token}')->action(function($urlParams) {
-	if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
-		$app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
-		$app->dispatch('ShareController', 'showShare');
-	} else {
-		throw new \OC\HintException('App file sharing is not enabled');
-	}
+    if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
+        $app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
+        $app->dispatch('ShareController', 'showShare');
+    } else {
+        throw new \OC\HintException('App file sharing is not enabled');
+    }
 });
 $this->create('files_sharing.sharecontroller.authenticate', '/s/{token}/authenticate/{redirect}')->post()->action(function($urlParams) {
-	if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
-		$app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
-		$app->dispatch('ShareController', 'authenticate');
-	} else {
-		throw new \OC\HintException('App file sharing is not enabled');
-	}
+    if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
+        $app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
+        $app->dispatch('ShareController', 'authenticate');
+    } else {
+        throw new \OC\HintException('App file sharing is not enabled');
+    }
 });
 $this->create('files_sharing.sharecontroller.showAuthenticate', '/s/{token}/authenticate/{redirect}')->get()->action(function($urlParams) {
-	if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
-		$app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
-		$app->dispatch('ShareController', 'showAuthenticate');
-	} else {
-		throw new \OC\HintException('App file sharing is not enabled');
-	}
+    if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
+        $app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
+        $app->dispatch('ShareController', 'showAuthenticate');
+    } else {
+        throw new \OC\HintException('App file sharing is not enabled');
+    }
 });
 $this->create('files_sharing.sharecontroller.downloadShare', '/s/{token}/download')->get()->action(function($urlParams) {
-	if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
-		$app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
-		$app->dispatch('ShareController', 'downloadShare');
-	} else {
-		throw new \OC\HintException('App file sharing is not enabled');
-	}
+    if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
+        $app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
+        $app->dispatch('ShareController', 'downloadShare');
+    } else {
+        throw new \OC\HintException('App file sharing is not enabled');
+    }
 });
 $this->create('files_sharing.publicpreview.directLink', '/s/{token}/preview')->get()->action(function($urlParams) {
-	if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
-		$app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
-		$app->dispatch('PublicPreviewController', 'directLink');
-	} else {
-		throw new \OC\HintException('App file sharing is not enabled');
-	}
+    if (class_exists(\OCA\Files_Sharing\AppInfo\Application::class, false)) {
+        $app = new \OCA\Files_Sharing\AppInfo\Application($urlParams);
+        $app->dispatch('PublicPreviewController', 'directLink');
+    } else {
+        throw new \OC\HintException('App file sharing is not enabled');
+    }
 });

