Use the proper server for the apptoken flow login

rullzer · rullzer · commit 62340236e75e · 2018-10-31T23:09:52.000+01:00
If a user can't authenticate normally (because they have 2FA that is not
available on their devices for example). The redirect that is generated
should be of the proper format.

This means

1. Include the protocol
2. Include the possible subfolder

Signed-off-by: Roeland Jago Douma &lt;roeland@famdouma.nl&gt;
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
@@ -197,7 +197,7 @@ public function showAuthPickerPage($clientIdentifier = '') {
 				'instanceName' => $this->defaults->getName(),
 				'urlGenerator' => $this->urlGenerator,
 				'stateToken' => $stateToken,
-				'serverHost' => $this->request->getServerHost(),
+				'serverHost' => $this->getServerPath(),
 				'oauthState' => $this->session->get('oauth.state'),
 			],
 			'guest'
@@ -235,7 +235,7 @@ public function grantPage($stateToken = '',
 				'instanceName' => $this->defaults->getName(),
 				'urlGenerator' => $this->urlGenerator,
 				'stateToken' => $stateToken,
-				'serverHost' => $this->request->getServerHost(),
+				'serverHost' => $this->getServerPath(),
 				'oauthState' => $this->session->get('oauth.state'),
 			],
 			'guest'
@@ -345,32 +345,34 @@ public function generateAppPassword($stateToken,
 			);
 			$this->session->remove('oauth.state');
 		} else {
-			$serverPostfix = '';
+			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
 
-			if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-				$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-			} else if (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
-				$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
-			}
+			// Clear the token from the login here
+			$this->tokenProvider->invalidateToken($sessionId);
+		}
 
-			$protocol = $this->request->getServerProtocol();
+		return new Http\RedirectResponse($redirectUri);
+	}
 
-			if ($protocol !== "https") {
-				$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
-				$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
-				if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
-					$protocol = 'https';
-				}
-			}
+	private function getServerPath(): string {
+		$serverPostfix = '';
 
+		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+		} else if (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+		}
 
-			$serverPath = $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
-			$redirectUri = 'nc://login/server:' . $serverPath . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+		$protocol = $this->request->getServerProtocol();
 
-			// Clear the token from the login here
-			$this->tokenProvider->invalidateToken($sessionId);
+		if ($protocol !== "https") {
+			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+				$protocol = 'https';
+			}
 		}
 
-		return new Http\RedirectResponse($redirectUri);
+		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
 	}
 }
