Change ServerController::autherize() call to disallow updating existing clients.

Potherca · Potherca · commit 99f1b10efc0e · 2025-12-09T10:46:43.000+01:00
diff --git a/solid/lib/BaseServerConfig.php b/solid/lib/BaseServerConfig.php
@@ -157,25 +157,35 @@ public function removeClientConfig($clientId) {
 			$this->config->setAppValue('solid', 'clientScopes', $scopes);
 		}
 
-		public function saveClientRegistration($origin, $clientData) {
-			$originHash = md5($origin);
-			$existingRegistration = $this->getClientRegistration($originHash);
-			if ($existingRegistration && isset($existingRegistration['redirect_uris'])) {
-				foreach ($existingRegistration['redirect_uris'] as $uri) {
-					$clientData['redirect_uris'][] = $uri;
-				}
-				$clientData['redirect_uris'] = array_unique($clientData['redirect_uris']);
-				if (isset($existingRegistration['blocked'])) {
-					$clientData['blocked'] = $existingRegistration['blocked'];
+		public function saveClientRegistration($clientData)
+		{
+			$generatedClientId = bin2hex(random_bytes(16)); // 32 chars for the client Id
+
+			// Avoid collision, give up after 5 tries.
+			for ($i = 0; $i < 5; $i++) {
+				$existingRegistration = $this->getClientRegistration($generatedClientId);
+				if ($existingRegistration['client_id'] ?? false) {
+					$generatedClientId = bin2hex(random_bytes(16));
+				} else {
+					break;
 				}
 			}
 
-			$clientData['client_id'] = $originHash;
-			$clientData['client_name'] = $origin;
-			$clientData['client_secret'] = md5(random_bytes(32));
-			$this->config->setAppValue('solid', "client-" . $originHash, json_encode($clientData));
+			if ($existingRegistration['client_id'] ?? false) {
+				throw new \Exception("Could not generate unique client ID");
+			}
+
+			$generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret
+
+			$clientData['client_id'] = $generatedClientId;
+			$clientData['client_secret'] = $generatedClientSecret;
+
+			if (!isset($clientData['client_name'])) {
+				$clientData['client_name'] = "Client $generatedClientId";
+			}
+
+			$this->config->setAppValue('solid', "client-" . $generatedClientId, json_encode($clientData));
 
-			$this->config->setAppValue('solid', "client-" . $origin, json_encode($clientData));
 			return $clientData;
 		}
 
diff --git a/solid/lib/Controller/ServerController.php b/solid/lib/Controller/ServerController.php
@@ -208,15 +208,18 @@ public function authorize() {
 					$getVars['redirect_uri']
 				)
 			);
-			$clientId = $this->config->saveClientRegistration($origin, $clientData)['client_id'];
-			$clientId = $this->config->saveClientRegistration($getVars['client_id'], $clientData)['client_id'];
+
+			$clientId = $this->config->saveClientRegistration($clientData)['client_id'];
 			$returnUrl = $getVars['redirect_uri'];
+			$clientRegistration = $this->config->getClientRegistration($clientId);
+			// @FIXME: Implement $clientRegistration = $this->fetchRemoteClientDocument($getVars['client_id'])
+			//        to replace this section of this `if` statement.
 		} else {
 			$clientId = $getVars['client_id'];
 			$returnUrl = $_SERVER['REQUEST_URI'];
+			$clientRegistration = $this->config->getClientRegistration($clientId);
 		}
 
-		$clientRegistration = $this->config->getClientRegistration($clientId);
 		if (isset($clientRegistration['blocked']) && ($clientRegistration['blocked'] === true)) {
 			$result = new JSONResponse('Unauthorized client');
 			$result->setStatus(403);
@@ -405,14 +408,11 @@ public function register() {
 		if (! isset($clientData['redirect_uris'])) {
 			return new JSONResponse("Missing redirect URIs", Http::STATUS_BAD_REQUEST);
 		}
+
 		$clientData['client_id_issued_at'] = time();
-		$parsedOrigin = parse_url($clientData['redirect_uris'][0]);
-		$origin = $parsedOrigin['scheme'] . '://' . $parsedOrigin['host'];
-		if (isset($parsedOrigin['port'])) {
-			$origin .= ":" . $parsedOrigin['port'];
-		}
 
-		$clientData = $this->config->saveClientRegistration($origin, $clientData);
+		$clientData = $this->config->saveClientRegistration($clientData);
+
 		$registration = array(
 			'client_id' => $clientData['client_id'],
 			'client_secret' => $clientData['client_secret'],
diff --git a/solid/tests/Unit/BaseServerConfigTest.php b/solid/tests/Unit/BaseServerConfigTest.php
@@ -149,21 +149,6 @@ public function testGetClientRegistrationForNonExistingClient()
 		$this->assertEquals($expected, $actual);
 	}
 