core/Controller/ClientFlowLoginController.php

Indentation +312 added lines, -312 removed lines

@@ -48,316 +48,316 @@
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 class ClientFlowLoginController extends Controller {
-	/** @var IUserSession */
-	private $userSession;
-	/** @var IL10N */
-	private $l10n;
-	/** @var Defaults */
-	private $defaults;
-	/** @var ISession */
-	private $session;
-	/** @var IProvider */
-	private $tokenProvider;
-	/** @var ISecureRandom */
-	private $random;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ClientMapper */
-	private $clientMapper;
-	/** @var AccessTokenMapper */
-	private $accessTokenMapper;
-	/** @var ICrypto */
-	private $crypto;
-
-	const stateName = 'client.flow.state.token';
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IUserSession $userSession
-	 * @param IL10N $l10n
-	 * @param Defaults $defaults
-	 * @param ISession $session
-	 * @param IProvider $tokenProvider
-	 * @param ISecureRandom $random
-	 * @param IURLGenerator $urlGenerator
-	 * @param ClientMapper $clientMapper
-	 * @param AccessTokenMapper $accessTokenMapper
-	 * @param ICrypto $crypto
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IUserSession $userSession,
-								IL10N $l10n,
-								Defaults $defaults,
-								ISession $session,
-								IProvider $tokenProvider,
-								ISecureRandom $random,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								AccessTokenMapper $accessTokenMapper,
-								ICrypto $crypto) {
-		parent::__construct($appName, $request);
-		$this->userSession = $userSession;
-		$this->l10n = $l10n;
-		$this->defaults = $defaults;
-		$this->session = $session;
-		$this->tokenProvider = $tokenProvider;
-		$this->random = $random;
-		$this->urlGenerator = $urlGenerator;
-		$this->clientMapper = $clientMapper;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->crypto = $crypto;
-	}
-
-	/**
-	 * @return string
-	 */
-	private function getClientName() {
-		$userAgent = $this->request->getHeader('USER_AGENT');
-		return $userAgent !== '' ? $userAgent : 'unknown';
-	}
-
-	/**
-	 * @param string $stateToken
-	 * @return bool
-	 */
-	private function isValidToken($stateToken) {
-		$currentToken = $this->session->get(self::stateName);
-		if(!is_string($stateToken) || !is_string($currentToken)) {
-			return false;
-		}
-		return hash_equals($currentToken, $stateToken);
-	}
-
-	/**
-	 * @return TemplateResponse
-	 */
-	private function stateTokenForbiddenResponse() {
-		$response = new TemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'file' => $this->l10n->t('State token does not match'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @UseSession
-	 *
-	 * @param string $clientIdentifier
-	 *
-	 * @return TemplateResponse
-	 */
-	public function showAuthPickerPage($clientIdentifier = '') {
-		$clientName = $this->getClientName();
-		$client = null;
-		if($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)
-		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');
-		if ($clientRequest !== 'true' && $client === null) {
-			return new TemplateResponse(
-				$this->appName,
-				'error',
-				[
-					'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-				],
-				'guest'
-			);
-		}
-
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::stateName, $stateToken);
-
-		return new TemplateResponse(
-			$this->appName,
-			'loginflow/authpicker',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-			],
-			'guest'
-		);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return TemplateResponse
-	 */
-	public function grantPage($stateToken = '',
-								 $clientIdentifier = '') {
-		if(!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$clientName = $this->getClientName();
-		$client = null;
-		if($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		return new TemplateResponse(
-			$this->appName,
-			'loginflow/grant',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-			],
-			'guest'
-		);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return Http\RedirectResponse|Response
-	 */
-	public function generateAppPassword($stateToken,
-										$clientIdentifier = '') {
-		if(!$this->isValidToken($stateToken)) {
-			$this->session->remove(self::stateName);
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$this->session->remove(self::stateName);
-
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$clientName = $this->getClientName();
-		$client = false;
-		if($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$uid = $this->userSession->getUser()->getUID();
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$uid,
-			$loginName,
-			$password,
-			$clientName,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		if($client) {
-			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-			$accessToken = new AccessToken();
-			$accessToken->setClientId($client->getId());
-			$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
-			$accessToken->setHashedCode(hash('sha512', $code));
-			$accessToken->setTokenId($generatedToken->getId());
-			$this->accessTokenMapper->insert($accessToken);
-
-			$redirectUri = sprintf(
-				'%s?state=%s&code=%s',
-				$client->getRedirectUri(),
-				urlencode($this->session->get('oauth.state')),
-				urlencode($code)
-			);
-			$this->session->remove('oauth.state');
-		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
-
-			// Clear the token from the login here
-			$this->tokenProvider->invalidateToken($sessionId);
-		}
-
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	/**
-	 * @PublicPage
-	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password) {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	private function getServerPath(): string {
-		$serverPostfix = '';
-
-		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-		} else if (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
-		}
-
-		$protocol = $this->request->getServerProtocol();
-
-		if ($protocol !== "https") {
-			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
-			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
-			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
-				$protocol = 'https';
-			}
-		}
-
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
-	}
+    /** @var IUserSession */
+    private $userSession;
+    /** @var IL10N */
+    private $l10n;
+    /** @var Defaults */
+    private $defaults;
+    /** @var ISession */
+    private $session;
+    /** @var IProvider */
+    private $tokenProvider;
+    /** @var ISecureRandom */
+    private $random;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ClientMapper */
+    private $clientMapper;
+    /** @var AccessTokenMapper */
+    private $accessTokenMapper;
+    /** @var ICrypto */
+    private $crypto;
+
+    const stateName = 'client.flow.state.token';
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IUserSession $userSession
+     * @param IL10N $l10n
+     * @param Defaults $defaults
