This commit is contained in:
Diogo Peralta Cordeiro 2022-01-16 18:52:05 +00:00
parent 95c8f3bdc7
commit 841d10cde0
No known key found for this signature in database
GPG Key ID: 18D2D35001FBFAB0
2 changed files with 11 additions and 1 deletions


@ -43,6 +43,7 @@ use Plugin\OAuth2\Controller\Apps;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\Event\UserResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\Model\Grant;
use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;
use XML_XRD_Element_Link;
@ -106,6 +107,7 @@ class OAuth2 extends Plugin implements EventSubscriberInterface
$user = Common::ensureLoggedIn();
$event->setUser($user);
$event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
$event->getClient()->setGrants(new Grant('client_credentials'), new Grant('authorization_code'));
} catch (NoLoggedInUser) {
$event->setResponse(new Response(302, [
'Location' => Router::url('security_login', [
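Review bot: `$event->getClient()->setGrants(new Grant('client_credentials'), new Grant('authorization_code'))` (the line that appears to be this hunk's addition) rewrites the resolved client's allowed grants inside the authorization-request resolver, so every client that reaches this point looks to be granted `client_credentials` regardless of how it was registered; the allowed-grant set belongs with client registration (the `Apps` controller imported above), and the resolver should only read it. If any of these clients are public rather than confidential, enabling `client_credentials` for them is the part to reconsider, since that grant issues tokens with no user involved; if the intent is only to seed defaults for newly created apps, doing it once at creation avoids mutating the client on every authorize call. The call also runs after `resolveAuthorization(AUTHORIZATION_APPROVED)` has already approved the request for any logged-in user with no consent step — pre-existing, but a comment such as `// NOTE: auto-approves for any logged-in user; no consent screen yet` would make that explicit. The enclosing method starts and ends outside the hunk.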


@ -180,8 +180,15 @@ abstract class Controller extends AbstractController implements EventSubscriberI
$event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
$event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
$event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
$event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN');
$event->getResponse()->headers->set('x-frame-options', 'DENY');
$event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
$event->getResponse()->headers->set('x-content-type-options', 'nosniff');
$event->getResponse()->headers->set('x-download-options', 'noopen');
$event->getResponse()->headers->set('x-permitted-cross-domain-policies', 'none');
$event->getResponse()->headers->set('access-control-allow-credentials', true);
$event->getResponse()->headers->set('access-control-allow-origin', '*');
$event->getResponse()->headers->set('referrer-policy', 'same-origin');
$event->getResponse()->headers->set('access-control-expose-headers', 'Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key');
$policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
$event->getResponse()->headers->set('Content-Security-Policy', $policy);
$event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
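Review bot: `headers->set('access-control-allow-credentials', true)` passes a bool where Symfony's `HeaderBag::set` takes a string: with `strict_types=1` declared in the file it is a TypeError, and without it the value is coerced to `1`, which browsers do not accept as the literal `true` the CORS spec requires — so the credentials flag is ineffective either way; write `$event->getResponse()->headers->set('access-control-allow-credentials', 'true');`. Even spelled correctly it is combined with `access-control-allow-origin: *`, and browsers reject credentialed cross-origin responses that carry a wildcard origin, so decide whether these controllers serve credentialed cross-origin requests at all and, if they do, reflect an allow-listed `Origin` value instead of `*`. The replacement of `x-frame-options: SAMEORIGIN` with `DENY` also disagrees with the unchanged CSP `frame-ancestors 'self'` two lines below; browsers that support `frame-ancestors` ignore `X-Frame-Options` when it is present, so the effective policy is still `'self'` in modern browsers and `DENY` only in legacy ones — pick one and make the two headers agree. The enclosing method starts and ends outside the hunk.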
@ -257,6 +264,7 @@ abstract class Controller extends AbstractController implements EventSubscriberI
} else {
return null;
}
// no break
case 'params':
return $this->request->query->all();
default: