From 6dc179ee12fe86a6e70ff53630d60da3e5aecc60 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Sat, 10 Aug 2019 19:27:01 +0200
Subject: [PATCH] Fix login flow form actions

So fun fact. Chrome considers a redirect after submitting a form part of
the form actions. Since we redirect to a new protocol (nc://login/).
Causing the form submission to work but the redirect failing hard.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 core/Controller/ClientFlowLoginController.php    | 16 ++++++++++++++--
 .../Controller/ClientFlowLoginControllerTest.php |  6 ++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 748139fe83217..f049f282ce8a9 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -195,7 +195,10 @@ public function showAuthPickerPage($clientIdentifier = '') {
 		);
 		$this->session->set(self::stateName, $stateToken);
 
-		return new StandaloneTemplateResponse(
+		$csp = new Http\ContentSecurityPolicy();
+		$csp->addAllowedFormActionDomain('nc://*');
+
+		$response = new StandaloneTemplateResponse(
 			$this->appName,
 			'loginflow/authpicker',
 			[
@@ -209,6 +212,9 @@ public function showAuthPickerPage($clientIdentifier = '') {
 			],
 			'guest'
 		);
+
+		$response->setContentSecurityPolicy($csp);
+		return $response;
 	}
 
 	/**
@@ -234,7 +240,10 @@ public function grantPage($stateToken = '',
 			$clientName = $client->getName();
 		}
 
-		return new StandaloneTemplateResponse(
+		$csp = new Http\ContentSecurityPolicy();
+		$csp->addAllowedFormActionDomain('nc://*');
+
+		$response = new StandaloneTemplateResponse(
 			$this->appName,
 			'loginflow/grant',
 			[
@@ -248,6 +257,9 @@ public function grantPage($stateToken = '',
 			],
 			'guest'
 		);
+
+		$response->setContentSecurityPolicy($csp);
+		return $response;
 	}
 
 	/**
diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php
index 73b8118a87625..f35b616a68eda 100644
--- a/tests/Core/Controller/ClientFlowLoginControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php
@@ -186,6 +186,9 @@ public function testShowAuthPickerPageWithOcsHeader() {
 			],
 			'guest'
 		);
+		$csp = new Http\ContentSecurityPolicy();
+		$csp->addAllowedFormActionDomain('nc://*');
+		$expected->setContentSecurityPolicy($csp);
 		$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage());
 	}
 
@@ -245,6 +248,9 @@ public function testShowAuthPickerPageWithOauth() {
 			],
 			'guest'
 		);
+		$csp = new Http\ContentSecurityPolicy();
+		$csp->addAllowedFormActionDomain('nc://*');
+		$expected->setContentSecurityPolicy($csp);
 		$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier'));
 	}