From ce23373f2338e1b0482de6d27ccdd2008bc11542 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Wed, 24 Jan 2024 16:13:10 +0100
Subject: [PATCH 1/5] modified code login session value handling

---
 lib/Controller/LoginController.php | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index b2db72ff..8afb912c 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -222,14 +222,23 @@ public function login(int $providerId, string $redirectUrl = null) {
 return $this->buildErrorTemplateResponse($message, Http::STATUS_NOT_FOUND, ['provider_not_found' => $providerId]);
 }

- $state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
- $this->session->set(self::STATE, $state);
- $this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+ // check if oidc state is present in session data
+ if($this->session->exists(self::STATE)) {
+ $oidcState = true;
+ $state = $this->session->get(self::STATE);
+ $nonce = $this->session->get(self::NONCE);
+ } else {
+ $oidcState = false;
+ $state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+ $this->session->set(self::STATE, $state);
+ $this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+
+ $nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+ $this->session->set(self::NONCE, $nonce);

- $nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
- $this->session->set(self::NONCE, $nonce);
+ $this->session->set(self::PROVIDERID, $providerId);
+ }

- $this->session->set(self::PROVIDERID, $providerId);
 $this->session->close();

 // get attribute mapping settings
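Review bot: In the new `if($this->session->exists(self::STATE))` branch the current `$providerId` and `$redirectUrl` arguments are silently discarded, because PROVIDERID and REDIRECT_AFTER_LOGIN are only written in the else branch; a user who abandons a login to one provider and starts another in the same session is then routed through the stored provider and redirect target, and if the NONCE key is ever absent while STATE is present, `$nonce` would presumably be null. Reusing the stored state and nonce also makes both values valid across several authorization requests instead of one, and since the removal in the second hunk of this patch runs only after the session token is created (so, presumably, only on a callback that passed the state check, which is outside that hunk), a rejected callback never invalidates them. Moving `$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);` and `$this->session->set(self::PROVIDERID, $providerId);` out of the else branch so they are refreshed on every call would at least keep the session consistent with the request that is actually being served; if the reuse is meant to support a second tab, a comment such as `// reuse an in-flight state so a callback from an earlier tab still matches` would make that intent explicit. login()'s body continues outside the hunk.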
@@ -502,6 +511,12 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $this->userSession->createSessionToken($this->request, $user->getUID(), $user->getUID());
 $this->userSession->createRememberMeToken($user);

+ // remove code login session values
+ $this->session->remove(self::STATE);
+ $this->session->remove(self::REDIRECT_AFTER_LOGIN);
+ $this->session->remove(self::NONCE);
+ $this->session->remove(self::PROVIDERID);
+
 // Set last password confirm to the future as we don't have passwords to confirm against with SSO
 $this->session->set('last-password-confirm', strtotime('+4 year', time()));

From 4cf41bcf66d6ab827371b86e44c8e56e6a51b282 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Wed, 24 Jan 2024 16:16:02 +0100
Subject: [PATCH 2/5] removed test variable

---
 lib/Controller/LoginController.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 8afb912c..a33e3ba0 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -224,11 +224,9 @@ public function login(int $providerId, string $redirectUrl = null) {

 // check if oidc state is present in session data
 if($this->session->exists(self::STATE)) {
- $oidcState = true;
 $state = $this->session->get(self::STATE);
 $nonce = $this->session->get(self::NONCE);
 } else {
- $oidcState = false;
 $state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
 $this->session->set(self::STATE, $state);
 $this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);

From 294c35ab3ea84433fe0be5da71a8aa4a471557e9 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Wed, 24 Jan 2024 16:27:30 +0100
Subject: [PATCH 3/5] fix php coding style

---
 lib/Controller/LoginController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index a33e3ba0..f9520dd8 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -223,7 +223,7 @@ public function login(int $providerId, string $redirectUrl = null) {
 }

 // check if oidc state is present in session data
- if($this->session->exists(self::STATE)) {
+ if ($this->session->exists(self::STATE)) {
 $state = $this->session->get(self::STATE);
 $nonce = $this->session->get(self::NONCE);
 } else {

From 3e46643552d22bb6b69f6130485808efcc2ea86a Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Fri, 26 Jan 2024 15:50:10 +0100
Subject: [PATCH 4/5] PROVIDERID value is no longer removed from session

---
 lib/Controller/LoginController.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index f9520dd8..1f3f7761 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -513,7 +513,6 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $this->session->remove(self::STATE);
 $this->session->remove(self::REDIRECT_AFTER_LOGIN);
 $this->session->remove(self::NONCE);
- $this->session->remove(self::PROVIDERID);

 // Set last password confirm to the future as we don't have passwords to confirm against with SSO
 $this->session->set('last-password-confirm', strtotime('+4 year', time()));

From 90f1381ea86ce5b4b435fed98fbd49664af4c734 Mon Sep 17 00:00:00 2001
From: Mauro
Date: Tue, 13 Feb 2024 09:00:27 +0100
Subject: [PATCH 5/5] keep needed REDIRECT_AFTER_LOGIN value after login

---
 lib/Controller/LoginController.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 1f3f7761..982f6159 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -511,7 +511,6 @@ public function code(string $state = '', string $code = '', string $scope = '',

 // remove code login session values
 $this->session->remove(self::STATE);
- $this->session->remove(self::REDIRECT_AFTER_LOGIN);
 $this->session->remove(self::NONCE);

 // Set last password confirm to the future as we don't have passwords to confirm against with SSO