Open ubay25 opened 2 years ago
I have the same problem, how did you solve it?
Apparently when I installed via Composer the latest commits from the master branch were not downloaded; when updating my local copy from the master branch the problem was requested.
> I have the same problem, how did you solve it?

Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:

```php
if (!is_null($state)) {
    if (Session::get("state") != $state) {
        throw new \Exception("State parameter does not matched.", 1);
        return false;
    }
}
```
I also racked my brain over this. THE SOLUTION IS: put `use myPHPnotes\Microsoft\Models\User;` in the callback.php file.

It would look like this:

```php
use myPHPnotes\Microsoft\Auth;
use myPHPnotes\Microsoft\Handlers\Session;
use myPHPnotes\Microsoft\Models\User;
```
> I have the same problem, how did you solve it?

> Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:
>
> ```php
> if (!is_null($state)) {
>     if (Session::get("state") != $state) {
>         throw new \Exception("State parameter does not matched.", 1);
>         return false;
>     }
> }
> ```
This is very dangerous. Do not comment that out, else you risk a Cross-Site Request Forgery (CSRF) attack. That is what validates the data you receive from Microsoft on successful validation. @AdnanHussainTurki The problem lies on line 33 of adnanhussainturki\microsoft-api-php\src\Auth.php. The random integer is being generated multiple times because $_SESSION['state'] does not exist. Try to change

```php
if (!isset($_SESSION['state'])) {
    Session::set("state", random_int(1, 200000));
}
```

to this:

```php
if (null === Session::get("state")) {
    Session::set("state", random_int(1, 200000));
}
```
In the callback.php file replace line 13.

Replace this:

```php
$tokens = $auth->getToken($_REQUEST['code'], $_REQUEST['state']);
```

with this:

```php
$tokens = $auth->getToken($_REQUEST['code'], Session::get("state"));
```
@aledc7 I think you are wrong. You are expected to validate `$_REQUEST['state']`, which is what `$auth->getToken()` does first. Please check the method in the Auth.php file. With your proposed solution, you can't know if the request was actually sent to Microsoft from your application. You shouldn't pass the session set by you to `$auth->getToken()` because the session is already accessible in the class.
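An added example illustrating the point argued over in the comments above (this is not code from microsoft-api-php or from any commenter): a self-contained PHP sketch of how an OAuth 2.0 `state` value should be issued once per session, compared against the value the provider echoes back in the callback, and consumed so it cannot be reused. The names `SimpleSession`, `issueState`, `verifyState` and `check` are assumptions made for this illustration; the library's own `Session` handler and `Auth::getToken()` are not used.

```php
<?php
declare(strict_types=1);

// Added example, not part of microsoft-api-php. SimpleSession is an in-memory
// stand-in for $_SESSION so the script runs from the CLI without a web server.
final class SimpleSession
{
    private static array $data = [];

    public static function get(string $key): ?string
    {
        return self::$data[$key] ?? null;
    }

    public static function set(string $key, string $value): void
    {
        self::$data[$key] = $value;
    }

    public static function forget(string $key): void
    {
        unset(self::$data[$key]);
    }
}

// Issue the state ONCE per authorization request and remember it server-side.
// Regenerating it on every request (the bug described in the thread) means the
// callback can never match it. random_bytes() gives an unguessable value; a
// small random_int() range would be cheap to guess.
function issueState(): string
{
    $existing = SimpleSession::get('oauth_state');
    if ($existing !== null) {
        return $existing;
    }
    $state = bin2hex(random_bytes(32));
    SimpleSession::set('oauth_state', $state);
    return $state;
}

// On the callback, compare the value the identity provider echoed back with the
// value we stored. Comparing the session value with itself (as proposed above)
// is not a check at all. hash_equals() is constant-time; the stored value is
// removed after one use so a captured callback URL cannot be replayed.
function verifyState(?string $returned): bool
{
    $expected = SimpleSession::get('oauth_state');
    if ($expected === null || $returned === null) {
        return false;
    }
    SimpleSession::forget('oauth_state');
    return hash_equals($expected, $returned);
}

// Tiny self-check helper (assumed name) so the demonstration fails loudly.
function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('FAILED: ' . $message);
    }
    echo 'ok: ' . $message . PHP_EOL;
}

// Demonstration with constructed values.
$state = issueState();
check(issueState() === $state, 'state is not regenerated within the same session');

// Legitimate callback: the provider returns exactly the value we sent.
check(verifyState($state) === true, 'matching state is accepted');

// The state was consumed, so presenting the same callback again is rejected.
check(verifyState($state) === false, 'reused state is rejected');

// A callback carrying a different value, or no value, is rejected.
issueState();
check(verifyState('some-other-value') === false, 'mismatched state is rejected');
check(verifyState(null) === false, 'missing state is rejected');
```

Run it with `php state_example.php`; each line prints `ok:` or the script throws. The essential property is that the value in the session is only ever compared with the value carried in the incoming request, which is what the library's own check does and what commenting it out removes.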
@oscarclement @aledc7 Reopening this issue, till we get it permanently fixed.
Hey there,
Checked. Isn't this issue already fixed? I'm not able to replicate what you guys are facing:

The library seems to be properly matching the state param:
With correct state:
With incorrect state:
Test code (callback.php):
```php
<?php
use myPHPnotes\Microsoft\Auth;
use myPHPnotes\Microsoft\Handlers\Session;
use myPHPnotes\Microsoft\Models\User;

session_start();
require 'vendor/autoload.php';

$auth = new Auth(
    Session::get('tenant_id'),
    Session::get('client_id'),
    Session::get('client_secret'),
    Session::get('redirect_uri'),
    Session::get('scopes')
);

var_dump($_SESSION);

$tokens = $auth->getToken($_REQUEST['code'], $_REQUEST['state']);
$accessToken = $tokens->access_token;
$auth->setAccessToken($accessToken);

$user = new User();
echo 'Name: ' . $user->data->getDisplayName() . '<br>';
echo 'Email: ' . $user->data->getUserPrincipalName() . '<br>';
```
@AdnanHussainTurki , I pulled on Friday 20th October 2023, but it was not fixed in the version I pulled.
I want to ask: did you test this in a Laravel application? I asked that question because I think the issue is about the system's understanding of `Session::get()` as `$_SESSION[]`. I'm not sure whether that understanding depends on the PHP version.
I am facing the same problem.
> I have the same problem, how did you solve it?

> Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:
>
> ```php
> if (!is_null($state)) {
>     if (Session::get("state") != $state) {
>         throw new \Exception("State parameter does not matched.", 1);
>         return false;
>     }
> }
> ```

> This is very dangerous. Do not comment that out, else you risk a Cross-Site Request Forgery (CSRF) attack. That is what validates the data you receive from Microsoft on successful validation. @AdnanHussainTurki The problem lies on line 33 of adnanhussainturki\microsoft-api-php\src\Auth.php. The random integer is being generated multiple times because $_SESSION['state'] does not exist. Try to change
>
> ```php
> if (!isset($_SESSION['state'])) {
>     Session::set("state", random_int(1, 200000));
> }
> ```
>
> to this:
>
> ```php
> if (null === Session::get("state")) {
>     Session::set("state", random_int(1, 200000));
> }
> ```
@ubaidismail Try this
I have set your suggested code,

```php
// if (!Session::get('state')) {
//     Session::set('state', random_int(1, 200000));
// }
```

to

```php
if (null === Session::get("state")) {
    Session::set("state", random_int(1, 200000));
}
```

But I am still getting the same error.
Hi,
I am getting this error when testing this plugin. I followed your instructions from here -- https://www.youtube.com/watch?v=LbtwSzTkKo8

Got this error:

```
PHP message: PHP Fatal error: Uncaught Exception: State parameter does not matched. in /var/www/html/msid/vendor/adnanhussainturki/microsoft-api-php/src/Auth.php:86
```
Any ideas? Thanks in advance.