Diogo Peralta Cordeiro 2022-01-16 18:52:05 +00:00
parent 95c8f3bdc7
commit 841d10cde0
Signed by: diogo
GPG Key ID: 18D2D35001FBFAB0
2 changed files with 11 additions and 1 deletions


@ -43,6 +43,7 @@ use Plugin\OAuth2\Controller\Apps;
use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent; use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\Event\UserResolveEvent; use Trikoder\Bundle\OAuth2Bundle\Event\UserResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\Model\Grant;
use Trikoder\Bundle\OAuth2Bundle\OAuth2Events; use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;
use XML_XRD_Element_Link; use XML_XRD_Element_Link;
@ -106,6 +107,7 @@ class OAuth2 extends Plugin implements EventSubscriberInterface
$user = Common::ensureLoggedIn(); $user = Common::ensureLoggedIn();
$event->setUser($user); $event->setUser($user);
$event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED); $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
$event->getClient()->setGrants(new Grant('client_credentials'), new Grant('authorization_code'));
} catch (NoLoggedInUser) { } catch (NoLoggedInUser) {
$event->setResponse(new Response(302, [ $event->setResponse(new Response(302, [
'Location' => Router::url('security_login', [ 'Location' => Router::url('security_login', [
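Review bot: The added `$event->getClient()->setGrants(new Grant('client_credentials'), new Grant('authorization_code'));` reassigns a client's allowed grants inside the authorization-resolve handler, i.e. every time a user approves a request, rather than once at client registration; unless the Trikoder model appends instead of replacing (worth checking), this also discards whatever grants the client was registered with. Handing `client_credentials` to every client that reaches this path lets any registered app obtain tokens with no user involved, which is a broad privilege to grant implicitly; if only some apps need it, the assignment belongs in the registration flow (the `Apps` controller imported in the first hunk) and should be opt-in per client. It is also not visible whether the mutated client is persisted or lives only for this request, so the effect may be inconsistent between requests. At minimum the line deserves a why-comment such as `// NOTE(review): grants are reassigned on every approval — confirm this is intended and persisted`. The enclosing try/catch starts and ends outside the hunk.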


@ -180,8 +180,15 @@ abstract class Controller extends AbstractController implements EventSubscriberI
$event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()'); $event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
$event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;'); $event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
$event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie'); $event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
$event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN'); $event->getResponse()->headers->set('x-frame-options', 'DENY');
$event->getResponse()->headers->set('x-xss-protection', '1; mode=block'); $event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
$event->getResponse()->headers->set('x-content-type-options', 'nosniff');
$event->getResponse()->headers->set('x-download-options', 'noopen');
$event->getResponse()->headers->set('x-permitted-cross-domain-policies', 'none');
$event->getResponse()->headers->set('access-control-allow-credentials', true);
$event->getResponse()->headers->set('access-control-allow-origin', '*');
$event->getResponse()->headers->set('referrer-policy', 'same-origin');
$event->getResponse()->headers->set('access-control-expose-headers', 'Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key');
$policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;"; $policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
$event->getResponse()->headers->set('Content-Security-Policy', $policy); $event->getResponse()->headers->set('Content-Security-Policy', $policy);
$event->getResponse()->headers->set('X-Content-Security-Policy', $policy); $event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
@ -257,6 +264,7 @@ abstract class Controller extends AbstractController implements EventSubscriberI
} else { } else {
return null; return null;
} }
// no break
case 'params': case 'params':
return $this->request->query->all(); return $this->request->query->all();
default: default:
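Review bot: In the first hunk of this file, `access-control-allow-credentials` is set to the boolean `true` while `access-control-allow-origin` is `*`; browsers reject credentialed cross-origin responses whose allow-origin is the wildcard, so the pair cancels out, and Symfony's `HeaderBag::set()` takes a string or array — depending on the Symfony version this is a `TypeError` under `strict_types` or a coercion to `1`, which is not the literal `true` the CORS spec requires. Unless credentialed CORS against a validated Origin is actually intended, the simplest fix is to drop the line `$event->getResponse()->headers->set('access-control-allow-credentials', true);` and keep the wildcard for non-credentialed reads only. The new `x-frame-options: DENY` also disagrees with the CSP `frame-ancestors 'self'` set a few lines below; CSP-aware browsers follow `frame-ancestors` and ignore X-Frame-Options when both are present, so the effective policy stays same-origin — pick one and record the choice in a comment. Since these headers are applied to every controller response, a short comment stating that `*` intentionally exposes all non-credentialed responses cross-origin, e.g. `// All routes are readable cross-origin without credentials; see CSP below for framing`, would make the intent auditable. The enclosing method starts and ends outside the hunk.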