AdnanHussainTurki / microsoft-api-php

Microsoft Graph API Wrapper for PHP

Error - State parameter does not matched #4

Open ubay25 opened 2 years ago

ubay25 commented 2 years ago

Hi,

I am getting this error when testing this plugin. I followed your instructions from here -- https://www.youtube.com/watch?v=LbtwSzTkKo8

Got error 'PHP message: PHP Fatal error: Uncaught Exception: State parameter does not matched. in /var/www/html/msid/vendor/adnanhussainturki/microsoft-api-php/src/Auth.php:86

Any ideas? Thanks in advance.

geynen commented 2 years ago

I have the same problem, how did you solve it?

geynen commented 2 years ago

Apparently, when I installed via Composer, the latest commits from the master branch were not downloaded; when updating my local copy from the master branch the problem was requested.

ubay25 commented 2 years ago

I have the same problem, how did you solve it?

Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:

if (!is_null($state)) {
    if (Session::get("state") != $state) {
        throw new \Exception("State parameter does not matched.", 1);
        return false;
    }
}

thejorgeflore commented 1 year ago

I also racked my brains over this. THE SOLUTION IS: add use myPHPnotes\Microsoft\Models\User; to the callback.php file.

It would look like this: use myPHPnotes\Microsoft\Auth; use myPHPnotes\Microsoft\Handlers\Session; use myPHPnotes\Microsoft\Models\User;

oscarclement commented 11 months ago

I have the same problem, how did you solve it?

Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:

if (!is_null($state)) {
    if (Session::get("state") != $state) {
        throw new \Exception("State parameter does not matched.", 1);
        return false;
    }
}

This is very dangerous. Do not comment that out, or you risk a Cross-Site Request Forgery (CSRF) attack. That is what validates the data you receive from Microsoft on successful validation. @AdnanHussainTurki The problem lies on line 33 of adnanhussainturki\microsoft-api-php\src\Auth.php. The random integer is being generated multiple times because $_SESSION['state'] does not exist. Try to change

if (!isset($_SESSION['state'])) {
            Session::set("state", random_int(1, 200000));
        }

to this:

if (null === Session::get("state")) {
            Session::set("state", random_int(1, 200000));
        }
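
A runnable illustration of the bug described above, added here as an example and not code from the library: a session handler that does not store into $_SESSION (as a framework session driver would), so the isset($_SESSION['state']) check never sees the stored state and the callback's comparison fails, while the Session::get() check keeps one state per session. The ArraySession and AuthDemo names, the constructed code value and the 128-bit random state are assumptions made for the demo.

```php
<?php
// Added example (not the library's code): a session store that never writes to
// $_SESSION, like a framework session driver, to show why isset($_SESSION['state'])
// regenerates the state on every request and makes the callback check fail.
final class ArraySession
{
    private static array $data = [];
    public static function get(string $key) { return self::$data[$key] ?? null; }
    public static function set(string $key, $value): void { self::$data[$key] = $value; }
    public static function reset(): void { self::$data = []; }
}
final class AuthDemo
{
    public function __construct(bool $fixed)
    {
        // Buggy check: ArraySession never populates $_SESSION, so the state is
        // regenerated on every construction (login request AND callback).
        $missing = $fixed ? (null === ArraySession::get('state')) : !isset($_SESSION['state']);
        if ($missing) {
            // Assumption: 128-bit random state instead of the thread's random_int(1, 200000).
            ArraySession::set('state', bin2hex(random_bytes(16)));
        }
    }
    public function getToken(string $code, ?string $state): bool
    {
        // CSRF check: constant-time comparison of the echoed state with the stored one.
        if ($state !== null && !hash_equals((string) ArraySession::get('state'), $state)) {
            throw new \Exception('State parameter does not matched.', 1);
        }
        return true;
    }
}
function simulateLogin(bool $fixed): string
{
    ArraySession::reset();
    // Request 1: the login page constructs Auth and sends the state to the provider.
    new AuthDemo($fixed);
    $echoedState = ArraySession::get('state'); // the provider returns it unchanged
    // Request 2: callback.php constructs Auth again and validates the echoed state.
    try {
        (new AuthDemo($fixed))->getToken('constructed-code', $echoedState);
        return 'ok';
    } catch (\Exception $e) {
        return $e->getMessage();
    }
}
echo 'buggy isset($_SESSION): ' . simulateLogin(false) . PHP_EOL;
echo 'fixed Session::get():   ' . simulateLogin(true) . PHP_EOL;
```

Run it with the PHP CLI; the buggy branch reports the exception message from the thread and the fixed branch reports ok, because only the latter keeps the state generated on the first request.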

aledc7 commented 11 months ago

Here is the right solution:

in callback.php file replace line 13:

replace this:

$tokens = $auth->getToken($_REQUEST['code'], $_REQUEST['state']);

for this:

$tokens = $auth->getToken($_REQUEST['code'], Session::get("state"));

oscarclement commented 11 months ago

@aledc7 I think you are wrong. You are expected to validate $_REQUEST['state'] which is what $auth->getToken() does first. Please, check the method in the Auth.php file. With your proposed solution, you can't know if the request was actually sent to Microsoft from your application. You shouldn't pass the session set by you to $auth->getToken() because the session is already accessible in the class.

AdnanHussainTurki commented 11 months ago

@oscarclement @aledc7 Reopening this issue, till we get it permanently fixed.

AdnanHussainTurki commented 11 months ago

Hey there,

Checked. Isn't this issue already fixed? I cannot replicate what you guys are facing:

The library seems to be properly matching the state param:

With correct state: 2023-10-22_02-06

With incorrect state: 2023-10-22_02-04

Test code (callback.php):

<?php

use myPHPnotes\Microsoft\Auth;
use myPHPnotes\Microsoft\Handlers\Session;
use myPHPnotes\Microsoft\Models\User;

session_start();

require 'vendor/autoload.php';

$auth = new Auth(
    Session::get('tenant_id'),
    Session::get('client_id'),
    Session::get('client_secret'),
    Session::get('redirect_uri'),
    Session::get('scopes')
);
var_dump($_SESSION);
$tokens = $auth->getToken($_REQUEST['code'], $_REQUEST['state']);
$accessToken = $tokens->access_token;

$auth->setAccessToken($accessToken);

$user = new User();
echo 'Name: ' . $user->data->getDisplayName() . '<br>';
echo 'Email: ' . $user->data->getUserPrincipalName() . '<br>';

oscarclement commented 11 months ago

@AdnanHussainTurki , I pulled on Friday 20th October 2023, but it was not fixed in the version I pulled. I want to ask; did you test this in a Laravel application? I asked that question because I think the issue is about the system's understanding of Session::get() as $_SESSION[]. I'm not sure that understanding depends on the PHP version.

ubaidismail commented 11 months ago

I am facing same problem.

oscarclement commented 11 months ago

I have the same problem, how did you solve it?

Hi, in my case I edited the Auth.php file in "vendor/adnanhussainturki/microsoft-api-php/src/" and commented out lines 84-89 below:

if (!is_null($state)) {
    if (Session::get("state") != $state) {
        throw new \Exception("State parameter does not matched.", 1);
        return false;
    }
}

This is very dangerous. Do not comment that out, or you risk a Cross-Site Request Forgery (CSRF) attack. That is what validates the data you receive from Microsoft on successful validation. @AdnanHussainTurki The problem lies on line 33 of adnanhussainturki\microsoft-api-php\src\Auth.php. The random integer is being generated multiple times because $_SESSION['state'] does not exist. Try to change

if (!isset($_SESSION['state'])) {
            Session::set("state", random_int(1, 200000));
        }

to this:

if (null === Session::get("state")) {
            Session::set("state", random_int(1, 200000));
        }

@ubaidismail Try this

ubaidismail commented 11 months ago

I have set your suggested code,

// if (!Session::get('state')) {
//     Session::set('state', random_int(1, 200000));
// }

To

if (null === Session::get("state")) {
    Session::set("state", random_int(1, 200000));
}

But still getting the same error.