-	/**
-	 * @testdox BaseServerConfig should complain when asked to save ClientRegistration without origin
-	 * @covers ::saveClientRegistration
-	 */
-	public function testSaveClientRegistrationWithoutOrigin()
-	{
-		$this->expectException(TypeError::class);
-		$this->expectExceptionMessage('Too few arguments to function');
-
-		$configMock = $this->createMock(IConfig::class);
-		$baseServerConfig = new BaseServerConfig($configMock);
-
-		$baseServerConfig->saveClientRegistration();
-	}
-
 	/**
 	 * @testdox BaseServerConfig should complain when asked to save ClientRegistration without client data
 	 * @covers ::saveClientRegistration
@@ -176,7 +161,7 @@ public function testSaveClientRegistrationWithoutClientData()
 		$configMock = $this->createMock(IConfig::class);
 		$baseServerConfig = new BaseServerConfig($configMock);
 
-		$baseServerConfig->saveClientRegistration(self::MOCK_ORIGIN);
+		$baseServerConfig->saveClientRegistration();
 	}
 
 	/**
@@ -189,138 +174,22 @@ public function testSaveClientRegistrationForNewClient()
 
 		$configMock->expects($this->once())
 			->method('getAppValue')
-			->with(Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN))
 			->willReturnArgument(2);
 
-		$expected = [
-			'client_id' => md5(self::MOCK_ORIGIN),
-			'client_name' => self::MOCK_ORIGIN,
-			'client_secret' => md5(self::MOCK_RANDOM_BYTES),
-		];
-
-		$configMock->expects($this->exactly(2))
+		$configMock->expects($this->exactly(1))
 			->method('setAppValue')
 			->willReturnMap([
 				// Using willReturnMap as withConsecutive is removed since PHPUnit 10
-				[Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN), json_encode($expected)],
-				[Application::APP_ID, 'client-' . self::MOCK_ORIGIN, json_encode($expected)]
-			]);
-
-		$baseServerConfig = new BaseServerConfig($configMock);
-
-		$actual = $baseServerConfig->saveClientRegistration(self::MOCK_ORIGIN, []);
-
-		$this->assertEquals($expected, $actual);
-	}
-
-	/**
-	 * @testdox BaseServerConfig should save ClientRegistration when asked to save ClientRegistration for existing client
-	 * @covers ::saveClientRegistration
-	 */
-	public function testSaveClientRegistrationForExistingClient()
-	{
-		$configMock = $this->createMock(IConfig::class);
-
-		$expected = [
-			'client_id' => md5(self::MOCK_ORIGIN),
-			'client_name' => self::MOCK_ORIGIN,
-			'client_secret' => md5(self::MOCK_RANDOM_BYTES),
-			'redirect_uris' => [self::MOCK_REDIRECT_URI],
-		];
-
-		$configMock->expects($this->once())
-			->method('getAppValue')
-			->with(Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN))
-			->willReturn(json_encode($expected));
-
-		$configMock->expects($this->exactly(2))
-			->method('setAppValue')
-			->willReturnMap([
-				// Using willReturnMap as withConsecutive is deprecated since PHPUnit 10
-				[Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN), json_encode($expected)],
-				[Application::APP_ID, 'client-' . self::MOCK_ORIGIN, json_encode($expected)]
-			]);
-
-		$baseServerConfig = new BaseServerConfig($configMock);
-
-		$actual = $baseServerConfig->saveClientRegistration(self::MOCK_ORIGIN, []);
-
-		$this->assertEquals($expected, $actual);
-	}
-
-	/**
-	 * @testdox BaseServerConfig should save ClientRegistration when asked to save ClientRegistration for blocked client
-	 * @covers ::saveClientRegistration
-	 */
-	public function testSaveClientRegistrationForBlockedClient()
-	{
-		$configMock = $this->createMock(IConfig::class);
-
-		$expected = [
-			'client_id' => md5(self::MOCK_ORIGIN),
-			'client_name' => self::MOCK_ORIGIN,
-			'client_secret' => md5(self::MOCK_RANDOM_BYTES),
-			'redirect_uris' => [self::MOCK_REDIRECT_URI],
-			'blocked' => true,
-		];
-
-		$configMock->expects($this->once())
-			->method('getAppValue')
-			->with(Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN))
-			->willReturn(json_encode($expected));
-
-		$configMock->expects($this->exactly(2))
-			->method('setAppValue')
-			->willReturnMap([
-				// Using willReturnMap as withConsecutive is deprecated since PHPUnit 10
-				[Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN), json_encode($expected)],
-				[Application::APP_ID, 'client-' . self::MOCK_ORIGIN, json_encode($expected)]
-			]);
-
-		$baseServerConfig = new BaseServerConfig($configMock);
-
-		$actual = $baseServerConfig->saveClientRegistration(self::MOCK_ORIGIN, $expected);
-
-		$this->assertEquals($expected, $actual);
-	}
-
-	/**
-	 * @testdox BaseServerConfig should always "blocked" to existing value when asked to save ClientRegistration for blocked client
-	 * @covers ::saveClientRegistration
-	 */
-	public function testSaveClientRegistrationSetsBlocked()
-	{
-		$configMock = $this->createMock(IConfig::class);
-
-		$expected = [
-			'client_id' => md5(self::MOCK_ORIGIN),
-			'client_name' => self::MOCK_ORIGIN,
-			'client_secret' => md5(self::MOCK_RANDOM_BYTES),
-			'redirect_uris' => [self::MOCK_REDIRECT_URI],
-			'blocked' => true,
-		];
-
-		$configMock->expects($this->once())
-			->method('getAppValue')
-			->with(Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN))
-			->willReturn(json_encode($expected));
-
-		$clientData = $expected;
-		$clientData['blocked'] = false;
-
-		$configMock->expects($this->exactly(2))
-			->method('setAppValue')
-			->willReturnMap([
-				// Using willReturnMap as withConsecutive is deprecated since PHPUnit 10
-				[Application::APP_ID, 'client-' . md5(self::MOCK_ORIGIN), json_encode($expected)],
-				[Application::APP_ID, 'client-' . self::MOCK_ORIGIN, json_encode($expected)]
+				[Application::APP_ID, 'client-' . self::MOCK_ORIGIN, json_encode('{}')]
 			]);
 
