From f6c6e55db55e336aee3f99963bc726f098fdcce2 Mon Sep 17 00:00:00 2001
From: memurats
Date: Mon, 3 Feb 2025 14:42:33 +0100
Subject: [PATCH 1/3] added device check and redirect if access denied
---
 lib/Controller/LoginController.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 4aff4bd0..8adc1957 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -288,6 +288,11 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $this->logger->debug('Code login with core: ' . $code . ' and state: ' . $state);
 if ($error !== '') {
+ if (!$this->isMobileDevice()) {
+ $cancelRedirectUrl = $this->config->getSystemValue('user_oidc.cancel_redirect_url', 'https://cloud.telekom-dienste.de/');
+ return new RedirectResponse($cancelRedirectUrl);
+ }
+
 return new JSONResponse([
 'error' => $error,
 'error_description' => $error_description,
@@ -785,4 +790,20 @@ private function toCodeChallenge(string $data): string {
 $s = str_replace('/', '_', $s); // 63rd char of encoding
 return $s;
 }
+
+ private function isMobileDevice(): bool {
+ $mobileKeywords = $this->config->getSystemValue('user_oidc.mobile_keywords', ['Android', 'iPhone', 'iPad', 'iPod', 'Windows Phone', 'Mobile', 'webOS', 'BlackBerry', 'Opera Mini', 'IEMobile']);
+
+ if (!isset($_SERVER['HTTP_USER_AGENT'])) {
+ return false; // if no user-agent is set, assume desktop
+ }
+
+ foreach ($mobileKeywords as $keyword) {
+ if (stripos($_SERVER['HTTP_USER_AGENT'], $keyword) !== false) {
+ return true; // device is mobile
+ }
+ }
+
+ return false; // device is desktop
+ }
 }
From 4ee1543c362728d7a04393052dcf8c784f33f067 Mon Sep 17 00:00:00 2001
From: memurats
Date: Tue, 4 Feb 2025 09:11:33 +0100
Subject: [PATCH 2/3] solve merge issue
---
 lib/Controller/LoginController.php | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
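Review bot: In `code()`, the new branch under `if ($error !== '')` redirects on every non-empty `$error`, although the subject line speaks only of access denied, so a provider-side failure such as `server_error` also sends a desktop user to the cancel page with `error` and `error_description` discarded and nothing logged. Narrowing the condition to `if ($error === 'access_denied' && !$this->isMobileDevice()) {` and logging before the return, for example `$this->logger->warning('Code login error', ['error' => $error]);`, would keep other failures diagnosable. The fallback `'https://cloud.telekom-dienste.de/'` is a deployment-specific URL baked into the controller, and the configured value reaches `RedirectResponse` without a check that it is a non-empty string. The body of `code()` continues outside the hunk.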
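Review bot: `isMobileDevice()` iterates whatever `user_oidc.mobile_keywords` holds without validating it: a string value there makes the `foreach` emit a warning and match nothing, and on PHP 8 an empty-string entry makes `stripos()` return `0`, so every client is classified as mobile and the cancel redirect never fires. Skipping bad entries with `if (!is_string($keyword) || $keyword === '') { continue; }`, and falling back to the default list when the value is not an array, would make the check robust against a mistyped config. The User-Agent header is client-controlled, so the method deserves a docblock stating that its result only selects the response format and must never gate access. Reading the header through the controller's request object rather than `$_SERVER['HTTP_USER_AGENT']` would also let the method be unit-tested.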
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 8adc1957..ead17c48 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -781,16 +781,6 @@ private function getBackchannelLogoutErrorResponse(
 );
 }
- private function toCodeChallenge(string $data): string {
- // Basically one big work around for the base64url decode being weird
- $h = pack('H*', hash('sha256', $data));
- $s = base64_encode($h); // Regular base64 encoder
- $s = explode('=', $s)[0]; // Remove any trailing '='s
- $s = str_replace('+', '-', $s); // 62nd char of encoding
- $s = str_replace('/', '_', $s); // 63rd char of encoding
- return $s;
- }
-
 private function isMobileDevice(): bool {
 $mobileKeywords = $this->config->getSystemValue('user_oidc.mobile_keywords', ['Android', 'iPhone', 'iPad', 'iPod', 'Windows Phone', 'Mobile', 'webOS', 'BlackBerry', 'Opera Mini', 'IEMobile']);
@@ -806,4 +796,14 @@ private function isMobileDevice(): bool {
 return false; // device is desktop
 }
+
+ private function toCodeChallenge(string $data): string {
+ // Basically one big work around for the base64url decode being weird
+ $h = pack('H*', hash('sha256', $data));
+ $s = base64_encode($h); // Regular base64 encoder
+ $s = explode('=', $s)[0]; // Remove any trailing '='s
+ $s = str_replace('+', '-', $s); // 62nd char of encoding
+ $s = str_replace('/', '_', $s); // 63rd char of encoding
+ return $s;
+ }
 }
From 04dcb99f30252a9107d6d5345ee00ca4a6672a6d Mon Sep 17 00:00:00 2001
From: memurats
Date: Tue, 28 Oct 2025 15:12:05 +0100
Subject: [PATCH 3/3] removed whitespaces
---
 lib/Controller/LoginController.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index c83b6332..4eb168a7 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -325,7 +325,6 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $cancelRedirectUrl = $this->config->getSystemValue('user_oidc.cancel_redirect_url', 'https://cloud.telekom-dienste.de/');
 return new RedirectResponse($cancelRedirectUrl);
 }
-
 $this->logger->warning('Code login error', ['error' => $error, 'error_description' => $error_description]);
 if ($this->isDebugModeEnabled()) {
 return new JSONResponse([
@@ -908,11 +907,11 @@ private function getBackchannelLogoutErrorResponse(
 private function isMobileDevice(): bool {
 $mobileKeywords = $this->config->getSystemValue('user_oidc.mobile_keywords', ['Android', 'iPhone', 'iPad', 'iPod', 'Windows Phone', 'Mobile', 'webOS', 'BlackBerry', 'Opera Mini', 'IEMobile']);
-
+
 if (!isset($_SERVER['HTTP_USER_AGENT'])) {
 return false; // if no user-agent is set, assume desktop
 }
-
+
 foreach ($mobileKeywords as $keyword) {
 if (stripos($_SERVER['HTTP_USER_AGENT'], $keyword) !== false) {
 return true; // device is mobile