From 033ac02c695c32a09105a8321e97f0d949d5b27e Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Mon, 28 Apr 2025 14:52:32 +0300
Subject: [PATCH] Code improvements
---
 .../Controller/Oauth2ServersController.php | 19 +++++++++++++++----
 .../src/Lib/Enum/Oauth2GrandTypesEnum.php | 2 +-
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/app/plugins/CoreServer/src/Controller/Oauth2ServersController.php b/app/plugins/CoreServer/src/Controller/Oauth2ServersController.php
index a545379f3..b2e8ee9cc 100644
--- a/app/plugins/CoreServer/src/Controller/Oauth2ServersController.php
+++ b/app/plugins/CoreServer/src/Controller/Oauth2ServersController.php
@@ -21,7 +21,7 @@
 *
 * @link https://www.internet2.edu/comanage COmanage Project
 * @package registry-plugins
- * @since COmanage Registry v5.0.0
+ * @since COmanage Registry v5.2.0
 * @license Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 */
@@ -76,7 +76,11 @@ public function callback($id): void
 // (ie: code=foo, not code:foo)
 try {
- if (empty($_GET['code']) || empty($_GET['state'])) {
+ $request = $this->getRequest();
+ $code = $request->getQuery('code');
+ $state = $request->getQuery('state');
+
+ if (empty($code) || empty($state)) {
 throw new \RuntimeException(__d('core_server', 'error.Oauth2Servers.callback'));
 }
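Review bot: The new guard `if (empty($code) || empty($state))` does not establish that the two values are strings: `getQuery()` returns whatever the query string carried, so a bracketed or repeated parameter arrives as an array, and `empty()` on a non-empty array is false, letting a non-string value reach the state comparison and `exchangeCode()` later in `callback()`. `empty()` also rejects the legitimate string `"0"`. A type-and-emptiness check is clearer and closes both gaps: `if (!is_string($code) || $code === '' || !is_string($state) || $state === '') {`. `callback()` begins before this hunk and its body continues past it.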
@@ -84,11 +88,18 @@ public function callback($id): void
 // recommendations to prevent CSRF.
 // https://tools.ietf.org/html/rfc6749#section-10.12
- if ($_GET['state'] != hash('sha256', session_id())) {
+ // Access session from the request object
+ $sessionId = $request->getSession()->id();
+
+ if ($state != hash('sha256', $sessionId)) {
 throw new \RuntimeException(__d('core_server', 'error.Oauth2Servers.state'));
 }
- $response = $this->Oauth2Servers->exchangeCode($id, $_GET['code'], $this->Oauth2Servers->redirectUri((int)$id));
+ $response = $this->Oauth2Servers->exchangeCode(
+ $id,
+ $code,
+ $this->Oauth2Servers->redirectUri((int)$id),
+ );
 $this->Flash->success(__d('core_server', 'info.Oauth2Servers.access_token.ok'));
 } catch (\Exception $e) {
diff --git a/app/plugins/CoreServer/src/Lib/Enum/Oauth2GrandTypesEnum.php b/app/plugins/CoreServer/src/Lib/Enum/Oauth2GrandTypesEnum.php
index a8bd939b2..a82e51111 100644
--- a/app/plugins/CoreServer/src/Lib/Enum/Oauth2GrandTypesEnum.php
+++ b/app/plugins/CoreServer/src/Lib/Enum/Oauth2GrandTypesEnum.php
@@ -21,7 +21,7 @@
 *
 * @link https://www.internet2.edu/comanage COmanage Project
 * @package registry-plugins
- * @since COmanage Registry v5.0.0
+ * @since COmanage Registry v5.2.0
 * @license Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 */
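Review bot: The rewritten state check `if ($state != hash('sha256', $sessionId))` keeps the loose `!=` comparison of the anti-CSRF value; since this is the check the RFC 6749 §10.12 comment above it refers to, it should be a strict, constant-time comparison, and because `hash_equals()` throws a `TypeError` (not caught by the `catch (\Exception $e)` below) when handed a non-string, the type must be confirmed first: `if (!is_string($state) || !hash_equals(hash('sha256', $sessionId), $state)) {`. The expected value is derived only from the session id, so it stays constant for the life of the session rather than being a fresh per-authorization nonce; that design predates this commit, but this line is the place a reviewer would want a comment noting it. The added comment `// Access session from the request object` restates the call and could be dropped. Minor inconsistency: `redirectUri()` receives `(int)$id` while `exchangeCode()` receives the raw `$id`. `callback()` continues past the end of this hunk.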