From 2757a429071a9df012751662d7d990b5d92f5074 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Fri, 4 Jan 2019 20:30:37 +0100
Subject: [PATCH] Fix loginflow with apptoken enter on iOS

It seems iOS doesn't like us to change the location. So now we submit it
to the server that geneartes the redirect.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 core/Controller/ClientFlowLoginController.php | 30 +++++++++++++++++++
 core/js/login/authpicker.js                   |  8 -----
 core/routes.php                               |  1 +
 core/templates/loginflow/authpicker.php       |  7 +++--
 4 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 3050248f4e..7846dfcfd6 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -336,4 +336,34 @@ class ClientFlowLoginController extends Controller {
 
 		return new Http\RedirectResponse($redirectUri);
 	}
+
+	/**
+	 * @PublicPage
+	 */
+	public function apptokenRedirect(string $stateToken, string $user, string $password) {
+		if (!$this->isValidToken($stateToken)) {
+			return $this->stateTokenForbiddenResponse();
+		}
+
+		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+		return new Http\RedirectResponse($redirectUri);
+	}
+
+	private function getServerPath() {
+		$serverPostfix = '';
+		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+		} else if (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+		}
+		$protocol = $this->request->getServerProtocol();
+		if ($protocol !== "https") {
+			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+				$protocol = 'https';
+			}
+		}
+		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+	}
 }
diff --git a/core/js/login/authpicker.js b/core/js/login/authpicker.js
index 2d4bcc3315..e1e34bbd8d 100644
--- a/core/js/login/authpicker.js
+++ b/core/js/login/authpicker.js
@@ -5,12 +5,4 @@ jQuery(document).ready(function() {
 		$('#redirect-link').addClass('hidden');
 		$('#app-token-login-field').removeClass('hidden');
 	});
-
-	$('#submit-app-token-login').click(function(e) {
-		e.preventDefault();
-		window.location.href = 'nc://login/server:'
-			+ encodeURIComponent($('#serverHost').val())
-			+ "&user:" +  encodeURIComponent($('#user').val())
-			+ "&password:" + encodeURIComponent($('#password').val());
-	});
 });
diff --git a/core/routes.php b/core/routes.php
index 1cb44e47d9..4508ecad81 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -53,6 +53,7 @@ $application->registerRoutes($this, [
 		['name' => 'ClientFlowLogin#showAuthPickerPage', 'url' => '/login/flow', 'verb' => 'GET'],
 		['name' => 'ClientFlowLogin#redirectPage', 'url' => '/login/flow/redirect', 'verb' => 'GET'],
 		['name' => 'ClientFlowLogin#generateAppPassword', 'url' => '/login/flow', 'verb' => 'POST'],
+		['name' => 'ClientFlowLogin#apptokenRedirect', 'url' => '/login/flow/apptoken', 'verb' => 'POST'],
 		['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'],
 		['name' => 'TwoFactorChallenge#showChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'GET'],
 		['name' => 'TwoFactorChallenge#solveChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'POST'],
diff --git a/core/templates/loginflow/authpicker.php b/core/templates/loginflow/authpicker.php
index 1858f8bcb6..824a1af32b 100644
--- a/core/templates/loginflow/authpicker.php
+++ b/core/templates/loginflow/authpicker.php
@@ -44,7 +44,7 @@ $urlGenerator = $_['urlGenerator'];
 		</a>
 	</p>
 
-	<fieldset id="app-token-login-field" class="hidden">
+	<form action="<?php p($urlGenerator->linkToRouteAbsolute('core.ClientFlowLogin.apptokenRedirect')); ?>" method="post" id="app-token-login-field" class="hidden">
 		<p class="grouptop">
 			<input type="text" name="user" id="user" placeholder="<?php p($l->t('Username')) ?>">
 			<label for="user" class="infield"><?php p($l->t('Username')) ?></label>
@@ -53,9 +53,10 @@ $urlGenerator = $_['urlGenerator'];
 			<input type="password" name="password" id="password" placeholder="<?php p($l->t('App token')) ?>">
 			<label for="password" class="infield"><?php p($l->t('Password')) ?></label>
 		</p>
-		<input type="hidden" id="serverHost" value="<?php p($_['serverHost']) ?>" />
+		<input type="hidden" name="stateToken" value="<?php p($_['stateToken']) ?>" />
+		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>">
 		<input id="submit-app-token-login" type="submit" class="login primary icon-confirm-white" value="<?php p($l->t('Grant access')) ?>">
-	</fieldset>
+	</form>
 </div>
 
 <?php if(empty($_['oauthState'])): ?>