Add support for trusted apps in authorization flow.

Potherca · Potherca · commit 13ed2de9ba08 · 2025-12-10T16:00:03.000+01:00
diff --git a/init.sh b/init.sh
@@ -6,7 +6,8 @@ php console.php app:enable solid
 php console.php config:system:set trusted_domains 1 --value=server
 php console.php config:system:set trusted_domains 2 --value=nextcloud.local
 php console.php config:system:set trusted_domains 3 --value=thirdparty
-# set 'tester' and 'https://tester' as allowed clients for the test suite to run
-php console.php user:setting alice solid allowedClients '["f5d1278e8109edd94e1e4197e04873b9", "2e5cddcf0f663544e98982931e6cc5a6"]'
+# set 'tester' and 'https://tester' as tyrusted apps for the test suite to run
+php console.php config:app:set solid trustedApps --type=string --value='["https://tester", "tester"]'
+
 echo configured
 mkdir -p /var/www/html/data/files_trashbin/versions
diff --git a/solid/lib/BaseServerConfig.php b/solid/lib/BaseServerConfig.php
@@ -198,6 +198,13 @@ public function getClientRegistration($clientId) {
 			return json_decode($data, true);
 		}
 
+		public function getTrustedApps()
+		{
+			$appValue = $this->config->getAppValue('solid', 'trustedApps', '[]');
+
+			return json_decode($appValue, true, 512, JSON_THROW_ON_ERROR);
+		}
+
 		public function getUserSubDomainsEnabled() {
 			$value = $this->config->getAppValue('solid', 'userSubDomainsEnabled', false);
 
diff --git a/solid/lib/Controller/ServerController.php b/solid/lib/Controller/ServerController.php
@@ -18,6 +18,7 @@
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Pdsinterop\Solid\Auth\Enum\Authorization;
 
 class ServerController extends Controller
 {
@@ -286,13 +287,23 @@ public function authorize() {
 		return $this->respond($response); // ->addHeader('Access-Control-Allow-Origin', '*');
 	}
 
-	private function checkApproval($clientId) {
+	private function checkApproval($clientId, $clientRegistration)
+	{
+		$approved = Authorization::DENIED;
+
 		$allowedClients = $this->config->getAllowedClients($this->userId);
 		if (in_array($clientId, $allowedClients)) {
-			return \Pdsinterop\Solid\Auth\Enum\Authorization::APPROVED;
-		} else {
-			return \Pdsinterop\Solid\Auth\Enum\Authorization::DENIED;
+			$approved = Authorization::APPROVED;
+		} elseif (isset($clientRegistration['origin'])) {
+			$origin = $clientRegistration['origin'];
+			$trustedApps = $this->config->getTrustedApps();
+
+			if (in_array($origin, $trustedApps)) {
+				$approved = Authorization::APPROVED;
+			}
 		}
+
+		return $approved;
 	}
 
 	private function getProfilePage() {
diff --git a/solid/tests/Unit/BaseServerConfigTest.php b/solid/tests/Unit/BaseServerConfigTest.php
@@ -208,6 +208,27 @@ public function testRemoveClientRegistration()
 		$baseServerConfig->removeClientRegistration(self::MOCK_CLIENT_ID);
 	}
 
+	/**
+	 * @testdox BaseServerConfig should return decoded trusted apps when asked to GetTrustedApps
+	 * @covers ::getTrustedApps
+	 */
+	public function testGetTrustedApps()
+	{
+		$configMock = $this->createMock(IConfig::class);
+		$baseServerConfig = new BaseServerConfig($configMock);
+
+		$expected = [self::MOCK_ORIGIN];
+
+		$configMock->expects($this->once())
+			->method('getAppValue')
+			->with(Application::APP_ID, 'trustedApps', '[]')
+			->willReturn(json_encode($expected));
+
+		$actual = $baseServerConfig->getTrustedApps();
+
+		$this->assertEquals($expected, $actual);
+	}
+
 	/////////////////////////////// DATAPROVIDERS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
 	public function provideBooleans()
diff --git a/solid/tests/Unit/Controller/ServerControllerTest.php b/solid/tests/Unit/Controller/ServerControllerTest.php
@@ -189,6 +189,67 @@ public function testAuthorizeWithoutApprovedClient()
 		$this->assertEquals($expected, $actual);
 	}
 