 		$baseServerConfig = new BaseServerConfig($configMock);
 
-		$actual = $baseServerConfig->saveClientRegistration(self::MOCK_ORIGIN, $clientData);
+		$actual = $baseServerConfig->saveClientRegistration([]);
 
-		$this->assertEquals($expected, $actual);
+		$this->assertArrayHasKey('client_id', $actual);
+		$this->assertArrayHasKey('client_secret', $actual);
+		$this->assertArrayHasKey('client_name', $actual);
 	}
 
 	/**
diff --git a/solid/tests/Unit/Controller/ServerControllerTest.php b/solid/tests/Unit/Controller/ServerControllerTest.php
@@ -352,20 +352,28 @@ public function testRegisterWithRedirectUris()
 
 		$data = [
 			'application_type' => 'web',
-			'client_id' => 'f4a2d00f7602948a97ff409d7a581ec2',
-			'client_secret' => '3b5798fddd49e23662ee6fe801085100',
 			'grant_types' => ['implicit'],
 			'id_token_signed_response_alg' => 'RS256',
 			'redirect_uris' => ['https://mock.client/redirect'],
-			'registration_access_token' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21vY2suc2VydmVyIiwiYXVkIjoiZjRhMmQwMGY3NjAyOTQ4YTk3ZmY0MDlkN2E1ODFlYzIiLCJzdWIiOiJmNGEyZDAwZjc2MDI5NDhhOTdmZjQwOWQ3YTU4MWVjMiJ9.AfOi9YW70rL0EKn4_dvhkyu02iI4yGYV-Xh8hQ9RbHBUnvcXROFfQzn-OL-R3kV3nn8tknmpG-r_8Ouoo7O_Sjo8Hx1QSFfeqjJGOgB8HbXV7WN2spOMicSB-68EyftqfTGH0ksyPyJaNSTbkdIqtawsDaSKUVqTmziEo4IrE5anwDLZrtSUcS0A4KVrOAkJmgYGiC4MC0NMYXeBRxgkr1_h7GN4hekAXs9-5XwRH1mwswUVRL-6prx0IYpPNURFNqkS2NU83xNf-vONThOdLVkADVy-l3PCHT3E1sRdkklCHLjhWiZo7NcMlB0WdS-APnZYCi5hLEr5-jwNI2sxoA',
 			'registration_client_uri' => '',
 			'response_types' => ['id_token token'],
 			'token_endpoint_auth_method' => 'client_secret_basic',
 		];
 		$expected = $this->createExpectedResponse(Http::STATUS_OK, $data);
 
+		$actualData = $response->getData();
+		$this->assertArrayHasKey('client_id', $actualData);
+		$this->assertArrayHasKey('client_secret', $actualData);
+		$this->assertArrayHasKey('registration_access_token', $actualData);
+
+		unset(
+			$actualData['client_id'],
+			$actualData['client_secret'],
+			$actualData['registration_access_token'],
+		);
+
 		$actual = [
-			'data' => $response->getData(),
+			'data' => $actualData,
 			'headers' => $response->getHeaders(),
 			'status' => $response->getStatus(),
 		];
@@ -458,13 +466,10 @@ public function createMockConfig($clientData): IConfig|MockObject
 
 		$this->mockConfig->method('getAppValue')->willReturnMap([
 			[Application::APP_ID, 'client-' . self::MOCK_CLIENT_ID, '{}', 'return' => $clientData],
-			[Application::APP_ID, 'client-d6d7896757f61ac4c397d914053180ff', '{}', 'return' => $clientData],
+			[Application::APP_ID, 'client-6d6f636b2072616e646f6d206279746573', '{}', 'return' => $clientData],
 			[Application::APP_ID, 'client-', '{}', 'return' => $clientData],
-			[Application::APP_ID, 'profileData', '', 'return' => ''],
 			[Application::APP_ID, 'encryptionKey', '', 'return' => 'mock encryption key'],
 			[Application::APP_ID, 'privateKey', '', 'return' => self::$privateKey],
-			// Client ID from register() with https://mock.client
-			[Application::APP_ID, 'client-f4a2d00f7602948a97ff409d7a581ec2', '{}', 'return' => $clientData],
 		]);
 
 		return $this->mockConfig;
