nextcloud_webdav_client-1.0.x-dev/src/Controller/NextCloudUserOAuth2Controller.php
src/Controller/NextCloudUserOAuth2Controller.php
<?php
namespace Drupal\nextcloud_webdav_client\Controller;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager;
use Drupal\user\UserInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
/**
* Controller for per-user OAuth2 operations.
*/
class NextCloudUserOAuth2Controller extends ControllerBase {
/**
* The OAuth2 manager service.
*
* @var \Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager
*/
protected $oauth2Manager;
/**
* Constructs a NextCloudUserOAuth2Controller object.
*
* @param \Drupal\nextcloud_webdav_client\Service\NextCloudOAuth2Manager $oauth2_manager
* The OAuth2 manager service.
*/
public function __construct(NextCloudOAuth2Manager $oauth2_manager) {
$this->oauth2Manager = $oauth2_manager;
}
/**
* {@inheritdoc}
*/
public static function create(ContainerInterface $container) {
return new static(
$container->get('nextcloud_webdav_client.oauth2_manager')
);
}
/**
* Checks access for user-specific NextCloud pages.
*
* @param \Drupal\user\UserInterface $user
* The user whose page is being accessed.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function checkAccess(UserInterface $user, AccountInterface $account) {
// Allow if user is viewing their own page, or has admin permission.
return AccessResult::allowedIf(
$user->id() == $account->id() ||
$account->hasPermission('administer nextcloud webdav')
);
}
/**
* Handles the OAuth2 authorization callback for a user.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The current request.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the user's NextCloud page.
*/
public function callback(Request $request): RedirectResponse {
$code = $request->query->get('code');
$error = $request->query->get('error');
$error_description = $request->query->get('error_description');
$state = $request->query->get('state');
$current_user = $this->currentUser();
$user = $this->entityTypeManager()->getStorage('user')->load($current_user->id());
// Validate CSRF state parameter.
$session = $request->getSession();
$stored_state = $session->get('nextcloud_oauth2_state');
$state_time = $session->get('nextcloud_oauth2_state_time');
// Clear the state from session immediately to prevent reuse.
$session->remove('nextcloud_oauth2_state');
$session->remove('nextcloud_oauth2_state_time');
// Validate state exists and matches using constant-time comparison.
if (empty($state) || empty($stored_state) || !hash_equals($stored_state, $state)) {
$this->messenger()->addError($this->t('OAuth2 authorization failed: Invalid state parameter. This may be a CSRF attack.'));
\Drupal::logger('nextcloud_webdav_client')->error('User @uid OAuth2 CSRF validation failed. State mismatch or missing.', [
'@uid' => $user->id(),
]);
return $this->redirectToUserPage($user);
}
// Check if state is too old (10 minutes max).
if (empty($state_time) || (time() - $state_time) > 600) {
$this->messenger()->addError($this->t('OAuth2 authorization failed: State parameter expired. Please try again.'));
\Drupal::logger('nextcloud_webdav_client')->warning('User @uid OAuth2 state parameter expired.', [
'@uid' => $user->id(),
]);
return $this->redirectToUserPage($user);
}
// Check for OAuth2 errors.
if (!empty($error)) {
$message = $this->t('OAuth2 authorization failed: @error', [
'@error' => $error,
]);
if (!empty($error_description)) {
$message = $this->t('OAuth2 authorization failed: @error - @description', [
'@error' => $error,
'@description' => $error_description,
]);
}
$this->messenger()->addError($message);
\Drupal::logger('nextcloud_webdav_client')->error('User @uid OAuth2 authorization error: @error - @description', [
'@uid' => $user->id(),
'@error' => $error,
'@description' => $error_description ?? 'No description provided',
]);
return $this->redirectToUserPage($user);
}
// Check if authorization code is present.
if (empty($code)) {
$this->messenger()->addError($this->t('OAuth2 authorization code missing.'));
\Drupal::logger('nextcloud_webdav_client')->error('User @uid OAuth2 callback received without authorization code.', [
'@uid' => $user->id(),
]);
return $this->redirectToUserPage($user);
}
// Build the redirect URI (this same endpoint).
$redirect_uri = Url::fromRoute('nextcloud_webdav_client.user_oauth2_callback', [], [
'absolute' => TRUE,
])->toString();
// Exchange authorization code for tokens.
if ($this->oauth2Manager->exchangeAuthorizationCodeForUser($user, $code, $redirect_uri)) {
$this->messenger()->addStatus($this->t('Your NextCloud account has been linked successfully!'));
\Drupal::logger('nextcloud_webdav_client')->info('User @uid OAuth2 authorization completed successfully.', [
'@uid' => $user->id(),
]);
}
else {
$this->messenger()->addError($this->t('Failed to link your NextCloud account. Please check the logs for details.'));
\Drupal::logger('nextcloud_webdav_client')->error('User @uid failed to exchange OAuth2 authorization code.', [
'@uid' => $user->id(),
]);
}
return $this->redirectToUserPage($user);
}
/**
* Unlinks a user's NextCloud account.
*
* @param \Drupal\user\UserInterface $user
* The user.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the user's NextCloud page.
*/
public function unlink(UserInterface $user): RedirectResponse {
/** @var \Drupal\nextcloud_webdav_client\NextCloudUserTokenStorageInterface $storage */
$storage = $this->entityTypeManager()->getStorage('nextcloud_user_token');
if ($storage->deleteForUser($user)) {
$this->messenger()->addStatus($this->t('Your NextCloud account has been unlinked.'));
\Drupal::logger('nextcloud_webdav_client')->info('User @uid unlinked NextCloud account.', [
'@uid' => $user->id(),
]);
}
else {
$this->messenger()->addWarning($this->t('No linked NextCloud account found.'));
}
return $this->redirectToUserPage($user);
}
/**
* Refreshes a user's access token.
*
* @param \Drupal\user\UserInterface $user
* The user.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response to the user's NextCloud page.
*/
public function refreshToken(UserInterface $user): RedirectResponse {
if ($this->oauth2Manager->refreshUserAccessToken($user)) {
$this->messenger()->addStatus($this->t('Your NextCloud access token has been refreshed.'));
\Drupal::logger('nextcloud_webdav_client')->info('User @uid manual token refresh successful.', [
'@uid' => $user->id(),
]);
}
else {
$this->messenger()->addError($this->t('Failed to refresh access token. You may need to re-link your account.'));
\Drupal::logger('nextcloud_webdav_client')->error('User @uid manual token refresh failed.', [
'@uid' => $user->id(),
]);
}
return $this->redirectToUserPage($user);
}
/**
* Redirects to the user's NextCloud account page.
*
* @param \Drupal\user\UserInterface $user
* The user.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response.
*/
protected function redirectToUserPage(UserInterface $user): RedirectResponse {
$url = Url::fromRoute('nextcloud_webdav_client.user_link', [
'user' => $user->id(),
]);
return new RedirectResponse($url->toString());
}
}
