Merge pull request ecamp#5382 from carlobeltrame/fix-expired-oauth-state-cookie

Fix expired oauth state cookie

Author: carlobeltrame

api/src/OAuth/JWTStateOAuth2Client.php

@@ -31,7 +31,7 @@
  * longer-living token and with parts of the cookie available to JavaScript.
  */
 class JWTStateOAuth2Client extends OAuth2Client implements OAuth2ClientInterface {
-    public const JWT_TTL = 300; // seconds, i.e. 5 minutes of validity for the JWT token
+    public const JWT_TTL = 900; // seconds, i.e. 15 minutes of validity for the JWT token
 
     public function __construct(
         AbstractProvider $provider,
@@ -101,14 +101,18 @@ public function redirect(array $scopes = [], array $options = []): RedirectRespo
     /**
      * Checks the validity of the temporary JWT cookie, and checks that the state parameter is correct.
      * Any irregularities would indicate someone tampering with the login system (or someone taking longer
-     * than 5 minutes to authenticate with the external service...)
+     * than 15 minutes to authenticate with the external service...)
      * After this custom state parameter check, we delegate to the original implementation to finish the OAuth
      * flow.
      *
      * @throws IdentityProviderException
      */
     public function getAccessToken(array $options = []): AccessTokenInterface {
         $jwt = $this->getCurrentRequest()->cookies->get($this->getCookieName($this->cookiePrefix));
+        if (null === $jwt) {
+            throw new InvalidStateException('Expired state');
+        }
+
         $actualState = $this->getCurrentRequest()->get('state');
 
         try {

api/src/Security/OAuth/GoogleAuthenticator.php

@@ -12,6 +12,7 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
 use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -100,6 +101,6 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response {
         $message = strtr($exception->getMessageKey(), $exception->getMessageData());
 
-        return new Response($message, Response::HTTP_FORBIDDEN);
+        return new JsonResponse(['message' => $message, 'code' => Response::HTTP_FORBIDDEN], Response::HTTP_FORBIDDEN);
     }
 }

api/src/Security/OAuth/HitobitoAuthenticator.php

@@ -13,6 +13,7 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
 use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -107,6 +108,6 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response {
         $message = strtr($exception->getMessageKey(), $exception->getMessageData());
 
-        return new Response($message, Response::HTTP_FORBIDDEN);
+        return new JsonResponse(['message' => $message, 'code' => Response::HTTP_FORBIDDEN], Response::HTTP_FORBIDDEN);
     }
 }