99
1010class OidcController extends Controller
1111{
12- protected OidcService $ oidcService
13-
14- public function __construct (OidcService $ oidcService
15- {
16- $ this oidcService = $ oidcService
12+ public function __construct (
13+ protected OidcService $ oidcService
14+ ) {
1715 $ this middleware ('guard:oidc ' );
1816 }
1917
@@ -30,7 +28,7 @@ public function login()
3028 return redirect ('/login ' );
3129 }
3230
33- session ()->flash ('oidc_state ' , $ loginDetails'state ' ]);
31+ session ()->put ('oidc_state ' , time () . ' : ' . $ loginDetails'state ' ]);
3432
3533 return redirect ($ loginDetails'url ' ]);
3634 }
@@ -41,10 +39,16 @@ public function login()
4139 */
4240 public function callback (Request $ request
4341 {
44- $ storedStatesession ()->pull ('oidc_state ' );
4542 $ responseState$ requestquery ('state ' );
43+ $ splitStateexplode (': ' , session ()->pull ('oidc_state ' , ': ' ), 2 );
44+ if (count ($ splitState2 ) {
45+ $ splitStatenull , null ];
46+ }
47+
48+ [$ storedStateTime$ storedState$ splitState
49+ $ threeMinutesAgotime () - 3 * 60 ;
4650
47- if ($ storedState$ responseState
51+ if (! $ storedState|| $ storedState !== $ responseState || intval ( $ storedStateTime ) < $ threeMinutesAgo
4852 $ this showErrorNotification (trans ('errors.oidc_fail_authed ' , ['system ' => config ('oidc.name ' )]));
4953
5054 return redirect ('/login ' );
@@ -62,7 +66,7 @@ public function callback(Request $request)
6266 }
6367
6468 /**
65- * Log the user out then start the OIDC RP-initiated logout process.
69+ * Log the user out, then start the OIDC RP-initiated logout process.
6670 */
6771 public function logout ()
6872 {
0 commit comments