Add validation for missing client_id in ServerController::authorize().

Author: Potherca

solid/lib/Controller/ServerController.php

@@ -154,11 +154,13 @@ public function cors($path) {
 	public function authorize() {
 		// Create a request
 		if (!$this->userManager->userExists($this->userId)) {
-			$result = new JSONResponse('Authorization required');
-			$result->setStatus(401);
-			return $result;
-//			return $result->addHeader('Access-Control-Allow-Origin', '*');
+			return new JSONResponse('Authorization required', 401);
+		}
+
+		if (! isset($_GET['client_id'])) {
+			return new JSONResponse('Bad request, missing client_id', 400);
 		}
+		$clientId = $_GET['client_id'];
 
 		if (isset($_GET['request'])) {
 			$jwtConfig = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText($this->config->getPrivateKey()));

solid/tests/Unit/Controller/ServerControllerTest.php

@@ -115,6 +115,25 @@ public function testAuthorizeWithoutUser()
 		$this->assertEquals($expected, $actual);
 	}
 
+	/**
+	 * @testdox ServerController should return a 400 when asked to authorize with a user but without client_id
+	 *
+	 * @covers ::authorize
+	 */
+	public function testAuthorizeWithoutClientId()
+	{
+		$parameters = $this->createMockConstructorParameters();
+
+		$parameters['MockUserManager']->method('userExists')->willReturn(true);
+
+		$controller = new ServerController(...array_values($parameters));
+
+		$actual = $controller->authorize();
+		$expected = new JSONResponse('Bad request, missing client_id', Http::STATUS_BAD_REQUEST);
+
+		$this->assertEquals($expected, $actual);
+	}
+
 	/**
 	 * @testdox ServerController should return a 400 when asked to authorize with a user but without valid token
 	 *