Properly encode scope and prompt items in OAuth URL

erikjv · TheOneRing · commit e87d66696576 · 2024-01-31T17:23:07.000+01:00
The scope and the prompt items of an OAuth query can be branded and can contain characters that are not valid without encoding them. This change makes sure that those get encoded properly. Fixes: #11472
diff --git a/changelog/unreleased/11472 b/changelog/unreleased/11472
@@ -0,0 +1,7 @@
+Bugfix: Properly encode scope and prompt items in OAuth URL
+
+Fixed a bug where the scope and prompt items of an OAuth query would not
+be encoded, resulting in an invalid request.
+
+https://github.com/owncloud/client/issues/11472
+https://github.com/owncloud/client/pull/11479
diff --git a/src/gui/creds/httpcredentialsgui.cpp b/src/gui/creds/httpcredentialsgui.cpp
@@ -172,11 +172,6 @@ void HttpCredentialsGui::restartOAuth()
             tr("The account %1 is currently logged out.\n\nPlease authenticate using your browser.").arg(_account->displayName()));
 
         auto *contentWidget = qobject_cast<OAuthLoginWidget *>(_loginRequiredDialog->contentWidget());
-        connect(contentWidget, &OAuthLoginWidget::copyUrlToClipboardButtonClicked, _loginRequiredDialog, [](const QUrl &url) {
-            // TODO: use authorisationLinkAsync
-            qApp->clipboard()->setText(url.toString());
-        });
-
         connect(contentWidget, &OAuthLoginWidget::openBrowserButtonClicked, this, &HttpCredentialsGui::openBrowser);
         connect(_loginRequiredDialog, &LoginRequiredDialog::rejected, this, &HttpCredentials::requestLogout);
 
diff --git a/src/gui/loginrequireddialog/oauthloginwidget.cpp b/src/gui/loginrequireddialog/oauthloginwidget.cpp
@@ -40,7 +40,7 @@ OAuthLoginWidget::OAuthLoginWidget(QWidget *parent)
     });
     connect(_ui->copyUrlToClipboardButton, &QPushButton::clicked, this, [this] {
         Q_ASSERT(_url.isValid());
-        Q_EMIT copyUrlToClipboardButtonClicked(_url);
+        qApp->clipboard()->setText(_url.toString(QUrl::FullyEncoded));
     });
 
     // depending on the theme we have to use a light or dark icon
diff --git a/src/gui/loginrequireddialog/oauthloginwidget.h b/src/gui/loginrequireddialog/oauthloginwidget.h
@@ -52,7 +52,6 @@ class OAuthLoginWidget : public AbstractLoginWidget
 
 Q_SIGNALS:
     void openBrowserButtonClicked(const QUrl &url);
-    void copyUrlToClipboardButtonClicked(const QUrl &url);
 
 private:
     ::Ui::OAuthLoginWidget *_ui;
diff --git a/src/gui/newwizard/pages/oauthcredentialssetupwizardpage.cpp b/src/gui/newwizard/pages/oauthcredentialssetupwizardpage.cpp
@@ -42,8 +42,6 @@ OAuthCredentialsSetupWizardPage::OAuthCredentialsSetupWizardPage(const QUrl &ser
         // TODO: move to OAuthLoginWidget
         _ui->oauthLoginWidget->setOpenBrowserButtonText(tr("Reopen Browser"));
     });
-    connect(
-        _ui->oauthLoginWidget, &OAuthLoginWidget::copyUrlToClipboardButtonClicked, this, [](const QUrl &url) { qApp->clipboard()->setText(url.toString()); });
     connect(this, &AbstractSetupWizardPage::pageDisplayed, _ui->oauthLoginWidget, qOverload<>(&OAuthLoginWidget::setFocus));
 
     _ui->topLabel->setText(tr("Please use your browser to log in to %1.").arg(Theme::instance()->appNameGUI()));
diff --git a/src/libsync/creds/oauth.cpp b/src/libsync/creds/oauth.cpp
@@ -420,9 +420,8 @@ QNetworkReply *OAuth::postTokenRequest(const QList<QPair<QString, QString>> &que
     req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
 
     QUrlQuery arguments;
-    arguments.setQueryItems(QList<QPair<QString, QString>> { { QStringLiteral("client_id"), _clientId },
-                                { QStringLiteral("client_secret"), _clientSecret },
-                                { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() } }
+    arguments.setQueryItems(QList<QPair<QString, QString>>{{QStringLiteral("client_id"), _clientId}, {QStringLiteral("client_secret"), _clientSecret},
+                                {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))}}
         << queryItems);
     req.setUrl(requestTokenUrl);
     return _networkAccessManager->post(req, arguments.toString(QUrl::FullyEncoded).toUtf8());
@@ -443,14 +442,12 @@ QUrl OAuth::authorisationLink() const
 
     const QByteArray code_challenge = QCryptographicHash::hash(_pkceCodeVerifier, QCryptographicHash::Sha256)
                                           .toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-    QUrlQuery query { { QStringLiteral("response_type"), QStringLiteral("code") },
-        { QStringLiteral("client_id"), _clientId },
-        { QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort())) },
-        { QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge) },
-        { QStringLiteral("code_challenge_method"), QStringLiteral("S256") },
-        { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() },
-        { QStringLiteral("prompt"), Theme::instance()->openIdConnectPrompt() },
-        { QStringLiteral("state"), QString::fromUtf8(_state) } };
+    QUrlQuery query{{QStringLiteral("response_type"), QStringLiteral("code")}, {QStringLiteral("client_id"), _clientId},
+        {QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort()))},
+        {QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge)}, {QStringLiteral("code_challenge_method"), QStringLiteral("S256")},
+        {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))},
+        {QStringLiteral("prompt"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectPrompt()))},
+        {QStringLiteral("state"), QString::fromUtf8(_state)}};
 
     if (!_davUser.isEmpty()) {
         const QString davUser = QString::fromUtf8(QUrl::toPercentEncoding(_davUser)); // Issue #7762;
