Fix csrf token issue on invite accept dialog url.

Generate proper invite accept dialog path.
Set inviteAcceptDialog in OCMDiscoveryListener.
Rename db migration.

Signed-off-by: antoonp <antoon@redblom.com>

Author: redblom

lib/Controller/FederatedInvitesController.php

@@ -141,13 +141,14 @@ public function deleteInvite(string $token): JSONResponse {
 	}
 
 	/**
-	 * Sets the token and provider states which triggers display of the invite accept dialog.
+	 * Results in displaying the invite accept dialog upon following the invite link.
 	 *
 	 * @param string $token
 	 * @param string $providerDomain
 	 * @return TemplateResponse
 	 */
 	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function inviteAcceptDialog(string $token = '', string $providerDomain = ''): TemplateResponse {
 		$this->initialStateService->provideInitialState(Application::APP_ID, 'inviteToken', $token);
 		$this->initialStateService->provideInitialState(Application::APP_ID, 'inviteProvider', $providerDomain);
@@ -157,14 +158,14 @@ public function inviteAcceptDialog(string $token = '', string $providerDomain =
 	}
 
 	/**
-	 * Creates an invitation to exchange contact info for the user with the specified uid.
+	 * Creates an invitation to exchange contact info with the remote user.
 	 *
-	 * @param string $emailAddress the recipient email address to send the invitation to
-	 * @param string $message the optional message to send with the invitation
-	 * @return JSONResponse with data signature ['token' | 'message'] - the token of the invitation or an error message in case of error
+	 * @param string $emailAddress the recipient's (remote user's) email address to send the invitation to.
+	 * @param string $message optional message to send with the invitation.
+	 * @return JSONResponse with data signature ['invite' | 'message'] - the invite url or an error message in case of error.
 	 */
 	#[NoAdminRequired]
-	public function createInvite(string $email, string $message): JSONResponse {
+	public function createInvite(string $email, ?string $message): JSONResponse {
 		if (!isset($email)) {
 			return new JSONResponse(['message' => 'Recipient email is required'], Http::STATUS_BAD_REQUEST);
 		}
@@ -382,7 +383,7 @@ public function discover(string $base): DataResponse {
 		} elseif (empty($dialog)) {
 			// We can not check and see, because we have to be logged in here
 			// so we will just risk it.
-			$dialog = $base . WayfProvider::INVITE_ACCEPT_DIALOG;
+			$dialog = $base . $this->wayfProvider->getInviteAcceptDialogPath();
 			$absolute = preg_match('#^https?://#i', $dialog) ? $dialog : $base . $dialog;
 			return new DataResponse([
 				'base' => $base,

lib/Listener/OcmDiscoveryListener.php

@@ -8,25 +8,35 @@
  */
 namespace OCA\Contacts\Listener;
 
+use OC\Core\AppInfo\ConfigLexicon;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
+use OCP\IAppConfig;
+use OCP\IURLGenerator;
 use OCP\OCM\Events\LocalOCMDiscoveryEvent;
 
 /** @template-implements IEventListener<LocalOCMDiscoveryEvent> */
 class OcmDiscoveryListener implements IEventListener {
 
-    public function __construct() {}
+    public function __construct(
+		private IAppConfig $appConfig,
+		private IURLGenerator $urlGenerator,
+    ) {}
 
 	/**
-	 * This handler will register the capability: invite-accepted
+	 * This handler will register the capability invite-accepted
+     * and set the invite accept dialog url.
 	 *
 	 * @param Event $event an event of type LocalOCMDiscoveryEvent
 	 * @return void
 	 */
-	public function handle(Event $event): void {
-        if($event instanceof LocalOCMDiscoveryEvent) {
+    public function handle(Event $event): void {
+        if ($event instanceof LocalOCMDiscoveryEvent) {
             $event->addCapability('invite-accepted');
+            $inviteAcceptDialog = $this->appConfig->getValueString('core', ConfigLexicon::OCM_INVITE_ACCEPT_DIALOG);
+            if ($inviteAcceptDialog !== '') {
+                $event->getProvider()->setInviteAcceptDialog($this->urlGenerator->linkToRouteAbsolute($inviteAcceptDialog));
+            }
         }
     }
-
 }

