Properly encode scope and prompt items in OAuth URL

The scope and the prompt items of an OAuth query can be branded and can
contain characters that are not valid without encoding them. This change
makes sure that those get encoded properly.

Fixes: #11472

Author: erikjv

changelog/unreleased/11472

@@ -0,0 +1,7 @@
+Bugfix: Properly encode scope and prompt items in OAuth URL
+
+Fixed a bug where the scope and prompt items of an OAuth query would not
+be encoded, resulting in an invalid request.
+
+https://github.com/owncloud/client/issues/11472
+https://github.com/owncloud/client/pull/11479

src/gui/accountsettings.cpp

@@ -736,11 +736,6 @@ void AccountSettings::slotAccountStateChanged()
             connect(cred, &HttpCredentialsGui::authorisationLinkChanged, contentWidget,
                 [cred, contentWidget] { contentWidget->setUrl(cred->authorisationLink()); });
 
-            connect(contentWidget, &OAuthLoginWidget::copyUrlToClipboardButtonClicked, _askForOAuthLoginDialog, [](const QUrl &url) {
-                // TODO: use authorisationLinkAsync
-                qApp->clipboard()->setText(url.toString());
-            });
-
             connect(contentWidget, &OAuthLoginWidget::openBrowserButtonClicked, cred, &HttpCredentialsGui::openBrowser);
 
             connect(_askForOAuthLoginDialog, &LoginRequiredDialog::rejected, this, [this]() {

src/gui/loginrequireddialog/oauthloginwidget.cpp

@@ -40,7 +40,7 @@ OAuthLoginWidget::OAuthLoginWidget(QWidget *parent)
     });
     connect(_ui->copyUrlToClipboardButton, &QPushButton::clicked, this, [this] {
         Q_ASSERT(_url.isValid());
-        Q_EMIT copyUrlToClipboardButtonClicked(_url);
+        qApp->clipboard()->setText(_url.toString(QUrl::FullyEncoded));
     });
 
     // depending on the theme we have to use a light or dark icon

src/gui/loginrequireddialog/oauthloginwidget.h

@@ -52,7 +52,6 @@ class OAuthLoginWidget : public AbstractLoginWidget
 
 Q_SIGNALS:
     void openBrowserButtonClicked(const QUrl &url);
-    void copyUrlToClipboardButtonClicked(const QUrl &url);
 
 private:
     ::Ui::OAuthLoginWidget *_ui;

src/gui/newwizard/pages/oauthcredentialssetupwizardpage.cpp

@@ -42,8 +42,6 @@ OAuthCredentialsSetupWizardPage::OAuthCredentialsSetupWizardPage(const QUrl &ser
         // TODO: move to OAuthLoginWidget
         _ui->oauthLoginWidget->setOpenBrowserButtonText(tr("Reopen Browser"));
     });
-    connect(
-        _ui->oauthLoginWidget, &OAuthLoginWidget::copyUrlToClipboardButtonClicked, this, [](const QUrl &url) { qApp->clipboard()->setText(url.toString()); });
     connect(this, &AbstractSetupWizardPage::pageDisplayed, _ui->oauthLoginWidget, qOverload<>(&OAuthLoginWidget::setFocus));
 
     _ui->topLabel->setText(tr("Please use your browser to log in to %1.").arg(Theme::instance()->appNameGUI()));

src/libsync/creds/oauth.cpp

@@ -443,9 +443,8 @@ QNetworkReply *OAuth::postTokenRequest(const QList<QPair<QString, QString>> &que
     req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
 
     QUrlQuery arguments;
-    arguments.setQueryItems(QList<QPair<QString, QString>> { { QStringLiteral("client_id"), _clientId },
-                                { QStringLiteral("client_secret"), _clientSecret },
-                                { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() } }
+    arguments.setQueryItems(QList<QPair<QString, QString>>{{QStringLiteral("client_id"), _clientId}, {QStringLiteral("client_secret"), _clientSecret},
+                                {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))}}
         << queryItems);
     req.setUrl(requestTokenUrl);
     return _networkAccessManager->post(req, arguments.toString(QUrl::FullyEncoded).toUtf8());
@@ -466,14 +465,12 @@ QUrl OAuth::authorisationLink() const
 
     const QByteArray code_challenge = QCryptographicHash::hash(_pkceCodeVerifier, QCryptographicHash::Sha256)
                                           .toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-    QUrlQuery query { { QStringLiteral("response_type"), QStringLiteral("code") },
-        { QStringLiteral("client_id"), _clientId },
-        { QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort())) },
-        { QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge) },
-        { QStringLiteral("code_challenge_method"), QStringLiteral("S256") },
-        { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() },
-        { QStringLiteral("prompt"), Theme::instance()->openIdConnectPrompt() },
-        { QStringLiteral("state"), QString::fromUtf8(_state) } };
+    QUrlQuery query{{QStringLiteral("response_type"), QStringLiteral("code")}, {QStringLiteral("client_id"), _clientId},
+        {QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort()))},
+        {QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge)}, {QStringLiteral("code_challenge_method"), QStringLiteral("S256")},
+        {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))},
+        {QStringLiteral("prompt"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectPrompt()))},
+        {QStringLiteral("state"), QString::fromUtf8(_state)}};
 
     if (!_davUser.isEmpty()) {
         const QString davUser = QString::fromUtf8(QUrl::toPercentEncoding(_davUser)); // Issue #7762;