+	/**
+	 * @testdox
+	 *
+	 * @covers ::authorize
+	 */
+	public function testAuthorizeWithTrustedApp()
+	{
+		$_GET['client_id'] = self::MOCK_CLIENT_ID;
+		$_GET['redirect_uri'] = 'https://mock.client/redirect';
+
+		$origin = 'https://mock.client/';
+		$clientData = json_encode([
+			'client_name' => 'Mock Client',
+			'origin' => $origin,
+			'redirect_uris' => ['https://mock.client/redirect'],
+		], JSON_THROW_ON_ERROR);
+		$trustedApps = json_encode([$origin], JSON_THROW_ON_ERROR);
+
+		$parameters = $this->createMockConstructorParameters($clientData, $trustedApps);
+
+		$this->mockConfig->method('getUserValue')->willReturnArgument(3);
+
+		$this->mockUserManager->method('userExists')->willReturn(true);
+
+		$controller = new ServerController(...$parameters);
+
+		$response = $controller->authorize();
+
+		$expected = $this->createExpectedResponse();
+
+		$actual = [
+			'data' => $response->getData(),
+			'headers' => $response->getHeaders(),
+			'status' => $response->getStatus(),
+		];
+
+		$location = $actual['headers']['Location'] ?? '';
+
+		// Not comparing time-sensitive data
+		unset($actual['headers']['X-Request-Id'], $actual['headers']['Location']);
+
+		$this->assertEquals($expected, $actual);
+
+		// @TODO: Move $location assert to a separate test
+		$url = parse_url($location);
+
+		parse_str($url['fragment'], $url['fragment']);
+
+		unset($url['fragment']['access_token'], $url['fragment']['id_token']);
+
+		$this->assertEquals([
+			'scheme' => 'https',
+			'host' => 'mock.client',
+			'path' => '/redirect',
+			'fragment' => [
+				'token_type' => 'Bearer',
+				'expires_in' => '3600',
+			],
+		], $url);
+	}
+
 	/**
 	 * @testdox ServerController should return a 400 when asked to authorize a client that sends an incorrect redirect URI
 	 *
@@ -460,7 +521,7 @@ public function testToken()
 
 	////////////////////////////// MOCKS AND STUBS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
-	public function createMockConfig($clientData): IConfig|MockObject
+	public function createMockConfig($clientData, $trustedApps): IConfig|MockObject
 	{
 		$this->mockConfig = $this->createMock(IConfig::class);
 
@@ -470,12 +531,13 @@ public function createMockConfig($clientData): IConfig|MockObject
 			[Application::APP_ID, 'client-', '{}', 'return' => $clientData],
 			[Application::APP_ID, 'encryptionKey', '', 'return' => 'mock encryption key'],
 			[Application::APP_ID, 'privateKey', '', 'return' => self::$privateKey],
+			[Application::APP_ID, 'trustedApps', '[]', 'return' => $trustedApps],
 		]);
 
 		return $this->mockConfig;
 	}
 
-	public function createMockConstructorParameters($clientData = '{}'): array
+	public function createMockConstructorParameters($clientData = '{}', $trustedApps = '[]'): array
 	{
 		$parameters = [
 			'mock appname',
@@ -484,7 +546,7 @@ public function createMockConstructorParameters($clientData = '{}'): array
 			$this->createMockUserManager(),
 			$this->createMockUrlGenerator(),
 			self::MOCK_USER_ID,
-			$this->createMockConfig($clientData),
+			$this->createMockConfig($clientData, $trustedApps),
 			$this->createMock(UserService::class),
 			$this->createMock(IDBConnection::class),
 		];
