add special handling to let authorize call work when logging in, without disabling content security policy completely

Author: ylebre

solid/appinfo/routes.php

@@ -14,6 +14,7 @@
         ['name' => 'page#handleRevoke', 'url' => '/revoke/{clientId}', 'verb' => 'GET'],
         ['name' => 'page#handleApproval', 'url' => '/sharing/{clientId}', 'verb' => 'POST'],
         ['name' => 'page#dataJson', 'url' => '/@{userId}/data.json', 'verb' => 'GET' ],
+        ['name' => 'page#customscheme', 'url' => '/customscheme', 'verb' => 'GET'],
 
         ['name' => 'server#cors', 'url' => '/{path}', 'verb' => 'OPTIONS', 'requirements' => array('path' => '.+') ],
         ['name' => 'server#authorize', 'url' => '/authorize', 'verb' => 'GET'],

solid/js/customscheme.js

@@ -0,0 +1,4 @@
+console.log(document.location.href);
+let newUrl = document.location.href.replace("customscheme", "authorize");
+newUrl += "&customscheme=1";
+document.location.href = newUrl;

solid/lib/Controller/PageController.php

@@ -95,18 +95,29 @@ public function approval($clientId) {
 			"returnUrl" => $_GET['returnUrl'],
 		);
 		$templateResponse = new TemplateResponse('solid', 'sharing', $params);
+
 		$policy = new ContentSecurityPolicy();
 		$policy->addAllowedStyleDomain("data:");
 
 		$parsedOrigin = parse_url($clientRegistration['redirect_uris'][0]);
-		$origin = $parsedOrigin['scheme'] . "://" . $parsedOrigin['host'];
+		$origin = $parsedOrigin['host'];
 		if ($origin) {
-			$policy->addAllowedFormActionDomain($origin);
+			$policy->addAllowedFormActionDomain($parsedOrigin['scheme'] . "://" . $origin);
 			$templateResponse->setContentSecurityPolicy($policy);
 		}
 		return $templateResponse;
 	}
 
+	/**
+	 * @PublicPage
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
+	public function customscheme() {
+		$templateResponse = new TemplateResponse('solid', 'customscheme');
+		return $templateResponse;
+	}
+
 	/**
 	 * @PublicPage
 	 * @NoAdminRequired

solid/lib/Controller/ServerController.php

@@ -220,6 +220,17 @@ public function authorize() {
 			return $result; // ->addHeader('Access-Control-Allow-Origin', '*');
 		}
 
+		$parsedOrigin = parse_url($clientRegistration['redirect_uris'][0]);
+		if ($parsedOrigin['scheme'] != "https" && !isset($_GET['customscheme'])) {
+			$result = new JSONResponse('Custom schema');
+			$result->setStatus(302);
+			$originalRequest = parse_url($_SERVER['REQUEST_URI']);
+			error_log("CUSTOM SCHEME");
+			$customSchemeUrl = $this->urlGenerator->getAbsoluteURL($this->urlGenerator->linkToRoute("solid.page.customscheme")) . ($originalRequest['query'] ? "?" . $originalRequest['query'] . "&customscheme=" . $parsedOrigin['scheme'] : '');
+			$result->addHeader("Location", $customSchemeUrl);
+			return $result;
+		}
+
 		$user = new \Pdsinterop\Solid\Auth\Entity\User();
 		$user->setIdentifier($this->getProfilePage());
 

solid/templates/customscheme.php

@@ -0,0 +1,3 @@
+<?php
+script('solid', 'customscheme');
+?>