+     * @param ISession $session
+     * @param IProvider $tokenProvider
+     * @param ISecureRandom $random
+     * @param IURLGenerator $urlGenerator
+     * @param ClientMapper $clientMapper
+     * @param AccessTokenMapper $accessTokenMapper
+     * @param ICrypto $crypto
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IUserSession $userSession,
+                                IL10N $l10n,
+                                Defaults $defaults,
+                                ISession $session,
+                                IProvider $tokenProvider,
+                                ISecureRandom $random,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                AccessTokenMapper $accessTokenMapper,
+                                ICrypto $crypto) {
+        parent::__construct($appName, $request);
+        $this->userSession = $userSession;
+        $this->l10n = $l10n;
+        $this->defaults = $defaults;
+        $this->session = $session;
+        $this->tokenProvider = $tokenProvider;
+        $this->random = $random;
+        $this->urlGenerator = $urlGenerator;
+        $this->clientMapper = $clientMapper;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->crypto = $crypto;
+    }
+
+    /**
+     * @return string
+     */
+    private function getClientName() {
+        $userAgent = $this->request->getHeader('USER_AGENT');
+        return $userAgent !== '' ? $userAgent : 'unknown';
+    }
+
+    /**
+     * @param string $stateToken
+     * @return bool
+     */
+    private function isValidToken($stateToken) {
+        $currentToken = $this->session->get(self::stateName);
+        if(!is_string($stateToken) || !is_string($currentToken)) {
+            return false;
+        }
+        return hash_equals($currentToken, $stateToken);
+    }
+
+    /**
+     * @return TemplateResponse
+     */
+    private function stateTokenForbiddenResponse() {
+        $response = new TemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'file' => $this->l10n->t('State token does not match'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     * @UseSession
+     *
+     * @param string $clientIdentifier
+     *
+     * @return TemplateResponse
+     */
+    public function showAuthPickerPage($clientIdentifier = '') {
+        $clientName = $this->getClientName();
+        $client = null;
+        if($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        // No valid clientIdentifier given and no valid API Request (APIRequest header not set)
+        $clientRequest = $this->request->getHeader('OCS-APIREQUEST');
+        if ($clientRequest !== 'true' && $client === null) {
+            return new TemplateResponse(
+                $this->appName,
+                'error',
+                [
+                    'errors' =>
+                    [
+                        [
+                            'error' => 'Access Forbidden',
+                            'hint' => 'Invalid request',
+                        ],
+                    ],
+                ],
+                'guest'
+            );
+        }
+
+        $stateToken = $this->random->generate(
+            64,
+            ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+        );
+        $this->session->set(self::stateName, $stateToken);
+
+        return new TemplateResponse(
+            $this->appName,
+            'loginflow/authpicker',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+            ],
+            'guest'
+        );
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @NoSameSiteCookieRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return TemplateResponse
+     */
+    public function grantPage($stateToken = '',
+                                    $clientIdentifier = '') {
+        if(!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $clientName = $this->getClientName();
+        $client = null;
+        if($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        return new TemplateResponse(
+            $this->appName,
+            'loginflow/grant',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+            ],
+            'guest'
+        );
+    }
+
+    /**
+     * @NoAdminRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return Http\RedirectResponse|Response
+     */
+    public function generateAppPassword($stateToken,
+                                        $clientIdentifier = '') {
+        if(!$this->isValidToken($stateToken)) {
+            $this->session->remove(self::stateName);
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $this->session->remove(self::stateName);
+
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $clientName = $this->getClientName();
+        $client = false;
+        if($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $uid = $this->userSession->getUser()->getUID();
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $uid,
+            $loginName,
+            $password,
+            $clientName,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        if($client) {
+            $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+            $accessToken = new AccessToken();
+            $accessToken->setClientId($client->getId());
+            $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
+            $accessToken->setHashedCode(hash('sha512', $code));
+            $accessToken->setTokenId($generatedToken->getId());
+            $this->accessTokenMapper->insert($accessToken);
+
+            $redirectUri = sprintf(
+                '%s?state=%s&code=%s',
+                $client->getRedirectUri(),
+                urlencode($this->session->get('oauth.state')),
+                urlencode($code)
+            );
+            $this->session->remove('oauth.state');
+        } else {
+            $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+
+            // Clear the token from the login here
+            $this->tokenProvider->invalidateToken($sessionId);
+        }
+
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    /**
+     * @PublicPage
+     */
+    public function apptokenRedirect(string $stateToken, string $user, string $password) {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    private function getServerPath(): string {
+        $serverPostfix = '';
+
+        if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+        } else if (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+        }
+
+        $protocol = $this->request->getServerProtocol();
+
+        if ($protocol !== "https") {
+            $xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+            $xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+            if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+                $protocol = 'https';
+            }
+        }
+
+        return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+    }
 }

