diff --git a/htdocs/core/login/functions_googleoauth.php b/htdocs/core/login/functions_googleoauth.php
index 0e61541192c..c0a77655f29 100644
--- a/htdocs/core/login/functions_googleoauth.php
+++ b/htdocs/core/login/functions_googleoauth.php
@@ -115,6 +115,7 @@ function check_user_password_googleoauth($usertotest, $passwordtotest, $entityto
 // If googleoauth_login has been set (by google_oauthcallback after a successful OAUTH2 request on openid scope
 if (!empty($_SESSION['googleoauth_receivedlogin']) && dol_verifyHash($conf->file->instance_unique_id.$usertotest, $_SESSION['googleoauth_receivedlogin'], '0')) {
+dol_syslog("Login received by Google OAuth was validated by callback page and saved crypted into session. This login is ".$usertotest);
 unset($_SESSION['googleoauth_receivedlogin']);
 $login = $usertotest;
 }
diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 4f38e884481..165fb44c61e 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -152,7 +152,7 @@ if ($action == 'delete') {
 }
 
 if (!GETPOST('code')) {
-dol_syslog("Page is called without code parameter defined");
+dol_syslog("Page is called without the 'code' parameter defined");
 
 // If we enter this page without 'code' parameter, it means we click on the link from login page and we want to get the redirect
 // to the OAuth provider login page.
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index e7eea603e18..f271a2ed385 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
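Review bot: The new dol_syslog line in check_user_password_googleoauth describes the session value as "crypted", while the condition directly above it validates that value with dol_verifyHash, so the message misstates what is actually stored; it also writes the login at the default level, and for a Google account that is presumably an e-mail address. I would write it as `dol_syslog("Login received by Google OAuth was validated by callback page and saved hashed into session. This login is ".$usertotest, LOG_DEBUG);`. Separately, on the new side the one-time session value is only unset when the hash matches; when it does not, it stays in the session until a later attempt, and whether an else branch should clear it depends on the rest of the function, which continues outside the hunk.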
@@ -74,10 +74,13 @@ if (preg_match('/'.preg_quote('core/modules/oauth', '/').'/', $php_self)) {
 $php_self = DOL_URL_ROOT.'/index.php?mainmenu=home';
 }
 $php_self = preg_replace('/(\?|&|&)action=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(\?|&|&)actionlogin=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(\?|&|&)afteroauthloginreturn=[^&]+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)username=[^&]*/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)entity=\d+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)massaction=[^&]+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)token=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(&)+/', '&', $php_self);
 
 // Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
 $arrayofjs = array(
@@ -374,7 +377,7 @@ if (isset($conf->file->main_authentication) && preg_match('/google/', $conf->fil
 */
 print '';
-print '';
+print '';
 print '
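Review bot: The two added preg_replace calls delete actionlogin and afteroauthloginreturn the same way the existing action/username/entity/token lines do, keeping the separator via `\1`, and the new `(&)+` collapse only merges repeated separators: a `?` immediately followed by `&`, or a separator left at the end of $php_self once the last parameter is removed, is not cleaned up. If the separators are plain `?`/`&` at this point, one more line such as `$php_self = preg_replace('/[?&]+$/', '', $php_self);` would handle the trailing case, and the collapse pattern would need to accept `?` as its first character to handle `?&`; since this page renders the entity form and a bare `&` identically, I cannot tell which form the new pattern targets, so please check it matches what the earlier lines produce. This block is a denylist of parameters to strip before $php_self is reused as the login page target, so any state-carrying parameter added later has to be listed here as well; a comment above the block saying so, e.g. `// Remove request parameters that must not be replayed into the login form target; add any new one-shot flag here.`, would make that explicit.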
';
 print img_picto('', 'google', 'class="pictofixedwidth"');
 print $langs->trans("LoginWith", "Google");
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 67886881b32..2e937c9b543 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -876,9 +876,13 @@ if (!defined('NOLOGIN')) {
 // $authmode is an array for example: array('0'=>'dolibarr', '1'=>'googleoauth');
 $oauthmodetotestarray = array('google');
 foreach ($oauthmodetotestarray as $oauthmodetotest) {
-if (in_array($oauthmodetotest.'oauth', $authmode) && GETPOST('beforeoauthloginredirect') != $oauthmodetotest) {
-// If we did not click on the link to use OAuth authentication, we do not try it.
-dol_syslog("User did not click on link for OAuth so we disable check using googleoauth");
+if (in_array($oauthmodetotest.'oauth', $authmode)) { // This is an authmode that is currently qualified. Do we have to remove it ?
+// If we click on the link to use OAuth authentication or if we goes after callback return, we do nothing
+if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn')) {
+// TODO Use: if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn') == $oauthmodetotest) {
+continue;
+}
+dol_syslog("User did not click on link for OAuth or is not on the OAuth return, so we disable check using ".$oauthmodetotest);
 foreach ($authmode as $tmpkey => $tmpval) {
 if ($tmpval == $oauthmodetotest.'oauth') {
 unset($authmode[$tmpkey]);
@@ -888,6 +892,7 @@ if (!defined('NOLOGIN')) {
 }
 }
 
+// Check login for all qualified modes in array $authmode.
 $login = checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode);
 if ($login === '--bad-login-validity--') {
 $login = '';
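Review bot: The new condition in the $oauthmodetotestarray loop keeps an OAuth mode whenever `GETPOST('afteroauthloginreturn')` is non-empty, for every entry of the array, whereas the beforeoauthloginredirect half compares against $oauthmodetotest; the TODO on the following line already spells out the stricter form, so I would apply it now rather than leave it as a comment: `if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn') == $oauthmodetotest) {`. With the check as written, any request carrying that parameter keeps googleoauth in $authmode for checkLoginPassEntity; the first hunk shows that mode still requires the hashed value in $_SESSION['googleoauth_receivedlogin'], so the impact looks limited to running an extra authentication check, but a request parameter's mere presence should not be what decides it. The added comment could also be tightened to `// Keep this OAuth mode when the user clicked its login link or is coming back from its callback.`. The enclosing foreach starts before the hunk and its closing braces are in the next hunk.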