wip42

2022-01-16 18:14:08 +00:00 · 2022-01-16 18:14:08 +00:00 · b82818646f
commit b82818646f
parent 5ac764f3e5
3 changed files with 7 additions and 16 deletions
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@ -20,10 +20,6 @@ security:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
-        oauth_token:
-            pattern: ^/oauth/(token|authorize)$
-            provider: local_user
-            security: false
        api_apps:
            pattern: ^/api/v1/apps$
            security: false
--- a/plugins/OAuth2/OAuth2.php
+++ b/plugins/OAuth2/OAuth2.php
@ -33,7 +33,6 @@ declare(strict_types = 1);
 namespace Plugin\OAuth2;

 use App\Core\Event;
-use App\Core\Log;
 use App\Core\Modules\Plugin;
 use App\Core\Router\RouteLoader;
 use App\Core\Router\Router;
@ -44,8 +43,6 @@ use Nyholm\Psr7\Response;
 use Plugin\OAuth2\Controller\Apps;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpFoundation\Exception\BadRequestException;
-use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
-use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
 use Trikoder\Bundle\OAuth2Bundle\Event\UserResolveEvent;
 use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;
@ -94,19 +91,14 @@ class OAuth2 extends Plugin implements EventSubscriberInterface
        return Event::next;
    }

-    public function userResolve(UserResolveEvent $event, UserProviderInterface $userProvider, UserPasswordEncoderInterface $userPasswordEncoder): void
+    public function userResolve(UserResolveEvent $event): void
    {
-        Log::debug('cenas: ', [$event, $userProvider, $userPasswordEncoder]);
-        $user = $userProvider->loadUserByUsername($event->getUsername());
+        $user = Common::user();

        if (\is_null($user)) {
            return;
        }

-        if (!$userPasswordEncoder->isPasswordValid($user, $event->getPassword())) {
-            return;
-        }
-
        $event->setUser($user);
    }

--- a/src/Controller/Security.php
+++ b/src/Controller/Security.php
@ -36,6 +36,7 @@ use LogicException;
 use Symfony\Component\Form\Extension\Core\Type\EmailType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
@ -49,11 +50,13 @@ class Security extends Controller
    /**
     * Log a user in
     */
-    public function login(AuthenticationUtils $authenticationUtils)
+    public function login(AuthenticationUtils $authenticationUtils): RedirectResponse|array
    {
        // Skip if already logged in
        if ($this->getUser()) {
-            return $this->redirectToRoute('root');
+            // TODO: Fix the Open Redirect security flaw here.
+            $targetPath = Common::getRequest()->query->get('returnUrl');
+            return \is_null($targetPath) ? $this->redirectToRoute('root') : new RedirectResponse($targetPath);
        }

        // get the login error if there is one