Clean Up POST Parameters Code (#470)

brianfreytag · web-flow · commit b5d8fa369854 · 2025-12-08T16:39:09.000+01:00
diff --git a/src/Client/OAuth2Client.php b/src/Client/OAuth2Client.php
@@ -90,17 +90,16 @@ public function redirect(array $scopes = [], array $options = [])
      */
     public function getAccessToken(array $options = [])
     {
-        $request = $this->getCurrentRequest();
-
         if (!$this->isStateless()) {
             $expectedState = $this->getSession()->get(self::OAUTH2_SESSION_STATE_KEY);
-            $actualState = $this->getRequestParameter($request, 'state');
+            $actualState = $this->getRequestParameter('state');
+
             if (!$actualState || ($actualState !== $expectedState)) {
                 throw new InvalidStateException('Invalid state');
             }
         }
 
-        $code = $this->getRequestParameter($request, 'code');
+        $code = $this->getRequestParameter('code');
 
         if (!$code) {
             throw new MissingAuthorizationCodeException('No "code" parameter was found (usually this is a query parameter)!');
@@ -187,10 +186,14 @@ private function getCurrentRequest()
     /**
      * @return SessionInterface
      */
-    private function getSession()
+    protected function getSession(bool $isPKCE = false)
     {
         if (!$this->getCurrentRequest()->hasSession()) {
-            throw new \LogicException('In order to use "state", you must have a session. Set the OAuth2Client to stateless to avoid state');
+            $errorMessage = $isPKCE ?
+                'You must have a session to utilize the PKCE OAuth2 Client flow. Ensure you are not utilizing PKCE in a stateless environment.' :
+                'In order to use "state", you must have a session. Set the OAuth2Client to stateless to avoid state';
+
+            throw new \LogicException($errorMessage);
         }
 
         return $this->getCurrentRequest()->getSession();
@@ -199,12 +202,10 @@ private function getSession()
     /**
      * @return string|int|float|bool|null
      */
-    private function getRequestParameter(Request $request, string $key)
+    private function getRequestParameter(string $key)
     {
-        if ($request->query->has($key)) {
-            return $request->query->get($key);
-        }
+        $request = $this->getCurrentRequest();
 
-        return $request->request->get($key);
+        return $request->query->has($key) ? $request->query->get($key) : $request->request->get($key);
     }
 }
diff --git a/src/Client/OAuth2PKCEClient.php b/src/Client/OAuth2PKCEClient.php
@@ -10,12 +10,9 @@
 
 namespace KnpU\OAuth2ClientBundle\Client;
 
-use League\OAuth2\Client\Provider\AbstractProvider;
 use League\OAuth2\Client\Token\AccessToken;
 use League\OAuth2\Client\Token\AccessTokenInterface;
-use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\RedirectResponse;
-use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
 /**
@@ -27,14 +24,6 @@ class OAuth2PKCEClient extends OAuth2Client
 {
     public const VERIFIER_KEY = 'pkce_code_verifier';
 
-    private RequestStack $requestStack;
-
-    public function __construct(AbstractProvider $provider, RequestStack $requestStack)
-    {
-        parent::__construct($provider, $requestStack);
-        $this->requestStack = $requestStack;
-    }
-
     /**
      * Enhance the RedirectResponse prepared by OAuth2Client::redirect() with
      * PKCE code challenge and code challenge method parameters.
@@ -66,29 +55,23 @@ public function redirect(array $scopes = [], array $options = [])
      */
     public function getAccessToken(array $options = [])
     {
-        if (!$this->getSession()->has(static::VERIFIER_KEY)) {
+        $session = $this->getSession();
+
+        if (!$session->has(static::VERIFIER_KEY)) {
             throw new \LogicException('Unable to fetch token from OAuth2 server because there is no PKCE code verifier stored in the session');
         }
-        $pkce = ['code_verifier' => $this->getSession()->get(static::VERIFIER_KEY)];
-        $this->getSession()->remove(static::VERIFIER_KEY);
+
+        $pkce = ['code_verifier' => $session->get(static::VERIFIER_KEY)];
+        $session->remove(static::VERIFIER_KEY);
 
         return parent::getAccessToken($options + $pkce);
     }
 
     /**
      * @return SessionInterface
-     *
-     * @throws \LogicException          When there is no current request
-     * @throws SessionNotFoundException When session is not set properly [thrown by Request::getSession()]
      */
-    protected function getSession()
+    protected function getSession(bool $isPKCE = true)
     {
-        $request = $this->requestStack->getCurrentRequest();
-
-        if (!$request) {
-            throw new \LogicException('There is no "current request", and it is needed to perform this action');
-        }
-
-        return $request->getSession();
+        return parent::getSession($isPKCE);
     }
 }
