nextcloud_webdav_client-1.0.x-dev/src/Controller/OAuth2CallbackController.php
src/Controller/OAuth2CallbackController.php
<?php
namespace Drupal\nextcloud_webdav_client\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
/**
* Controller for handling OAuth2 authorization callbacks.
*/
class OAuth2CallbackController extends ControllerBase {
/**
* The OAuth2 manager service.
*
* @var \Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager
*/
protected $oauth2Manager;
/**
* Constructs an OAuth2CallbackController object.
*
* @param \Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager $oauth2_manager
* The OAuth2 manager service.
*/
public function __construct(NextCloudOAuth2Manager $oauth2_manager) {
$this->oauth2Manager = $oauth2_manager;
}
/**
* {@inheritdoc}
*/
public static function create(ContainerInterface $container) {
return new static(
$container->get('nextcloud_webdav_client.oauth2_manager')
);
}
/**
* Handles the OAuth2 authorization callback.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The current request.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the settings page.
*/
public function callback(Request $request): RedirectResponse {
$code = $request->query->get('code');
$error = $request->query->get('error');
$error_description = $request->query->get('error_description');
$state = $request->query->get('state');
// Validate CSRF state parameter.
$session = $request->getSession();
$stored_state = $session->get('nextcloud_oauth2_state');
$state_time = $session->get('nextcloud_oauth2_state_time');
// Clear the state from session immediately to prevent reuse.
$session->remove('nextcloud_oauth2_state');
$session->remove('nextcloud_oauth2_state_time');
// Validate state exists and matches.
if (empty($state) || empty($stored_state) || !hash_equals($stored_state, $state)) {
$this->messenger()->addError($this->t('OAuth2 authorization failed: Invalid state parameter. This may be a CSRF attack.'));
\Drupal::logger('nextcloud_webdav_client')->error('OAuth2 CSRF validation failed. State mismatch or missing.');
return $this->redirectToSettings();
}
// Check if state is too old (10 minutes max).
if (empty($state_time) || (time() - $state_time) > 600) {
$this->messenger()->addError($this->t('OAuth2 authorization failed: State parameter expired. Please try again.'));
\Drupal::logger('nextcloud_webdav_client')->warning('OAuth2 state parameter expired.');
return $this->redirectToSettings();
}
// Check for OAuth2 errors.
if (!empty($error)) {
$message = $this->t('OAuth2 authorization failed: @error', [
'@error' => $error,
]);
if (!empty($error_description)) {
$message = $this->t('OAuth2 authorization failed: @error - @description', [
'@error' => $error,
'@description' => $error_description,
]);
}
$this->messenger()->addError($message);
\Drupal::logger('nextcloud_webdav_client')->error('OAuth2 authorization error: @error - @description', [
'@error' => $error,
'@description' => $error_description ?? 'No description provided',
]);
return $this->redirectToSettings();
}
// Check if authorization code is present.
if (empty($code)) {
$this->messenger()->addError($this->t('OAuth2 authorization code missing.'));
\Drupal::logger('nextcloud_webdav_client')->error('OAuth2 callback received without authorization code.');
return $this->redirectToSettings();
}
// Build the redirect URI (this same endpoint).
$redirect_uri = Url::fromRoute('nextcloud_webdav_client.oauth2_callback', [], [
'absolute' => TRUE,
])->toString();
// Exchange authorization code for tokens.
if ($this->oauth2Manager->exchangeAuthorizationCode($code, $redirect_uri)) {
$this->messenger()->addStatus($this->t('OAuth2 authorization successful! You can now use the NextCloud WebDAV client.'));
\Drupal::logger('nextcloud_webdav_client')->info('OAuth2 authorization completed successfully.');
}
else {
$this->messenger()->addError($this->t('Failed to exchange authorization code for tokens. Please check the logs for details.'));
\Drupal::logger('nextcloud_webdav_client')->error('Failed to exchange OAuth2 authorization code.');
}
return $this->redirectToSettings();
}
/**
* Handles manual token refresh requests.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the settings page.
*/
public function refreshToken(): RedirectResponse {
if ($this->oauth2Manager->refreshAccessToken()) {
$this->messenger()->addStatus($this->t('Access token refreshed successfully.'));
\Drupal::logger('nextcloud_webdav_client')->info('Manual token refresh successful.');
}
else {
$this->messenger()->addError($this->t('Failed to refresh access token. You may need to re-authorize the application.'));
\Drupal::logger('nextcloud_webdav_client')->error('Manual token refresh failed.');
}
return $this->redirectToSettings();
}
/**
* Handles token revocation (clearing tokens).
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the settings page.
*/
public function clearTokens(): RedirectResponse {
$this->oauth2Manager->clearTokens();
$this->messenger()->addStatus($this->t('OAuth2 authorization has been cleared. You will need to authorize again to use OAuth2 authentication.'));
\Drupal::logger('nextcloud_webdav_client')->info('OAuth2 tokens cleared by user.');
return $this->redirectToSettings();
}
/**
* Redirects to the NextCloud WebDAV settings page.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response.
*/
protected function redirectToSettings(): RedirectResponse {
$url = Url::fromRoute('nextcloud_webdav_client.settings');
return new RedirectResponse($url->toString());
}
}
