fix: use correct logic for URI check (#8)

mikedamm · gao-sun · web-flow · commit bfbfe7439608 · 2024-04-27T18:57:23.000+08:00
* Fix logic for URI check PATH_INFO is specific to Apache, so this code fails if you use any other webserver https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo * refactor: fix tests --------- Co-authored-by: Gao Sun <gao@silverhand.io>
diff --git a/src/LogtoClient.php b/src/LogtoClient.php
@@ -248,7 +248,7 @@ public function handleSignInCallback(): void
     // Some loose checks
     if (
       parse_url($signInSession->redirectUri, PHP_URL_HOST) !== ($_SERVER['SERVER_NAME'] ?? null) ||
-      parse_url($signInSession->redirectUri, PHP_URL_PATH) !== ($_SERVER['PATH_INFO'] ?? null)
+      parse_url($signInSession->redirectUri, PHP_URL_PATH) !== parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)
     ) {
       throw new LogtoException('The redirect URI in the sign-in session does not match the current request.');
     }
diff --git a/tests/LogtoClientTest.php b/tests/LogtoClientTest.php
@@ -152,7 +152,7 @@ function test_handleSignInCallback_sessionNotFound()
   function test_handleSignInCallback_pathDoesNotMatch()
   {
     $_SERVER['SERVER_NAME'] = 'localhost';
-    $_SERVER['PATH_INFO'] = '/foo';
+    $_SERVER['REQUEST_URI'] = '/foo';
     $client = $this->getInstance();
     $client->storage->set(
       StorageKey::signInSession,
@@ -166,7 +166,7 @@ function test_handleSignInCallback_pathDoesNotMatch()
   function test_handleSignInCallback_stateDoesNotMatch()
   {
     $_SERVER['SERVER_NAME'] = 'redirect_uri';
-    $_SERVER['PATH_INFO'] = '/some_path';
+    $_SERVER['REQUEST_URI'] = '/some_path';
     $_SERVER['QUERY_STRING'] = null;
     $client = $this->getInstance();
     $client->storage->set(
@@ -181,7 +181,7 @@ function test_handleSignInCallback_stateDoesNotMatch()
   function test_handleSignInCallback_codeNotFound()
   {
     $_SERVER['SERVER_NAME'] = 'redirect_uri';
-    $_SERVER['PATH_INFO'] = '/some_path';
+    $_SERVER['REQUEST_URI'] = '/some_path';
     $_SERVER['QUERY_STRING'] = 'state=state';
     $client = $this->getInstance();
     $client->storage->set(
@@ -196,7 +196,7 @@ function test_handleSignInCallback_codeNotFound()
   function test_handleSignInCallback()
   {
     $_SERVER['SERVER_NAME'] = 'redirect_uri';
-    $_SERVER['PATH_INFO'] = '/some_path';
+    $_SERVER['REQUEST_URI'] = '/some_path';
     $_SERVER['QUERY_STRING'] = 'state=state&code=code';
     $tokenResponse = new TokenResponse(
       access_token: 'access_token',

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ public function handleSignInCallback(): void`
`248`	`248`	`// Some loose checks`
`249`	`249`	`if (`
`250`	`250`	`parse_url($signInSession->redirectUri, PHP_URL_HOST) !== ($_SERVER['SERVER_NAME'] ?? null) \|\|`
`251`		`- parse_url($signInSession->redirectUri, PHP_URL_PATH) !== ($_SERVER['PATH_INFO'] ?? null)`
	`251`	`+ parse_url($signInSession->redirectUri, PHP_URL_PATH) !== parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)`
`252`	`252`	`) {`
`253`	`253`	`throw new LogtoException('The redirect URI in the sign-in session does not match the current request.');`
`254`	`254`	`}`