…igration/Version1016Date202502262004.php …ration/Version8004Date20260130131217.phplib/Migration/Version1016Date202502262004.php renamed to lib/Migration/Version8004Date20260130131217.php lib/Migration/Version1016Date202502262004.php renamed to lib/Migration/Version8004Date20260130131217.php

@@ -17,7 +17,7 @@
 use OCP\Migration\SimpleMigrationStep;
 
 #[CreateTable(table: 'federated_invites', columns: ['id', 'user_id', 'recipient_provider', 'recipient_user_id', 'recipient_name', 'recipient_email', 'token', 'accepted', 'created_at', 'expired_at', 'accepted_at'], description: 'Supporting the OCM Invitation Flow feature')]
-class Version1016Date202502262004 extends SimpleMigrationStep {
+class Version8004Date20260130131217 extends SimpleMigrationStep {
 	/**
 	 * @param IOutput $output
 	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`

lib/WayfProvider.php

@@ -22,12 +22,10 @@ class WayfProvider {
 	// The default wayf page route.
 	public const WAYF_ROUTE = '/wayf';
 	public const DISCOVERY_ROUTE = '/discover';
-	public const INVITE_ACCEPT_DIALOG = '/index.php/apps/contacts' . FederatedInvitesService::OCM_INVITE_ACCEPT_DIALOG_ROUTE;
 
 	public function __construct(
 		private IAppConfig $appConfig,
 		private IClientService $httpClient,
-		private FederatedInvitesService $federatedInvitesService,
 		private LoggerInterface $logger,
 		private IOCMDiscoveryService $discovery,
 		private IURLGenerator $urlGenerator,
@@ -73,7 +71,8 @@ public function getMeshProviders(): array {
 					}
 					if ($inviteAcceptDialog === '') {
 						// We fall back on Nextcloud default path
-						$inviteAcceptDialog = $prov['url'] . WayfProvider::INVITE_ACCEPT_DIALOG;
+						$inviteAcceptDialogPath = self::getInviteAcceptDialogPath();
+						$inviteAcceptDialog = rtrim($prov['url'], '/') . $inviteAcceptDialogPath;
 					}
 					$federations[$fed][] = [
 						'provider' => $disc->getProvider(),
@@ -116,27 +115,17 @@ public function getMeshProvidersFromCache(): array {
 	 * @return string|null the WAYF login page endpoint or null if it could not be created
 	 */
 	public function getWayfEndpoint(): string|null {
-		$appRootUrl = $this->getAppRootUrl();
-		if(empty($appRootUrl)) {
-			$this->logger->error("Unable to create WAYF endpoint", ['app' => Application::APP_ID]);
-			return null;
-		}
-		$appRootUrl = trim($appRootUrl, '/');
-		$wayfEndpoint = 'https://' . $this->federatedInvitesService->getProviderFQDN() . "/$appRootUrl/" . Application::APP_ID . WayfProvider::WAYF_ROUTE;
-		return $this->appConfig->getValueString(Application::APP_ID, 'wayf_endpoint', $wayfEndpoint);
+		// default wayf endpoint
+		$defaultWayfEndpoint = $this->urlGenerator->linkToRouteAbsolute(Application::APP_ID . '.federated_invites.wayf');
+		return $this->appConfig->getValueString(Application::APP_ID, 'wayf_endpoint', $defaultWayfEndpoint);
 	}
 
 	/**
-	 * Returns this app root url. Currently either '/apps' or '/custom_apps'.
-	 * @return string|null the app root url or null if the app root url could not be determined
+	 * Returns the path of the invite accept dialog route.
+	 * 
+	 * @return string
 	 */
-	private function getAppRootUrl(): string|null {
-		foreach(\OC::$APPSROOTS as $appRoot) {
-			if(str_starts_with(__DIR__, $appRoot['path'])) {
-				return $appRoot['url'];
-			}
-		}
-		$this->logger->error("Could not determine app root url", ['app' => Application::APP_ID]);
-		return null;
+	public function getInviteAcceptDialogPath(): string {
+		return $this->urlGenerator->linkToRoute(Application::APP_ID . '.federated_invites.invite_accept_dialog');
 	}
 }