fix(config): Fix incorrect config handling

appinfo/routes.php

@@ -13,7 +13,9 @@
 	'routes' => [
 		['name' => 'config#oauthRedirect', 'url' => '/oauth-redirect', 'verb' => 'GET'],
 		['name' => 'config#setConfig', 'url' => '/config', 'verb' => 'PUT'],
+		['name' => 'config#setSensitiveConfig', 'url' => '/sensitive-config', 'verb' => 'PUT'],
 		['name' => 'config#setAdminConfig', 'url' => '/admin-config', 'verb' => 'PUT'],
+		['name' => 'config#setSensitiveAdminConfig', 'url' => '/sensitive-admin-config', 'verb' => 'PUT'],
 		['name' => 'config#popupSuccessPage', 'url' => '/popup-success', 'verb' => 'GET'],
 
 		['name' => 'gitlabAPI#getEvents', 'url' => '/events', 'verb' => 'GET'],

lib/Controller/ConfigController.php

@@ -23,7 +23,6 @@
 use OCP\AppFramework\Services\IInitialState;
 use OCP\IConfig;
 use OCP\IL10N;
-
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\PreConditionNotMetException;
@@ -46,11 +45,27 @@ public function __construct(string $appName,
 	 * set config values
 	 * @NoAdminRequired
 	 *
-	 * @param array $values
-	 * @return DataResponse
 	 * @throws PreConditionNotMetException
 	 */
 	public function setConfig(array $values): DataResponse {
+		foreach ($values as $key => $value) {
+			if ($key === 'url' || $key === 'token') {
+				return new DataResponse([], Http::STATUS_BAD_REQUEST);
+			}
+
+			$this->config->setUserValue($this->userId, Application::APP_ID, $key, $value);
+		}
+
+		return new DataResponse([]);
+	}
+
+	/**
+	 * @PasswordConfirmationRequired
+	 * @NoAdminRequired
+	 *
+	 * @throws PreConditionNotMetException
+	 */
+	public function setSensitiveConfig(array $values): DataResponse {
 		// revoke the oauth token if needed
 		if (isset($values['token']) && $values['token'] === '') {
 			$tokenType = $this->config->getUserValue($this->userId, Application::APP_ID, 'token_type');
@@ -62,6 +77,7 @@ public function setConfig(array $values): DataResponse {
 		foreach ($values as $key => $value) {
 			$this->config->setUserValue($this->userId, Application::APP_ID, $key, $value);
 		}
+
 		$result = [];
 
 		if (isset($values['token'])) {
@@ -100,6 +116,20 @@ public function setConfig(array $values): DataResponse {
 	 * @return DataResponse
 	 */
 	public function setAdminConfig(array $values): DataResponse {
+		foreach ($values as $key => $value) {
+			if ($key === 'client_id' || $key === 'client_secret' || $key === 'oauth_instance_url') {
+				return new DataResponse([], Http::STATUS_BAD_REQUEST);
+			}
+
+			$this->config->setAppValue(Application::APP_ID, $key, $value);
+		}
+		return new DataResponse(1);
+	}
+
+	/**
+	 * @PasswordConfirmationRequired
+	 */
+	public function setSensitiveAdminConfig(array $values): DataResponse {
 		foreach ($values as $key => $value) {
 			$this->config->setAppValue(Application::APP_ID, $key, $value);
 		}
@@ -153,7 +183,7 @@ public function oauthRedirect(string $code = '', string $state = ''): RedirectRe
 				$refreshToken = $result['refresh_token'] ?? '';
 				if (isset($result['expires_in'])) {
 					$nowTs = (new Datetime())->getTimestamp();
-					$expiresAt = $nowTs + (int) $result['expires_in'];
+					$expiresAt = $nowTs + (int)$result['expires_in'];
 					$this->config->setUserValue($this->userId, Application::APP_ID, 'token_expires_at', strval($expiresAt));
 				}
 				$this->config->setUserValue($this->userId, Application::APP_ID, 'url', $adminOauthUrl);

lib/Settings/Admin.php

@@ -6,7 +6,6 @@
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\IConfig;
-
 use OCP\Settings\ISettings;
 
 class Admin implements ISettings {
@@ -20,7 +19,8 @@ public function __construct(private IConfig $config,
 	 */
 	public function getForm(): TemplateResponse {
 		$clientID = $this->config->getAppValue(Application::APP_ID, 'client_id');
-		$clientSecret = $this->config->getAppValue(Application::APP_ID, 'client_secret');
+		// Do not expose the saved client secret to the user
+		$clientSecret = $this->config->getAppValue(Application::APP_ID, 'client_secret') !== '' ? 'dummyToken' : '';
 		$oauthUrl = $this->config->getAppValue(Application::APP_ID, 'oauth_instance_url');
 		$usePopup = $this->config->getAppValue(Application::APP_ID, 'use_popup', '0') === '1';
 		$adminLinkPreviewEnabled = $this->config->getAppValue(Application::APP_ID, 'link_preview_enabled', '1') === '1';

lib/Settings/Personal.php

@@ -20,7 +20,8 @@ public function __construct(private IConfig $config,
 	 * @return TemplateResponse
 	 */
 	public function getForm(): TemplateResponse {
-		$token = $this->config->getUserValue($this->userId, Application::APP_ID, 'token');
+		// Do not expose the saved token to the user
+		$token = $this->config->getUserValue($this->userId, Application::APP_ID, 'token') !== '' ? 'dummyToken' : '';
 		$searchEnabled = $this->config->getUserValue($this->userId, Application::APP_ID, 'search_enabled', '0') === '1';
 		$searchIssuesEnabled = $this->config->getUserValue($this->userId, Application::APP_ID, 'search_issues_enabled', '0') === '1';
 		$searchMRsEnabled = $this->config->getUserValue($this->userId, Application::APP_ID, 'search_mrs_enabled', '0') === '1';