Merge pull request #11068 from nanaya/oauth-session

notbakaneko · web-flow · commit 466936ef2c62 · 2024-03-06T16:48:57.000+09:00
Ignore invalid session error from oauth approval endpoint
diff --git a/app/Exceptions/Handler.php b/app/Exceptions/Handler.php
@@ -72,6 +72,8 @@ public static function statusCode($e)
             return 401;
         } elseif ($e instanceof AuthorizationException || $e instanceof MissingScopeException) {
             return 403;
+        } elseif (static::isOAuthSessionException($e)) {
+            return 422;
         } else {
             return 500;
         }
@@ -82,6 +84,12 @@ private static function isOAuthServerException($e)
         return ($e instanceof PassportOAuthServerException) && ($e->getPrevious() instanceof OAuthServerException);
     }
 
+    private static function isOAuthSessionException(Throwable $e): bool
+    {
+        return ($e instanceof \Exception)
+            && $e->getMessage() === 'Authorization request was not present in the session.';
+    }
+
     private static function unwrapViewException(Throwable $e): Throwable
     {
         if ($e instanceof ViewException) {
@@ -175,7 +183,9 @@ public function render($request, Throwable $e)
 
     protected function shouldntReport(Throwable $e)
     {
-        return parent::shouldntReport(static::unwrapViewException($e)) || $this->isOAuthServerException($e);
+        $e = static::unwrapViewException($e);
+
+        return parent::shouldntReport($e) || static::isOAuthServerException($e) || static::isOAuthSessionException($e);
     }
 
     protected function unauthenticated($request, AuthenticationException $exception)
diff --git a/tests/Controllers/Passport/ApproveAuthorizationControllerTest.php b/tests/Controllers/Passport/ApproveAuthorizationControllerTest.php
@@ -0,0 +1,21 @@
+<?php
+
+// Copyright (c) ppy Pty Ltd <contact@ppy.sh>. Licensed under the GNU Affero General Public License v3.0.
+// See the LICENCE file in the repository root for full licence text.
+
+namespace Tests\Controllers\Passport;
+
+use App\Models\User;
+use Tests\TestCase;
+
+class ApproveAuthorizationControllerTest extends TestCase
+{
+    public function testApproveWithInvalidSession(): void
+    {
+        $user = User::factory()->create();
+
+        $this->actingAsVerified($user)
+            ->post(route('oauth.authorizations.authorize'))
+            ->assertStatus(422);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,8 @@ public static function statusCode($e)`
`72`	`72`	`return 401;`
`73`	`73`	`} elseif ($e instanceof AuthorizationException \|\| $e instanceof MissingScopeException) {`
`74`	`74`	`return 403;`
	`75`	`+ } elseif (static::isOAuthSessionException($e)) {`
	`76`	`+ return 422;`
`75`	`77`	`} else {`
`76`	`78`	`return 500;`
`77`	`79`	`}`
`@@ -82,6 +84,12 @@ private static function isOAuthServerException($e)`
`82`	`84`	`return ($e instanceof PassportOAuthServerException) && ($e->getPrevious() instanceof OAuthServerException);`
`83`	`85`	`}`
`84`	`86`
	`87`	`+ private static function isOAuthSessionException(Throwable $e): bool`
	`88`	`+ {`
	`89`	`+ return ($e instanceof \Exception)`
	`90`	`+ && $e->getMessage() === 'Authorization request was not present in the session.';`
	`91`	`+ }`
	`92`	`+`
`85`	`93`	`private static function unwrapViewException(Throwable $e): Throwable`
`86`	`94`	`{`
`87`	`95`	`if ($e instanceof ViewException) {`
`@@ -175,7 +183,9 @@ public function render($request, Throwable $e)`
`175`	`183`
`176`	`184`	`protected function shouldntReport(Throwable $e)`
`177`	`185`	`{`
`178`		`- return parent::shouldntReport(static::unwrapViewException($e)) \|\| $this->isOAuthServerException($e);`
	`186`	`+ $e = static::unwrapViewException($e);`
	`187`	`+`
	`188`	`+ return parent::shouldntReport($e) \|\| static::isOAuthServerException($e) \|\| static::isOAuthSessionException($e);`
`179`	`189`	`}`
`180`	`190`
`181`	`191`	`protected function unauthenticated($request, AuthenticationException $exception)`