Spacing +10 added lines, -10 removed lines

@@ -124,7 +124,7 @@ 
 	 */
 	private function isValidToken($stateToken) {
 		$currentToken = $this->session->get(self::stateName);
-		if(!is_string($stateToken) || !is_string($currentToken)) {
+		if (!is_string($stateToken) || !is_string($currentToken)) {
 			return false;
 		}
 		return hash_equals($currentToken, $stateToken);
@@ -158,7 +158,7 @@ 
 	public function showAuthPickerPage($clientIdentifier = '') {
 		$clientName = $this->getClientName();
 		$client = null;
-		if($clientIdentifier !== '') {
+		if ($clientIdentifier !== '') {
 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
 			$clientName = $client->getName();
 		}
@@ -216,13 +216,13 @@ 
 	 */
 	public function grantPage($stateToken = '',
 								 $clientIdentifier = '') {
-		if(!$this->isValidToken($stateToken)) {
+		if (!$this->isValidToken($stateToken)) {
 			return $this->stateTokenForbiddenResponse();
 		}
 
 		$clientName = $this->getClientName();
 		$client = null;
-		if($clientIdentifier !== '') {
+		if ($clientIdentifier !== '') {
 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
 			$clientName = $client->getName();
 		}
@@ -253,7 +253,7 @@ 
 	 */
 	public function generateAppPassword($stateToken,
 										$clientIdentifier = '') {
-		if(!$this->isValidToken($stateToken)) {
+		if (!$this->isValidToken($stateToken)) {
 			$this->session->remove(self::stateName);
 			return $this->stateTokenForbiddenResponse();
 		}
@@ -284,7 +284,7 @@ 
 
 		$clientName = $this->getClientName();
 		$client = false;
-		if($clientIdentifier !== '') {
+		if ($clientIdentifier !== '') {
 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
 			$clientName = $client->getName();
 		}
@@ -301,7 +301,7 @@ 
 			IToken::DO_NOT_REMEMBER
 		);
 
-		if($client) {
+		if ($client) {
 			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 			$accessToken = new AccessToken();
 			$accessToken->setClientId($client->getId());
@@ -318,7 +318,7 @@ 
 			);
 			$this->session->remove('oauth.state');
 		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+			$redirectUri = 'nc://login/server:'.$this->getServerPath().'&user:'.urlencode($loginName).'&password:'.urlencode($token);
 
 			// Clear the token from the login here
 			$this->tokenProvider->invalidateToken($sessionId);
@@ -335,7 +335,7 @@ 
 			return $this->stateTokenForbiddenResponse();
 		}
 
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+		$redirectUri = 'nc://login/server:'.$this->getServerPath().'&user:'.urlencode($user).'&password:'.urlencode($password);
 		return new Http\RedirectResponse($redirectUri);
 	}
 
@@ -358,6 +358,6 @@ 
 			}
 		}
 
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+		return $protocol."://".$this->request->getServerHost().$serverPostfix;
 	}
 }