From 44821019b6b3cb3fd0b36185012a2879f4335caa Mon Sep 17 00:00:00 2001
From: Joshua Bachmeier
Date: Sat, 30 Apr 2022 23:56:45 +0200
Subject: [PATCH] Add error handling to oauth provider response processing
---
 resources/lang/de_DE/additional.po | 21 +++++++++++
 resources/lang/en_US/additional.po | 22 +++++++++++
 src/Controllers/OAuthController.php | 5 +++
 .../Unit/Controllers/OAuthControllerTest.php | 37 +++++++++++++++++++
 4 files changed, 85 insertions(+)
diff --git a/resources/lang/de_DE/additional.po b/resources/lang/de_DE/additional.po
index 3045379d..425c67e9 100644
--- a/resources/lang/de_DE/additional.po
+++ b/resources/lang/de_DE/additional.po
@@ -107,6 +107,27 @@ msgstr "Account nicht gefunden"
 msgid "oauth.provider-not-found"
 msgstr "OAuth-Provider nicht gefunden"
+msgid "oauth.invalid_request"
+msgstr "Der OAuth-Provider lehnt die Anfrage aufgrund eines ungültigen oder fehlenden Parameters ab."
+
+msgid "oauth.unauthorized_client"
+msgstr "Authorisierung als Client beim OAuth-Provider ungültig."
+
+msgid "oauth.access_denied"
+msgstr "Der Nutzer oder der OAuth-Provider hat die Anfrage abgelehnt."
+
+msgid "oauth.unsupported_response_type"
+msgstr "Der OAuth-Provider unterstützt die gewählte Methode zum Erhalt eines Auth-Codes nicht."
+
+msgid "oauth.invalid_scope"
+msgstr "Der angefragte Scope ist ungültig, unbekannt oder fehlerhaft."
+
+msgid "oauth.server_error"
+msgstr "Der OAuth-Provider ist aufgrund eines unerwarteten Fehlers nicht in der Lage, die Anfrage zu erfüllen"
+
+msgid "oauth.temporarily_unavailable"
+msgstr "Der OAuth-Provider ist aufgrund Überlastung oder Wartung temporär nicht in der Lage, die Anfrage zu erfüllen"
+
 msgid "settings.profile"
 msgstr "Profil"
diff --git a/resources/lang/en_US/additional.po b/resources/lang/en_US/additional.po
index daab8b32..861569a9 100644
--- a/resources/lang/en_US/additional.po
+++ b/resources/lang/en_US/additional.po
@@ -105,6 +105,28 @@ msgstr "Unable to find account"
 msgid "oauth.provider-not-found"
 msgstr "Unable to find OAuth provider"
+msgid "oauth.invalid_request"
+msgstr "The OAuth-Provider rejected the request due to a missing or invalid parameter."
+
+msgid "oauth.unauthorized_client"
+msgstr "Not authorized as a client with the OAuth-Provider."
+
+msgid "oauth.access_denied"
+msgstr "The resource owner or authorization server denied the request."
+
+msgid "oauth.unsupported_response_type"
+msgstr "The OAuth-Provider does not support obtaining an authorization code using this method."
+
+msgid "oauth.invalid_scope"
+msgstr "The requested scope is invalid, unknown, or malformed."
+
+msgid "oauth.server_error"
+msgstr "The OAuth-Provider encountered an unexpected condition that prevented it from fulfilling the request."
+
+msgid "oauth.temporarily_unavailable"
+msgstr "The OAuth-Provider is currently unable to handle the request "
+"due to a temporary overloading or maintenance of the server."
+
 msgid "settings.profile"
 msgstr "Profile"
diff --git a/src/Controllers/OAuthController.php b/src/Controllers/OAuthController.php
index 4375de76..fb9d7066 100644
--- a/src/Controllers/OAuthController.php
+++ b/src/Controllers/OAuthController.php
@@ -89,6 +89,11 @@ class OAuthController extends BaseController
 $providerName = $request->getAttribute('provider');
 $provider = $this->getProvider($providerName);
+ // Handle OAuth error response according to https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1
+ if ($request->has('error')) {
+ throw new HttpNotFound('oauth.' . $request->get('error'));
+ }
+
 if (!$request->has('code')) {
 $authorizationUrl = $provider->getAuthorizationUrl();
 $this->session->set('oauth2_state', $provider->getState());
diff --git a/tests/Unit/Controllers/OAuthControllerTest.php b/tests/Unit/Controllers/OAuthControllerTest.php
index 667f3e6c..3908e94d 100644
--- a/tests/Unit/Controllers/OAuthControllerTest.php
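Review bot: The `error` query parameter arrives via the browser redirect, so it is caller-controlled, yet `throw new HttpNotFound('oauth.' . $request->get('error'));` turns any value of `?error=` into a message key: if the translation layer falls back to the raw key for an unknown id, that string is reflected into the error page, and a non-string value such as `?error[]=x` would hit an array-to-string conversion in the concatenation. RFC 6749 §4.1.2.1 defines exactly the seven codes the .po hunks add, so the branch should accept only those and map anything else to one fixed key, keeping the raw `error`/`error_description` for the server log rather than the page. The `oAuthErrorCodeProvider` data provider in tests/Unit/Controllers/OAuthControllerTest.php should then gain a case with a value outside that list. `index()` starts before and continues after the hunk, so whether a `state` check follows for the `code` path cannot be seen here.
```php
// Handle OAuth error response according to https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1
if ($request->has('error')) {
    $error = $request->get('error');
    // Only the codes defined by the RFC have translations; the raw value is
    // caller-controlled and must not be used as a message key verbatim.
    $rfcErrorCodes = [
        'invalid_request', 'unauthorized_client', 'access_denied',
        'unsupported_response_type', 'invalid_scope', 'server_error',
        'temporarily_unavailable',
    ];
    if (!is_string($error) || !in_array($error, $rfcErrorCodes, true)) {
        $error = 'unknown_error'; // placeholder key: add a msgid for it to both .po files
    }
    throw new HttpNotFound('oauth.' . $error);
}
// … unchanged: authorization-URL redirect and code handling …
```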
+++ b/tests/Unit/Controllers/OAuthControllerTest.php
@@ -361,6 +361,43 @@ class OAuthControllerTest extends TestCase
 $this->assertEquals('oauth.already-connected', $exception->getMessage());
 }
+ /**
+ * @covers \Engelsystem\Controllers\OAuthController::index
+ * @dataProvider oAuthErrorCodeProvider
+ */
+ public function testIndexOAuthErrorResponse(string $oauth_error_code)
+ {
+ $controller = $this->getMock(['getProvider']);
+
+ $request = new Request();
+ $request = $request
+ ->withAttribute('provider', 'testprovider')
+ ->withQueryParams(['error' => $oauth_error_code]);
+
+ $exception = null;
+ try {
+ $controller->index($request);
+ } catch (HttpNotFound $e) {
+ $exception = $e;
+ }
+
+ $this->assertNotNull($exception, 'Exception not thrown');
+ $this->assertEquals('oauth.' . $oauth_error_code, $exception->getMessage());
+ }
+
+ public function oAuthErrorCodeProvider(): array
+ {
+ return [
+ ['invalid_request'],
+ ['unauthorized_client'],
+ ['access_denied'],
+ ['unsupported_response_type'],
+ ['invalid_scope'],
+ ['server_error'],
+ ['temporarily_unavailable']
+ ];
+ }
+ /**
+ * @covers \Engelsystem\Controllers\OAuthController::index
+ * @covers \Engelsystem\Controllers\OAuthController::redirectRegister
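Review bot: `$oauth_error_code` is the only snake_case local in the hunk, while `$controller`, `$request` and `$exception` beside it are camelCase; rename it to `$oauthErrorCode` in the signature of `testIndexOAuthErrorResponse`, in the `withQueryParams` call and in the final `assertEquals`. The test method also has no `: void` return type although `oAuthErrorCodeProvider(): array` right below is typed, and the last provider entry `['temporarily_unavailable']` lacks the trailing comma the rest of the list would then share. Both new methods lie entirely within the hunk.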