Extract handling deprecated session layouts into base class

thekid · thekid · commit 9e88e275dbb7 · 2026-01-04T13:33:34.000+01:00
diff --git a/src/main/php/web/auth/oauth/OAuth1Flow.class.php b/src/main/php/web/auth/oauth/OAuth1Flow.class.php
@@ -96,13 +96,11 @@ public function authenticate($request, $response, $session) {
 
     // Check whether we are continuing an existing authentication flow based on the
     // state given by the server and our session; or if we need to start a new one.
-    // Handle deprecated session layouts from previous library versions.
-    $state= $request->param('oauth_token');
-    $flow= (
-      $stored['flows'][$state] ??
-      (isset($stored['flow'][$state]) ? ['uri' => $stored['flow'][$state], 'seed' => []] : null) ??
-      (isset($stored['target']) ? ['uri' => $stored['target'], 'seed' => []] : null)
-    );
+    if (null === ($state= $request->param('oauth_token'))) {
+      $flow= null;
+    } else {
+      $flow= $this->flow($state, $stored);
+    }
 
     if (null === $flow) {
       $state= $this->request('/request_token', null, ['oauth_callback' => $callback])['oauth_token'];
diff --git a/src/main/php/web/auth/oauth/OAuth2Flow.class.php b/src/main/php/web/auth/oauth/OAuth2Flow.class.php
@@ -93,13 +93,12 @@ public function authenticate($request, $response, $session) {
 
     // Check whether we are continuing an existing authentication flow based on the
     // state given by the server and our session; or if we need to start a new one.
-    // Handle deprecated session layouts from previous library versions.
-    sscanf($request->param('state') ?? '', self::STATE, $state, $fragment);
-    $flow= (
-      $stored['flows'][$state] ??
-      (isset($stored['flow'][$state]) ? ['uri' => $stored['flow'][$state], 'seed' => []] : null) ??
-      (isset($stored['target']) ? ['uri' => $stored['target'], 'seed' => []] : null)
-    );
+    if (null === ($server= $request->param('state'))) {
+      $flow= null;
+    } else {
+      sscanf($server, self::STATE, $state, $fragment);
+      $flow= $this->flow($state, $stored);
+    }
 
     if (null === $flow) {
       $state= bin2hex($this->rand->bytes(16));
diff --git a/src/main/php/web/auth/oauth/OAuthFlow.class.php b/src/main/php/web/auth/oauth/OAuthFlow.class.php
@@ -6,6 +6,15 @@
 abstract class OAuthFlow extends Flow {
   protected $callback;
 
+  /** Locate flow stored in session based on a given state, handling deprecated session layouts */
+  protected function flow($state, $stored) {
+    return (
+      $stored['flows'][$state] ??
+      (isset($stored['flow'][$state]) ? ['uri' => $stored['flow'][$state], 'seed' => []] : null) ??
+      (isset($stored['target']) ? ['uri' => $stored['target'], 'seed' => []] : null)
+    );
+  }
+
   /** @return ?util.URI */
   public function callback() { return $this->callback; }
 
